Lockbit 3.0 Ransomware Group Target Multiple Sectors and Organizations Worldwide

LockBit ransomware is a popular and active ransomware group first detected in September 2019 and used by Threat Actors (TAs) to target multiple sectors and organizations worldwide.

According to CYBLE, Cyber Threat Intelligence Company, “We determine that over 1/3rd of the ransomware gang’s victims are from the BFSI sector, followed by the Professional Services sector.”

Image: Cyble

Cyble Research Labs came across a Twitter post wherein a researcher mentioned that a new version of ransomware named “LockBit 3.0” (also referred to as “LockBit Black”) is now active in the wild.

LockBit 3.0 Ransomware

The recent blog post published by Cyble mention that LockBit 3.0 encrypts files on the victim’s machine and appends the extension of encrypted files as “HLJkNskOq.” LockBit ransomware requires a key from the command-line argument “-pass” to execute.

LockBit 3.0 Ransomware Process Tree

Experts say, the ransomware is encrypted and decrypts the strings and code during runtime, and resolves its API functions dynamically.

Subsequently, it creates a mutex to make sure that only one instance of malware is running on the victim’s system at any given time. The malware exits if the mutex is already present.

Experts mention that ransomware creates multiple threads to perform several tasks in parallel for faster file encryption. Each thread is responsible for querying system information, getting drive details, ransom note creation, getting file attributes, deleting services, file search, encryption, etc.

LockBit 3.0 ransomware deletes a few services to encrypt the files successfully. To delete these services, the ransomware calls the OpenSCManagerA() API to get the service control manager database access. At last, the ransomware changes the victim’s wallpaper.

LockBit 3.0 Changing Desktop Background

Here the victims are instructed on how to pay the ransom to decrypt their encrypted files. Additionally, the TAs threatens the victims stating that their personal data will be posted on their leak site if the ransom is not paid within the specified window.

TAs behind LockBit 3.0 suggest that their victims buy Bitcoin using the payment options

Ways to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.