LockBit V3.0 Ransomware

Lockbit is a ransomware written in C language that encrypts files stored locally and on network shares. Lockbit can also identify additional systems on a network and propagate via SMB.

The updated LockBit payloads retain all the prior functionality of LockBit 2.0.

• The initial delivery of the Lockbit ransomware relies on social engineering attacks or via 3rd party frameworks such as Cobalt Strike.
• Lockbit’s payloads will initiate a UAC bypass in case the execution doesn’t succeed with administrative privileges.
• Lockbit 3.0 persists on target hosts by installing system services. The following service names is associated with Lockbit 3.0: (SecurityHealthService, Sense, Sppsvc ,WdBoot ,WdFilter, WdNisDrv, WdNisSvc, WinDefend, Wscsvc, vmicvss, vmvss, VSS, EventLog)
• LockBit 3.0 deletes a few services to encrypt files and enumerates and deletes the Volume Shadow copies before the encryption to prevent attempts to restore the file system after the files are encrypted.
• As with previous versions, LockBit 3.0 will attempt to identify and terminate specific services if found. The following services names are targeted for termination by Lockbit 3.0: (Backup, GxBlr, GxCIMgr, GxCVD, GxFWD, GxVss, memtas, mepocs, msexchange, Sophos, SQL, svc$, veeam, VSS).
• LockBit 3.0 writes a copy of itself to the %programdata% directory, and subsequently launches from this process.
• The encryption phase is extremely rapid as the ransomware creates various threads to perform parallel tasks.
• LockBit 3.0 replaces the name of the file and its extension with random dynamic and static strings.
• Lockbit 3.0 anti-analysis techniques include code packing, obfuscation and
  dynamic resolution of function addresses, function trampolines, and antidebugging techniques.
• LockBit 3.0 payloads require a specific passphrase to execute. This passphrase is unique to each sample or campaign.