1/9

Lockbit 3.0 AKA Lockbit Black is here, with a new icon,
new ransom note, new wallpaper, but less evasiveness?

blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-
less-evasiveness

Tweet

https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness
https://blog.minerva-labs.com/lockbit-3.0-aka-lockbit-black-is-here-with-a-new-icon-new-ransom-note-new-wallpaper-but-less-evasiveness
https://twitter.com/share


2/9

This month the Lockbit ransomware gang announced their first Bug Bounty program as part
of their evolution into Lockbit 3.0.  A first sample of the new version was published by Arda
Büyükkaya. According to their new ransomware wallpaper that appears after encryption, this
specific version has been named ‘Lockbit Black’, which interestingly follows their new
execution method which is pretty similar to the BlackCat ransomware execution method.
There are actually even more similarities between the two ransomwares. 

Lockbit Black - Execution 

 The new Lockbit ransomware requires a “pass” to be supplied as a parameter upon
execution, Similar to BlackCat with requires an “access-token”. The “pass” for the published
sample was also provided by Arda Büyükkaya: 

 

Figure 1 - The execution command 

Lockbit Black – Packer and dynamic imports 

Lockbit Black is well packed, and its imports table is almost empty. Most API functions calls
are resolved dynamically by calling a trampoline function which decrypts the API function
using XOR encryption: 

 

Figure 2 - Trampoline function performing XOR encryption 

Lockbit Black – UAC bypass 

When executing without Admin privileges, Lockbit Black (much like its previous versions)
performs a CMSTPLUA COM UAC bypass. 

Lockbit Black – Service Delete and Process Termination 

Lockbit Black enumerates services and processes against a pre-defined “Blacklist”. The new
version however has a much shorter list than its predecessors. The list is effectively a
“Blacklist”, and all services that appear in the list are designated to be either deleted. The

https://twitter.com/WhichbufferArda
https://twitter.com/WhichbufferArda


3/9

service list of the new version seems like a combined and shorter version of the services that
were previously deleted by Lockbit and BlackCat together and contains: 

1. vss 
2. sql 
3. svc$ 
4. memtas 
5. mepocs 
6. msexchange 
7. sophos 
8. veeam 
9. backup 

10. GxVss 
11. GxBlr 
12. GxFWD 
13. GxCVD 
14. GxCIMgr 

 

Figure 3 - Service deletion by Lockbit Black 

The new Lockbit also uses the same method to terminate a number of processes if they are
found to be running on victim’s PC: 

1. sql 
2. oracle 
3. ocssd 
4. dbsnmp 
5. synctime 
6. agntsvc 
7. isqlplussvc 
8. xfssvccon 
9. mydesktopservice 



4/9

10. ocautoupds 
11. ncsvc 
12. firefox 
13. tbirdconfig 
14. mydesktopqos 
15. ocomm 
16. dbeng50 
17. sqbcoreservice 
18. excel 
19. infopath 
20. msaccess 
21. mspub 
22. onenote 
23. outlook 
24. powerpnt 
25. steam 
26. thebat 
27. thunderbird 
28. visio 
29. winword 
30. wordpad 
31. notepad 

 

Figure 4 - Process Termination 

Lockbit Black – Default language check 

Previous versions of the Lockbit ransomware performed a default language check on the
system and the current user through the Windows API calls GetSystemDefaultUILanguage
and GetUserDefaultUILanguage. If the language code identifier matched the one specified,
the program shuts down. The new version seems to extend the country list to also include
Syria: 



5/9

New Version 

419 – Russian 

422 – Ukrainian 

423 – Belarusian 

428 – Tajik 

42B - Armenian 

42C – Azerbaijani (Latin) 

437 – Georgian  

43F – Kazakh 

440 – Kyrgyz  

442 – Turkmen  

443 – Uzbek (Latin) 

444 – Tatar 

818 - Romanian (Moldova) 

819 - Russian (Moldova) 

82C – Azerbaijani (Cyrillic) 

843 - Uzbek (Cyrillic) 

2801 - Arabic (Syria) 



6/9

 

 

Lockbit Black – Mutex 

Lockbit Black creates a “2cae82bd1366f4e0fdc7a9a7c12e2a6b” mutex. 

Lockbit Black – New icon, wallpaper and ransom note 

 Lockbit's Black’s icon, wallpaper and ransom note were updated in the new version: 

 

 Figure 5 - Lockbit Black icon 

 

Figure 6 - Lockbit Black wallpaper 



7/9

 

Figure 7 - Part of the new ransom note 

The new ransom note comes in the form of a text file and contains a reference to Elon
Musk’s Twitter (Ilon Musk), but with a link to a more generic #lockbit hashtag page on
Twitter. 

 There are several chat list URLs added to the link which lead to several Lockbit Darknet
websites. 

 

Lockbit Black – hiding threads from the debugger 

Hiding threads from the debugger is not a new behavior for Lockbit but is has increased
usage in the new version. The thread hiding is performed by calling the
NtSetInformationThread API with the undocumented value
THREAD_INFORMATION_CLASS::ThreadHideFromDebugger (0x11): 



8/9

 

Figure 8 - hiding thread from the debugger 

Lockbit Black –Windows Defender Log tampering 

In order to disable Windows Defender logs, Lockbit Black sets
‘HKLMSoftware\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-
Windows Defender/Operational\Enabled’ to ‘0’ as well changing the ‘ChannelAccess’ to
‘(O:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)’. 

 

Figure 9 - Windows Defender Log Disabled 

As in most ransomware cases the encryption is performed by several threads for faster and
efficient work. 

 



9/9

Minerva Lockbit 3.0 Prevention of the UAC bypass 

 Minerva customers don't need to worry, as many of Minerva's modules block Lockbit Black
in its earliest stages, including the UAC Bypass stage, shutting it down completely before the
encryption stage even begins.

 

Figure 10 - UAC bypass prevention by Minerva