What is Lockbit 3.0? Who is Behind It? How to Protect From Lockbit Ransomware?

As crime grows in the digital world, cyber criminals keep making their malware more sophisticated. Ransomware is one such malware: it locks the victim's data by encrypting it, makes it inaccessible to the victim, and demands a ransom to unlock it. In this blog, we will look at the most prevalent ransomware of 2022, LockBit. LockBit was first caught in September 2019 and has seen a lot of improvement since, with the release of LockBit 2.0 in 2021 and LockBit 3.0 in mid-2022. Since LockBit 3.0 is the currently active version of the LockBit family, this post covers what LockBit 3.0 is, who is behind it, how LockBit 3.0 works and the stages of its attack, its victims and IOCs, and finally how to protect against LockBit 3.0 ransomware.

What is Ransomware and Ransomware as a Service (RaaS)?

Ransomware is malicious software (malware) that locks a system by encrypting its files and demands a ransom to release them. Ransomware as a Service (RaaS) is a business model in which an already developed ransomware tool is provided as a service to attackers in exchange for financial compensation.

The most common RaaS revenue models are:

  • No profit sharing, with a monthly fee
  • Flat fee and subscription-based
  • Profit sharing only
  • Subscription plus a share of the profits

The most widely used ransomware of 2022 is LockBit 3.0. In this post, we will look into what LockBit 3.0 is and how to protect against LockBit ransomware.

What is Lockbit 3.0? Who is Behind It?

LockBit 3.0 is the latest strain of malware released by the well-known LockBit ransomware family. LockBit ransomware was first observed in September 2019; however, the LockBit gang became prevalent through LockBit 2.0 in 2021.

The LockBit ransomware gang targets organizations all around the world. This family of ransomware programs is self-spreading. The main targets of this group are organizations that are able to pay a large ransom. The family uses the Ransomware as a Service (RaaS) operating model, where affiliates pay for the ransomware and receive it as a subscription service. It is also suspected that the LockBit ransomware gang has roots in the BlackMatter threat actors.

After successful years of using LockBit 2.0, by late 2022 the ransomware family released a more powerful strain of the program, LockBit 3.0, aka LockBit Black. To make things worse, they also adopted a double extortion model: they not only encrypt the files but exfiltrate them as well. The stolen files are copied to another device, which makes the situation scarier for the victim and urges them to pay the ransom.


How Does LockBit 3.0 Work?

Like every other attacker group, the LockBit ransomware group has some specific features, and one of the most remarkable is the ransomware's ability to self-propagate. Multiple predefined automated processes are built into LockBit's code, which sets it apart from ransomware families that are driven manually and helps it complete reconnaissance much faster.

After infecting a single host, LockBit ransomware can propagate itself and find other accessible hosts without any human intervention. Another notable feature of LockBit is its use of tools in a pattern native to the operating system, which makes it harder for endpoint defenses to detect suspicious behavior. The operators also hide the executable file in a .PNG format to deceive defense mechanisms.

Stages of a LockBit Attack

A LockBit attack can be roughly divided into three stages:

  • Exploit
  • Infiltrate
  • Deploy


Exploit

The initial stage of a ransomware attack is exploiting a weakness in a network. This initial exploitation can happen via multiple methods, including phishing, social engineering and other tactics. The attacker can also take advantage of weak password policies, other vulnerabilities, zero days and misconfigurations in the network to gain initial access. LockBit's RaaS model also recruits Initial Access Brokers (IABs) to obtain stolen credentials for Remote Desktop Protocol (RDP) or Virtual Private Network (VPN) access.

Once the initial foothold is established, the ransomware prepares to spread across multiple devices in the network. Before that, the threat actor makes sure all prerequisites are in place.


Infiltrate

Once the ransomware is in the network, the attacker downloads C2 tools into the compromised environment. LockBit uses red-team framework tools like Cobalt Strike Beacon, Metasploit and Mimikatz to infiltrate further and make the environment ready for the attack. As previously mentioned, the LockBit program has multiple automated processes, which help it propagate independently through privilege escalation and lateral movement.

In this stage, the ransomware prepares the system by disabling security programs and any other defensive mechanisms so that the encryption portion of the ransomware can be deployed safely.

The main goal of this stage is to leave the victim unable to recover the encrypted files unassisted, hence urging them to pay the ransom to restore operations.


Deploy

Once the exploit and infiltrate stages are completed successfully, the ransomware installs itself in the Windows Registry to maintain persistence and releases its encryption payload, which travels effortlessly through the network and starts encrypting, or locking, all the system files. It uses a pair of ECC (Curve25519) session keys, with the private key encrypted with an ECC public key stored in the Windows Registry. The deploy stage is much easier, as a single system with high privileges can do complete damage.


Once the encryption is completed, all system files are locked from the victim and can only be unlocked with a custom key used by LockBit's proprietary decryption tool. The attacker also makes sure to leave a ransom note with instructions on what can be done to get the files back. It may also include a threatening blackmail note.

After all the stages are completed, the rest is up to the victim. They may pay the ransom to restore the files by following the attackers' demands. However, this is not advised, as the victim has no guarantee of what the attackers may request.

What Did Security Researchers Find About LockBit 3.0 in Their Analysis?

  • Trend Micro researchers say that LockBit 3.0 is a Win32 .exe file with multiple sections packed with an undisclosed packer.
  • An icon file (.ico) is dropped in the %PROGRAMDATA% folder with the same name as the extension appended to encrypted files.
  • The extension "HLJkNskOq" is appended to encrypted files, and their icons are changed.
  • The ransom note is dropped, and it mentions "Ilon Musk" and "GDPR".
  • The wallpaper is also changed so that the victim understands they have been hacked.

The sample was observed being launched with the following command line, in which the -pass argument supplies the password the malware requires to unpack and run its payload:

{04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a

In September 2022, an unknown user, @ali_qushji, published that his team had hacked the LockBit servers, and he made the malware builder available on GitHub. Please check out the post published on the VMware blog for more technical details about LockBit Black.

Ransom note (Source: Trend Micro)
The desktop wallpaper applied by LockBit 3.0 (Source: Trend Micro)
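As an added, defender-side example (not code from this post, Trend Micro or VMware), the following Python checks a host image for the indicators listed above: the HLJkNskOq extension, the matching .ico in %PROGRAMDATA%, a ransom note mentioning "Ilon Musk" and "GDPR", and a process launched with the -k/-pass pattern shown. The sample files, the note text and the 32-hex-character password length are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the Trend Micro findings above: the extension appended to encrypted
# files, the matching .ico dropped in %PROGRAMDATA%, and the ransom-note wording.
LOCKBIT_EXT = "HLJkNskOq"
NOTE_MARKERS = ("Ilon Musk", "GDPR")
# Launch pattern from the observed command line (32-hex-char password is an assumption)
CMDLINE_RE = re.compile(r"-k\s+LocalServiceNetworkRestricted\s+-pass\s+[0-9a-f]{32}\b", re.I)

def scan_tree(root, programdata):
    """Walk a file tree and collect LockBit 3.0 file-system indicators."""
    hits = {"encrypted_files": [], "ransom_notes": [], "icon_dropped": False}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix == "." + LOCKBIT_EXT:       # e.g. report.docx.HLJkNskOq
            hits["encrypted_files"].append(str(path))
        elif path.suffix.lower() == ".txt":         # ransom note is plain text
            text = path.read_text(errors="ignore")
            if all(marker in text for marker in NOTE_MARKERS):
                hits["ransom_notes"].append(str(path))
    # the dropped icon shares its name with the encrypted-file extension
    hits["icon_dropped"] = (Path(programdata) / f"{LOCKBIT_EXT}.ico").is_file()
    return hits

def suspicious_cmdlines(cmdlines):
    """Return process command lines matching the password-protected launch pattern."""
    return [c for c in cmdlines if CMDLINE_RE.search(c)]

def demo():
    """Constructed sample host: a temp dir stands in for the system drive."""
    root = Path(tempfile.mkdtemp())
    programdata = root / "ProgramData"
    docs = root / "Users" / "alice" / "Documents"
    programdata.mkdir()
    docs.mkdir(parents=True)
    (programdata / f"{LOCKBIT_EXT}.ico").write_bytes(b"\x00\x00\x01\x00")
    (docs / f"report.docx.{LOCKBIT_EXT}").write_bytes(b"\xde\xad\xbe\xef")
    (docs / "note.txt").write_text("Ilon Musk ... GDPR ... (constructed note text)")
    (docs / "todo.txt").write_text("buy milk")  # benign control file
    cmdlines = [
        r"C:\Windows\explorer.exe",
        "{04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe -k LocalServiceNetworkRestricted "
        "-pass db66023ab2abcb9957fb01ed50cdfa6a",
    ]
    return scan_tree(root, programdata), suspicious_cmdlines(cmdlines)
```

On a real host, point scan_tree at the system drive and %PROGRAMDATA% and feed suspicious_cmdlines the command lines from your process inventory or EDR telemetry.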

Who Can Be Affected by LockBit 3.0?

In terms of operating system platforms, LockBit predominantly targets Windows. However, the new version of LockBit has also evolved to target Linux systems, including virtual environments such as VMware ESXi.

Geographically, the malware has victimized organizations in the United States, Canada, Europe, Asia and Latin America. It has also been observed that the group ignores countries in the Eastern European region and the Commonwealth of Independent States, except for Ukraine.

Looking at the organizations hit, LockBit most often targets small to mid-sized businesses. This doesn't mean that large organizations should ignore this malware; all organizations must be very vigilant against such ransomware attacks. As per the statistics shared by BlackBerry, at least 478 blocks of the LockBit malware family were observed, which is almost five attempts per day worldwide, across all LockBit versions.

Source: BlackBerry

Indicators of Compromise (IOC)


YARA Rules to Detect LockBit Black

import "pe"

rule LockBit_3_dll
{
    meta:
        author = "VMware TAU" // bdana
        date = "2022-Oct-12"
        description = "Identifies LockBit 3.0 DLL encryptor by exported function names."
        rule_version = "1"
        yara_version = "4.2.3"
        exemplar_hash = "c2529655c36f1274b6aaa72911c0f4db7f46ef3a71f4b676c4500e180595cac6"
    condition:
        // the DLL form of the encryptor exposes this set of exported function names
        pe.exports("del") and
        pe.exports("gdel") and
        pe.exports("gdll") and
        pe.exports("gmod") and
        pe.exports("pmod") and
        pe.exports("sdll")
}

rule LockBit_3_exe
{
    meta:
        author = "VMware TAU" // bdana
        date = "2022-Oct-12"
        description = "Identifies LockBit 3.0 exe encryptor section names, and artifact section names."
        rule_version = "1"
        yara_version = "4.2.3"
        exemplar_hash = "5202e3fb98daa835cb807cc8ed44c356f5212649e6e1019c5481358f32b9a8a7"
    strings:
        $text = ".text" ascii wide
        $itext = ".itext" ascii wide
        $data = ".data" ascii wide
        $rdata = ".rdata" ascii wide
        $idata = ".idata" ascii wide
        $xyz = ".xyz" ascii wide
        $reloc = ".reloc" ascii wide
        $bss = ".bss" ascii wide
    condition:
        // section-name strings recur in the sample (#name counts occurrences), and the
        // ".xyz" / ".bss" strings are artifacts that do not name real PE sections
        #text > 2 and
        #itext > 1 and
        #data > 1 and
        #rdata > 2 and
        #idata > 3 and
        $reloc and
        $bss and $xyz and
        not for any i in (0..pe.number_of_sections - 1) : (
            pe.sections[i].name == ".xyz" or
            pe.sections[i].name == ".bss"
        )
}

How to Protect Against LockBit 3.0?

Now that we know what LockBit 3.0 is, it's time to learn how to protect against it. We have listed a few guidelines that help you protect your assets from LockBit 3.0.

  • Every organization must be prepared with effective endpoint detection and response software that quickly identifies and isolates systems likely to be infected by the ransomware.
  • RDP should be hardened, and users with RDP access must turn it off when not in use.
  • The principle of least privilege must be in place so that privilege escalation and lateral movement are very hard.
  • All users in an organization must be aware of basic cyber security policies, and appropriate training should be provided on time.
  • Multi-factor authentication and strong password policies should be implemented.
  • Make sure to clean up outdated and unused user accounts.
  • All system configurations must be in line with the security policies.
  • Even with the best preparedness, breaches can still happen. Hence, a disaster recovery plan must be in place for every organization.
