Theft, extortion, blackmail, and impersonation are rife online, with thousands of people falling victim to various scams and attacks every month. One such mode of attack uses a kind of ransomware known as LockBit 3.0. So, where did this ransomware come from, how is it being used, and what can you do to protect yourself?

Where Did LockBit 3.0 Come From?

LockBit 3.0 (also known as LockBit Black) is a strain of ransomware born out of the LockBit ransomware family. This is a group of ransomware programs that was first discovered in September 2019, after the first wave of attacks took place. Initially, LockBit was referred to as the ".abcd virus", but at that point, it was not known that LockBit's creators and users would continue to create new iterations of the original ransomware program.

LockBit's family of ransomware programs is self-spreading, but only certain victims are targeted—mainly those with the ability to pay a large ransom. Those who use LockBit ransomware often purchase Remote Desktop Protocol (RDP) access on the dark web so that they can access victims' devices remotely and more easily.

LockBit's operators have targeted organizations around the world since its first use, including the UK, US, Ukraine, and France. This family of malicious programs uses the Ransomware-as-a-Service (RaaS) model, wherein users can pay the operators to have access to a given kind of ransomware. This often involves some form of subscription. Sometimes, users can even check statistics to see if their use of LockBit ransomware was successful.

It wasn't until 2021 that LockBit became a prevalent kind of ransomware, through LockBit 2.0 (the current strain's predecessor). At this point, the gangs who used this ransomware decided to adopt the double extortion model. This involves both encrypting and exfiltrating (or transferring) a victim's files to another device. This additional attack method makes the entire situation even scarier for the targeted individual or organization.

The most recent kind of LockBit ransomware has been identified as LockBit 3.0. So, how does LockBit 3.0 work, and how is it being used today?

What Is LockBit 3.0?

In late Spring 2022, a new iteration of the LockBit ransomware was discovered: LockBit 3.0. As a ransomware program, LockBit 3.0 can encrypt and exfiltrate all the files on an infected device, allowing the attacker to hold the victim's data hostage until the requested ransom is paid. This ransomware is now active in the wild, and is causing a lot of concern.

The process of a typical LockBit 3.0 attack is:

  1. LockBit 3.0 infects a victim's device, encrypts files, and appends the extension "HLjkNskOq" to the encrypted files.
  2. A command-line argument key known as "-pass" is then required to carry out the encryption.
  3. LockBit 3.0 creates various threads to perform multiple tasks simultaneously so that the data encryption can be completed in less time.
  4. LockBit 3.0 deletes certain services or features to make the encryption and exfiltration process that much easier.
  5. An API call is used to obtain access to the Service Control Manager database.
  6. The victim's desktop wallpaper is changed so that they know they're under attack.

If the ransom is not paid by the victim in the required window of time, LockBit 3.0 attackers will then sell the data they have stolen on the dark web to other cybercriminals. This can be catastrophic for both an individual victim and an organization.

At the time of writing, LockBit 3.0 is most notable for exploiting Windows Defender to deploy Cobalt Strike, a penetration testing tool that can drop payloads. This software can also cause a chain of malware infections across multiple devices.

In this process, the command-line tool MpCmdRun.exe is exploited so that the attacker can decrypt and launch the beacons. This is done by tricking the system into prioritizing and loading a malicious DLL (Dynamic-Link Library).

The MpCmdRun.exe executable file is used by Windows Defender to scan for malware, hence protecting the device from harmful files and programs. Given that Cobalt Strike can bypass Windows Defender security measures, it has become very useful for ransomware attackers.

This technique is also known as DLL side-loading, and it allows malicious parties to harvest or steal data from infected devices.
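Two of the behaviours described above (the "HLjkNskOq" extension from the attack-process list and MpCmdRun.exe loading a DLL from an unexpected location) can be turned into simple host-telemetry checks. The following is an added example, not code from the article; it runs over constructed Sysmon-style event records, and the trusted Defender directories are an assumption that should be confirmed per host.

```python
"""Toy detector for two LockBit 3.0 indicators from this article: MpCmdRun.exe
loading a DLL from outside Windows Defender's directories (side-loading) and
files written with the .HLjkNskOq extension. Added example, not the article's
code; events are constructed Sysmon-style records (7 = image load, 11 = file
create), not real telemetry."""

# Directories from which MpCmdRun.exe legitimately loads DLLs. Assumption of
# this example; confirm the Defender platform path on the host in use.
TRUSTED_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)
LOCKBIT_EXT = ".hljknskoq"  # extension appended to encrypted files (see above)

def check_image_load(event):
    """Alert when MpCmdRun.exe loads a DLL from outside its trusted directories."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    if not image.endswith("\\mpcmdrun.exe") or not loaded.endswith(".dll"):
        return None  # not a Defender CLI image load; out of scope
    if loaded.startswith(TRUSTED_DIRS):
        return None  # DLL came from a directory Defender itself installs to
    return ("dll_sideload", loaded)

def check_file_create(event):
    """Alert when a newly written file carries the LockBit 3.0 extension."""
    target = event.get("TargetFilename", "").lower()
    return ("lockbit_extension", target) if target.endswith(LOCKBIT_EXT) else None

def scan(events):
    """Dispatch each event to the check for its ID and collect the alerts."""
    handlers = {7: check_image_load, 11: check_file_create}
    results = (handlers.get(ev.get("EventID"), lambda _: None)(ev) for ev in events)
    return [alert for alert in results if alert]

# Constructed sample telemetry: one benign and one suspicious event per check.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\benign.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\Public\Downloads\example.dll"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Documents\report.docx.HLjkNskOq"},
]

if __name__ == "__main__":
    for kind, path in scan(SAMPLE_EVENTS):
        print(f"ALERT {kind}: {path}")
```

Both checks are coarse: the extension check only catches this one LockBit 3.0 build, and the side-loading check depends on knowing every directory Defender legitimately loads from, so treat them as starting points for tuning rather than finished rules.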

How to Avoid LockBit 3.0 Ransomware

LockBit 3.0 is an increasing concern, especially among larger organizations that have mounds of data that can be encrypted and exfiltrated. It's important to ensure that you're steering clear of this dangerous kind of attack.

To do this, you should first make sure that you're using super-strong passwords and two-factor authentication on all your accounts. This added layer of security can make it that much harder for cybercriminals to attack you using ransomware. Consider Remote Desktop Protocol ransomware attacks, for example. In such a scenario, the attacker will scan the internet for vulnerable RDP connections. So, if your connection is password-protected and uses 2FA, you're much less likely to be targeted.

Additionally, you should always keep your devices' operating systems and antivirus programs up to date. Software updates can be time-consuming and frustrating, but there's a reason they exist. Such updates often come with bug fixes and extra security features to keep your devices and data protected, so don't pass up the opportunity to keep your devices updated.

Another important measure, one that mitigates not the ransomware attack itself but its consequences, is backing up your files. Ransomware attackers will withhold information that you need, so having a backup limits the damage to some degree. Offline copies, such as those stored on a USB stick, can be invaluable when data is stolen or wiped from your device.

Post-Infection Measures

While the above suggestions can protect you against LockBit ransomware, there is still a chance of infection. So, if you find your computer has been infected by LockBit 3.0, it's important not to panic. There are steps you can take to remove ransomware from your device, which you should follow closely and carefully.

You should also alert the authorities if you've fallen victim to a ransomware attack. This helps the relevant parties to better understand and tackle a given strain of ransomware.

LockBit 3.0 Attacks May Continue

No one knows how many more times LockBit 3.0 ransomware will be used to threaten and exploit victims. This is why it's crucial to protect your devices and accounts in every way possible, so that your sensitive data stays safe.