{
	"id": "61fd1029-b6e6-465d-8d15-945e59cf96f4",
	"created_at": "2026-04-06T00:08:19.367989Z",
	"updated_at": "2026-04-12T02:21:03.344691Z",
	"deleted_at": null,
	"sha1_hash": "8783031f81fa7393b75d1736905913866a368160",
	"title": "Lockbit 3.0: Another Upgrade to World’s Most Active Ransomware - SOCRadar® Cyber Intelligence Inc.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70060,
	"plain_text": "Lockbit 3.0: Another Upgrade to World’s Most Active\r\nRansomware - SOCRadar® Cyber Intelligence Inc.\r\nPublished: 2023-04-17 · Archived: 2026-04-02 10:36:22 UTC\r\nLast Update: April 17, 2023\r\nThe LockBit Ransomware gang, also known as Bitwise Spider, are the cybercriminal masterminds behind the popular\r\nLockbit Ransomware-as-a-service. They are one of the most active ransomware gangs, generally with multiple\r\nvictims per day, sometimes more. On March 16, 2022, they began continuously announcing new victims on their\r\nDark Web site much faster than any other ransomware group. SOCRadar has detected more than 22 victims in 48\r\nhours. \r\nOrigins of the LockBit Ransomware\r\nThey began their operations in September 2019 as ABCD ransomware and then changed the name to Lockbit.\r\nThey rebranded and came back with even better ransomware in June 2021, as Lockbit 2.0. We have seen\r\nthat the Lockbit 2.0 ransomware introduced new features such as shadow copy and log file deletion to make\r\nrecovery harder for the victims. In addition, Lockbit has the fastest encryption speed among the most popular\r\nransomware gangs, with around 25 thousand files encrypted in under one minute.\r\nThe gang is believed to have originated in Russia. According to a detailed analysis of Lockbit 2.0, the ransomware\r\nchecks the default system language and stops the attack without encrypting if the victim system’s language is\r\nRussian or the language of one of the nearby countries.\r\nLockbit 2.0 checks the language of the victim machine\r\nLockbit on Russia – Ukraine Cyberwar \r\nIn the cyber crisis between Russia and Ukraine, which began on February 23rd, 2022, Lockbit announced that it\r\nwould not participate in the cyberattacks. They announced that they would not take part in cyberattacks on\r\ninternational conflicts. They are only in it for the business and do not care about politics. 
Another very active\r\nransomware gang also believed to be from Russia, Conti, stated that they would be siding with Russia, which\r\nsome members of Conti were not pleased with. Following the events, some insider members of Conti began\r\nleaking internal chat logs and source code for the Conti locker and decryptor. You can read more about the Conti\r\nLeaks in our blog post.\r\nLockbit’s announcement on the Russia-Ukraine Cyberwar\r\nA funny detail about the gang is that they are confident in their skills and arrogant. On March 25, 2022, a member\r\nof Lockbit announced on a hacker forum that they’ll be giving a million dollars to an FBI agent who can doxx\r\nthem, placing a million-dollar bounty on their own head.\r\nhttps://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/\r\nPage 1 of 3\n\nA member of Lockbit placing bounty on its own head\r\nDark Web Gossips: Lockbit 3.0 Emerging \r\nThe FBI’s cyber division published an FBI Flash security advisory on Lockbit 2.0’s Indicators of Compromise\r\n(IOCs) on March 4th, 2022. After the FBI’s advisory, a user in a Dark Web forum posted a forum entry with\r\nthe title “Kockbit fuckup thread.” In the post, the user addresses the bugs found in Lockbit 2.0 ransomware and a\r\nrecovery method for the victims, addressing the FBI’s advisory along with Microsoft’s Detection and Response\r\nTeam’s (DART’s) research on Lockbit. Below, you can find the links for Microsoft DART’s research. 
