The Cyber999 Incident Response Centre has observed an increase in ransomware-related attacks, including attacks carried out with the well-known LockBit 3.0 ransomware. Lately, we have been receiving incident reports from a number of organisations in Malaysia hit by the LockBit 3.0 ransomware. This advisory is therefore released to alert organisations and advise them to apply the necessary prevention and mitigation measures in case they are targeted or fall victim.
LockBit 3.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defence and mitigation. LockBit 3.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero-day exploits. The attackers associated with LockBit 3.0 are believed to originate from Russia. According to a detailed analysis, the ransomware checks the default system language and stops the attack without encrypting if the victim system's language is Russian or the language of one of the countries neighbouring Russia.
We have previously released an advisory on Lockbit 3.0 ransomware, available at:
Additionally, it was also reported recently by security researchers and security organisations that the infamous LockBit 3.0 ransomware group was observed exploiting a critical unpatched Citrix NetScaler ADC and NetScaler Gateway vulnerability – CVE-2023-4966, referred to as "Citrix Bleed," increasing the urgency for enterprises to patch. Citrix Bleed was disclosed on October 10 2023, as a critical security issue that affects Citrix NetScaler ADC and Gateway, enabling unauthorised access to sensitive device information.
A joint advisory by CISA, FBI, MS-ISAC, and ASD’s ACSC was released on LockBit affiliates exploiting Citrix Bleed, available at:
The impacts of LockBit 3.0 are:
- Operations disruption with essential functions coming to a sudden halt.
- Extortion by the hackers for financial gain.
- Data theft and illegal publication as blackmail if the victim does not comply.
MyCERT recommends network defenders apply the following mitigations to reduce the risk of compromise by LockBit 3.0 ransomware:
1) Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
Note: Devices with local administrative accounts should implement a password policy requiring strong, unique passwords for each administrative account.
2) Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
3) Keep all operating systems and software up to date. Prioritize patching known exploited vulnerabilities. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
4) Apply security updates released by Citrix to address CVE-2023-4966 in NetScaler ADC and NetScaler Gateway.
5) Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, restrict their use to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.
6) Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines.
7) Enable protected files in the Windows Operating System to prevent unauthorized changes to critical files.
8) Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
9) Maintain offline backups of data and regularly test backup and restoration procedures. By implementing this practice, the organisation ensures it will not be severely interrupted and will not be left with irretrievable data.
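The following PowerShell script is an added example, not MyCERT tooling or anything from the advisory's sources, illustrating how an administrator can audit and enforce mitigations 1 (note on local administrative accounts), 5 and 6 on a Windows host: it lists the hidden administrative shares, the members of the local Administrators group, local accounts exempted from the password policy, and every enabled inbound firewall rule that exposes SMB (TCP 445), then re-scopes those rules so that only a defined set of administrator machines may connect. It assumes Windows PowerShell 5.1 or later on Windows 10 / Server 2016 or later with the built-in SmbShare, NetSecurity and LocalAccounts modules; the addresses in $AdminHosts are constructed placeholders, not real infrastructure.

```powershell
#Requires -RunAsAdministrator
# Added example (not MyCERT's own tooling): audit and restrict access to Windows
# administrative shares (ADMIN$, C$) and SMB exposure, per mitigations 1, 5 and 6.
# Assumes Windows PowerShell 5.1+ with the SmbShare, NetSecurity and LocalAccounts
# modules. $AdminHosts below is a constructed placeholder list of jump hosts.

$AdminHosts = @("10.0.10.5", "10.0.10.6")   # constructed: administrator machines allowed to reach SMB

function Get-LocalPasswordPolicyGaps {
    # Mitigation 1 (note): enabled local accounts that sit outside the password policy,
    # either because no password is required or because the password never expires
    # (PasswordExpires is $null for never-expiring passwords).
    Get-LocalUser |
        Where-Object { $_.Enabled -and ((-not $_.PasswordRequired) -or ($null -eq $_.PasswordExpires)) } |
        Select-Object Name, PasswordRequired, PasswordExpires, PasswordLastSet
}

function Get-AdminShareExposure {
    # Mitigation 5: which hidden administrative shares exist on this host.
    $shares = Get-SmbShare -Special $true | Select-Object Name, Path

    # Members of local Administrators, i.e. the principals that can use ADMIN$ / C$.
    $admins = Get-LocalGroupMember -Group "Administrators" |
        Select-Object Name, ObjectClass, PrincipalSource

    # Mitigation 6: enabled inbound allow rules that open TCP 445 and their remote scope.
    $rules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
        $port = Get-NetFirewallPortFilter -AssociatedNetFirewallRule $rule
        if ($port.Protocol -eq "TCP" -and (($port.LocalPort -contains "445") -or ($port.LocalPort -eq "Any"))) {
            $addr = Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule
            [PSCustomObject]@{
                Name          = $rule.Name
                DisplayName   = $rule.DisplayName
                Profile       = $rule.Profile
                RemoteAddress = ($addr.RemoteAddress -join ",")
            }
        }
    }

    [PSCustomObject]@{
        SpecialShares = $shares
        LocalAdmins   = $admins
        Smb445Rules   = $rules
    }
}

function Restrict-SmbToAdminHosts {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$AllowedHosts)

    # Make Block the default for unsolicited inbound traffic on every profile, so
    # anything not matched by a scoped allow rule is dropped.
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.DefaultInboundAction -ne "Block" -and
            $PSCmdlet.ShouldProcess($p.Name, "Set DefaultInboundAction=Block")) {
            Set-NetFirewallProfile -Name $p.Name -DefaultInboundAction Block
        }
    }

    # Re-scope every enabled inbound allow rule on TCP 445 that is open to any
    # remote address. A blanket 445 block rule is deliberately NOT added: in
    # Windows Firewall a block rule wins over an allow rule, so it would also cut
    # off the administrator hosts.
    $exposure = Get-AdminShareExposure
    foreach ($r in $exposure.Smb445Rules) {
        if ($r.RemoteAddress -eq "Any" -and
            $PSCmdlet.ShouldProcess($r.DisplayName, "Limit RemoteAddress to administrator hosts")) {
            Set-NetFirewallRule -Name $r.Name -RemoteAddress $AllowedHosts
        }
    }

    # An explicit, named allow rule makes the intended scope visible to reviewers
    # and keeps working if the built-in File and Printer Sharing rules are later disabled.
    $display = "Admin shares: SMB-In from administrator hosts only"
    if (-not (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue) -and
        $PSCmdlet.ShouldProcess($display, "Create scoped SMB allow rule")) {
        New-NetFirewallRule -DisplayName $display -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress $AllowedHosts -Action Allow -Profile Domain,Private
    }
}

# Usage: review the audit output first, preview the changes with -WhatIf,
# then run without -WhatIf to apply them.
Get-LocalPasswordPolicyGaps | Format-Table
Get-AdminShareExposure | Format-List
Restrict-SmbToAdminHosts -AllowedHosts $AdminHosts -WhatIf
```

Run the audit functions on a representative server before changing anything: the Smb445Rules output shows which rules (typically the built-in File and Printer Sharing group) currently accept SMB from any address, and the LocalAdmins output shows which accounts would still be able to open ADMIN$ and C$ from the allowed hosts. Apply the restriction with -WhatIf first so the planned profile and rule changes can be reviewed, and on domain-joined hosts prefer to push the same scoping through Group Policy so it is applied consistently and cannot be silently reverted on a single machine.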
Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT