
LockBit 3.0

LockBit 3.0 is an evolution of the LockBit Ransomware-as-a-Service (RaaS) offering with similarities to BlackMatter and BlackCat ransomware. LockBit 3.0 has been in use since at least June 2022 and features enhanced defense evasion and exfiltration tactics, robust encryption methods for Windows and VMware ESXi systems, and a more refined RaaS structure over its predecessors such as LockBit 2.0.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)(Citation: INCIBE-CERT LockBit MAR 2024)
ID: S1202
Associated Software: LockBit Black
Type: MALWARE
Platforms: Windows
Created: 05 Feb 2025
Last Modified: 06 Feb 2025

Associated Software Descriptions

Name Description
LockBit Black (Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)(Citation: Sentinel Labs LockBit 3.0 JUL 2022)

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

LockBit 3.0 can bypass UAC to execute code with elevated privileges through an elevated Component Object Model (COM) interface.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

LockBit 3.0 can use HTTP to send victim host information to C2.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)(Citation: INCIBE-CERT LockBit MAR 2024)

Enterprise T1547 .004 Boot or Logon Autostart Execution: Winlogon Helper DLL

LockBit 3.0 can enable automatic logon through the `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` Registry key.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)
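A defender-side check for the autologon change described above, added here as an example and not part of the ATT&CK entry: it scans Sysmon Event ID 13 (registry value set) records for writes under the Winlogon key that enable `AutoAdminLogon` or store a `DefaultPassword`. The sample records are constructed, and the JSON field names, the list of watched value names and the severities are this example's assumptions.

```python
import json
import re

# Registry key named in the ATT&CK entry. The value names below are the
# standard Windows autologon and Winlogon helper settings; which ones to
# watch, and their severities, are this example's assumptions.
WINLOGON_VALUE = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
SEVERITY = {
    "autoadminlogon": "high",      # enables unattended logon (the page's case)
    "defaultpassword": "high",     # cleartext credential written to the registry
    "defaultusername": "medium",
    "defaultdomainname": "low",
    "shell": "high",               # classic Winlogon helper targets (T1547.004)
    "userinit": "high",
}

# Constructed Sysmon Event ID 13 records, not real telemetry.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 13, "Image": "C:\\Users\\Public\\update.exe",
                "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AutoAdminLogon",
                "Details": "1"}),
    json.dumps({"EventID": 13, "Image": "C:\\Users\\Public\\update.exe",
                "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\DefaultPassword",
                "Details": "(redacted)"}),
    json.dumps({"EventID": 13, "Image": "C:\\Windows\\System32\\gpupdate.exe",
                "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\AutoAdminLogon",
                "Details": "0"}),
    json.dumps({"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
                "TargetObject": "HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ExcludeProfileDirs",
                "Details": "AppData\\Local"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": "cmd.exe /c whoami"}),
    "this line is not JSON",
]


def parse_event(line):
    """Return the event as a dict, or None if the line is not a JSON object."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def check_winlogon_event(event):
    """Return an alert dict for a suspicious Winlogon value write, else None."""
    if event.get("EventID") != 13:
        return None
    match = WINLOGON_VALUE.search(event.get("TargetObject", ""))
    if not match:
        return None
    value = match.group("value").lower()   # registry value names are case-insensitive
    severity = SEVERITY.get(value)
    if severity is None:
        return None                         # some other Winlogon value; not watched
    details = str(event.get("Details", "")).strip()
    if value == "autoadminlogon" and details != "1":
        return None                         # turning autologon off is not an alert
    return {
        "severity": severity,
        "value": match.group("value"),
        "image": event.get("Image", ""),
        "details": details,
    }


def scan_winlogon(lines):
    """Run the check over raw log lines, skipping lines that do not parse."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        alert = check_winlogon_event(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan_winlogon(SAMPLE_EVENTS):
        print(alert)
```

The writing process (`Image`) is carried into the alert so an analyst can separate a Group Policy or deployment tool setting autologon on a kiosk from an unexpected binary doing it; a `DefaultPassword` write is worth a high severity on its own, since it leaves a cleartext credential in the registry whatever the intent.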

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

LockBit 3.0 can use PowerShell to apply Group Policy changes.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

LockBit 3.0 can install system services for persistence.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)

Enterprise T1132 .001 Data Encoding: Standard Encoding

LockBit 3.0 can Base64-encode C2 communication.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

LockBit 3.0 can enable options for propagation through Group Policy Objects.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

LockBit 3.0 can encrypt C2 communications with AES.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)

Enterprise T1480 .002 Execution Guardrails: Mutual Exclusion

LockBit 3.0 can create and check for a mutex containing a hash of the `MachineGUID` value at execution to prevent running more than one instance.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

LockBit 3.0 can disable security tools to evade detection including Windows Defender.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)(Citation: INCIBE-CERT LockBit MAR 2024)

Enterprise T1562 .009 Impair Defenses: Safe Mode Boot

LockBit 3.0 can reboot the infected host into Safe Mode.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

LockBit 3.0 can delete log files on targeted systems.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)

Enterprise T1070 .004 Indicator Removal: File Deletion

LockBit 3.0 can delete itself from disk.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

LockBit 3.0 can use code packing to hinder analysis.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: INCIBE-CERT LockBit MAR 2024)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

The LockBit 3.0 payload includes an encrypted main component.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

LockBit 3.0 can use SMB for lateral movement.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)

Enterprise T1218 .003 System Binary Proxy Execution: CMSTP

LockBit 3.0 can attempt a CMSTP UAC bypass if it does not have administrative privileges.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)

Enterprise T1614 .001 System Location Discovery: System Language Discovery

LockBit 3.0 will not affect machines with language settings matching a defined exclusion list of mainly Eastern European languages.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)

Enterprise T1569 .002 System Services: Service Execution

LockBit 3.0 can use PsExec to execute commands and payloads.(Citation: Joint Cybersecurity Advisory LockBit JUN 2023)
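Three of the behaviours listed above leave a process-creation trace a SOC can alert on: the Safe Mode reboot (T1562.009), event log clearing (T1070.001) and PsExec service execution (T1569.002). The following is an added example, not part of the ATT&CK entry or any LockBit analysis: a small rule set run over constructed Sysmon Event ID 1 records. The command-line patterns are this example's assumptions about how each behaviour typically appears in telemetry; the page itself names only the techniques.

```python
import json
import re

# Each rule ties a pattern to a sub-technique the page lists for LockBit 3.0.
# The patterns are assumptions about common telemetry, not taken from the page.
RULES = [
    # bcdedit writing a safeboot setting; also fires on the later cleanup
    # (deletevalue), which is equally worth an analyst's attention.
    ("T1562.009", "Impair Defenses: Safe Mode Boot",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)),
    # wevtutil clearing a log, or the PowerShell cmdlet; queries (qe) do not match.
    ("T1070.001", "Indicator Removal: Clear Windows Event Logs",
     re.compile(r"\bwevtutil(?:\.exe)?\b\s+(?:cl|clear-log)\b|\bClear-EventLog\b",
                re.IGNORECASE)),
    # PsExec client on the source host, or PSEXESVC.exe on the target host.
    ("T1569.002", "System Services: Service Execution",
     re.compile(r'(?:^|[\\\s"])psexe(?:c|c64|svc)\.exe\b', re.IGNORECASE)),
]

# Constructed Sysmon Event ID 1 records, not real telemetry.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\svc-backup",
                "CommandLine": "cmd.exe /c bcdedit /set {default} safeboot network"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\wevtutil.exe", "User": "CORP\\svc-backup",
                "CommandLine": "wevtutil.exe cl Security"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\PSEXESVC.exe", "User": "NT AUTHORITY\\SYSTEM",
                "CommandLine": "C:\\Windows\\PSEXESVC.exe"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\bcdedit.exe", "User": "CORP\\admin",
                "CommandLine": "bcdedit /enum"}),
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\wevtutil.exe", "User": "CORP\\admin",
                "CommandLine": "wevtutil.exe qe Security /c:5"}),
    json.dumps({"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
                "TargetObject": "HKCU\\Software\\Classes\\.txt", "Details": "txtfile"}),
    "not a json line",
]


def parse_event(line):
    """Return the event as a dict, or None if the line is not a JSON object."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def match_rules(event):
    """Return the (technique_id, name) pairs whose pattern fires on one process-creation event."""
    if event.get("EventID") != 1:
        return []
    # Search image path and command line together so a rule can key on either.
    text = f'{event.get("Image", "")} {event.get("CommandLine", "")}'
    return [(tid, name) for tid, name, pattern in RULES if pattern.search(text)]


def scan_process_events(lines):
    """Run every rule over raw log lines and return one alert per rule hit."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        for tid, name in match_rules(event):
            alerts.append({
                "technique": tid,
                "name": name,
                "image": event.get("Image", ""),
                "command_line": event.get("CommandLine", ""),
                "user": event.get("User", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_EVENTS):
        print(alert)
```

Each of these commands has legitimate administrative uses, so the alert carries the user and parent image for triage; the signal that matters for this malware is several of them appearing on one host within minutes, so a rule engine would normally correlate the hits rather than page on any single one.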

Enterprise T1078 .003 Valid Accounts: Local Accounts

LockBit 3.0 can use a compromised local account for lateral movement.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)
