LockBit 3.0 (08c70ea5-9d4d-4146-826e-c5ebd5490378)

Ransomware labeled “LockBit” was first observed in 2020, and since that time, the LockBit group and its affiliates have carried out a very large number of attacks involving a wide range of victims around the world.[U.S. CISA Understanding LockBit June 2023]

LockBit developers have introduced multiple versions of the LockBit encryption tool. According to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), the following major LockBit variants have been observed (first-observed dates in parentheses): ABCD (LockBit malware’s predecessor; September 2019), LockBit (January 2020), LockBit 2.0 (June 2021), LockBit Linux-ESXi Locker (October 2021), LockBit 3.0 (September 2022), LockBit Green (a variant that incorporates source code from Conti ransomware; January 2023), and variants capable of targeting macOS environments (April 2023). As of June 2023, CISA reported that the web panel that offers affiliates access to LockBit malware explicitly listed the LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker variants.[U.S. CISA Understanding LockBit June 2023] According to CISA, LockBit 3.0 (also known as “LockBit Black”) shares code similarities with Blackmatter and BlackCat ransomware and is “more modular and evasive” than previous LockBit strains.[U.S. CISA LockBit 3.0 March 2023]

According to data collected by the ransomwatch project and analyzed by Tidal, LockBit actors publicly claimed 970 victims in 2022 (394 associated with LockBit 3.0), the most of any extortion threat that year. Through April 2023, LockBit had claimed 406 victims (all associated with LockBit 3.0), more than double the number of the next threat (Clop, with 179 victims).[GitHub ransomwatch]

Delivered By: Cobalt Strike[Sentinel Labs LockBit 3.0 July 2022], PsExec[NCC Group Research Blog August 19 2022]

Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit

Malware Bazaar (Samples & IOCs): https://bazaar.abuse.ch/browse/tag/lockbit/

PulseDive (IOCs): https://pulsedive.com/threat/LockBit

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| LockBit Ransomware Actors & Affiliates (d0f3353c-fbdd-4bd5-8793-a42e1f319b59) | Tidal Groups | LockBit 3.0 (08c70ea5-9d4d-4146-826e-c5ebd5490378) | Tidal Software | 1 |