{
	"id": "71bffd73-b05f-40a3-914d-6403a779e877",
	"created_at": "2026-04-06T00:22:31.499637Z",
	"updated_at": "2026-04-10T03:20:23.496537Z",
	"deleted_at": null,
	"sha1_hash": "ab7c424e5b8af8ebb3b66d79e6b0788408a4b8fb",
	"title": "Cyble - Lockbit 3.0 - Ransomware Group Launches New Version",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1604528,
	"plain_text": "Cyble - Lockbit 3.0 - Ransomware Group Launches New Version\r\nPublished: 2022-07-05 · Archived: 2026-04-05 15:54:50 UTC\r\nCyble analyzes the return of Lockbit ransomware as Lockbit 3.0/\"Lockbit Black\" and how it has been actively targeting the BFSI sector.\r\nLockBit ransomware is currently one of the most popular and active ransomware groups in the wild. This ransomware variant was first detected in September 2019 and has been used by Threat Actors (TAs) to target multiple sectors and organizations worldwide. The TAs behind LockBit operate under the Ransomware-as-a-Service (RaaS) business model.\r\nIn the figure below, we have prepared a breakdown of the industries targeted by the LockBit ransomware. As per our investigation, we determined that over one-third of the ransomware gang’s victims are from the BFSI sector, followed by the Professional Services sector.\r\nFigure 1 – Industries Targeted by the LockBit Ransomware\r\nhttps://blog.cyble.com/2022/07/05/lockbit-3-0-ransomware-group-launches-new-version/\r\nPage 1 of 11\r\nIn August 2021, LockBit 2.0 ransomware was analyzed by Cyble Research Labs. In March 2022, the TAs behind LockBit announced that LockBit 3.0 would be released shortly. Last week, the TAs updated their leak site with information about their latest version and its features (shown below).\r\nFigure 2 – LockBit 3.0 Ransomware Functionalities\r\nWhile searching for the latest LockBit 3.0 sample, Cyble Research Labs came across a Twitter post in which a researcher mentioned that a new version of the ransomware named “LockBit 3.0” (also referred to as “LockBit Black”) is now active in the wild.\r\nLockBit 3.0 encrypts files on the victim’s machine and appends the extension “HLJkNskOq” to the encrypted files. LockBit ransomware requires a key passed via the command-line argument “-pass” to execute. The below figure shows the process chain of the LockBit ransomware file.\r\nFigure 3 – LockBit 3.0 Ransomware Process Tree\r\nTechnical Analysis\r\nThe sample with SHA256 hash 80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce was taken for this analysis.\r\nBased on static analysis, we identified that the ransomware is encrypted and decrypts its strings and code at runtime.\r\nThe ransomware resolves its API functions dynamically, as shown below.\r\nFigure 4 – Resolved API functions of LockBit 3.0\r\nAfter that, it creates a mutex to ensure that only one instance of the malware is running on the victim’s system at any given time. The malware exits if the mutex is already present. The below figure shows the created mutex name.\r\nFigure 5 – Mutex Creation\r\nThe ransomware creates multiple threads using the CreateThread() API to perform several tasks in parallel for faster file encryption, as shown in Figure 6. Each thread is responsible for one task, such as querying system information, getting drive details, creating the ransom note, getting file attributes, deleting services, searching for files, or encrypting files.\r\nFigure 6 – Multiple Thread Creation\r\nBefore encrypting the files, the ransomware uses a WMI query to enumerate Volume Shadow Copies with the command “select * from Win32_ShadowCopy”. It then deletes the copies by their “Win32_ShadowCopy.ID”, as shown in Figure 7. The ransomware performs this operation to prevent any attempt at system restoration after the files are encrypted.\r\nFigure 7 – Delete ShadowCopy\r\nLockBit 3.0 ransomware deletes a few services so that it can encrypt files successfully. To delete these services, the ransomware calls the OpenSCManagerA() API to gain access to the service control manager database. After gaining access, the ransomware enumerates the services and fetches the service names from the victim’s machine. It then checks for the presence of these services and deletes them if they are actively running on the victim’s machine. The below image shows some of the service names targeted by the ransomware.\r\nFigure 8 – List of Services for Deletion\r\nAfter deleting the services, the ransomware drops two files named “HLJkNskOq.ico” and “HLJkNskOq.bmp” in the %programdata% location. The ransomware creates a “DefaultIcon” registry key for the extension “HLJkNskOq”, shown in the figure below. This operation changes the icons of the encrypted files, which carry the extension “HLJkNskOq”.\r\nFigure 9 – Registry Modification of Default Icon\r\nBefore initiating the encryption process, the ransomware drops the below ransom note in multiple folders with the file name “HLJkNskOq.README.txt”.\r\nFigure 10 – LockBit 3.0 Ransomware Note\r\nThe ransomware then encrypts the victim’s files, appends the extension “.HLJkNskOq”, and changes the file icon as shown below.\r\nFigure 11 – Encrypted Files\r\nFinally, the ransomware changes the victim’s wallpaper to the dropped file “HLJkNskOq.bmp” using the SystemParametersInfoW() API function.\r\nFigure 12 – LockBit 3.0 Changing Desktop Background\r\nIn the dropped ransom note, victims are instructed on how to pay the ransom to decrypt their encrypted files. Additionally, the TAs threaten the victims, stating that their personal data will be posted on the leak site if the ransom is not paid within the specified window.\r\nThe TOR link mentioned in the ransom note opens the TA’s leak site, which has been updated with new features, including a Twitter icon that searches for posts related to this ransomware on Twitter. Additionally, the TAs created a link on their leak site redirecting users to a page where they have announced a Bug Bounty program. This program invites all security researchers, ethical and unethical hackers alike, to find flaws in their ransomware project to make it bug-free and more stable.\r\nFigure 13 – LockBit 3.0 Ransomware Home Page\r\nThe affiliate rules page of the leak site includes ransomware functionalities and affiliate program details, and supports languages such as English, Chinese, Spanish, etc.\r\nThe TAs behind LockBit 3.0 suggest that their victims buy Bitcoin using the payment options shown in the figure below.\r\nFigure 14 – Ways to Buy Bitcoin to decrypt files\r\nThe figure below shows the chat option on the leak site for communication with the TAs. A “Trial Decrypt” option is also available to victims to test decryption of an encrypted file.\r\nFigure 15 – Trial Decryption \u0026 Chat Options\r\nConclusion\r\nRansomware is becoming an increasingly common and effective attack method used to target organizations and adversely impact their productivity. LockBit 3.0 is a highly sophisticated form of ransomware that uses various techniques to conduct its operations. Cyble will closely monitor the campaign and continue to update our readers with the latest information on ransomware.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nSafety Measures Needed to Prevent Ransomware Attacks\r\n    Conduct regular backups and keep those backups offline or in a separate network.\r\n    Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\n    Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.\r\n    Refrain from opening untrusted links and email attachments without verifying their authenticity.\r\nUsers Should Take the Following Steps After a Ransomware Attack\r\n    Isolate infected devices from the rest of the network.\r\n    Disconnect external storage devices if connected.\r\n    Inspect system logs for suspicious events.\r\nImpact and Criticality of LockBit 3.0 Ransomware\r\n    Loss of valuable data.\r\n    Loss of the organization’s reputation and integrity.\r\n    Loss of the organization’s sensitive business information.\r\n    Disruption of organizational operations.\r\n    Financial loss.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nExecution | T1204 | User Execution\r\nDefense Evasion | T1112 | Modify Registry\r\nDefense Evasion | T1497 | Virtualization/Sandbox Evasion\r\nDefense Evasion | T1070 | Indicator Removal on Host\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nImpact | T1486 | Data Encrypted for Impact\r\nCommand and Control | T1071 | Application Layer Protocol\r\nIndicators of Compromise (IOCs)\r\nIndicator | Indicator Type | Description\r\n38745539b71cf201bb502437f891d799 | MD5 | LockBit 3.0 EXE file\r\nf2a72bee623659d3ba16b365024020868246d901 | SHA1 | LockBit 3.0 EXE file\r\n80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce | SHA256 | LockBit 3.0 EXE file\r\nSource: https://blog.cyble.com/2022/07/05/lockbit-3-0-ransomware-group-launches-new-version/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/07/05/lockbit-3-0-ransomware-group-launches-new-version/"
	],
	"report_names": [
		"lockbit-3-0-ransomware-group-launches-new-version"
	],
	"threat_actors": [],
	"ts_created_at": 1775434951,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ab7c424e5b8af8ebb3b66d79e6b0788408a4b8fb.pdf",
		"text": "https://archive.orkl.eu/ab7c424e5b8af8ebb3b66d79e6b0788408a4b8fb.txt",
		"img": "https://archive.orkl.eu/ab7c424e5b8af8ebb3b66d79e6b0788408a4b8fb.jpg"
	}
}