#StopRansomware: LockBit 3.0 (AA23-075A)

Read Time:1 Minute, 53 Second

On March 16th, 2023, CISA, FBI and MS-ISAC released a joint advisory on LockBit 3.0 ransomware as part of #StopRansomware effort. LockBit 3.0, also known as LockBit Black, operates a Ransomware-as-a-Service (RaaS) service and employs a double-extortion tactic to get victims to pay ransom.Why is this Significant?This is significant because organizations hit by ransomware are likely to suffer from and not limited to – operational downtime, damaged reputation, heavy cost of time and manpower due recovery effort, and exposure of stolen data. AA23-075A is the latest #StopRansomware joint advisory released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing & Analysis Center (MS-ISAC), which provides observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against LockBit 3.0 ransomware.What is LockBit 3.0?LockBit 3.0 is a ransomware variant that is a successor to LockBit and LockBit 2.0 ransomware which was released in mid-2022. The ransomware operates as Ransomware-as-a-Service (RaaS) and employs a double-extortion tactic that demands victims pay ransom to recover affected files and not have stolen information leaked to the public.As a ransomware, LockBit 3.0 encrypts files on compromised machines. Prior to the file encryption routine, attackers exfiltrate information using custom and dual-use tools such as Stealbit and rclone, and publicly available file sharing services. The ransomware also drops a ransom note labeled [Ransomware ID].README.txt. Furthermore, LockBit 3.0 deletes shadow copies to prevent file recovery and replaces desktop wallpaper with its own. The ransomware stops its operation if a compromised machine’s language setting is set to predefined languages such as Russian, Armenian, Belarusian, Georgian and Ukrainian. Example of LockBit 3.0 ransomware’s ransom noteWhat is the Status of Protection?FortiGuard Labs has the following AV signatures in place for LockBit 3.0 samples known to us:W32/Lockbit.K!tr.ransomW32/Filecoder_Lockbit.H!trW32/BlackMatter.D!trW32/BlackMatter.E!tr.ransomW32/BlackMatter.K!tr.ransomW32/BlackMatter.O!tr.ransomW32/Filecoder_BlackMatter.D!trW32/Filecoder_BlackMatter.D!tr.ransomW32/Filecoder_BlackMatter.E!trW32/Filecoder_BlackMatter.E!tr.ransomW32/AZG!tr.ransomNSIS/Injector.AOW!trW32/PossibleThreat

Cyber Security News

Alarming Decline in Cybersecurity Job Postings in the US

Akira Ransomware Group Rakes in $42m, 250 Organizations Impacted

Quishing Attacks Jump Tenfold, Attachment Payloads Halve

Russia’s Sandworm Upgraded to APT44 by Google’s Mandiant

New Cyber-Threat MadMxShell Exploits Typosquatting and Google Ads

Change Healthcare data for sale on dark web as fallout from ransomware attack spirals out of control

3.5 million Omni Hotel guest details held to ransom by Daixin Team

Police smash LabHost international fraud network, 37 arrested

US Election Officials Told to Prepare for Nation-State Influence Campaigns

#StopRansomware: LockBit 3.0 (AA23-075A)

python-reportlab-4.2.0-1.fc39

python-reportlab-4.2.0-1.fc40

USN-6743-1: Linux kernel vulnerabilities

USN-6742-1: Linux kernel vulnerabilities

BACKDOOR.WIN32.DUMADOR.C / Remote Stack Buffer Overflow (SEH)

SEC Consult SA-20240418-0 :: Broken authorization in Dreamehome app