{
	"id": "b581bcd1-9712-43fa-923e-f9382d8a61f1",
	"created_at": "2026-04-06T00:09:44.845105Z",
	"updated_at": "2026-04-10T13:11:40.45544Z",
	"deleted_at": null,
	"sha1_hash": "5ba63dbcc8660a03c98d95f0c3196e1d2aa13e8d",
	"title": "LockBit 3.0 Update | Unpicking the Ransomware's Latest Anti-Analysis and Evasion Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2469952,
	"plain_text": "LockBit 3.0 Update | Unpicking the Ransomware's Latest Anti-Analysis and Evasion Techniques\r\nBy Jim Walter\r\nPublished: 2022-07-21 · Archived: 2026-04-05 12:51:10 UTC\r\nBy Jim Walter \u0026 Aleksandar Milenkoski\r\nLockBit 3.0 ransomware (aka LockBit Black) is an evolution of the prolific LockBit ransomware-as-a-service\r\n(RaaS) family, which has roots that extend back to BlackMatter and related entities. After critical bugs were\r\ndiscovered in LockBit 2.0 in March 2022, the authors began work on updating their encryption routines and\r\nadding several new features designed to thwart researchers. In June 2022, LockBit 3 caught the interest of the\r\nmedia as the ransomware operators announced they were offering a ‘bug bounty’ to researchers. In this post, we\r\nprovide an overview of the LockBit 3.0 ransomware update and offer a technical dive for researchers into LockBit\r\n3.0’s anti-analysis and evasion features.\r\nLockBit 3.0 Changes and New Features Since LockBit 2.0\r\nAround June of 2022, operators and affiliates behind LockBit ransomware began the shift to LockBit 3.0.\r\nAdoption of LockBit 3.0 by affiliates has been rapid, and numerous victims have been identified on the new\r\n“Version 3.0” leak sites, a collection of public blogs naming non-compliant victims and leaking extracted data.\r\nLockBit 3 ransomware leaks site\r\nIn order to improve resilience, the operators have been aggressive with regards to standing up multiple mirrors for\r\ntheir leaked data and publicizing the site URLs.\r\nhttps://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques\r\nPage 1 of 12\n\nLockBit has also added an instant search tool to their leaks site.\r\nUpdated LockBit leak site with new Search feature\r\nThe authors of LockBit 3.0 have introduced new management features for affiliates and added Zcash for victim\r\npayments in addition to Monero and Bitcoin.\r\nThe ransomware authors also claim to have opened a public “bug bounty” program. Ostensibly, this appears to be\r\nan effort to improve the quality of the malware, and financially reward those that assist.\r\nOn top of that, there is a purported $1 million reward on offer to anyone who can uncover the identity of the\r\nprogram affiliate manager. Understandably, given the criminal nature of the operators, would-be researchers may\r\nfind that reporting bugs to a crimeware outfit may not lead to the promised payout but could lead to criminal\r\ncharges from law enforcement.\r\nLockBit 3.0 Payloads and Encryption\r\nThe updated LockBit payloads retain all the prior functionality of LockBit 2.0.\r\nInitial delivery of the LockBit ransomware payloads is typically handled via 3rd party frameworks such as Cobalt\r\nStrike. As with LockBit 2.0, we have seen infections occur down the chain from other malware components as\r\nwell, such as a SocGholish infection dropping Cobalt Strike, which in turn delivers the LockBit 3 ransomware.\r\nThe payloads themselves are standard Windows PE files with strong similarities to prior generations of LockBit as\r\nwell as BlackMatter ransomware families.\r\nhttps://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques\r\nPage 2 of 12\n\nPEStudio view of LockBit 3.0 Payload\r\nLockBit ransomware payloads are designed to execute with administrative privileges. In the event that the\r\nmalware does not have the necessary privileges, a UAC bypass will be attempted (CMSTP).