On Dec. 12, the Health Sector Cybersecurity Coordination Center (HC3) issued an analyst note on LockBit 3.0 ransomware. LockBit 3.0 is the newest version of the LockBit ransomware that was first discovered in September of 2019.
The note says that “The ransomware family has a history of using the Ransomware-as-a-service (RaaS) model and typically targets organizations that could pay higher ransoms. Historically, this ransomware employs a double extortion technique where sensitive data is encrypted and exfiltrated. The actor requests payment to decrypt data and threatens to leak the sensitive data if the payment is not made. With the new release, it appears that the ransomware is using a triple extortion model where the affected victim may also be asked to purchase their sensitive information. Since its appearance, HC3 is aware of LockBit 3.0 attacks against the Healthcare and Public Healthcare (HPH) sector. Due to the historical nature of ransomware victimizing the healthcare community, LockBit 3.0 should be considered a threat to the HPH sector.”
LockBit 3.0, also dubbed LockBit Black, was discovered in June of this year. The gang operates on the RaaS model with affiliates who lack the resources to build and deploy attacks themselves; a percentage of each ransom goes to the affiliate. Ransom demands have been observed in the millions of dollars (USD). LockBit 3.0 has also been a particular challenge for security researchers, because the malware sometimes requires a 32-character password each time it is launched, which serves as an anti-analysis feature.
The note adds that “Research from Sophos suggests that the ransomware has carried over most of the functions from LockBit 2.0 but has been observed to have new capabilities. Also, the malware appears to be utilizing features of another well-known ransomware, BlackMatter. These similarities include the ability to send ransom notes to a printer on the network, deleting Volume Shadow Copies, obtaining the victim’s operating system, and several debugging features. LockBit 3.0 will take additional steps to attempt to obfuscate itself. Due to the striking number of similarities, Sophos suggests that LockBit 3.0 could be reusing some of the code from BlackMatter.”
That said, “Further research states that LockBit 3.0 is a Win32.exe file, and uses the ‘-pass’ argument for execution. The encryption uses a Base64-encoded hash and an RSA public key in its configuration and hashes it with MD5. The malware is capable of targeting Windows and Linux systems. Additionally, the new strain contains worm capabilities to spread itself without human interaction. Encrypted files can only be unlocked with LockBit’s decryption tool. Once on the network, the ransomware attempts to download command and control (C2) tools such as Cobalt Strike, Metasploit, and Mimikatz.”
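As an added example from the defender's side (not code from the HC3 note, Sophos, or any other party quoted above), the following Python scans process-creation records for two of the behaviours described: deletion of Volume Shadow Copies through the built-in Windows vssadmin and wmic tools, and an executable launched with a `-pass` argument carrying a 32-character token, matching the launch-password behaviour the note describes. The log records are constructed for the example, and the exact shape of the `-pass` argument (a single 32-character token following the flag) is an assumption, so that rule is scored as a medium-confidence triage signal rather than a blocking one.

```python
import re

# Constructed sample process-creation events (Sysmon-style fields, invented for this example).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "jdoe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "user": "jdoe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "SRV02", "user": "backupsvc",
     "cmdline": "vssadmin.exe list shadows"},          # benign: listing, not deleting
    {"host": "WS03", "user": "asmith",
     "cmdline": "update.exe -pass 0123456789abcdef0123456789abcdef"},
    {"host": "WS04", "user": "bob",
     "cmdline": "notepad.exe notes.txt"},
]

# Rule 1: shadow-copy deletion via the two built-in Windows tools used for it.
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
]

# Rule 2 (heuristic; the argument format is an assumption): a process started with
# "-pass <32-character token>". Legitimate tools also take a -pass flag, so this
# is a medium-confidence signal for triage, not a standalone block rule.
PASS_ARG = re.compile(r"(^|\s)-pass\s+(\S{32})(\s|$)", re.IGNORECASE)


def classify_event(event):
    """Return a list of (rule_name, severity) pairs that the event's command line matches."""
    hits = []
    cmd = event["cmdline"]
    if any(p.search(cmd) for p in SHADOW_DELETE):
        hits.append(("shadow_copy_deletion", "high"))
    if PASS_ARG.search(cmd):
        hits.append(("launch_password_argument", "medium"))
    return hits


def scan(events):
    """Run every rule over every event and return one alert dict per rule hit."""
    alerts = []
    for ev in events:
        for rule, severity in classify_event(ev):
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "rule": rule,
                "severity": severity,
                "cmdline": ev["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['host']} {a['user']} {a['rule']}: {a['cmdline']}")
```

Run against the constructed events, the two deletion commands raise high-severity alerts, the `-pass` launch raises a medium one, and the benign `vssadmin list shadows` and notepad launches stay quiet. In a real deployment the shadow-copy rule belongs on the endpoint's process-creation telemetry, and a hit should be treated as a likely sign that encryption is about to begin rather than a curiosity to review later.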
An analyst comments in the note that “LockBit 3.0 is the newest strain of the LockBit ransomware which appeared in June 2022. After a leak on Twitter, the builder has been used by other threat attackers like the Bl00dy ransomware gang. Additionally, LockBit has unveiled their own bug bounty program for reporting vulnerabilities which is open to both ethical and unethical hackers. LockBit has been seen to target multiple organizations globally but has heavily victimized the United States and HPH sector. On previous compromises in the HPH sector, the threat actor has occasionally shared proof via screenshots that the network has been compromised and will threaten to publish the stolen data after a set timeline.”
Other attack vectors HC3 has observed in ransomware campaigns include:
- Phishing
- Remote Desktop Protocol (RDP) compromises and credential abuse
- Exploitation of vulnerabilities in internet-facing systems, such as VPN servers
- Exploitation of other known vulnerabilities