LockBit 3.0 (aka LockBit Black) is an evolved ransomware capable of aggressive anti-analysis and evasion, rapid encryption, and expanded data-leak and affiliate-management features. The piece provides a technical dive into its payload behavior, persistence, takeaways for researchers, and indicators of compromise. #LockBit3 #LockBitBlack
Key points
- LockBit 3.0 introduces robust anti-analysis techniques, including code packing, obfuscation, dynamic resolution of function addresses, and anti-debugging measures.
- Each sample uses a unique passphrase to run the malware, hindering sandbox and dynamic analysis unless recovered with the sample.
- Encryption is extremely rapid, often completing on a test host in under a minute and spreading to adjacent systems.
- Persistence is achieved by installing multiple Windows services, with copies written to %programdata% and launched from there.
- Initial delivery commonly uses third‑party frameworks (e.g., Cobalt Strike), sometimes via chained infections (SocGholish → Cobalt Strike → LockBit 3.0).
- New leakage and public-mirror strategies include multiple data mirrors and an instant-search feature on leak sites, plus a bug bounty program and a TOR-based support portal for victims.
- IOCs include SHA256/SHA1 hashes and numerous .onion domains tied to the LockBit ecosystem.
MITRE Techniques
- [T1543.003] Create or Modify System Process: Windows Service – Persistence via installation of System Services. Each execution of the payload will install multiple services. (‘persistence via installation of System Services. Each execution of the payload will install multiple services.’)
- [T1055] Process Injection – The ransomware executes the NtSetInformationThread function through a trampoline, such that the ThreadHandle and ThreadInformationClass parameters have the values of 0xFFFFFFFE and 0x11 (ThreadHideFromDebugger). (‘The ransomware executes the NtSetInformationThread function through a trampoline, such that the ThreadHandle and ThreadInformationClass parameters have the values of 0xFFFFFFFE and 0x11 (ThreadHideFromDebugger).’)
- [T1622] Debugger Evasion – Anti-debugging techniques. (‘anti-debugging techniques.’)
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – UAC bypass attempted when privileges are insufficient. (‘The ransomware payloads are designed to execute with administrative privileges. In the event that the malware does not have the necessary privileges, a UAC bypass will be attempted (CMSTP).’)
- [T1218.003] System Binary Proxy Execution: CMSTP – CMSTP-based proxy execution. (‘System Binary Proxy Execution: CMSTP’)
- [T1406.002] Obfuscated Files or Information: Software Packing – Code packing, obfuscation and dynamic resolution of function addresses, function trampolines, and anti-debugging techniques. (‘These techniques include code packing, obfuscation and dynamic resolution of function addresses, function trampolines, and anti-debugging techniques.’)
- [T1485] Data Destruction – Encryption is rapid and widespread; fully encrypts targets. (‘The encryption phase is extremely rapid, even when spreading to adjacent hosts. The ransomware payloads were able to fully encrypt our test host in well under a minute.’)
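The persistence and CMSTP entries above describe three observable host artefacts: services installed with their binaries under %programdata%, several service installs from a single payload execution, and cmstp.exe launched for a UAC bypass. The triage script below is an added example (not code from the original piece or its authors) that checks constructed Windows event records for those three patterns; the event field names, the 60-second burst window and the sample events are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names mirror what the
# System log 7045 (service installed) and Sysmon EID 1 (process create) carry.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:01", "host": "ws01", "eid": 7045,
     "ServiceName": "svc_a", "ImagePath": r"C:\ProgramData\svc_a.exe"},
    {"ts": "2024-01-01T10:00:03", "host": "ws01", "eid": 7045,
     "ServiceName": "svc_b", "ImagePath": r"C:\ProgramData\svc_b.exe"},
    {"ts": "2024-01-01T10:00:05", "host": "ws01", "eid": 1,
     "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": "cmstp.exe C:\\ProgramData\\profile.inf"},
    {"ts": "2024-01-01T11:30:00", "host": "ws02", "eid": 7045,
     "ServiceName": "Vendor Spooler", "ImagePath": r"C:\Program Files\Vendor\spool.exe"},
]

# Matches an image path rooted in %programdata% (literal or expanded, quoted or not).
PROGRAMDATA_RE = re.compile(r'^"?(?:%programdata%|[a-z]:\\programdata)\\', re.I)
BURST_WINDOW = timedelta(seconds=60)  # assumed window for "multiple services" per run

def service_from_programdata(ev):
    return ev.get("eid") == 7045 and bool(PROGRAMDATA_RE.match(ev.get("ImagePath", "")))

def cmstp_execution(ev):
    return ev.get("eid") == 1 and ev.get("Image", "").lower().endswith("\\cmstp.exe")

def service_install_bursts(events, window=BURST_WINDOW, min_count=2):
    """Return hosts where at least min_count services were installed within window."""
    per_host = {}
    for ev in events:
        if ev.get("eid") == 7045:
            per_host.setdefault(ev["host"], []).append(datetime.fromisoformat(ev["ts"]))
    hits = set()
    for host, stamps in per_host.items():
        stamps.sort()
        for i in range(len(stamps) - min_count + 1):
            if stamps[i + min_count - 1] - stamps[i] <= window:
                hits.add(host)
                break
    return hits

def triage(events):
    """Return (host, finding, detail) tuples for every matching pattern."""
    findings = []
    for ev in events:
        if service_from_programdata(ev):
            findings.append((ev["host"], "service_from_programdata", ev["ServiceName"]))
        if cmstp_execution(ev):
            findings.append((ev["host"], "cmstp_execution", ev["CommandLine"]))
    for host in sorted(service_install_bursts(events)):
        findings.append((host, "service_install_burst", ""))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
```

A legitimate service with its binary under Program Files (the ws02 record) produces no finding, so the three checks can be run together as a low-noise hunt query rather than a single-indicator alert.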
Indicators of Compromise
- [SHA256] Hashes – f9b9d45339db9164a3861bf61758b7f41e6bcfb5bc93404e296e2918e52ccc10, a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e, d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee
- [SHA1] Hashes – ced1c9fabfe7e187dd809e77c9ca28ea2e165fa8, 371353e9564c58ae4722a03205ac84ab34383d8c, c2a321b6078acfab582a195c3eaf3fe05e095ce0
- [ONION domains] Onion domain indicators – lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead[.]onion, lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd[.]onion, lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd[.]onion, and other onion domains