\r\nLockBit 3.0 achieves persistence via installation of System Services. Each execution of the payload will install\r\nmultiple services. We have observed the following service names in conjunction with LockBit 3.0 ransomware\r\npayloads.\r\nSecurityHealthService\r\nSense\r\nsppsvc\r\nWdBoot\r\nWdFilter\r\nWdNisDrv\r\nWdNisSvc\r\nWinDefend\r\nwscsvc\r\nvmicvss\r\nvmvss\r\nVSS\r\nEventLog\r\nAs with previous versions, LockBit 3.0 will attempt to identify and terminate specific services if found. The\r\nfollowing service names are targeted for termination in analyzed LockBit 3.0 samples:\r\nbackup\r\nGxBlr\r\nGxCIMgr\r\nGxCVD\r\nGxFWD\r\nhttps://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques\r\nPage 3 of 12\n\nGxVss\r\nmemtas\r\nmepocs\r\nmsexchange\r\nsophos\r\nsql\r\nsvc$\r\nveeam\r\nvss\r\nIn addition, the following processes are targeted for termination:\r\nagntsvc\r\ndbeng50\r\ndbsnmp\r\nencsvc\r\nexcel\r\nfirefox\r\ninfopath\r\nisqlplussvc\r\nmsaccess\r\nmspub\r\nmydesktopqos\r\nmydesktopservice\r\nnotepad\r\nocautoupds\r\nocomm\r\nocssd\r\nonenote\r\noracle\r\noutlook\r\npowerpnt\r\nregistry\r\nsqbcoreservice\r\nsteam\r\nsynctime\r\ntbirdconfig\r\nthebat\r\nthunderbird\r\nvisio\r\nwinword\r\nwordpad\r\nxfssvccon\r\nLockBit 3.0 writes a copy of itself to the %programdata% directory, and subsequently launches from this process.\r\nhttps://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques\r\nPage 4 of 12\n\nThe encryption phase is extremely rapid, even when spreading to adjacent hosts. The ransomware payloads were\r\nable to fully encrypt our test host in well under a minute.\r\nOn execution, the LockBit 3.0 ransomware will drop newly-formatted ransom notes along with a change to the\r\ndesktop background. Interestingly, notepad and wordpad are included in the list of prescribed processes as noted\r\nabove. Therefore, if a victim attempts to open the ransom note immediately after it is dropped, it will promptly\r\nclose since the process is blocked until the ransomware completes its execution.\r\nThe new LockBit 3.0 ransomware desktop wallpaper is a simple text message on a black background.\r\nLockBit 3.0 Desktop Wallpaper\r\nThe extension appended to newly encrypted files will also differ per campaign or sample.  For example, we have\r\nseen “HLJkNskOq” and “futRjC7nx”. Both encrypted files and the ransom notes will be prepended with the\r\ncampaign-specific string.\r\nfutRjC7nx.README\r\nHLJkNskOq.README\r\nDuring our analysis, we observed infected machines shutting down ungracefully approximately 10 minutes after\r\nthe ransomware payload was launched. This behavior may vary per sample, but it is worth noting.\r\nPost-infection, LockBit 3.0 victims are instructed to make contact with their attacker via their TOR-based\r\n“support” portal.\r\nhttps://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques\r\nPage 5 of 12\n\nLockBit 3.0 Ransom Note Excerpt\r\nLockBit 3 Anti-Analysis \u0026 Evasion\r\nThe LockBit 3.0 ransomware uses a variety of anti-analysis techniques to hinder static and dynamic analysis, and\r\nexhibits similarities to the BlackMatter ransomware in this regard. These techniques include code packing,\r\nobfuscation and dynamic resolution of function addresses, function trampolines, and anti-debugging techniques.\r\nIn this section, we cover some of the anti-analysis techniques that LockBit 3.0 uses.\r\nLockBit 3.0 payloads require a specific passphrase to execute. The passphrase is unique to each sample or\r\ncampaign and serves to hinder dynamic and sandbox analysis if the passphrase has not been recovered along with\r\nthe sample. A similar technique has been used by Egregor and BlackCat ransomware. The passphrase is provided\r\nupon execution via the -pass parameter. For example,\r\nlockbit.exe -pass XX66023ab2zyxb9957fb01de50cdfb6\r\nEncrypted content located in the LockBit 3.0 payload is decrypted at runtime using an XOR mask. The images\r\nbelow show the content of the ransomware’s .text executable segment before (label 1) and after (label 2) the\r\nransomware has decrypted the segment content. The .text segment starts at the virtual address 0x401000.