Microsoft\r\nDART researchers uncovered bugs in the Lockbit 2.0 ransomware and exploited them\r\nto successfully revert the encryption process on an MSSQL database of one of\r\nLockbit’s victims.\r\nhttps://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-1-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254354\r\nhttps://techcommunity.microsoft.com/t5/security-compliance-and-identity/part-2-lockbit-2-0-ransomware-bugs-and-database-recovery/ba-p/3254421\r\nDark web forum post on Lockbit bugs and a recovery method\r\nA member of the Lockbit ransomware group commented on the post, explaining the reason for the MSSQL\r\nbug. The Lockbit member says the bug will not exist in Lockbit 3.0, signaling the newest version’s release.\r\nLockbit member’s comment on the post\r\nA couple of days later, on March 17, the cyber research team vx-underground posted a screenshot of their\r\ntalks with one of Lockbit’s associates. In the screenshot, the vx-underground researcher asks when Lockbit 3.0 is\r\nbeing released, and the Lockbit affiliate says the newest version will be released in one or two weeks. \r\nSource: vx-underground\r\nLockBit Ransomware Gang Develops Encryptors Targeting MacOS For The First\r\nTime\r\nThe LockBit ransomware gang has created encryptors targeting macOS for the first time, making them the first\r\nmajor ransomware group to specifically target macOS. \r\nCybersecurity researchers discovered previously unknown encryptors for ARM, FreeBSD, MIPS, and SPARC\r\nCPUs, including an encryptor named ‘locker_Apple_M1_64’ [VirusTotal] for newer Macs running on Apple\r\nSilicon. \r\nThe encryptors appear to be in the testing phase and are not yet ready for deployment in actual attacks against\r\nmacOS devices. 
\r\nWardle, a macOS cybersecurity expert, confirmed that the macOS encryptor is based on the Linux version and is\r\nfar from complete, lacking the functionality to encrypt Macs properly. On Objective See, you can read Wardle’s\r\ncomprehensive technical analysis of the new Mac encryptor.\r\nThe LockBit ransomware gang has confirmed to BleepingComputer that they are actively developing a Mac\r\nencryptor, but given their history of misleading researchers, it is unclear whether this is true. If true, we may see\r\nmore sophisticated and production-ready versions of the Mac encryptor.\r\nThe Lockbit group is still using the Lockbit 2.0 name, but we can expect an update in the following month. It has\r\nbeen two weeks since vx-underground tweeted their conversation with the Lockbit affiliate, but the Lockbit team\r\nhas no deadline to uphold. They can release the new version whenever they want.\r\nThe new features and upgrades in Lockbit 3.0 are still a mystery. The SOCRadar CTIA team will follow the updates\r\nregarding Lockbit 3.0 and bring you the latest updates.\r\nStay Up-to-date About Lockbit and Other Ransomware Groups\r\nSOCRadar’s ThreatShare keeps you updated about ransomware gangs\r\nSOCRadar’s Extended Threat Intelligence module, ThreatShare, allows you to keep up to date with the\r\ndevelopments regarding ransomware groups by following communication channels such as deep and darknet\r\nforums, social media, Telegram, ICQ, etc. Shares are provided along with screenshots and texts.\r\nSOCRadar’s analyst team translates the collected raw data into contextual intelligence and presents it in a\r\nsearchable interface. 
It helps your SOC team develop security strategies based on country, sector, or region.\r\nSource: https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/"
	],
	"report_names": [
		"lockbit-3-another-upgrade-to-worlds-most-active-ransomware"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-12T02:00:03.602556Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-12T02:00:04.857156Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-12T02:00:04.70216Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3940f08b-39aa-492c-8699-86bfe515fa70",
			"created_at": "2023-01-06T13:46:39.470535Z",
			"updated_at": "2026-04-12T02:00:03.405077Z",
			"deleted_at": null,
			"main_name": "BITWISE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:BITWISE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-12T02:00:03.244893Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-12T02:00:04.490902Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434099,
	"ts_updated_at": 1775960463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8783031f81fa7393b75d1736905913866a368160.pdf",
		"text": "https://archive.orkl.eu/8783031f81fa7393b75d1736905913866a368160.txt",
		"img": "https://archive.orkl.eu/8783031f81fa7393b75d1736905913866a368160.jpg"
	}
}