Summary of LockBit 3.0 (aka LockBit Black) Ransomware

In February 2024, an international coalition of law enforcement, led by the NCA (National Crime Agency), disrupted LockBit ransomware infrastructure and operations. LockBit’s Data Leak Sites (DLS) and victim portals have been updated, as part of Operation Cronos, to distribute data about the LockBit seizure and provide links to victim resources. Details around LockBit’s in-house exfiltration tool called “StealBit” have also been released as part of the operation.

The Cronos Task Force has made several resources available to assist potential victims of LockBit ransomware, including decryption tools. Over 30 associated servers have been seized across multiple countries including Finland, Germany, Netherlands, France, Australia, the United States, and the United Kingdom.

Those in the United States can direct related inquiries to the LockBit Victims IC3 portal here. Those in the United Kingdom are encouraged to submit inquiries to the Cyber Incident Signposting Site. LockBit decryption tools have been posted to the NoMoreRansom project portal here.

  • LockBit 3.0 was first observed around June 2022. At this time, new infections were observed, and existing LockBit 2.0 infections were upgraded to 3.0.
  • LockBit 3.0 operators offered an open Bug Bounty during the span of their operation.
  • Primary new features (from 2.0 to 3.0) include support for Zcash, updated Management capabilities, and anti-analysis and evasion.
  • The builder tools and source for LockBit 3.0 were “leaked” in September of 2022.

What Does LockBit 3.0 Ransomware Target?

LockBit’s direct affiliates and rogues (those attacking outside the affiliate structure, or with leaked builder tools) combined have accounted for thousands of worldwide attacks, costing billions of dollars in ransom payouts and/or recovery costs. They typically target:

  • Large enterprises, high-value targets
  • Small and medium businesses (SMBs)
  • Manufacturing, technology, education, and engineering industries (heavy targeting)

How Does LockBit 3.0 Ransomware Spread?

  • Phish and spear phishing emails
  • Exposed and vulnerable applications and services
  • Third-party framework (e.g., Empire, Metasploit, Cobalt Strike)

LockBit 3.0 Ransomware Technical Details

Initial delivery of the LockBit ransomware payloads is typically handled via third-party frameworks such as Cobalt Strike. As with LockBit 2.0, we have seen infections occur down the chain from other malware components as well, such as a SocGholish infection dropping Cobalt Strike, which in turn delivers the LockBit 3 ransomware.

The payloads themselves are standard Windows PE files with strong similarities to prior generations of LockBit as well as BlackMatter ransomware families.

LockBit 3.0 achieves persistence via installation of System Services. Each execution of the payload will install multiple services. We have observed the following service names in conjunction with LockBit 3.0 ransomware payloads. On execution, the LockBit 3.0 ransomware will drop newly-formatted ransom notes along with a change to the desktop background. Interestingly, Notepad and Wordpad are included in the list of prescribed processes as noted above. Therefore, if a victim attempts to open the ransom note immediately after it is dropped, it will promptly close since the process is blocked until the ransomware completes its execution.

How to Detect LockBit 3.0 Ransomware

  • The SentinelOne Singularity XDR Platform detects and prevents malicious behaviors and artifacts associated with LockBit 3.0 ransomware.

How to Mitigate LockBit 3.0 Ransomware

  • The SentinelOne Singularity XDR Platform detects and prevents malicious behaviors and artifacts associated with LockBit 3.0.

How to Remove LockBit 3.0 Ransomware

  • SentinelOne customers are protected from LockBit 3.0 ransomware without any need to update or take action. In cases where the policy was set to Detect Only and a device became infected, remove the infection by using SentinelOne’s unique rollback capability. As the accompanying video shows,  the rollback will revert any malicious impact on the device and restore encrypted files to their original state.