{
	"id": "db07e71d-543f-4e60-8b2f-00815da48985",
	"created_at": "2026-04-06T00:18:36.64415Z",
	"updated_at": "2026-04-10T03:21:38.499673Z",
	"deleted_at": null,
	"sha1_hash": "074b436e0630782b9c9d85e31bb9c403d6499625",
	"title": "LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4347036,
	"plain_text": "LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities\r\nPublished: 2022-07-25 · Archived: 2026-04-05 17:59:40 UTC\r\nIn June 2022, LockBit revealed version 3.0 of its ransomware. In this blog entry, we discuss the findings from our own\r\ntechnical analysis of this variant and its behaviors, many of which are similar to those of the BlackMatter ransomware.\r\nBy: Ivan Nicole Chavez, Byron Gelera, Katherine Casona, Nathaniel Morales, Ieriz Nicolle Gonzalez, Nathaniel\r\nGregory Ragasa\r\nJul 25, 2022\r\nIn March 2022, less than a year after LockBit 2.0 first emerged, researchers caught wind of an upcoming new variant of\r\nthe LockBit ransomware. LockBit 3.0, aka “LockBit Black,” wouldn’t be unveiled until late June, coinciding with the\r\nlaunch of the group’s new leak site and bug bounty program. A researcher has since shared a sample of LockBit 3.0,\r\nalong with his initial analysis of the new variant.\r\nUsing the packer identifier utility Detect It Easy, we found that this particular LockBit 3.0 sample is a Win32 .exe file\r\nwith multiple sections packed with an unknown packer (Figure 1). According to the original source of the sample, the\r\nmalware uses this argument for execution:\r\n{04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a\r\nThe LockBit 3.0 sample then drops an .ico file with the same file name as the one appended to the encrypted files in\r\nthe %PROGRAMDATA% folder (Figure 2).\r\nhttps://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html\r\nPage 1 of 23\n\nFigure 1. The file properties of LockBit 3.0\r\nFigure 2. 
The .ico file in the %PROGRAMDATA% folder\r\nAs part of its encryption process, LockBit 3.0 appends the extension HLJkNskOq (Figure 3) and changes the icons of\r\nencrypted files to that of the aforementioned .ico file.\r\nFigure 3. The encrypted files with new file names and extensions, along with LockBit’s ransom note\r\nThe ransomware then drops its ransom note (Figure 4), which references “Ilon Musk” and the European Union’s\r\nGeneral Data Protection Regulation (GDPR). Lastly, it changes the wallpaper of the victim’s machine to inform them of\r\nthe ransomware attack (Figure 5).\r\nFigure 4. The contents of LockBit 3.0’s ransom note\r\nFigure 5. The desktop wallpaper applied by LockBit 3.0\r\nSimilarities to BlackMatter ransomware\r\nResearchers have pointed out that portions of LockBit 3.0’s code seem to be borrowed from the BlackMatter\r\nransomware, hence the nickname LockBit Black. Likewise, we found similarities between BlackMatter and the new\r\nLockBit variant during our debugging of the LockBit 3.0 sample. From our examination of the unpacked sample and an\r\nanalysis provided by the researcher Chuong Dong, we discovered that LockBit 3.0 requires a pass parameter to decrypt\r\nits main routine (Figure 6). Other ransomware families like Egregor have been observed exhibiting this same behavior,\r\nwhere an argument is required to proceed with the routine. This makes the binary harder to reverse if the parameter is\r\nnot available.\r\nFigure 6. 