\r\nhttps://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques\r\nPage 6 of 12\n\nThe content of the ransomware’s .text executable segment\r\nLockBit 3.0 also first stores in heap memory and then uses trampolines for executing functions, for example, the\r\nWindows system calls NtSetInformationThread and ZwProtectVirtualMemory . The ransomware obfuscates the\r\nfunction addresses that the trampolines execute using the XOR and/or bit rotation obfuscation technique.\r\nhttps://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques\r\nPage 7 of 12\n\nSome of the function trampolines LockBit 3.0 implements\r\nSeveral techniques are implemented for detecting the presence of a debugger and hindering dynamic analysis. For\r\nexample, the ransomware evaluates whether heap memory parameters that indicate the presence of a debugger are\r\nset. Such flags are HEAP_TAIL_CHECKING_ENABLED (0x20) and\r\nHEAP_VALIDATE_PARAMETERS_ENABLED (0x40000000).\r\nLockBit 3.0 examines the ForceFlags value in its PEB (Process Environment Block) to evaluate whether\r\nHEAP_VALIDATE_PARAMETERS_ENABLED is set.\r\nLockBit 3.0 evaluates whether HEAP_VALIDATE_PARAMETERS_ENABLED is set\r\nThe ransomware also evaluates whether the 0xABABABAB byte signature is present at the end of heap memory\r\nblocks that it has previously allocated. The presence of this byte signature means that\r\nHEAP_TAIL_CHECKING_ENABLED is set.\r\nLockBit 3.0 evaluates whether HEAP_TAIL_CHECKING_ENABLED is set\r\nhttps://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques\r\nPage 8 of 12\n\nThe LockBit 3.0 ransomware executes the NtSetInformationThread function through a trampoline, such that the\r\nThreadHandle and ThreadInformationClass function parameters have the values of 0xFFFFFFFE and 0x11\r\n( ThreadHideFromDebugger ). This stops the flow of events from the current ransomware’s thread to an attached\r\ndebugger, which effectively hides the thread from the debugger and hinders dynamic analysis.\r\nLockBit 3.0 executes NtSetInformationThread\r\nIn addition, LockBit scrambles the implementation of the DbgUiRemoteBreakin function to disable debuggers\r\ntrying to attach to the ransomware process. When it executes, LockBit 3.0 ransomware:\r\nResolves the address of DbgUiRemoteBreakin .\r\nExecutes the ZwProtectVirtualMemory function through a trampoline to apply the\r\nPAGE_EXECUTE_READWRITE (0x40) protection to the first 32 bytes of the memory region where the\r\nimplementation of DbgUiRemoteBreakin resides. This makes the bytes writable.\r\nExecutes the SystemFunction040 (RtlEncryptMemory) function through a trampoline to encrypt the bytes\r\nthat the ransomware has previously made writable. This scrambles the implementation of the\r\nDbgUiRemoteBreakin function and disables debuggers to attach to the ransomware process.\r\nhttps://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques\r\nPage 9 of 12\n\nLockBit 3.0 modifies the implementation of the DbgUiRemoteBreakin function\r\nThe images below depict the implementation of the DbgUiRemoteBreakin function before (label 1) and after\r\n(label 2) the LockBit 3.0 ransomware has modified the implementation of the function.\r\nThe implementation of the DbgUiRemoteBreakin function\r\nConclusion\r\nLockBit has fast become one of the more prolific ransomware-as-a-service operators out there, taking over from\r\nConti after the latter’s fractious fallout in the wake of the Russian invasion of Ukraine.