LockBit 3.0 Ransomware: An In-Depth Analysis of Its Evolution, Working, Spread, and Anti-Detection Techniques

LockBit 3.0 ransomware, also known as LockBit Black, is an evolved form of the LockBit ransomware-as-a-service (RaaS) family, with roots extending back to BlackMatter and related entities. It’s a type of malware that encrypts victims’ data and demands a ransom for its return. This ransomware was updated after critical bugs were found in LockBit 2.0 in March 2022, leading the authors to improve their encryption routines and add several new features.

The switch from LockBit 2.0 to LockBit 3.0 happened around June 2022. The new version of the ransomware rapidly gained adoption by affiliates, with numerous victims being identified on the new “Version 3.0” leak sites. These sites, which are a collection of public blogs, name non-compliant victims and leak extracted data. To improve resilience, the operators have stood up multiple mirrors for their leaked data and publicized the site URLs. An instant search tool has also been added to their leak sites.

The LockBit 3.0 update brought in enhanced administrative tools for its partners and incorporated Zcash into its payment methods for victims, joining existing options like Bitcoin and Monero. The ransomware authors also started a public “bug bounty” program to improve the quality of their malware and financially reward those who assist. However, given the criminal nature of the operation, attempting to report bugs could potentially lead to criminal charges from law enforcement.

The LockBit 3.0 payloads retain all the features and capabilities of the previous version, LockBit 2.0. Deployment of these payloads is usually managed through external frameworks such as Cobalt Strike. The payloads themselves are standard Windows PE files with strong similarities to previous LockBit generations and to the BlackMatter ransomware family. LockBit 3.0 requires administrative privileges to execute and attempts a UAC bypass if it does not already have them.

LockBit 3.0 also achieves persistence by installing system services. Each execution of the payload installs multiple services, and specific services and processes are targeted for termination. Upon execution, the ransomware drops newly formatted ransom notes and changes the desktop background. The encryption phase is extremely rapid and can spread to adjacent hosts quickly. Infected machines have been observed to shut down ungracefully approximately 10 minutes after the ransomware payload was launched.
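As an added defender-side example (not code from the original post or from any LockBit analysis tooling), the script below looks for the persistence pattern just described: a burst of new service installations on one host. It assumes a simplified log line format, Windows System log Event ID 7045 as the service-installation record, and a threshold of three installs within 60 seconds; the sample lines are constructed.

```python
# Flag hosts where several service installations (Event ID 7045) land
# inside a short window, as each LockBit 3.0 execution is said to do.
# Log format, threshold and window are assumptions for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <host> <event_id> <service name>"
SAMPLE_LOG = """\
2022-07-01T10:00:01 ws-01 7045 PrintSpoolerHelper
2022-07-01T10:00:03 ws-01 7045 UpdateSvcA
2022-07-01T10:00:04 ws-01 7045 UpdateSvcB
2022-07-01T10:00:09 ws-01 7045 UpdateSvcC
2022-07-01T10:00:05 ws-01 7036 Spooler
2022-07-01T09:12:00 ws-02 7045 VendorAgent
2022-07-01T14:40:00 ws-02 7045 BackupSvc
"""

BURST_COUNT = 3                   # assumed: installs needed to alert
BURST_WINDOW = timedelta(seconds=60)  # assumed: time span for the burst

def parse_events(text):
    """Return (timestamp, host, event_id, name) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, host, eid, name = parts
        events.append((datetime.fromisoformat(ts), host, int(eid), name))
    return events

def find_service_bursts(events, count=BURST_COUNT, window=BURST_WINDOW):
    """Sliding window over 7045 events per host. Returns {host: [services]}
    for the first window on each host that reaches the threshold."""
    per_host = defaultdict(list)
    for ts, host, eid, name in events:
        if eid == 7045:               # only service-installation records
            per_host[host].append((ts, name))
    hits = {}
    for host, installs in per_host.items():
        installs.sort()               # logs may arrive out of order
        start = 0
        for end in range(len(installs)):
            while installs[end][0] - installs[start][0] > window:
                start += 1            # shrink window from the left
            if end - start + 1 >= count:
                hits[host] = [n for _, n in installs[start:end + 1]]
                break
    return hits

if __name__ == "__main__":
    for host, names in find_service_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {len(names)} services installed within 60s: {names}")
```

On the sample data only ws-01 trips the rule; ws-02's two installs hours apart and the unrelated 7036 event are ignored.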

When it comes to its methods for avoiding detection and hindering analysis, LockBit 3.0 employs several strategies. These include using code packing to compress its code and make it harder to analyze, obfuscation to conceal its true nature, dynamically determining the locations of functions to avoid predictable patterns, using function trampolines to redirect execution flow, and implementing techniques to thwart debugging attempts. It exhibits similarities to the BlackMatter ransomware in these techniques.
