Since its emergence in July 2022, LockBit3.0 (also known as LockBit Black) has become one of the most notorious ransomware threats worldwide. Several industries have been adversely impacted by LockBit3.0, with numerous semiconductor firms in Taiwan falling victim to its ransom demands.
At this point, LockBit3.0 not only maintains its RaaS (Ransomware as a Service) platform operations, but also steadily enhances its encryption capabilities with various techniques, particularly those focused on anti-analysis.
The ransomware requires a password to unpack the original text section, a technique similarly employed by Egregor and BlackCat. Based on code similarities, many researchers assert that the majority of the techniques utilized by LockBit3.0 are derived from BlackMatter/Darkside.
Figure 1. The entry points of LockBit3.0 (Left) and BlackMatter (Right) are very similar
Figure 2. The ParseApiHashTable functions of LockBit3.0 (Left) and BlackMatter (Right) follow the same operations
Utilizing its configuration file, the threat actor can tailor the encryptor for a more adaptable range of options, including customizing the list of terminated services/processes, ransom note, files and folders whitelist, and more.
In this analysis, we examined the sample (sha256: 80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce) and highlighted the most prominent techniques employed by LockBit3.0.
Figure 3. The computer held ransom by LockBit3.0 will have its wallpaper changed, and the icon of the encrypted file will be replaced with Lockbit’s
Figure 4. Using this script, the configuration can be dumped from the sample – Part 1
Figure 5. Using this script, the configuration can be dumped from the sample – Part 2
The analyzed sample can be broken down into four distinct phases: Unpack Sections, Reconstruct IAT, Escalate Privilege, and Ransom Main.
1. In the Unpack Sections phase, the actual sections are decrypted.
2. The Reconstruct IAT phase not only restores the functionality of the IAT but also obfuscates the address using a customized stub.
3. During the Escalate Privilege phase, the sample attempts to elevate itself by acquiring higher privileges.
4. The Ransom Main phase is the most complex stage. Most functions are initiated as child threads, and operations corresponding to the decrypted configuration from the Escalate Privilege phase are executed.
Figure 6. The code flow of LockBit 3.0
Figure 7. The analyzed sample consists of 4 steps
MITRE ATT&CK Tactics and Techniques
Initially, we employ the MITRE ATT&CK Tactics and Techniques framework to meticulously examine the LockBit3.0 attack methodology. Following this comprehensive analysis, we delve into the distinctive aspects of the method, enabling readers to gain a thorough understanding of how to dissect these specialized techniques:
Table 1. MITRE ATT&CK Tactics and Techniques
|MITRE Tactics|MITRE Techniques|Description|
|---|---|---|
|Execution|T1106 Native API|LockBit3.0 adopts Native Windows API|
|Execution|T1047 WMI|LockBit3.0 deletes shadow copies through WMI|
|Persistence|T1547.001 Registry Run Keys|LockBit3.0 sets autorun registry in the safeboot mode|
|Privilege Escalation|T1134.001 Token Impersonation|LockBit3.0 attempts to impersonate other processes by duplicating their tokens|
|Privilege Escalation|T1548.002 Bypass User Account Control|LockBit3.0 adopts “CMSTPLUA UAC Bypass” techniques to bypass UAC|
|Defense Evasion|T1140 Deobfuscate/Decode Files or Information|LockBit3.0 requires a password to decrypt the sections|
|Defense Evasion|T1562.001 Impair Defenses: Disable or Modify Tools|LockBit3.0 disables Windows Defender to evade detection|
|Defense Evasion|T1070.001 Indicator Removal: Clear Windows Event Logs|LockBit3.0 disables Windows Event Logs to evade detection|
|Defense Evasion|T1027 Obfuscated Files or Information|LockBit3.0 obfuscates stack strings to make analysis more difficult|
|Defense Evasion|T1027.007 Dynamic API Resolution|LockBit3.0 resolves APIs dynamically by comparing the customized hash and modifying the stub in the IAT to make analysis more difficult|
|Defense Evasion|T1622 Debugger Evasion|LockBit3.0 adopts multiple anti-debug techniques to make analysis more difficult|
|Defense Evasion|T1112 Modify Registry|LockBit3.0 modifies multiple registry keys (for example, it customizes the desktop by changing the wallpaper and icons)|
|Discovery|T1614.001 System Location Discovery: System Language Discovery|LockBit3.0 detects language settings to determine whether to execute or not|
|Lateral Movement|T1570 Lateral Tool Transfer|LockBit3.0 laterally moves to other computers through Admin Shares or Domain Group Policy|
|Impact|T1486 Data Encrypted for Impact|LockBit3.0 encrypts all the targeted files|
|Impact|T1490 Inhibit System Recovery|LockBit3.0 deletes shadow copies to prevent victims from recovering the encrypted files|
|Impact|T1489 Service Stop|LockBit3.0 stops the processes and services listed in the hardcoded configuration|
1. T1140 Deobfuscate and Decode Files or Information
- A stub, situated in the .itext section, serves to decrypt the sections using a password acquired from command line arguments.
Figure 8. The decryption routine is at sub_41B000
Figure 9. Identify the keyword ‘-pass’ in the command line
- Following the decryption of the text section, the .itext section undergoes a transformation, and the analyzed sample ultimately comprises four distinct functions.
Figure 10. Compare the difference between the unpacked one (Left) and the packed one (Right) – Part 1
Figure 11. Compare the difference between the unpacked one (Left) and the packed one (Right) – Part 2
2. T1027 Obfuscated Files or Information
- To enhance obfuscation, LockBit3.0 employs the following techniques to increase the complexity of analysis:
A. Utilizing String Hash Matching
Figure 12. The string hash function is at 0x4011E4
B. Implementing Stack String Obfuscation
Figure 13. The string decrypt function is at 0x401260
3. T1027.007 Dynamic API Resolution
- In order to rebuild the Import Address Table (IAT), LockBit3.0 employs a highly intricate approach.
Figure 14. The function for reconstructing IAT is at 0x408254
- The process of reconstructing the IAT involves three stages:
A. Identifying DLLs within the system memory using string hashes.
B. Extracting the API address by parsing the InLoadOrderModuleList and comparing the API name hash.
C. Arbitrarily selecting one of the five available stubs for IAT reconstruction. Each stub retrieves the genuine API address through a circular shift and XOR operation using a hardcoded key.
Figure 15. The preparation of the obfuscated API addresses is actually an invertible operation
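The rotate-and-XOR stub scheme described in stage C, modelled as an added example (not code from the sample or from any referenced analysis): each stub variant is a short op list, the IAT builder stores the value produced by the inverse ops in reverse order, and an analyst who knows the variant and its constants can recover the real address. The five variants, their keys, rotation counts and the addresses are constructed for this example; the real sample's constants differ.

```python
MASK = 0xFFFFFFFF  # 32-bit sample, so every operation is reduced mod 2**32

def ror(v, n):
    n %= 32
    return ((v >> n) | (v << (32 - n))) & MASK

def rol(v, n):
    n %= 32
    return ((v << n) | (v >> (32 - n))) & MASK

# Each stub is an op list applied to the stored IAT value at call time.
# Constructed for this example: the real sample's keys and rotations differ.
STUB_VARIANTS = {
    0: [("ror", 5), ("xor", 0x10035FFF)],
    1: [("xor", 0x8B5E1A3C), ("rol", 13)],
    2: [("rol", 7), ("xor", 0x4D5A9000)],
    3: [("xor", 0xDEADBEEF), ("ror", 21)],
    4: [("ror", 11), ("xor", 0x0BADF00D), ("rol", 3)],
}

# XOR is its own inverse; a right rotate is undone by a left rotate and vice versa.
_INVERSE = {"xor": "xor", "ror": "rol", "rol": "ror"}

def apply_ops(value, ops):
    for op, arg in ops:
        if op == "xor":
            value = (value ^ arg) & MASK
        elif op == "ror":
            value = ror(value, arg)
        elif op == "rol":
            value = rol(value, arg)
        else:
            raise ValueError(f"unknown op {op}")
    return value

def stub_resolve(stored, stub_id):
    """What the selected stub computes at call time: stored IAT value -> real API address."""
    return apply_ops(stored, STUB_VARIANTS[stub_id])

def prepare_entry(real_addr, stub_id):
    """What the IAT builder stores: the inverse ops, applied in reverse order."""
    inverse_ops = [(_INVERSE[op], arg) for op, arg in reversed(STUB_VARIANTS[stub_id])]
    return apply_ops(real_addr, inverse_ops)

def deobfuscate_iat(iat):
    """iat: {import_name: (stub_id, stored_value)} -> {import_name: real_address}."""
    return {name: stub_resolve(stored, sid) for name, (sid, stored) in iat.items()}
```

Recovering the real table in a memory dump therefore reduces to identifying which of the five stubs each IAT slot points at and replaying its op list.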
4. T1614.001 System Location Discovery: System Language Discovery
- LockBit3.0 incorporates a code snippet originating from BlackMatter/Darkside. If the detected language is among the following: Russian (0x419), Ukrainian (0x22), Belarusian (0x23), etc., the execution will be halted.
Figure 16. The code snippet of language checking is the same as BlackMatter/Darkside
5. T1490 Inhibit System Recovery
- In order to hinder the recovery of encrypted files from shadow copies, LockBit3.0 also terminates and removes the VSS service. Subsequently, it eliminates the shadow copies of disks utilizing the WMI interface.
Figure 17. Delete shadow copies through WMI
6. T1562.001 Impair Defenses: Disable or Modify Tools
- To disable Windows Defender, the analyzed sample replicates the access token of the Trusted Installer Service, which is authorized to halt Windows Defender. Utilizing this access token, it can effectively stop and remove services associated with Windows Defender.
Figure 18. Stops the services matched to one of the string hashes
7. T1070.001 Indicator Removal: Clear Windows Event Logs
- To eradicate traces in the Windows Event Log, the analyzed sample clears the event logs and ceases the corresponding services, ensuring that no evidence remains.
Figure 19. The decrypted stack strings for Windows Event Log
Figure 20. LockBit3.0 clears the event log with ClearEventLogW()
Figure 21. Terminates and deletes Windows Event Log services
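Detection logic for the recovery-inhibition (section 5) and event-log-clearing (section 7) behaviours described above, as an added example rather than anything from the sample or from Stellar: the rules correlate, per process, VSS and EventLog service stop/delete, shadow-copy deletion through WMI, and log-cleared events. The records are constructed and use this example's own simplified field names; only event IDs 1102 (Security audit log cleared) and 104 (System log cleared) are real Windows values.

```python
# Constructed, simplified telemetry: one process (pid 4120) performs the chain
# described above; pid 988 stops an unrelated service and should not be flagged.
SAMPLE_EVENTS = [
    {"ts": "2023-02-26T10:01:02Z", "kind": "service", "action": "stop", "name": "VSS", "pid": 4120},
    {"ts": "2023-02-26T10:01:03Z", "kind": "service", "action": "delete", "name": "VSS", "pid": 4120},
    {"ts": "2023-02-26T10:01:05Z", "kind": "wmi", "query": "SELECT * FROM Win32_ShadowCopy",
     "method": "Delete", "pid": 4120},
    {"ts": "2023-02-26T10:01:09Z", "kind": "eventlog", "event_id": 1102, "channel": "Security", "pid": 4120},
    {"ts": "2023-02-26T10:01:10Z", "kind": "eventlog", "event_id": 104, "channel": "System", "pid": 4120},
    {"ts": "2023-02-26T10:01:11Z", "kind": "service", "action": "stop", "name": "EventLog", "pid": 4120},
    {"ts": "2023-02-26T10:30:00Z", "kind": "service", "action": "stop", "name": "Spooler", "pid": 988},
]

LOG_CLEARED_IDS = {1102, 104}  # real Windows event IDs for a cleared Security / System log

def classify(ev):
    """Map one record to the ATT&CK technique it evidences, or None."""
    kind = ev.get("kind")
    if kind == "service" and ev.get("action") in ("stop", "delete"):
        name = ev.get("name", "").lower()
        if name == "vss":
            return "T1490"
        if name == "eventlog":
            return "T1070.001"
    elif kind == "wmi":
        if "win32_shadowcopy" in ev.get("query", "").lower() and ev.get("method") == "Delete":
            return "T1490"
    elif kind == "eventlog" and ev.get("event_id") in LOG_CLEARED_IDS:
        return "T1070.001"
    return None

def detect(events):
    """Return {pid: sorted technique ids} for every process that shows at least one behaviour."""
    hits = {}
    for ev in events:
        tech = classify(ev)
        if tech:
            hits.setdefault(ev["pid"], set()).add(tech)
    return {pid: sorted(t) for pid, t in hits.items()}

def high_confidence(events):
    """Processes showing both recovery inhibition and log clearing, the pairing described above."""
    return sorted(pid for pid, t in detect(events).items() if {"T1490", "T1070.001"} <= set(t))
```

Per-process correlation matters here: a lone service stop is common administrative noise, while shadow-copy removal followed by log clearing from the same process is the sequence worth paging on.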
8. T1489 Service Stop
- To halt processes, LockBit3.0 utilizes the Windows API function TerminateProcess.
- To cease services, LockBit3.0 employs the Windows API functions ControlService and DeleteService.
Figure 22. The stopped services and processes in the analyzed sample
9. T1486 Data Encrypted for Impact
- LockBit3.0 incorporates a multithreading file encryption approach through the use of IoCompletionPort.
Figure 23. Creates multiple threads for file encryption
Figure 24. The main logic for handling multithreading file encryption
- Throughout the execution process, the ransom note remains obfuscated until it is ultimately written to the file.
Figure 25. The ransom note of LockBit3.0
Figure 26. The ransom note in memory
- The analyzed sample saves the icon and wallpaper within the C:\ProgramData directory.
Figure 27. The icon of LockBit3.0
Figure 28. The wallpaper of LockBit3.0
1. Stellar can detect LockBit3.0 ransomware with Realtime Scanning
Stellar is the first solution to provide uninterrupted protection and comprehensive oversight for both legacy and modernized assets operating concurrently. By utilizing the advanced threat scan of real-time scanning, it is possible to detect malicious software in real time. Upon detection of such software, it will display event log messages reporting the name, path, and security risk of the infected file.
Figure 29. LockBit3.0 quarantined by Stellar
2. Stellar can prevent the execution of LockBit3.0 ransomware by Application Lockdown
Stellar provides support for application lockdown, which can prevent programs, DLL files, drivers, and scripts that are not explicitly included in the approved application list from running. By blocking malicious software and preventing accidental use, Stellar ensures operational integrity, reduces downtime, and provides cost savings through increased flexibility, especially for systems that cannot be patched.
Figure 30. The execution of LockBit3.0 blocked by Stellar
Indicators of Compromise (IoCs)
- NorthwaveSecurity, GitHub – NorthwaveSecurity/lockbit3: An assortment of scripts used in the analysis of Lockbit 3.0, NorthwaveSecurity’s GitHub, accessed Feb 26, 2023
- Ivan Nicole Chavez, Byron Gelera, Katherine Casona, Nathaniel Morales, Ieriz Nicolle Gonzalez, Nathaniel Gregory Ragasa, LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities, Trend Micro, Jul 25, 2022
- Chuong Dong, Darkside Ransomware, Chuong Dong’s Blog, May 6, 2021
- Chuong Dong, BlackMatter Ransomware v2.0, Chuong Dong’s Blog, Sep 5, 2021
- Dana Behling, https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html, VMware, Oct 15, 2022
- Alexandre Mundo, LockBit3.0: A Threat that Persists, Trellix, Nov 17, 2022
- Jim Walter, LockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques, SentinelOne, Jul 21, 2022