\r\nhttps://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques\r\nPage 10 of 12\n\nLockBit’s developers have shown that they are quick to respond to problems in the product they are offering and\r\nthat they have the technical know-how to keep evolving. The recent claim to be offering a ‘bug bounty’, whatever\r\nits true merits, displays a savvy understanding of their own audience and the media landscape that surrounds the\r\npresent tide of crimeware and enterprise breaches.\r\nShort of intervention by law enforcement, we expect to see LockBit around for the forseeable future and further\r\niterations of what is undoubtedly a very successful RaaS operation. As with all ransomware, prevention is better\r\nthan cure, and defenders are encouraged to ensure that they have comprehensive ransomware protection in place.\r\nSentinelLabs will continue to offer updates and reports on LockBit activity as it develops.\r\nIndicators of Compromise\r\nSHA256\r\nf9b9d45339db9164a3861bf61758b7f41e6bcfb5bc93404e296e2918e52ccc10\r\na56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e\r\nd61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee\r\nSHA1\r\nced1c9fabfe7e187dd809e77c9ca28ea2e165fa8\r\n371353e9564c58ae4722a03205ac84ab34383d8c\r\nc2a321b6078acfab582a195c3eaf3fe05e095ce0\r\n.ONION domains\r\nlockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead[.]onion\r\nlockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd[.]onion\r\nlockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd[.]onion\r\nlockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd[.]onion\r\nlockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd[.]onion\r\nlockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd[.]onion\r\nlockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid[.]onion\r\nlockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd[.]onion\r\nlockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd[.]onion\r\nlockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd[.]onion\r\nlockbitsupa7e3b4pkn4mgkgojrl5iqgx24clbzc4xm7i6jeetsia3qd[.]onion\r\nlockbitsupdwon76nzykzblcplixwts4n4zoecugz2bxabtapqvmzqqd[.]onion\r\nlockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd[.]onion\r\nlockbitsupo7vv5vcl3jxpsdviopwvasljqcstym6efhh6oze7c6xjad[.]onion\r\nlockbitsupq3g62dni2f36snrdb4n5qzqvovbtkt5xffw3draxk6gwqd[.]onion\r\nlockbitsupqfyacidr6upt6nhhyipujvaablubuevxj6xy3frthvr3yd[.]onion\r\nlockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd[.]onion\r\nlockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd[.]onion\r\nlockbitsupxcjntihbmat4rrh7ktowips2qzywh6zer5r3xafhviyhqd[.]onion\r\nhttps://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques\r\nPage 11 of 12\n\nMITRE ATT\u0026CK\r\nT1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nT1543.003 – Create or Modify System Process: Windows Service\r\nT1055 – Process Injection\r\nT1070.001 – Indicator Removal on Host: Clear Windows Event Logs\r\nT1622 – Debugger Evasion\r\nT1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control\r\nT1485 – Data Destruction\r\nT1489 – Service Stop\r\nT1490 – Inhibit System Recovery\r\nT1003.001 – OS Credential Dumping: LSASS Memory\r\nT1078.002 – Valid Accounts: Domain Accounts\r\nT1078.001 – Valid Accounts: Default Accounts\r\nT1406.002 – Obfuscated Files or Information: Software Packing\r\nT1218.003 – System Binary Proxy Execution: CMSTP\r\nT1047 – Windows Management Instrumentation\r\nT1119 – Automated Collection\r\nSource: https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques\r\nhttps://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques"
	],
	"report_names": [
		"lockbit-3-0-update-unpicking-the-ransomwares-latest-anti-analysis-and-evasion-techniques"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434184,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ba63dbcc8660a03c98d95f0c3196e1d2aa13e8d.pdf",
		"text": "https://archive.orkl.eu/5ba63dbcc8660a03c98d95f0c3196e1d2aa13e8d.txt",
		"img": "https://archive.orkl.eu/5ba63dbcc8660a03c98d95f0c3196e1d2aa13e8d.jpg"
	}
}