LockBit 3.0: Significantly Improved Ransomware Helps the Gang Stay on Top

Just ahead of its headline-grabbing attack on the Italian tax agency, the infamous ransomware group debuted an improved version of the malware featuring parts from Egregor and BlackMatter.

4 Min Read
Illustration of a computer keyboard where all the letters are replaced with glowing red skull logos representing ransomware
Source: Negro Elkha via Adobe Stock

Reverse-engineering the latest ransomware executables from the group behind LockBit shows that the developers have added capabilities from other popular attack tools and are actively working to improve LockBit's anti-analysis capabilities, according to researchers.

This significant evolution, seen in the recently debuted LockBit 3.0 (aka LockBit Black), is likely meant to offset better defenses, a greater scrutiny by researchers and investigators, and competition from other gangs, according to analyses by multiple researchers.

"There is no question that, whether it is law enforcement pressure or the defenders getting better, that we are seeing that these groups are forced to evolve — they have to get better at what they are doing," says Jon Clay, vice president of threat intelligence for Trend Micro.

They also have to keep up with the Dark-Web Joneses. To that end, the latest version now requires a key to obfuscate its main routines and hinders reverse engineering and analysis, for example — a technique used by other ransomware families, such as Egregor, cybersecurity firm Trend Micro stated in an advisory published on Tuesday. The new version of the ransomware program also enumerates available application programming interfaces (APIs), a feature identical to the BlackMatter ransomware program, the company stated.

Ransomware Attack on Italy's Tax Agency

Earlier this month, the Italian Revenue Agency became the latest purported victim of LockBit, with the group boasting that it encrypted and exfiltrated 78 gigabytes of files from the tax agency. If true, the organization will have to find a way to recover, but the attack also threatens Italian citizens, Gil Dabah, co-founder and CEO of data-protection firm Piiano, said via email.

"The second type of victim is the individual whose data was compromised," he said. "In this case, there is a high chance that the data of an individual taxpayer was compromised."

Following Russia's invasion of Ukraine, these ransomware groups have committed to supporting Russia and are increasingly facing requests to conduct operations against nation-state targets, says Paul Martini, CEO of iBoss, a provider of cloud-security solutions.

"The shadow cyber-war between nations that has been carried out through espionage, disinformation campaigns, and strategic attacks on critical targets is just starting to come out of the shadows," he said. "We can expect this to boil over and the West is going to need stronger defenses in place to protect government and civilian targets."

The group behind LockBit has had a good run so far in 2022. Despite an 18% drop in overall attacks, likely due to the disruption of the infrastructure behind the Conti cybercrime group or possibly fallout from Russia's invasion of Ukraine, LockBit has become the most commonly encountered ransomware family, accounting for 40% of all attacks detected by security firm NCC Group in May.

But evolution is necessary to stay on top.

Major Improvements for LockBit 3.0

The changes to the latest version of the LockBit ransomware includes functions that collect system APIs as a way to use legitimate functions as part of its attack and extensive — albeit fairly simple — encryption of configuration data and code, according to Trend Micro's advisory.

Perhaps most notably, a major addition to LockBit 3.0 is a set of features to slow down or prevent reverse engineering. The program includes, for example, a password required to decrypt the main body of executable code and a feature that attempts to crash debuggers.

"They pride themselves on their ability to regularly update their ransomware and ransomware-as-a-service offerings," says Trend Micro's Clay. "There are a lot more obfuscation capabilities in 3.0, and they put in a lot of features that try to minimize how much analysts and researchers can discover about their code."

Meanwhile, the adoption of BlackMatter tactics is unsurprising, given that both LockBit and BlackMatter are Russia-linked groups and cybercriminals are increasingly moving between groups.

The Basics of Ransomware Defense Still Work

For the most part, the new features found in LockBit 3.0 do not undermine current defenses, says Trend Micro's Clay. Multi-factor authentication can block the most common approach to gaining access — through stolen credentials — while modern endpoint detection and response (EDR) can detect and stop and attack before attackers start encrypting data. Finally, having a good backup process for critical data will make recovery easier.

"They [ransomware groups] claim that backups will not help, but if you have a proper procedure then you can recover your data," he says. "The good news is that the defenders have implemented a lot of these best practices, and they seem to be working."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights