LockBit 3.0 first surfaced in June 2022 and has since wreaked havoc across organizations worldwide. In December 2022, HHS warned the U.S. healthcare sector about the ransomware. Now, the FBI, CISA, and the MS-ISAC have published a joint cybersecurity advisory on the threat.

Diving into details

  • Also known as LockBit Black, LockBit 3.0 is far more modular than its predecessors and accepts a range of command-line arguments that change its behavior at run time, so the same build can act differently on each deployment.
  • To hinder detection and analysis, LockBit 3.0 builds can be password-protected: the encrypted executable only unpacks and runs when launched with the correct password, so a sample recovered without that password cannot be detonated in a sandbox or fully analyzed.
  • LockBit 3.0 takes specific arguments for lateral movement, allowing it to spread across a network once it has a foothold. Affiliates gain initial access through RDP exploitation, drive-by compromise, phishing, abuse of valid (compromised) credentials, and exploitation of vulnerabilities in public-facing applications.
  • Once running, LockBit Black attempts to escalate privileges, gathers system and network information, terminates processes and services, launches commands, and enables automatic logon for persistence.
  • For lateral movement, LockBit 3.0 uses a hardcoded list of credentials (or a compromised local account with elevated privileges) and can also propagate via Group Policy Objects and PsExec over the SMB protocol.
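Two of the behaviors above leave well-known host artifacts: PsExec-style lateral movement installs a service on the target (Windows System log event 7045, service name PSEXESVC by default), and automatic-logon persistence sets AutoAdminLogon, DefaultUserName and DefaultPassword under the Winlogon registry key (Sysmon event 13). The following is an added detection example, not code from the advisory or from Cyware, that runs those two checks over constructed Windows/Sysmon-style event records. The event field names follow the real event schemas, but the hostnames, account names and image paths are made up for the example.

```python
"""
Added example (not from the CISA/FBI/MS-ISAC advisory or the Cyware brief).
Toy detection logic for two LockBit 3.0 behaviours, run over constructed
Windows/Sysmon-style events embedded below:

  1. Lateral movement with PsExec over SMB: PsExec copies its service binary
     into the target's ADMIN$ share (%SystemRoot%) and registers a service,
     which the System log records as event 7045.
  2. Persistence via automatic logon: AutoAdminLogon=1 plus a cleartext
     DefaultPassword under the Winlogon key, seen as Sysmon event 13.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# AutoAdminLogon is normally REG_SZ "1"; Sysmon renders a DWORD as "DWORD (0x00000001)".
_TRUE_RE = re.compile(r"^(?:1|DWORD \(0x0*1\))$")

# PsExec's default service name. A renamed service (psexec -r) still drops
# its .exe directly in %SystemRoot% via ADMIN$, so flag that shape as well.
_PSEXEC_NAME_RE = re.compile(r"^PSEXESVC$", re.IGNORECASE)
_SYSTEMROOT_EXE_RE = re.compile(r"^(?:%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def detect_psexec_service(events):
    """System log 7045 (new service installed) matching PsExec's footprint."""
    alerts = []
    for ev in events:
        if ev.get("event_id") != 7045:
            continue
        name, image = ev.get("ServiceName", ""), ev.get("ImagePath", "")
        if _PSEXEC_NAME_RE.match(name):
            alerts.append(Alert(ev["host"], "psexec_service",
                                f"service {name} ({image}) installed by {ev.get('AccountName')}"))
        elif _SYSTEMROOT_EXE_RE.match(image):
            alerts.append(Alert(ev["host"], "systemroot_service",
                                f"service {name} runs {image}; possible renamed PsExec"))
    return alerts


def detect_autologon(events):
    """Sysmon 13 (registry value set): AutoAdminLogon=1 together with a
    DefaultPassword on the same host. AutoAdminLogon alone is common on
    kiosks; requiring the staged password keeps the rule quiet there."""
    per_host = defaultdict(dict)
    for ev in events:
        if ev.get("event_id") != 13:
            continue
        target = ev.get("TargetObject", "")
        if not target.upper().startswith(WINLOGON_KEY.upper() + "\\"):
            continue
        value_name = target.rsplit("\\", 1)[1]
        per_host[ev["host"]][value_name] = (ev.get("Details", ""), ev.get("Image", ""))
    alerts = []
    for host, values in per_host.items():
        auto_logon = values.get("AutoAdminLogon", ("", ""))[0]
        if _TRUE_RE.match(auto_logon) and "DefaultPassword" in values:
            user = values.get("DefaultUserName", ("?", ""))[0]
            setter = values["DefaultPassword"][1]
            alerts.append(Alert(host, "autologon_persistence",
                                f"AutoAdminLogon=1 with DefaultPassword for {user}, set by {setter}"))
    return alerts


def run_detections(events):
    return detect_psexec_service(events) + detect_autologon(events)


# Constructed sample events (not real telemetry); hosts, accounts and the
# payload path are invented for this example.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"event_id": 7045, "host": "WS07", "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe", "AccountName": "LocalSystem"},
    {"event_id": 13, "host": "FS01", "TargetObject": WINLOGON_KEY + "\\AutoAdminLogon",
     "Details": "1", "Image": "C:\\Users\\Public\\payload.exe"},
    {"event_id": 13, "host": "FS01", "TargetObject": WINLOGON_KEY + "\\DefaultUserName",
     "Details": "svc_backup", "Image": "C:\\Users\\Public\\payload.exe"},
    {"event_id": 13, "host": "FS01", "TargetObject": WINLOGON_KEY + "\\DefaultPassword",
     "Details": "P@ssw0rd!", "Image": "C:\\Users\\Public\\payload.exe"},
    # Kiosk that only sets AutoAdminLogon with no staged password: must not alert.
    {"event_id": 13, "host": "KIOSK2", "TargetObject": WINLOGON_KEY + "\\AutoAdminLogon",
     "Details": "1", "Image": "C:\\Windows\\regedit.exe"},
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Run against the embedded sample, FS01 raises both a psexec_service and an autologon_persistence alert while WS07 (a legitimate service under System32) and KIOSK2 stay silent. In production the same logic would consume forwarded event logs, and the autologon rule should also fire on any DefaultPassword write regardless of AutoAdminLogon if the writing image is not an administrative tool.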

LockBit activities

  • Earlier in March, LockBit operators were reported to be bypassing the Mark-of-the-Web (MOTW) protection mechanism. The group also used a set of evasion techniques in a campaign that ran from December 2022 to January 2023.
  • LockBit Black is, in fact, not the latest version of the ransomware; that is LockBit Green, which shares much of its code with Conti ransomware v3. LockBit Green also appends random file extensions to encrypted files instead of the standard .lockbit extension.

The bottom line

CISA, the FBI, and the MS-ISAC recommend implementing best practices to mitigate the risk of ransomware attacks. These include maintaining a tested recovery plan and offline backups, enforcing strong, unique passwords and phishing-resistant multi-factor authentication for all accounts, deploying anti-phishing controls, keeping operating systems and software patched, and segmenting the network, among others.
Cyware Publisher
