{
	"id": "4860b44a-5bfa-4b3a-a237-85b4c98f35da",
	"created_at": "2026-04-06T00:09:06.82492Z",
	"updated_at": "2026-04-10T03:21:15.034603Z",
	"deleted_at": null,
	"sha1_hash": "66c9e6fe00d33df8c3968787330d059dc9b07627",
	"title": "THREAT ANALYSIS: Assemble LockBit 3.0",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 482489,
	"plain_text": "THREAT ANALYSIS: Assemble LockBit 3.0\r\nBy Cybereason Global SOC Team\r\nArchived: 2026-04-05 17:56:10 UTC\r\nCybereason issues Threat Analysis reports to investigate emerging threats and provide practical recommendations\r\nfor protecting against them.\r\nIn this Threat Analysis report, Cybereason investigates the LockBit 3.0 builder and DLL binaries, which are not\r\nwell known in the wild.\r\nKey Points\r\nExpanding the markets: The LockBit ransomware group provides various tools with constant version\r\nupdates for specific purposes, such as exfiltration. The ransomware group has expanded its target regions\r\nby making the location check optional. These updates are made to appeal to wider audiences within the\r\nunderground market.\r\nBinary customizations: The LockBit builder provides a variety of options to build the LockBit\r\nransomware binaries. The builder provides configuration settings to alter LockBit’s behavior, as well\r\nas the binary type. These options allow ransomware affiliates to customize LockBit to their operational needs.\r\nInvestment in obfuscation: The LockBit 3.0 ransomware is well known for its passphrase protection; however,\r\nthe ransomware also has other obfuscation techniques such as removing debugger hooks and\r\nself-deletion. The ransomware is known to invest in its obfuscation and anti-analysis techniques to protect itself\r\nfrom defenders.\r\nWhat’s happening?\r\nThe LockBit ransomware operation group has been active since 2019. LockBit ransomware has been a popular\r\nchoice of Ransomware-as-a-Service (RaaS) amongst the ransomware affiliate community. 
Due to its popularity,\r\nthe group has updated and created various versions to meet market demand.\r\nLockBit 3.0 affiliates operate following an initial access vector (RDP, phishing campaigns or CVE exploitation).\r\nOnce in the victim network, they spread laterally using SMB, PsExec, and Group Policy.\r\nBefore executing the ransomware that will encrypt the victim’s files, data exfiltration is carried out, employing tools\r\nlike StealBit, Rclone or WinSCP, and data is uploaded either to private servers or to public upload websites such as\r\nMEGA. Once LockBit 3.0 is executed, it erases logs, uses AES and RSA for hybrid encryption and tampers with\r\npotential data backup mechanisms.\r\nLockBit: Comes in different colors\r\nhttps://www.cybereason.com/blog/threat-analysis-assemble-lockbit-3\r\nPage 1 of 8\n\nThe currently known versions of LockBit targeting Windows are as follows:\r\nLockBit\r\nLockBit 2.0\r\nLockBit 3.0 (LockBit Black)\r\nSince 2023, two new versions were introduced:\r\nLockBit Green (based on Conti ransomware)\r\nLockBit Red (which is actually LockBit 2.0)\r\nLockBit ransomware launched its first version in September 2019, and updates have been made constantly. Some\r\nnotable updates include the following:\r\nLockBit to LockBit 2.0\r\nShadow copy deletion via vssadmin\r\nUser Account Control (UAC) bypass\r\nRansom note printing via printers\r\nSelf-propagation\r\nLockBit 2.0 to LockBit 3.0\r\nImplementing BlackMatter ransomware logic\r\nShadow copy deletion via Windows Management Instrumentation (WMI)\r\nPassword protection\r\nPersistence via system services\r\nAPI harvesting\r\nDisplays the ransom note as the desktop wallpaper\r\nThe LockBit ransomware group is heavily invested in the development of its own tooling, which is evident from\r\nthe timely version updates as well as the creation of its own exfiltration tool, StealBit. 
\r\nThe LockBit ransomware group is also keen to expand its market by adding additional target operating systems such as\r\nLockBit Linux/ESXi, which targets Linux machines. A macOS variant was also released in April 2023.\r\nThe LockBit ransomware group was also known to introduce a bug bounty program to “improve” the\r\ngroup’s operation.\r\nLockBit Builder\r\nDespite their active operations and meeting affiliates’ demands, in September 2022, Twitter/X user ali_qushji\r\n(account is now suspended) uploaded the LockBit 3.0 builder to GitHub and made it available to the public for\r\ndownload. This leak allowed defenders to further analyze and better understand the ransomware. However, this\r\nleak also led to other ransomware gangs, such as the BlooDy Ransomware Gang, abusing the builder.\r\nTweet on LockBit Builder leak by @3xp0rt\r\nAlthough the LockBit executable is the most common binary used by ransomware affiliates, the builder also\r\nprovides two additional executable types:\r\nLb3_rundll32.dll: A regular dynamic-link library (DLL) with multiple exported functions that execute the\r\nnecessary LockBit functionality.\r\nLb3_reflectivedll_dllmain.dll: A DLL designed for reflective injection.\r\nIn this report, the technical analysis includes two sections:\r\nLockBit Builder Analysis: Overview of the builder’s configuration options and the process of creating the binaries.\r\nLockBit Binary Analysis: Covers the key points of the DLL binaries. 
