The new Black version of LockBit ransomware is even more destructive and difficult to detect

by time news

A joint advisory from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) aims to distribute information on known LockBit 3.0 ransomware indicators of compromise (IOCs) and techniques (TTPs) that were discovered during FBI investigations in March 2023.

LockBit 3.0 ransomware is a continuation of the LockBit 2.0 and LockBit ransomware programs and operates under a Ransomware-as-a-Service (RaaS) model. LockBit has been running as an affiliate-based ransomware variant since January 2020. Affiliates using the LockBit RaaS employ a wide variety of TTPs to target a wide variety of businesses and critical infrastructure organizations, which can make it difficult to effectively defend computer networks or mitigate the effects of an attack.

LockBit 3.0, also known as “LockBit Black”, is an updated version of the ransomware that is more modular and evasive than its previous versions. It also shares features with the malware known as Blackmatter and Blackcat.

During the build process, LockBit 3.0 is customized with a wide variety of options, each of which influences the way the ransomware operates. When the ransomware is actually executed within a victim environment, numerous arguments can be supplied to further adjust its behavior. For example, LockBit 3.0 accepts additional arguments for some actions, such as lateral movement and safe-mode reboot (see the LockBit command-line parameters under Indicators of Compromise). If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then running the ransomware requires a password argument. Affiliates who do not enter the correct password will not be able to execute the ransomware. The password is a cryptographic key that is used to decrypt the LockBit 3.0 executable.

By encrypting its code so that it is undecipherable and cannot be executed, LockBit 3.0 hinders malware detection and analysis. Because the encrypted portion of the LockBit 3.0 executable changes depending on the cryptographic key that was used for encryption, which also produces a unique hash, signature-based detections may not be able to identify the LockBit 3.0 executable. When given the proper password, LockBit 3.0 decrypts its core component, then continues to decrypt or decompress its code, and finally executes the ransomware.
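The effect described above, as an added Python example that is not code from the advisory or from LockBit: two builds of the same constructed, harmless body encrypted under different passwords get different SHA-256 hashes, so a hash blocklist misses the second build, while a content match on bytes outside the encrypted portion and an entropy check on the encrypted portion still fire. The layout (clear stub followed by an encrypted body), the toy keystream and all names are assumptions for illustration.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-ins: a fixed clear-text stub and a harmless body.
STUB = b"TOYSTUB\x00" + bytes(range(48))
PAYLOAD = b"harmless placeholder body " * 40

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def keystream(password: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); illustration only."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(password + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def build_sample(password: bytes) -> bytes:
    """Assumed layout: clear stub, then the body encrypted under the password."""
    ks = keystream(password, len(PAYLOAD))
    return STUB + bytes(a ^ b for a, b in zip(PAYLOAD, ks))

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def triage(sample: bytes, known_hashes: set) -> dict:
    """Compare a whole-file hash lookup with two key-independent signals."""
    return {
        "hash_match": sha256_hex(sample) in known_hashes,
        "stub_match": STUB in sample,
        "body_entropy": round(entropy(sample[len(STUB):]), 2),
    }

if __name__ == "__main__":
    first, second = build_sample(b"build-A"), build_sample(b"build-B")
    blocklist = {sha256_hex(first)}          # only the first build was ever reported
    print(triage(first, blocklist))
    print(triage(second, blocklist))         # hash lookup misses, other signals hold
```
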

LockBit 3.0 will only infect computers whose language settings do not match a specified exclusion list. A configuration flag that is set at compile time decides whether the system language is checked at runtime. The excluded languages include, but are not limited to, Romanian (spoken in Moldova), Arabic (spoken in Syria) and Tatar (Russia). If a language from the exclusion list is found [T1614.001], LockBit 3.0 will stop execution without infecting the system.

To reduce the risk of ransomware attacks and lessen their severity when they do occur, the FBI, CISA, and MS-ISAC advise companies to implement mitigations.