Decrypting sections using a -pass argument\r\nLockBit 3.0 performs API harvesting by hashing the API names of a DLL, and then comparing them to the list of the APIs\r\nthat the ransomware needs (Figure 7). This routine is identical to that of BlackMatter (Figure 8), as the externally\r\navailable script for renaming BlackMatter’s APIs also works for LockBit 3.0 (Figures 9 and 10).\r\nFigure 7. LockBit 3.0’s routine for API harvesting\r\nFigure 8. BlackMatter’s routine for API harvesting\r\nFigure 9. The XOR key LockBit 3.0 uses for renaming APIs\r\nFigure 10. The XOR key BlackMatter uses for renaming APIs\r\nInstead of directly calling the addresses of the harvested APIs, LockBit 3.0 implements a trampoline pointer (Figure 11)\r\nto go to an allocated heap that contains code that then jumps to the API address of the\r\nNtTerminateProcess API (Figure 12). The code contained in the heap is randomly chosen from this set:\r\nROR by random number\r\nROL by random number\r\nXOR to key\r\nROR by random number, then XOR to key\r\nROL by random number, then XOR to key\r\nFigure 11. LockBit 3.0’s trampoline pointer code\r\nFigure 12. LockBit 3.0’s trampoline call to the NtTerminateProcess API\r\nLockBit 3.0 and BlackMatter also implement the same antidebugging technique: Both set the thread information to\r\nThreadHideFromDebugger (0x11) via the NtSetThreadInformation API (Figure 13) to cause any debuggers to crash if a\r\nbreakpoint is placed on this thread.\r\nFigure 13. 
ThreadHideFromDebugger via NtSetThreadInformation\r\nLike BlackMatter, LockBit 3.0 employs threading when using an API instead of directly calling an API, which is likely\r\nan attempt to make it more difficult for researchers to analyze. The strings it uses are decrypted using a simple bitwise-XOR routine (Figure 14), a bitwise-XOR and NOT routine (Figure 15), or a decryption routine involving a linear\r\ncongruential generator (LCG) algorithm to generate a pseudorandom key (Figure 16). This is also similar to how\r\nBlackMatter operates, except for the addition of the bitwise-XOR and NOT routine.\r\nFigure 14. LockBit 3.0’s bitwise-XOR routine for string decryption\r\nFigure 15. LockBit 3.0’s bitwise-XOR and NOT for string decryption\r\nFigure 16. LockBit 3.0’s string decryption using an LCG algorithm\r\nLockBit 3.0’s configurations (Table 1) are decrypted using the same XOR routine and keys obtained from an LCG\r\npseudorandom number generator, and then decompressed using a compression library called APLib.\r\nConfiguration: Description\r\nPUB_KEY[0x80]: RSA public key\r\nVICT_ID[0x10]: Victim ID (This is based on BlackMatter’s code, but is not used by LockBit 3.0.)\r\nAES_KEY[0x10]: AES_KEY for the command-and-control (C\u0026C) server (This is based on BlackMatter’s code, but is not used by LockBit 3.0.)\r\nFLAGS[0x18]: Flags for specific routines\r\nOFFSET_ARRAY: Array of the offset of Base64-encoded strings from this address (The length of the array is equal to the first value.)\r\nBASE64_STRING: Array of Base64-encoded strings, which includes hashes of folders, files, and extensions to avoid; hashes of computer names to avoid; services and processes to kill; a list of C\u0026C servers; admin credentials; and the ransom note\r\nTable 1. 
A list of LockBit 3.0’s configurations\r\nLockBit 3.0 also checks the victim machine’s UI language to avoid infecting machines with these languages:\r\nArabic (Syria)\r\nArmenian (Armenia)\r\nAzerbaijani (Cyrillic Azerbaijan)\r\nAzerbaijani (Latin Azerbaijan)\r\nBelarusian (Belarus)\r\nGeorgian (Georgia)\r\nKazakh (Kazakhstan)\r\nKyrgyz (Kyrgyzstan)\r\nRomanian (Moldova)\r\nRussian (Moldova)\r\nRussian (Russia)\r\nTajik (Cyrillic Tajikistan)\r\nTurkmen (Turkmenistan)\r\nTatar (Russia)\r\nUkrainian (Ukraine)\r\nUzbek (Cyrillic Uzbekistan)\r\nUzbek (Latin Uzbekistan)\r\nLockBit 3.0 also retains these BlackMatter routines for privilege escalation:\r\nUses UACMe’s method of bypassing user account control (UAC), which is to use the ICMLuaUtil COM\r\ninterface under dllhost.exe\r\nDuplicates the Explorer.exe token for its own use\r\nPerforms a 32-bit or 64-bit shellcode injection to elevate its token\r\nThe string that both LockBit 3.0 and BlackMatter use as the encrypted file name extension, ransom note name, and\r\nwallpaper and icon name is a Base64-encoded hash (Figure 17). However, a key difference between the two pieces of\r\nransomware is that LockBit 3.0 opts to use an RSA public key embedded in its configuration and hash it with MD5,\r\nwhereas BlackMatter uses a MachineGUID hashed using the same algorithm for APIs. This makes the string similar for\r\nall machines infected by the same sample, which is likely an attempt by LockBit’s operators to make it easier for them\r\nto identify which RSA private key pair is needed for an encrypted file.\r\nFigure 17. 
The string generation for BlackMatter (left) and LockBit 3.0 (right)\r\nLike BlackMatter, LockBit 3.0 also performs these routines:\r\nAttempts to log in using credentials from its configuration list to determine if the compromised system is a part\r\nof the domain admin that it will use for later routines\r\nTerminates and deletes processes and services from its configuration list, a routine similar to that of BlackMatter\r\nWipes the recycle bin folder of every drive\r\nChecks a list of computer name hashes to avoid from its configuration list\r\nConnects to the C\u0026C server from its configuration list if the flag is set\r\nEncrypts network shares and Exchange Mailbox if set in its configuration flag\r\nObtains a list of files, folders, and extensions to be avoided from its configuration list\r\nUses pointed files when encrypting .lnk files\r\nPrints the ransom note on any available printers and modifies the desktop wallpaper\r\nUses the same encryption algorithm as BlackMatter\r\nLockBit 3.0’s deletion of shadow copies (Figure 18) is clearly lifted from BlackMatter’s code, as this is performed using\r\nWindows Management Instrumentation (WMI) through COM objects, as opposed to LockBit 2.0’s use of vssadmin.exe.\r\nFigure 18. LockBit 3.0’s deletion of shadow copies via WMI\r\nThis latest LockBit iteration performs some routines only if a specific argument is provided. 
LockBit 3.0 accepts only\r\nthe arguments listed in Table 2, while BlackMatter accepts only the -safe, -wall, and -path arguments.\r\nArgument: Description\r\n-pass {value}: Uses the first 32 characters of the value as a key to decrypt the main routine (This is required for the ransomware to execute properly.)\r\n-safe: Reboots in SafeBoot\r\n-wall: Only sets the ransomware wallpaper and prints the ransom note on printers\r\n-path {target}: Specifically encrypts the target, which can be a file or folder\r\n-gspd: Performs group policy modification for lateral movement\r\n-psex: Performs lateral movement via admin shares\r\n-gdel: Deletes group policy updates\r\n-del: Deletes itself\r\nTable 2. A list of arguments that LockBit 3.0 accepts\r\nThe new LockBit variant checks arguments using hashing and, based on the code, is designed to perform only one\r\nroutine from the arguments except for -pass, which needs to be performed before the other arguments can be checked.\r\nThe routines to print the ransom note and change the victim machine’s wallpaper are also similar to BlackMatter’s\r\nroutines if the -wall argument is provided. 
Like BlackMatter, LockBit 3.0 can also restart in safe mode and execute via\r\nthe RunOnce registry, as long as the -safe argument is provided.\r\nHowever, there is one key difference between their configuration flags: BlackMatter has only nine flags while LockBit\r\n3.0 has 24, as detailed in Table 3.\r\nConfiguration flag: Description\r\nENCRYPT_LARGE_FILE_FLAG: If set, a large file will be included in the encryption routine.\r\nRANDOM_FILE_NAME_FLAG: If set, encrypted files will be renamed to random file names.\r\nATTEMPT_LOGON_FLAG: If set, a login attempt will be made using credentials from LockBit 3.0’s configuration list, and the credentials will be saved if these have domain admin rights.\r\nEXCLUDE_HIDDEN_FLAG: If set, hidden files will not be encrypted.\r\nCHECK_UI_LANGUAGE_FLAG: If set, the victim machine’s UI language will be checked and the ransomware will terminate if the machine is from any of the avoided countries.\r\nMOUNT_VOL_ENC_EXCHANGE_SERVER_FLAG: If set, all volumes for encryption will be mounted and available exchange servers will be encrypted.\r\nENC_SHARED_FLAG: If set, shared folders will be encrypted.\r\nTERMINATE_PROCESS_FLAG: If set, processes from LockBit 3.0’s configuration list will be terminated.\r\nDELETE_SERVICE_FLAG: If set, services from LockBit 3.0’s configuration list will be deleted.\r\nCREATE_MUTEX_FLAG: If set, a check will be done to see whether mutex is already created and the ransomware will terminate if it is.\r\nPRINT_RANSOM_NOTE_FLAG: If set, the ransom note will be printed on available printers.\r\nCHANGE_WALLPAPER_FLAG: If set, the victim’s wallpaper will be changed.\r\nCHANGE_ICON_FLAG: If set, the icons of encrypted files will be changed.\r\nCONNECT_TO_CNC_FLAG: If set, communication will be done with a C\u0026C server from 
