LockBit 3.0
Associated Software Descriptions

| Name | Description |
|---|---|
| LockBit Black | (Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)(Citation: Sentinel Labs LockBit 3.0 JUL 2022) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | LockBit 3.0 can bypass UAC to execute code with elevated privileges through an elevated Component Object Model (COM) interface.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023) |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | LockBit 3.0 can use HTTP to send victim host information to C2.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)(Citation: INCIBE-CERT LockBit MAR 2024) |
| Enterprise | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | LockBit 3.0 can enable automatic logon through the `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` Registry key.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | LockBit 3.0 can use PowerShell to apply Group Policy changes.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023) |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | LockBit 3.0 can install system services for persistence.(Citation: Sentinel Labs LockBit 3.0 JUL 2022) |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | LockBit 3.0 can Base64-encode C2 communication.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023) |
| Enterprise | T1484.001 | Domain or Tenant Policy Modification: Group Policy Modification | LockBit 3.0 can enable options for propagation through Group Policy Objects.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | LockBit 3.0 can encrypt C2 communications with AES.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023) |
| Enterprise | T1480.002 | Execution Guardrails: Mutual Exclusion | LockBit 3.0 can create and check for a mutex containing a hash of the `MachineGUID` value at execution to prevent running more than one instance.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023) |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | LockBit 3.0 can disable security tools, including Windows Defender, to evade detection.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)(Citation: INCIBE-CERT LockBit MAR 2024) |
| Enterprise | T1562.009 | Impair Defenses: Safe Mode Boot | LockBit 3.0 can reboot the infected host into Safe Mode.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023) |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | LockBit 3.0 can delete log files on targeted systems.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | LockBit 3.0 can delete itself from disk.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023) |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | LockBit 3.0 can use code packing to hinder analysis.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: INCIBE-CERT LockBit MAR 2024) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | The LockBit 3.0 payload includes an encrypted main component.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023) |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | LockBit 3.0 can use SMB for lateral movement.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023) |
| Enterprise | T1218.003 | System Binary Proxy Execution: CMSTP | LockBit 3.0 can attempt a CMSTP UAC bypass if it does not have administrative privileges.(Citation: Sentinel Labs LockBit 3.0 JUL 2022) |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | LockBit 3.0 will not affect machines whose language settings match a defined exclusion list of mainly Eastern European languages.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023) |
| Enterprise | T1569.002 | System Services: Service Execution | LockBit 3.0 can use PsExec to execute commands and payloads.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023) |
| Enterprise | T1078.003 | Valid Accounts: Local Accounts | LockBit 3.0 can use a compromised local account for lateral movement.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023) |
References
- CISA et al. (2023, June 14). UNDERSTANDING RANSOMWARE THREAT ACTORS: LOCKBIT. Retrieved February 5, 2025.
- FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
- INCIBE-CERT. (2024, March 14). LockBit: response and recovery actions. Retrieved February 5, 2025.
- Walter, J. (2022, July 21). LockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques. Retrieved February 5, 2025.