LockBit 3.0: A Deeper Look 
L

LockBit 3.0: A Deeper Look 

By Austin Miller

After last week’s whistle stop tour on how LockBit 3.0 has changed to infect and lock up systems in a new way, we’re now going to take a look at the specific tactics, processes, and procedures that the malware uses to infiltrate the machines of unwitting victims. Thanks to research from @petrovic082, another sample was analyzed on VirusTotal – this time, including plenty of information about the adopted PowerShell from BlackMatter, the injection DLL, and the obfuscation used to defend the script. 

The Processes 

Three different processes run when LockBit has infected a system: 

  • Powershell.exe (A PowerShell executable runs) 
  • CMSTPLUA (see em es tee pee el yoo ay runs and launches multiple subprocesses that start to encrypt files and upload the ransom background image) 
  • printfilterpipelinesvc.exe (An executable called print filter pipeline es vee see launches a OneNote document which  

In combination, these launch and lock down the system in a grand total of 60 seconds. That’s pretty rapid, but it’s evident that this third iteration of LockBit has been improved to increase the amount of suffering it can dish out to an IT team. With that in mind, let’s have a look at the process in action. 

Process #1: PowerShell 

After initial infection, a PowerShell command – -file – is launched. Pulling the fff[.]ps1 file from the dropped .dll, the payload quickly gets to encrypting the system files.  

If you want a closer look at how this PowerShell script functions, here is a piece of the deobfuscated code. 

The most interesting part of a full code analysis, however, is the main function – see the picture below to see how the LockBit ransomware sets off its malicious payload: 

And now compare it with the main function from BlackMatter: 

Not that different, right? Although no one can know everything about every single piece of malware out there, a comprehensive understanding of malware types and a robust security posture will help you more than you think it will. 

Process #2: Encryption 

As shown in the image below, a stylized B-like symbol is added in place of the existing file images and the file type is changed to stop the victim from accessing their files. As evidenced in @petrovic082’s breakdown, this process is practically instantaneous – when the PowerShell command runs, a standard system will be locked down easily.

Process #3: Ransom 

What would ransomware be without a ransom note? After the files are encrypted, LockBit 3.0 launches the ominous black screen and directs the victim to the installed ransom note (19MqZqZ0s.README[.]txt). 

How do I protect my organization? 

It’s never enough just to know what is at the gates – you have to know how to battle it. Thankfully, some standard best practices are effective in stopping LockBit 3.0 from locking down your systems and stopping the bad guys get away with it. 

  • Employ an effective backing up system which allows you access to all key files in the case of a ransomware attack. Example protocols could include the 3-2-1 rule
  • Improve your defenses against social engineering attacks, such as using software to filter outside emails entering the organization. As this malware has been shown to use email-based phishing attacks to spread, locking down emails is the easiest way to improve defenses. 
  • Patch, patch, patch, update, update, update – as always, keep your systems and anti-malware / anti-virus up to date to stop the ransomware onto your systems. Find the indicators of compromise below to strengthen your defenses before it’s too late! 

Indicators of Compromise 

As always, staying ahead of the game is key to surviving adversarial developments. That’s why we’re providing the following IoCs to help you spot LockBit 3.0 before it becomes a problem for you and your team. 

SHA-256 

80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce 

a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e 

d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee 

506f3b12853375a1fbbf85c82ddf13341cf941c5acd4a39a51d6addf145a7a51 

c597c75c6b6b283e3b5c8caeee095d60902e7396536444b59513677a94667ff8 

917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2 

Detection names 

Ransom.Win32.LOCKBIT.YXCGD 

Ransom.Win32.LOCKBIT.YXCGFT 

Ransom.Win32.LOCKBIT.YXCGD 

Ransom.Win32.LOCKBIT.YXCGKT 

Ransom.PS1.LOCKBIT.YXCGTT 

Ransom.Win32.LOCKBIT.YXCGT 

Stay up to date with the latest threats

Our newsletter is packed with analysis of trending threats and attacks, practical tutorials, hands-on labs, and actionable content. No spam. No jibber jabber.