LockBit 3.0’s configuration list.\r\nDELETE_SELF_FLAG: If set, the ransomware will delete itself using a dropped .tmp file.\r\nDELETE_AV_SERVICE_FLAG: If set, AV services matching the hashes will be terminated.\r\nCREATE_TEMP_MAX_DISKSPACE: If set, another .tmp file (from the same .tmp file used in DELETE_SELF_FLAG flag) will be created on each drive with random contents and sizes based on DiskFreeSpace.\r\nHAS_ADMIN_CRED_FLAG: If set, an attempt will be made to use admin credentials obtained from the ATTEMPT_LOGON_FLAG flag.\r\nRUN_AS_ADMIN_FLAG: If set, commands will be executed as admin using credentials from the ATTEMPT_LOGON_FLAG flag.\r\nFORCE_GPUPDATE_VIA_POWERSHELL_FLAG: If set, group policy updates will be forced on all active directories using a PowerShell command.\r\nDELETE_TEMP_FLAG: If set, the same .tmp file used in the DELETE_SELF_FLAG flag will be deleted via MoveFileExW and the victim machine will be restarted.\r\nDISABLE_EVENTLOG_FLAG: If set, EventLog will be disabled via registry and service.\r\nDELETE_GPO_FLAG: If set and the -gspd parameter is used, the victim machine’s sleep time will be set to 1 minute before performing routines that will delete group policy updates.\r\nUNUSED_FLAG: An extra flag that’s not used in the analyzed binary (or possibly an indicator of the end of flags).\r\nTable 3. The flags that can be set in LockBit 3.0’s configuration\r\nOne notable behavior for this third LockBit version is its file deletion technique: Instead of using cmd.exe to execute a\r\nbatch file or command that will perform the deletion, it drops and executes a .tmp file decrypted from the binary. 
It has,\r\nhowever, retained some of LockBit 2.0’s features, like the earlier version’s ability for lateral movement through a group\r\npolicy update, as long as there is a -gspd parameter provided.\r\nThe executed .tmp file overwrites the contents of the ransomware binary and then renames the binary multiple times\r\n(Figure 19), with the new file names based on the length of the original file name. For example, a file named 1.exe,\r\nwhich has five characters (including the file name extension), is renamed as AAAAA, and then BBBBB, up to ZZZZZ.\r\nAfter renaming the file, LockBit 3.0 finally deletes it (Figure 20). This routine is probably the LockBit ransomware\r\ngroup’s attempt to avoid recovery by forensic tools and cover their tracks by completely removing any trace of the\r\nransomware.\r\nFigure 19. LockBit 3.0 renaming the ransomware file multiple times\r\nFigure 20. LockBit 3.0 deleting the ransomware file after renaming it repeatedly\r\nLockBit 3.0 on VirusTotal\r\nA researcher recently spotted another LockBit 3.0 sample on VirusTotal (Figure 21), with 19 detections at the time of\r\nthis writing. This specific sample is a PowerShell script containing two layers of obfuscated code (Figures 22 and 23).\r\nAfter deobfuscating the script (Figure 24), we found that LockBit 3.0 is capable of injecting a DLL into memory via\r\nreflective loading (Figure 25), using code that is identical to BlackMatter’s own PowerShell code (Figure 26).\r\nFigure 21. A LockBit 3.0 sample found on VirusTotal as of July 21, 2022\r\nFigure 22. The first layer of LockBit 3.0’s obfuscated code\r\nFigure 23. The second layer of LockBit 3.0’s obfuscated code\r\nFigure 24. 
LockBit 3.0’s deobfuscated PowerShell script\r\nFigure 25. LockBit 3.0’s main function\r\nFigure 26. BlackMatter’s main function\r\nThis particular sample has a payload that is compressed and encrypted via Base64 (Figure 27). To access it, we modified\r\nthe script to dump the payload instead of executing it (Figure 28). By dumping the payload, we were able to obtain\r\nLockBit 3.0’s main binary (Figure 29).\r\nWhen it is executed, the script exhibits the same behavior as the previously discovered LockBit 3.0 sample. This\r\nspecific sample appends 19MqZqZ0s to the file names of encrypted files (Figure 30).\r\nFigure 27. LockBit 3.0’s payload\r\nFigure 28. Dumping LockBit 3.0’s payload\r\nFigure 29. LockBit 3.0’s main binary\r\nFigure 30. LockBit 3.0’s encrypted files with 19MqZqZ0s appended to their names\r\nThe payload of this specific LockBit 3.0 sample checks for only three hashed arguments (Figure 31), while the previous\r\nLockBit 3.0 sample checks for eight. Its DLL payload is reflectively loaded, and the codes of its propagation routine via\r\nadmin shares and group policy are designed for PE (Portable Executable) binaries, not for a PowerShell script, which\r\nmight explain why some of the routines don’t work. Another possibility is that LockBit 3.0’s ransomware builder might\r\nhave the option to disable certain routines. 
This LockBit 3.0 sample with the PowerShell script doesn’t need a pass\r\n“key” to run even if there is a check for the -pass argument, although the rest of its routines are the same as those in the\r\nabovementioned sample with a Win32 .exe file.\r\nFigure 31. The hashed arguments in the LockBit 3.0 sample with a PowerShell script\r\nLocking out ransomware attacks\r\nThe LockBit ransomware gang led the ransomware-as-a-service (RaaS) scene in the first quarter of 2022, with 220 self-reported successful RaaS and extortion attacks. One headline-making attack reportedly took place in January, during\r\nwhich LockBit operators claimed to have breached France’s Ministry of Justice. It would be no surprise if some of\r\nBlackMatter’s affiliates had joined the ranks of the LockBit group, considering LockBit’s recent rise in notoriety, which\r\nwould explain the many similarities between the two pieces of ransomware.\r\nWith the release of this latest variant — and the launch of LockBit’s bug bounty program, which rewards its affiliates —\r\nwe expect the LockBit ransomware group to be even more active in the coming days. We advise organizations and end\r\nusers to be wary of this new variant, especially since the bug bounty program might help the operators in making their\r\nransomware an even more formidable one. Best practices for mitigating the risk of a ransomware attack include:\r\nFollowing the 3-2-1 rule, which involves backing up files in three copies in two different formats, with one copy\r\nstored off-site. This is a precautionary measure to avoid data loss in case of a ransomware attack.\r\nRemaining vigilant against socially engineered emails to reduce the risk of a ransomware infection, as\r\nransomware is commonly spread through malicious spam email attachments.\r\nKeeping applications and programs up to date. 
Regular patching ensures that software vulnerabilities that\r\nransomware actors could exploit as entry points can be addressed in a timely fashion.\r\nOrganizations can benefit from a multilayered approach that can help guard possible entry points into a system\r\n(endpoint, email, web, and network). Trend Micro offers a suite of security solutions that can detect malicious\r\ncomponents and suspicious behavior, and improve an enterprise’s security posture. Trend Micro Vision One™ provides\r\nmultilayered protection and behavior detection, which helps block suspicious behavior early in a system before a\r\nransomware infection can do irreversible damage. Trend Micro™ Deep Discovery™ Email Inspector uses custom\r\nsandboxing and advanced analysis techniques to block malicious emails, including phishing emails that are common\r\nentry points for ransomware. Additionally, Trend Micro Apex One™ offers automated threat detection and response to\r\nprotect endpoints from more advanced concerns such as fileless threats and ransomware.\r\nIndicators of compromise (IOCs)\r\nSource: 
https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html"
	],
	"report_names": [
		"lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434716,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/074b436e0630782b9c9d85e31bb9c403d6499625.pdf",
		"text": "https://archive.orkl.eu/074b436e0630782b9c9d85e31bb9c403d6499625.txt",
		"img": "https://archive.orkl.eu/074b436e0630782b9c9d85e31bb9c403d6499625.jpg"
	}
}