LockBit 3.0 Ransomware

Introduction: LockBit 3.0, also known as LockBit Black, is a ransomware variant that was first observed around June 2022. This version introduced new features, including support for Zcash, updated management capabilities, and enhanced anti-analysis and evasion techniques. The builder tools and source code for LockBit 3.0 were leaked in September 2022.

Targets: LockBit 3.0 primarily targets large enterprises and other high-value entities, but small and medium businesses (SMBs) are hit as well. The ransomware has shown a significant focus on industries such as manufacturing, technology, education, and engineering.

Propagation: LockBit 3.0 spreads through various methods, including phishing and spear-phishing emails, exploitation of exposed and vulnerable applications and services, and the use of third-party frameworks like Empire, Metasploit, and Cobalt Strike.

Technical Details:

  • Delivery and Infection:
    • Initial delivery of LockBit 3.0 payloads is often facilitated through third-party frameworks such as Cobalt Strike.
    • Infections may occur down the malware chain, with SocGholish infections dropping Cobalt Strike, which then delivers LockBit 3.0.
  • Persistence:
    • LockBit 3.0 achieves persistence through the installation of system services.
    • Each execution of the payload installs multiple services, ensuring continued presence.
  • Payload Characteristics:
    • LockBit 3.0 payloads are standard Windows PE files, sharing similarities with prior LockBit generations and the BlackMatter ransomware family.
  • Ransom Note and Desktop Changes:
    • Upon execution, the ransomware drops newly-formatted ransom notes and modifies the desktop background.
    • Notepad and Wordpad are included in the list of blocked processes, preventing victims from opening the ransom note until the ransomware completes its execution.

Detection Strategies: EDR is effective in detecting and preventing malicious behaviors and artifacts associated with LockBit 3.0 Ransomware.

For those without EDR, a multi-layered approach is recommended:

  1. Security Tools:
    • Utilize anti-malware software or other security tools capable of detecting and blocking known ransomware variants.
  2. Network Traffic Monitoring:
    • Regularly monitor network traffic to identify indicators of compromise, such as unusual patterns or communication with known command-and-control servers.
  3. Security Audits:
    • Conduct periodic security audits and assessments to identify network and system vulnerabilities and ensure that all security controls are effective.
  4. Education & Training:
    • Educate and train employees on cybersecurity best practices, emphasizing the identification and reporting of suspicious emails and other threats.
  5. Backup & Recovery Planning:
    • Implement a robust backup and recovery plan to restore data in case of an attack.
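As an added illustration (not code from the original page or from any vendor product), the following Python sketch turns the persistence behaviour described under Technical Details, several services installed by a single payload execution, into a detection rule run over Windows System log "A service was installed" records (Event ID 7045). The JSON log lines, hostnames, service names, paths and thresholds are constructed for this example.

```python
import json
from collections import defaultdict
from datetime import datetime

WINDOW_SECONDS = 60   # span in which a burst of service installs is suspicious
MIN_INSTALLS = 3      # LockBit 3.0 installs multiple services per execution

# Constructed sample of Event ID 7045 records as a log forwarder might emit them
# (JSON lines). All hosts, service names and image paths are made up.
SAMPLE_LOG = r"""
{"ts": "2024-03-01T10:00:01Z", "host": "WS-01", "event_id": 7045, "service": "svcA", "image": "C:\\Users\\Public\\payload.exe"}
{"ts": "2024-03-01T10:00:02Z", "host": "WS-01", "event_id": 7045, "service": "svcB", "image": "C:\\Users\\Public\\payload.exe"}
{"ts": "2024-03-01T10:00:03Z", "host": "WS-01", "event_id": 7045, "service": "svcC", "image": "C:\\Users\\Public\\payload.exe"}
{"ts": "2024-03-01T10:00:04Z", "host": "WS-01", "event_id": 7045, "service": "svcD", "image": "C:\\Users\\Public\\payload.exe"}
{"ts": "2024-03-01T11:30:00Z", "host": "WS-02", "event_id": 7045, "service": "VendorUpdater", "image": "C:\\Program Files\\Vendor\\upd.exe"}
{"ts": "2024-03-01T12:45:00Z", "host": "WS-02", "event_id": 7045, "service": "BackupAgent", "image": "C:\\Program Files\\Backup\\agent.exe"}
"""


def parse_events(text):
    """Parse JSON-lines records, keep only 7045 events, convert 'ts' to datetime."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("event_id") != 7045:
            continue
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def find_service_bursts(events, window=WINDOW_SECONDS, min_installs=MIN_INSTALLS):
    """Return {host: [service names]} for hosts on which at least `min_installs`
    services were installed inside any `window`-second span (sliding window)."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    hits = defaultdict(set)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= `window` seconds
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window:
                start += 1
            if end - start + 1 >= min_installs:
                hits[host].update(e["service"] for e in evs[start:end + 1])
    return {host: sorted(names) for host, names in hits.items()}


if __name__ == "__main__":
    for host, services in find_service_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {len(services)} services installed within {WINDOW_SECONDS}s: {services}")
```

Two legitimate installs hours apart on WS-02 do not trigger the rule, while the four installs within seconds on WS-01 do; tune the window and threshold against your own baseline of software deployments.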

Mitigation Measures: For EDR customers, the EDR prevents LockBit 3.0 Ransomware infections. In case of an infection, the platform’s unique rollback capability can remove the infection and restore encrypted files to their original state.

For those without EDR, in addition to the detection strategies mentioned above, follow these steps to mitigate the risk of LockBit 3.0 Ransomware attacks:

  1. Incident Response Plan:
    • Implement an incident response plan to efficiently manage and recover from ransomware attacks.
  2. Isolation:
    • Identify infected devices and isolate them from the network to prevent further spread.
  3. Security Patching:
    • Regularly update and patch systems to fix vulnerabilities and prevent exploitation.
  4. Restore from Backups:
    • If available, restore affected systems from clean and updated backups.

A proactive and comprehensive security approach is crucial for effectively mitigating the risk of LockBit 3.0 Ransomware attacks.

Copyright © 2024 RASOC all rights reserved