LockBit 3.0

LockBit 3.0 is an evolution of the LockBit Ransomware-as-a-Service (RaaS) offering with similarities to BlackMatter and BlackCat ransomware. LockBit 3.0 has been in use since at least June 2022 and features enhanced defense evasion and exfiltration tactics, robust encryption methods for Windows and VMware ESXi systems, and a more refined RaaS structure than its predecessors such as LockBit 2.0.[1][2][3][4]

ID: S1202
Associated Software: LockBit Black
Type: MALWARE
Platforms: Windows
Contributors: Matt Brenton, Zurich Global Information Security
Version: 1.0
Created: 05 February 2025
Last Modified: 06 February 2025

Associated Software Descriptions

Name Description
LockBit Black [2][3][1]

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

LockBit 3.0 can bypass UAC to execute code with elevated privileges through an elevated Component Object Model (COM) interface.[3]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

LockBit 3.0 can use HTTP to send victim host information to C2.[3][4]

Enterprise T1547 .004 Boot or Logon Autostart Execution: Winlogon Helper DLL

LockBit 3.0 can enable automatic logon through the SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Registry key.[3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

LockBit 3.0 can use PowerShell to apply Group Policy changes.[3]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

LockBit 3.0 can install system services for persistence.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

LockBit 3.0 can Base64-encode C2 communication.[3]

Enterprise T1486 Data Encrypted for Impact

LockBit 3.0 can encrypt targeted data using the AES-256, ChaCha20, or RSA-2048 algorithms.[2][1][3][4]

Enterprise T1622 Debugger Evasion

LockBit 3.0 can check heap memory parameters for indications of a debugger and stop the flow of events to the attached debugger in order to hinder dynamic analysis.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

The LockBit 3.0 payload is decrypted at runtime.[1][3][4]

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

LockBit 3.0 can enable options for propagation through Group Policy Objects.[3]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

LockBit 3.0 can encrypt C2 communications with AES.[3]

Enterprise T1480 Execution Guardrails

LockBit 3.0 can make execution conditional on specific parameters, including a unique passphrase and the targeted host's system language not appearing on a set exclusion list.[2][1][3]

Enterprise T1480 .002 Execution Guardrails: Mutual Exclusion

LockBit 3.0 can create and check for a mutex containing a hash of the MachineGUID value at execution to prevent running more than one instance.[3]

Enterprise T1083 File and Directory Discovery

LockBit 3.0 can exclude files associated with core system functions from encryption.[3]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

LockBit 3.0 can disable security tools to evade detection including Windows Defender.[2][3][4]

Enterprise T1562 .009 Impair Defenses: Safe Mode Boot

LockBit 3.0 can reboot the infected host into Safe Mode.[3]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

LockBit 3.0 can delete log files on targeted systems.[2][3]

Enterprise T1070 .004 Indicator Removal: File Deletion

LockBit 3.0 can delete itself from disk.[2][3]

Enterprise T1490 Inhibit System Recovery

LockBit 3.0 can delete volume shadow copies.[2][3][4]

Enterprise T1112 Modify Registry

LockBit 3.0 can modify Registry values to change the Group Policy refresh time, disable SmartScreen, and disable Windows Defender.[3][4]

Enterprise T1106 Native API

LockBit 3.0 can directly call native Windows API functions during execution.[1][4]

Enterprise T1135 Network Share Discovery

LockBit 3.0 can identify network shares on compromised systems.[3]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

LockBit 3.0 can use code packing to hinder analysis.[1][4]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

The LockBit 3.0 payload includes an encrypted main component.[1][3]

Enterprise T1120 Peripheral Device Discovery

LockBit 3.0 has the ability to discover external storage devices.[3]

Enterprise T1057 Process Discovery

LockBit 3.0 can identify and terminate specific services.[1][2]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

LockBit 3.0 can use SMB for lateral movement.[3]

Enterprise T1489 Service Stop

LockBit 3.0 can terminate targeted processes and services related to security, backup, database management, and other applications that could stop or interfere with encryption.[2][1][3][4]

Enterprise T1218 .003 System Binary Proxy Execution: CMSTP

LockBit 3.0 can attempt a CMSTP UAC bypass if it does not have administrative privileges.[1]

Enterprise T1082 System Information Discovery

LockBit 3.0 can enumerate system hostname, domain, and local drive configuration.[3]

Enterprise T1614 .001 System Location Discovery: System Language Discovery

LockBit 3.0 will not affect machines with language settings matching a defined exclusion list of mainly Eastern European languages.[2][3]

Enterprise T1569 .002 System Services: Service Execution

LockBit 3.0 can use PsExec to execute commands and payloads.[2]

Enterprise T1078 .003 Valid Accounts: Local Accounts

LockBit 3.0 can use a compromised local account for lateral movement.[3]

References