BlackBerry Blog

LockBit 3.0 Ransomware Abuses Windows Defender to Load Cobalt Strike

CYBERSECURITY / 08.03.22 / Lysa Myers
Update 03.03.23: Canada's Indigo Books and Music revealed it was hit with LockBit ransomware, the same ransomware strain that targeted Toronto’s Hospital for Sick Children.  

LockBit, a ransomware-as-a-service (RaaS) threat, has weaponized a legitimate Microsoft® antivirus command-line tool to deliver Cobalt Strike payloads. This new version, LockBit 3.0, also shares functionality with ransomware families such as BlackMatter, DarkSide, and BlackCat.

LockBit 3.0

This latest version, LockBit 3.0, is also known as LockBit Black, the internal name the threat author uses in the ransom note. Once deployed, LockBit 3.0 encrypts files on the victim’s machine and replaces both the name and the extension of each affected file, rendering the files both unusable and unrecognizable.

The ransom note for LockBit 3.0 is quite extensive compared to those of many other ransomware families. In it, the author states that data stolen from victims will be published if the ransom is not paid. The note goes on to argue that this “double-extortion” threat could put victims in violation of the General Data Protection Regulation (GDPR), the European Union’s data protection law, implying that victims may face regulatory fines once their information is made public.

Notably, LockBit’s operators apparently anticipated that the Tor infrastructure used to communicate with victims might be taken down. For redundancy, the ransom note for this version lists several different onion services as well as Tor2Web proxies, which let victims reach those same services from a regular browser without installing Tor.
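The redundancy described above can be measured directly from a note: every onion service and every Tor2Web proxy route it offers is an indicator worth tracking, and a service reachable over several routes survives the takedown of any one of them. The following Python is an added example, not code from the original post or from BlackBerry; the note excerpt, the two onion hostnames and the proxy domains in it are constructed for the example and are not real LockBit infrastructure.

```python
import re
from typing import Dict

# Constructed sample written in the style of a LockBit 3.0 ransom note. The two
# onion hostnames and the proxy domains are invented for this example and are
# not real LockBit infrastructure.
ONION_A = "lockbit2exampleabcdefghijklmnopqrstuvwxyz234567abcdefghi"
ONION_B = "lockbit3examplezyxwvutsrqponmlkjihgfedcba765432zyxwvutsr"

SAMPLE_NOTE = f"""\
~~~ Your data is stolen and encrypted ~~~
If you do not pay, the stolen data will be published on our Tor sites.
Links for Tor Browser:
http://{ONION_A}.onion
http://{ONION_B}.onion
Links for the normal browser:
http://{ONION_A}.onion.ly
http://{ONION_B}.onion.pet
http://{ONION_A.upper()}.ONION.WS
>>>> Your personal DECRYPTION ID: 0123456789ABCDEF
"""

# v3 onion services are 56 base32 characters (a-z, 2-7); legacy v2 services
# were 16. A label after ".onion" (".onion.ly", ".onion.pet", ...) is a Tor2Web
# proxy domain that exposes the same hidden service to ordinary browsers.
_TOR_RE = re.compile(
    r"(?<![a-z2-7])(?P<host>[a-z2-7]{56}|[a-z2-7]{16})\.onion"
    r"(?:\.(?P<proxy>[a-z]{2,6}))?(?![a-z0-9.-])",
    re.IGNORECASE,
)


def extract_tor_infrastructure(note: str) -> Dict[str, object]:
    """Return the onion services, Tor2Web proxies and per-service routes in a note.

    'routes' lists, for each hidden service, every way the note offers to reach
    it ("direct" for the bare .onion address, otherwise the proxy domain). A
    service with several routes survives the takedown of any single one.
    """
    routes: Dict[str, set] = {}
    proxies = set()
    for m in _TOR_RE.finditer(note):
        service = m.group("host").lower() + ".onion"
        proxy = m.group("proxy")
        route = "onion." + proxy.lower() if proxy else "direct"
        routes.setdefault(service, set()).add(route)
        if proxy:
            proxies.add(route)
    return {
        "onion_services": sorted(routes),
        "tor2web_proxies": sorted(proxies),
        "routes": {svc: sorted(r) for svc, r in sorted(routes.items())},
    }


if __name__ == "__main__":
    for key, value in extract_tor_infrastructure(SAMPLE_NOTE).items():
        print(key, value)
```

Matching is case-insensitive because notes are sometimes pasted or rendered in upper case, and the hostname is lowercased before it is stored so that the same service reached directly and through a proxy is counted once. The proxy label is captured generically rather than from a fixed list, since Tor2Web domains come and go.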

Leveraging Cobalt Strike to Drop LockBit 3.0

Cobalt Strike Beacons are side-loaded onto the system through a malicious DLL that decrypts and loads the Beacon payload on the user’s machine. Researchers found that these Beacons can later be used to extend the attacker’s foothold on the target network and to download or execute further malicious payloads. The BlackBerry Research and Intelligence Team profiled Cobalt Strike Beacons in depth in their 2021 publication, Finding Beacons in the Dark: A Guide to Cyber Threat Intelligence.

Once attackers have gained initial access to an organization, the actions they can take are fairly open-ended. From the content of their ransom note, it’s clear that the attacker’s primary goal is to get payment from their victims, after having gathered and exfiltrated sensitive data to the attacker’s infrastructure for “insurance.” Whether they will take additional steps beyond this is up to the threat operator and will likely depend on whether they see the need or opportunity.

LockBit 3.0 also abuses the Windows Defender command-line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads. MpCmdRun.exe is a legitimate, Microsoft-signed utility used to run scans and other maintenance tasks as part of the Windows Defender security app, and because it is trusted by default, using it as the loader can let the payload slip past allow-listing and antivirus controls that key on the signer of the executable.
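Because the executable in this technique is the genuine, signed MpCmdRun.exe, a detection has to look at where it runs from and what it loads rather than at its signature. The Python below is an added example for both the DLL side-loading described above and the MpCmdRun.exe abuse; it is not code from the original post or from BlackBerry. It runs over constructed Sysmon-style records (Event ID 1 process-create and Event ID 7 image-load fields), and the expected-directory lists, the user-writable folder and the DLL name in the sample are assumptions for the example, since this page does not name the DLL LockBit’s loader uses.

```python
import ntpath
from typing import Dict, Iterable, List, Tuple

# Where the genuine MpCmdRun.exe lives on a default Windows install. This is an
# assumption for the example; the Platform folder holds a versioned
# subdirectory, so it is matched as a prefix. Tune both lists to your fleet.
EXPECTED_MPCMDRUN_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
TRUSTED_DLL_DIRS = EXPECTED_MPCMDRUN_DIRS + (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Constructed Sysmon-style records (EventID 1 = process create, 7 = image load).
# Records 3 and 4 model the technique: the real, signed MpCmdRun.exe copied to
# a user-writable folder and loading an unsigned DLL from that same folder.
# The DLL name is illustrative; this page does not name the DLL LockBit uses.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"RecordId": 2, "EventID": 7, "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\MpClient.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"RecordId": 3, "EventID": 1, "Image": r"C:\Users\Public\Libraries\MpCmdRun.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"RecordId": 4, "EventID": 7, "Image": r"C:\Users\Public\Libraries\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\MpClient.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"RecordId": 5, "EventID": 7,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2207.7-0\MpCmdRun.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"RecordId": 6, "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _norm(path: str) -> str:
    # ntpath handles Windows paths on any host OS; normcase lowercases them.
    return ntpath.normcase(path)


def _under(path: str, roots: Iterable[str]) -> bool:
    """True if the directory of `path` is one of `roots` or nested under one."""
    directory = ntpath.dirname(_norm(path))
    return any(directory == r or directory.startswith(r + "\\") for r in roots)


def _microsoft_signed(ev: Dict[str, object]) -> bool:
    return (str(ev.get("Signed", "")).lower() == "true"
            and "microsoft" in str(ev.get("Signature", "")).lower()
            and str(ev.get("SignatureStatus", "")).lower() == "valid")


def check_event(ev: Dict[str, object]) -> List[str]:
    """Return detection messages for one event, empty if it looks benign."""
    image = str(ev.get("Image", ""))
    if ntpath.basename(_norm(image)) != "mpcmdrun.exe":
        return []
    findings: List[str] = []
    event_id = int(ev.get("EventID", 0))
    if event_id == 1 and not _under(image, EXPECTED_MPCMDRUN_DIRS):
        # A copy of the signed binary still carries a valid signature, so its
        # location, not its signature, is what gives the relocated loader away.
        findings.append(f"MpCmdRun.exe executed from unexpected directory: {image}")
    elif event_id == 7:
        dll = str(ev.get("ImageLoaded", ""))
        if not _under(dll, TRUSTED_DLL_DIRS):
            findings.append(f"MpCmdRun.exe loaded a DLL from an untrusted directory: {dll}")
        if not _microsoft_signed(ev):
            findings.append(f"MpCmdRun.exe loaded a DLL without a valid Microsoft signature: {dll}")
    return findings


def hunt(events: Iterable[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Run check_event over a stream of events; returns (RecordId, message) pairs."""
    return [(int(ev["RecordId"]), msg) for ev in events for msg in check_event(ev)]


if __name__ == "__main__":
    for record_id, msg in hunt(SAMPLE_EVENTS):
        print(f"[record {record_id}] {msg}")
```

Two independent checks are kept on purpose: an attacker who signs nothing trips the signature check, while one who drops a DLL that happens to carry some valid non-Microsoft signature still trips the directory check. On a real fleet the image-load check will need the allow-list widened for third-party components Defender legitimately loads, which is why the directory tuples are module-level constants rather than hard-coded in the logic.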

Which Organizations Should Be Concerned About LockBit 3.0?

All organizations should remain wary of this threat. There is currently no known way to decrypt files encrypted by LockBit 3.0 without the attacker’s key, and public exposure of personal and sensitive data has serious consequences.

According to BlackBerry telemetry, there have been at least 478 blocks of the LockBit malware family across our tenants, roughly five attempts per day worldwide, as shown in Figure 1 below. This figure includes both previous LockBit versions and LockBit 3.0.

Figure 1 – Geographic locations of LockBit targets (Source: BlackBerry)

Protecting Against RaaS Campaigns Like LockBit 3.0

The BlackBerry Threat Research and Intelligence Team recommends implementing the following strategies to protect against RaaS attacks:

  • Continuously monitor and patch software and firmware assets. 
  • Regularly review the rights and privileges of all accounts. Remove accounts and privileges that are not needed to perform necessary job functions.
  • Monitor failed password attempts, password changes, and creation of new users.
  • Staff a 24x7 SOC, enhanced with Sigma, Suricata, and YARA rules and fed by professional, high-quality threat intelligence feeds.
  • Hunt for anomalies, not just for known-bad matches.
  • Extend your visibility over all network assets.
  • Enable good visual data representations so that you can easily identify data exfiltration in outbound network traffic.
  • Test and implement a reliable backup system. Backups must be inaccessible from the primary network (offline or otherwise isolated) so the threat actor cannot encrypt or delete them.
  • Conduct Purple Team exercises based on LockBit tactics, techniques, and procedures (TTPs) to test security posture and detection capabilities.

Indicators of Compromise (IoCs)


YARA Rule

rule LockBit3_ransomware {
    meta:
        author = "BlackBerry"
        date = "08-03-2022"
        version = "1"
        tlp = "white"
        description = "Rule detecting Lockbit3 ransomware samples"
    strings:
        // The $code1 pattern and the tails of $code2 and $code3 did not survive
        // in this copy of the page; the hex below is reproduced as published here.
        // $code1 =
        $code2 = {7D0C66AD6685C07505E98A0000006683F841720C6683F84677066683E837EB266683F861720C6683F86677}
        $code3 = {FFFF8BC885C974348BF78BD166B82000F266AF85C975128BCA894DFC8B7D0CF366A56633C066ABEB132BD14A87D1894}
    condition:
        uint16(0) == 0x5a4d and
        filesize < 3MB and
        2 of them
}

BlackBerry Stops LockBit 3.0 and Cobalt Strike

Customers using CylancePROTECT® are protected from LockBit 3.0 and Cobalt Strike.

To combat this highly effective and infectious malware variant, BlackBerry recommends using artificial intelligence-based agents trained for threat detection on millions of both safe and unsafe files, in addition to the aforementioned security practices. For example, Cylance® AI uses automated security agents to block LockBit 3.0 based on numerous file attributes and malicious behaviors, rather than relying on a specific file signature.

Customers can take this protection a step further with the use of the CylanceGUARD® managed Extended Detection and Response (XDR) service to defend against LockBit 3.0 attacks.

About CylancePROTECT

CylancePROTECT endpoint protection platform (EPP) employs BlackBerry's seventh-generation Cylance AI technology, which uses advanced machine learning models to provide a predictive advantage against both zero-day threats and legacy cyberattacks.

About CylanceGUARD

CylanceGUARD is a subscription-based 24x7 managed extended detection and response (XDR) service. BlackBerry expert analysts act as an extension of your team, correlating telemetry across devices and providing actionable intelligence to prevent threats quickly while minimizing alert fatigue.


About Lysa Myers

Lysa Myers is a Principal Threat Researcher at BlackBerry.