The LockBit 3.0 ransomware advisory refers to a warning about the latest version of the LockBit ransomware threat. LockBit is an infamous ransomware-as-a-service (RaaS) operation where cybercriminals can pay to utilize the ransomware and its infrastructure. LockBit 3.0 is the newest iteration of this ransomware strain, first observed in June 2022. This updated version includes enhancements that could make attacks more devastating. As such, cybersecurity professionals have issued advisories to ensure organizations are informed and prepared.
Ransomware remains one of the most significant cyber threats facing businesses today. Ransomware is a form of malicious software that encrypts an organization’s files until a ransom payment is made. Without access to critical data and systems, business operations can grind to a halt. RaaS operations like LockBit lower the barrier to entry, allowing even unskilled cybercriminals to leverage ransomware successfully.
What enhancements are included in LockBit 3.0?
LockBit 3.0 includes several enhancements that improve its effectiveness and evasiveness:
– Faster encryption speed – LockBit 3.0 can encrypt files up to 50% faster than the previous version. This means it can impact more systems and data in a shorter time frame during an attack.
– Evasion of detection – LockBit 3.0 is stealthier and incorporates methods to avoid security solutions. For example, it disables Windows Defender antivirus on compromised hosts.
– Use of Cobalt Strike – LockBit 3.0 utilizes Cobalt Strike as part of its attack chain. This pentesting tool makes it easier for threat actors to move laterally and escalate privileges.
– Ransomware-as-a-Service – LockBit operates as RaaS, allowing affiliates to easily rent the ransomware. This decentralized model makes it more challenging for law enforcement to take down.
– Double extortion – LockBit 3.0 continues the use of double extortion, threatening to publish exfiltrated data if the ransom isn’t paid.
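The Defender-disabling behaviour noted in the list above leaves traces in the Microsoft-Windows-Windows Defender/Operational event log. The sketch below is an added example, not code from any advisory: it filters an exported event list for tamper-related event IDs and flags several hosts losing protection within a short window. The CSV layout, host names, and thresholds are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Microsoft-Windows-Windows Defender/Operational event IDs tied to tampering.
TAMPER_EVENTS = {
    5001: "real-time protection disabled",
    5007: "antimalware configuration changed",
    5010: "antispyware scanning disabled",
    5012: "antivirus scanning disabled",
    5013: "tamper protection blocked a change",
}
DISABLE_IDS = {5001, 5010, 5012}  # outright disables, not just config changes

# Constructed sample export (time, host, event id); not real telemetry.
SAMPLE_CSV = """time,host,event_id
2024-01-10T02:14:05,FS01,5007
2024-01-10T02:14:09,FS01,5001
2024-01-10T02:15:40,DB02,5001
2024-01-10T02:16:02,WEB03,5001
2024-01-10T09:30:00,HR-LT7,5007
2024-01-10T11:00:00,FS01,1116
"""

def load_tamper_events(text):
    """Return sorted (time, host, event_id) tuples for tamper-related events."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        eid = int(r["event_id"])
        if eid in TAMPER_EVENTS:
            rows.append((datetime.fromisoformat(r["time"]), r["host"], eid))
    return sorted(rows)

def hosts_with_protection_disabled(events):
    """Hosts that logged an outright disable rather than only a config change."""
    return sorted({h for _, h, e in events if e in DISABLE_IDS})

def fleet_wide_burst(events, window=timedelta(minutes=10), min_hosts=3):
    """Hosts involved when >= min_hosts disable protection inside one window."""
    disables = [(t, h) for t, h, e in events if e in DISABLE_IDS]
    for i, (start, _) in enumerate(disables):
        hosts = {h for t, h in disables[i:] if t - start <= window}
        if len(hosts) >= min_hosts:
            return sorted(hosts)
    return []

if __name__ == "__main__":
    ev = load_tamper_events(SAMPLE_CSV)
    print(hosts_with_protection_disabled(ev), fleet_wide_burst(ev))
```

A single 5007 on one laptop is usually routine administration; the same disable event on several servers within minutes is the pattern worth paging on.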
Who is impacted by LockBit 3.0?
LockBit 3.0 targets organizations across all industries and geographic regions. Any organization that pays the ransom could find itself targeted. However, LockBit affiliates often focus on targets where a high-value ransom payout is likely, such as:
– Critical infrastructure sectors like healthcare, emergency services, and energy.
– Large enterprises and multinational corporations.
– Highly regulated industries like finance and insurance.
– Companies with valuable data like intellectual property or personal information.
Notably, LockBit claims it will not target hospitals, schools, universities, non-profit organizations, and government sectors. However, affiliates have still targeted some entities in these industries.
Notable LockBit 3.0 attacks
Some examples of initial LockBit 3.0 attacks include:
| Target | Industry | Location | Date |
| --- | --- | --- | --- |
| Boeing | Aerospace | USA | August 2022 |
| Conduent | Business services | USA | June 2022 |
| Tabcorp | Gambling/gaming | Australia | June 2022 |
These attacks demonstrate that no sector or region appears safe from LockBit 3.0 campaigns.
What are the impacts of a LockBit 3.0 attack?
If not prevented, a LockBit ransomware attack can severely disrupt an organization’s operations and finances:
– **System downtime** – Encrypted files make systems and applications inaccessible to employees and customers. This can last days to weeks if backups are insufficient.
– **Crippled operations** – With core business systems affected, most organizations grind to a halt during an attack. Impacts cascade through operations, finance, and customer service.
– **Data loss** – If backups are not available, encryption by LockBit may mean permanent data loss. This affects intellectual property, financial information, client data, and more.
– **Remediation costs** – The average cost of recovery and remediation for a ransomware attack is estimated at $1.85 million. Extensive IT and legal resources are required.
– **Ransom demands** – LockBit ransom demands start in the six figures, paid in cryptocurrency. Historical demands have ranged from $70,000 up to $5 million.
– **Reputational damage** – Media coverage of a ransomware attack harms brand reputation and customer trust. This is worsened if data gets leaked publicly.
Defense strategies against LockBit 3.0
The following cybersecurity measures can help defend against LockBit 3.0 attacks:
Employee security awareness training
Ongoing education helps employees recognize and avoid ransomware attacks before they occur. Suspicious emails and links should be reported.
Email security and filtering
Advanced email security solutions and gateways can identify and quarantine ransomware campaigns delivering malicious attachments or links.
Vulnerability management
Actively patch and update internet-facing systems and software. Quickly remediate known weaknesses that ransomware exploits.
Limit RDP and VPN access
Reduce remote desktop protocol (RDP) and virtual private network (VPN) exposure where possible. Use multi-factor authentication and session limits.
Segmentation and firewalling
Segment networks to control lateral movement between zones. Firewalls can also restrict unauthorized communication channels.
Next-gen antivirus
Advanced endpoint detection and response (EDR) tools can detect and block ransomware execution and activity.
Backups and recovery
Maintain offline, immutable backups of critical data and systems. Regularly test restoration to ensure availability.
Incident response planning
Have an updated incident response plan so teams are ready to act swiftly in case of an attack. Know roles and integrate outside help.
Conclusion
The LockBit 3.0 ransomware advisory highlights the serious threat this new variant poses to organizations. Its technical improvements enable faster and stealthier attacks, putting businesses worldwide at risk. All organizations should take LockBit 3.0 seriously and assess their cybersecurity posture against its updated tactics. Implementing a defense-in-depth strategy can help safeguard systems and data from encryption in case of attack. With robust preparation and response capabilities in place, organizations can reduce the business disruption and financial impacts of this dangerous new ransomware.