\r\nDETECTION AND PREVENTION OF THE LOCKBIT RANSOMWARE\r\nThe Cybereason Defense Platform is able to detect and prevent LockBit infections using multi-layer\r\nprotection that detects and blocks malware with threat intelligence, machine learning, and Next-Gen Antivirus\r\n(NGAV) capabilities:\r\nThe Cybereason Defense Platform creates a MalOp based on ransomware behavior\r\nCybereason Recommendations:\r\nFollow and hunt LockBit affiliates’ activity in order to identify pre-ransomware behaviors.\r\nCISA provides valuable insights about common behaviors of this threat actor.\r\nMonitor and patch Common Vulnerabilities and Exposures (CVEs) exploited by this threat actor, such as:\r\nCVE-2023-0669: Fortra GoAnywhere Managed File Transfer (MFT) Remote Code Execution\r\nVulnerability\r\nCVE-2023-27350: PaperCut MF/NG Improper Access Control Vulnerability\r\nCVE-2018-13379: Fortinet FortiOS Secure Sockets Layer (SSL) Virtual Private Network (VPN)\r\nPath Traversal Vulnerability\r\nPromote cybersecurity best practices such as multifactor authentication and patch management.\r\nFor Cybereason customers on the Cybereason Defense Platform:\r\nEnable Application Control to block the execution of malicious files.\r\nEnable Anti-Ransomware in your environment’s policies, set the Anti-Ransomware mode to\r\nPrevent, and enable Shadow Copy detection to ensure maximum protection against ransomware.\r\nEnable Variant Payload Prevention with prevent mode on Cybereason Behavioral Execution\r\nPrevention.\r\nMITRE ATT\u0026CK MAPPING\r\nTactic Techniques / Sub-Techniques\r\nTA0002: Execution T1047 – Windows Management Instrumentation\r\nTA0002: Execution T1106 – Native API\r\nTA0003: Persistence T1543.003 – Create or Modify System Process: Windows Service\r\nTA0003: Persistence T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nTA0004: 
Privilege Escalation T1078.001 – Valid Accounts: Default Accounts\r\nTA0004: Privilege Escalation T1078.002 – Valid Accounts: Domain Accounts\r\nTA0004: Privilege Escalation T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control\r\nTA0005: Defense Evasion T1055 – Process Injection\r\nTA0005: Defense Evasion T1070.001 – Indicator Removal on Host: Clear Windows Event Logs\r\nTA0005: Defense Evasion T1218.003 – System Binary Proxy Execution: CMSTP\r\nTA0005: Defense Evasion T1406.002 – Obfuscated Files or Information: Software Packing\r\nTA0005: Defense Evasion T1620 – Reflective Code Loading\r\nTA0005: Defense Evasion T1622 – Debugger Evasion\r\nTA0006: Credential Access T1003.001 – OS Credential Dumping: LSASS Memory\r\nTA0008: Lateral Movement T1021.002 – Remote Services: SMB/Windows Admin Shares\r\nTA0009: Collection T1119 – Automated Collection\r\nTA0040: Impact T1485 – Data Destruction\r\nTA0040: Impact T1489 – Service Stop\r\nTA0040: Impact T1490 – Inhibit System Recovery\r\nCybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to\r\neverywhere. Learn more about Cybereason XDR, check out our Extended Detection and Response (XDR) Toolkit,\r\nor schedule a demo today to learn how your organization can benefit from an operation-centric approach to\r\nsecurity.\r\nDOWNLOAD THE FULL THREAT ANALYSIS\r\nThis blog post is a summary of a full 35-page Threat Analysis Report, which can be downloaded below.\r\nClick here to read the full report.\r\nAbout the Researcher\r\nKotaro Ogino, Senior Security Analyst, Cybereason Global SOC\r\nKotaro Ogino is a Senior Security Analyst with the Cybereason Global SOC team. 
He is involved in threat hunting,\r\nadministration of Security Orchestration, Automation, and Response (SOAR) systems, and Extended Detection and Response\r\n(XDR). Kotaro has a Bachelor of Science degree in information and computer science.\r\nAbout the Author\r\nCybereason Global SOC Team\r\nThe Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on\r\nevery continent. Led by cybersecurity experts with experience working for government, the military and multiple\r\nindustry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive\r\nthreats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle\r\nmoves.\r\nSource: https://www.cybereason.com/blog/threat-analysis-assemble-lockbit-3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-analysis-assemble-lockbit-3"
	],
	"report_names": [
		"threat-analysis-assemble-lockbit-3"
	],
	"threat_actors": [],
	"ts_created_at": 1775434146,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/66c9e6fe00d33df8c3968787330d059dc9b07627.pdf",
		"text": "https://archive.orkl.eu/66c9e6fe00d33df8c3968787330d059dc9b07627.txt",
		"img": "https://archive.orkl.eu/66c9e6fe00d33df8c3968787330d059dc9b07627.jpg"
	}
}