LockBit, a ransomware-as-a-service (RaaS) threat, just weaponized a Microsoft® antivirus tool to deliver Cobalt Strike payloads. This new version, LockBit 3.0, now shares functionality with ransomware families such as BlackMatter, DarkSide, and BlackCat.
LockBit 3.0
This latest version is also known as LockBit Black, the internal name used by the threat author as part of the ransom note. Once deployed, LockBit 3.0 encrypts all files on the victim’s machine and changes both parts of each affected file’s name, rendering the files both unusable and unrecognizable.
The ransom note for LockBit 3.0 is quite extensive compared to those of many other ransomware families. In it, the author explains that they will publish data stolen from victims who don’t pay the ransom. The note goes on to explain that this “double-extortion” threat could cause victims to violate the General Data Protection Regulation (GDPR) – the European Union’s data protection law – implying that victims may be subject to legal fines when their information is made public.
It’s notable that LockBit’s threat actor apparently anticipated the possibility that the Tor infrastructure used to communicate with victims could be taken down. To provide redundancy, the ransom note for this version includes several different Onion servers and Tor2Web proxies (used for accessing Tor via a traditional browser).
Leveraging Cobalt Strike to Drop LockBit 3.0
Cobalt Strike beacons are side-loaded to the system through a malicious DLL that decrypts the payload onto the user’s system. Researchers found these beacons can later be used to gain a further foothold on a target network, to download or execute malicious payloads in the future. The BlackBerry Research and Intelligence Team profiled Cobalt Strike Beacons in-depth in their 2021 publication, Finding Beacons in the Dark: A Guide to Cyber Threat Intelligence.
Once attackers have gained initial access to an organization, the actions they can take are fairly open-ended. From the content of their ransom note, it’s clear that the attacker’s primary goal is to get payment from their victims, after having gathered and exfiltrated sensitive data to the attacker’s infrastructure for “insurance.” Whether they will take additional steps beyond this is up to the threat operator and will likely depend on whether they see the need or opportunity.
LockBit 3.0 also abuses the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads. This file is used to scan for malware as part of the Windows Defender security app.
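One way to triage this in endpoint telemetry, as an added example that is not from the original article: it assumes the abuse shows up as MpCmdRun.exe running from, or loading a DLL from, a directory outside the default Windows Defender install paths. The event field names and the sample events are constructed for illustration.

```python
import ntpath

# Default locations of a genuine MpCmdRun.exe (assumption: standard installs).
TRUSTED_DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
# DLLs loaded from these trees are treated as expected.
TRUSTED_DLL_DIRS = TRUSTED_DEFENDER_DIRS + (
    r"c:\windows\system32", r"c:\windows\winsxs")

def _under(path, roots):
    # Normalise first so "..\" segments cannot fake a trusted prefix.
    p = ntpath.normpath(path).lower()
    return any(p.startswith(r + "\\") for r in roots)

def triage(events):
    """Return (reason, event) findings for suspicious MpCmdRun.exe activity."""
    findings = []
    for ev in events:
        image = ev["image"]
        if ntpath.basename(image).lower() != "mpcmdrun.exe":
            continue
        if ev["type"] == "process_create":
            if not _under(image, TRUSTED_DEFENDER_DIRS):
                findings.append(("mpcmdrun_outside_defender_dir", ev))
        elif ev["type"] == "image_load":
            if not _under(ev["loaded"], TRUSTED_DLL_DIRS):
                findings.append(("untrusted_dll_in_mpcmdrun", ev))
    return findings

# Constructed sample events (hypothetical schema, not from a real incident).
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe"},
    {"type": "image_load",
     "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"type": "process_create", "image": r"C:\Users\Public\Tools\MpCmdRun.exe"},
    {"type": "image_load", "image": r"C:\Users\Public\Tools\MpCmdRun.exe",
     "loaded": r"C:\Users\Public\Tools\example.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "process_create",
     "image": r"C:\Program Files\Windows Defender\..\Temp\MpCmdRun.exe"},
]

if __name__ == "__main__":
    for reason, ev in triage(SAMPLE_EVENTS):
        print(reason, ev.get("loaded", ev["image"]))
```

In production the trusted directory lists should be adjusted to the environment, and each finding treated as a lead to investigate rather than a verdict.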
Which Organizations Should Be Concerned About LockBit 3.0?
All organizations should remain cautious of this threat. There are currently no known methods to decrypt the LockBit 3.0 encryption. Public exposure of personal and sensitive data has serious consequences.
According to BlackBerry telemetry, there were at least 478 blocks of the LockBit malware family in our tenants. That’s about five attempts per day worldwide, as shown in Figure 1 below. This includes both previous LockBit versions and LockBit 3.0.