What is the LockBit 3.0 ransomware advisory?

Ransomware attacks have been on the rise in recent years, causing major disruptions and financial losses for businesses and organizations around the world. One of the most active and notorious ransomware gangs currently in operation is known as LockBit.

LockBit first appeared in 2019 and has continuously updated its malware, most recently to version 3.0 in 2022. LockBit 3.0 incorporates new techniques to evade detection, encrypt files faster, and pressure victims into paying ransoms through the public leak of sensitive data.

IT security experts have been closely tracking LockBit activities and providing advice to organizations on how to boost defenses against this rapidly evolving threat.

What is LockBit 3.0?

LockBit 3.0 is the latest variant of the LockBit ransomware, which is operated by a sophisticated cybercriminal group that targets organizations globally across a wide range of industries and geographic regions.

This latest LockBit 3.0 version contains upgrades that make it stealthier, faster, and more difficult to combat. Key enhancements include:

  • New obfuscation methods to evade anti-virus detection
  • Faster file encryption speeds to lock down networks quickly
  • Stronger encryption algorithms
  • Expanded targeting capabilities and delivery mechanisms
  • Enhanced techniques to steal data for extortion

The developers of LockBit 3.0 ransomware also operate a Ransomware-as-a-Service (RaaS) model. This means they manage the malware architecture and infection process, while “affiliates” purchase access to deploy it against victims for a cut of any ransom payments.

How does LockBit 3.0 ransomware operate?

LockBit 3.0 retains many of the malicious capabilities that made previous LockBit versions a dangerous threat. Its general attack process involves these steps:

  1. Gaining initial access to target networks through phishing, exploits, stolen credentials, or Remote Desktop Protocol (RDP) access
  2. Using tools like Mimikatz to steal account usernames and passwords from system memory
  3. Disabling security software
  4. Deploying the ransomware package to devices across the network
  5. Encrypting files rapidly with encryption algorithms like AES and RSA
  6. Modifying filenames by appending identification codes
  7. Creating ransom notes in each affected directory with payment instructions
  8. Threatening to publish stolen data to a public “leak site”

This multi-stage infection chain allows the attackers to penetrate deep into the target environment before activating the data-encrypting payload. The enhanced evasion and encryption capabilities make LockBit 3.0’s activities harder to detect and contain once started.
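As an added example (not from the advisory), a defender-side heuristic for the two on-disk artefacts that steps 6 and 7 describe: many files in one directory gaining the same appended identifier, and a ransom note dropped alongside them. The file listing, the identifier and the note name are constructed placeholders, not real LockBit indicators.

```python
import os
import re
from collections import Counter, defaultdict

# Constructed file-server snapshot (not real LockBit artefacts): two directories show
# the post-encryption pattern, one is untouched and contains an ordinary readme.
SAMPLE_PATHS = [
    "share/finance/q3.xlsx.x7k2pq9ab",
    "share/finance/budget.docx.x7k2pq9ab",
    "share/finance/forecast.pptx.x7k2pq9ab",
    "share/finance/x7k2pq9ab.README.txt",
    "share/hr/contracts.pdf.x7k2pq9ab",
    "share/hr/payroll.xlsx.x7k2pq9ab",
    "share/hr/handbook.docx.x7k2pq9ab",
    "share/hr/x7k2pq9ab.README.txt",
    "share/public/readme.txt",
    "share/public/logo.png",
    "share/public/brochure.pdf",
    "share/public/minutes.docx",
]

# Words that commonly appear in ransom-note filenames; tune to your environment.
NOTE_NAME_RE = re.compile(r"readme|restore|recover|decrypt", re.IGNORECASE)
# Legitimate second suffixes that must not be mistaken for an appended identifier.
COMMON_SECOND_EXTS = {"gz", "bz2", "xz", "zip", "bak", "tmp"}


def suspicious_directories(paths, min_files=3, min_share=0.8):
    """Return {directory: appended_id} for directories where at least min_share of the
    data files carry the same unfamiliar extra suffix AND a note-like .txt is present."""
    by_dir = defaultdict(list)
    for path in paths:
        directory, name = os.path.split(path)
        by_dir[directory].append(name)
    hits = {}
    for directory, names in by_dir.items():
        data_files = [n for n in names if not NOTE_NAME_RE.search(n)]
        if len(data_files) < min_files:
            continue  # too few files to judge a rename pattern
        # A renamed file looks like report.docx.<id>: at least two suffixes.
        exts = Counter(n.rsplit(".", 1)[1] for n in data_files
                       if n.count(".") >= 2 and n.rsplit(".", 1)[1] not in COMMON_SECOND_EXTS)
        if not exts:
            continue
        ext, count = exts.most_common(1)[0]
        has_note = any(NOTE_NAME_RE.search(n) and n.lower().endswith(".txt") for n in names)
        if count / len(data_files) >= min_share and has_note:
            hits[directory] = ext
    return hits
```

A note file alone (share/public) or mass renames alone do not trigger; only the combination does, which keeps the heuristic quiet on ordinary file shares.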

What tactics does LockBit 3.0 use?

Some of the notable tactics used by LockBit 3.0 ransomware operators include:

  • Double extortion – Stealing sensitive data during the attack and threatening to leak it publicly if ransom demands are not met.
  • Scaling through affiliates – The RaaS model allows the gang to scale attacks exponentially through its affiliate partners.
  • Targeted hits on large enterprises – Big organizations with deeper pockets are researched and selectively attacked.
  • Anonymous extortion sites – Payment portals and data leak sites are hidden behind Tor and cryptocurrency payments.
  • Sophisticated technologies – Advanced obfuscation, encryption, and spreading mechanisms make LockBit harder to combat.
  • Ransomware education – LockBit runs an active ransomware education site to teach other cybercriminals.

These strategies maximize the gang’s effectiveness and minimize risk. In particular, the double extortion tactic puts enormous pressure on victims to pay, as the cost of stolen data exposure could exceed the ransom amount.

What are the main targets of LockBit 3.0 ransomware?

LockBit 3.0 appears to be an opportunistic threat actor willing to target victims across a diverse range of sectors and regions. However, researchers have observed the gang favoring these types of targets:

  • Organizations in English-speaking countries (e.g. US, Canada, UK, Australia)
  • Critical infrastructure sectors like healthcare, manufacturing, and IT services
  • Large corporations with ample resources to pay ransoms
  • Technology, media, and telecommunications firms
  • Educational institutions
  • Government contractors and vendors

Essentially any organization with valuable data and resources to pay ransoms could be a potential LockBit target. Small businesses may be ignored as they are unlikely to yield a high ransom payout.

Industry Sectors Targeted by LockBit

  Sector          Targeted
  Healthcare      Yes
  Finance         Yes
  Retail          Yes
  Government      Yes
  Technology      Yes
  Manufacturing   Yes
  Education       Yes

Notable LockBit 3.0 ransomware attacks

Some of the major confirmed ransomware attacks carried out by LockBit 3.0 affiliates include:

  • September 2022 – LockBit encrypted systems at Scottish Power, a major UK energy utility firm.
  • August 2022 – US defense contractor Aerospace Testing Engineering & Certification (Atec) was hit by a LockBit attack.
  • July 2022 – LockBit crippled systems at Baykar, a major Turkish defense firm.
  • June 2022 – LockBit infiltrated the network of outsourcing firm Concentrix, stealing troves of client data.
  • March 2022 – Consumer goods giant Reckitt Benckiser suffered a ransomware hit attributed to LockBit.

These represent just a handful of the many organizations impacted by LockBit 3.0 in its first year of activity. The group conducts dozens of successful attacks per month, implying a high infection success rate.

How much are LockBit 3.0 ransom demands?

In most cases, LockBit 3.0 ransom demands range from tens of thousands to millions of dollars, based on the victim’s size and perceived ability to pay. Some of the largest reported demands include:

  • $5 million from Scottish Power
  • $50 million from Aerospace Testing Engineering & Certification (Atec)
  • $5 million from Baykar defense
  • $15 million from Banque Cantonale Vaudoise (BCV)

Small businesses have reportedly been ransomed for sums as low as $10,000. The gang tends to scale ransom amounts to what it believes each victim can afford.

Even if ransom payments are made, LockBit may still leak stolen data as added punishment. There are no guarantees of preventing exposure after meeting demands.

How can you protect against LockBit 3.0?

Defense against sophisticated ransomware like LockBit 3.0 requires a multi-layered security strategy including these measures:

  • Backups – Maintain air-gapped, immutable backups to restore encrypted data without paying ransoms. Test restoration regularly.
  • Incident response plan – Have an IR plan in place to rapidly detect and contain a ransomware outbreak.
  • Employee training – Educate staff on cyber risks and phishing attacks that could enable ransomware infections.
  • Network segmentation – Isolate and secure critical systems through network segmentation.
  • Vulnerability management – Actively scan, patch and upgrade systems to eliminate security holes.
  • Strong controls – Employ multilayered controls like firewalls, antivirus, and endpoint detection and response (EDR) tools.

No single solution is a silver bullet against ransomware threats. But a defense-in-depth approach can significantly reduce the risk of a successful LockBit 3.0 attack and ensure resilience if one occurs.

What should you do if infected with LockBit 3.0?

If your organization is victimized by a LockBit 3.0 ransomware attack, key response steps include:

  1. Disconnect infected systems – Isolate affected devices from networks to prevent further spread.
  2. Secure backups – Ensure backups are intact and protected from possible corruption.
  3. Consult incident response – Engage cybersecurity IR experts to investigate the attack’s nature and scope.
  4. Notify authorities – Contact law enforcement and cybersecurity agencies for additional support.
  5. Assess damage – Identify which systems, files, and data were impacted or stolen.
  6. Notify customers – If personal data was compromised, warn impacted individuals as required.
  7. Evaluate payment decision – Weigh the risks of paying ransom versus restoration costs.
  8. Rebuild securely – After recovery, eliminate vulnerabilities and strengthen defenses.

Moving rapidly while collaborating with internal and external experts gives you the best chance of minimizing disruption from a LockBit 3.0 attack.

Conclusion

The LockBit 3.0 ransomware variant represents an elevated threat to organizations across sectors and geographic regions. Its technical upgrades enable faster spread within victim networks and make it harder to avoid.

By targeting large enterprises and critical infrastructure and leveraging MFA-bypass tools, LockBit 3.0 attacks can yield million-dollar ransoms. Even if paid, sensitive data may still appear on the gang’s leak site.

Reducing the risk of ransomware outbreaks requires ongoing staff training and deployment of layered security controls. But no preventive measures are perfect. Having well-tested backups and response plans in place is crucial for minimizing business disruption when an intrusion does occur.

LockBit 3.0 exemplifies the increasing sophistication and effectiveness of ransomware. But by understanding its TTPs and bolstering defenses accordingly, organizations can make themselves a harder target and improve resilience if attacked.