1.0 Introduction

MyCERT has observed an increase in ransomware-related attacks, including attacks by the well-known LockBit 3.0 ransomware. Notably, a number of organisations in Malaysia were hit by LockBit 3.0 in 2022.

LockBit 3.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS), and its affiliates employ a wide variety of tactics, techniques, and procedures (TTPs), which creates significant challenges for defence and mitigation. LockBit 3.0 affiliates gain access to victim networks through a variety of means, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero-day exploits.

LockBit first appeared in September 2019 under the name ABCD ransomware and was later renamed LockBit. The operators released an improved version, LockBit 2.0, in June 2021. LockBit 2.0 introduced features such as deletion of Volume Shadow Copies and of log files, which make recovery harder for victims. It was also reported to have the fastest encryption speed among the most popular ransomware families, encrypting around 25,000 files in under one minute. The version active since July 2022 is known as LockBit 3.0 or LockBit Black.

The operators behind LockBit 3.0 are believed to be based in Russia. Consistent with this, detailed analysis shows that the ransomware checks the system's default language and, if it is Russian or the language of a country neighbouring Russia, skips encryption and aborts the attack.

2.0 Impact

The impacts of LockBit 3.0 are:

  • Operational disruption, with essential functions brought to a sudden halt.
  • Extortion of the victim for financial gain.
  • Theft of data and its publication as blackmail if the victim does not comply.

3.0 Indicators of Compromise

LockBit 3.0 ransomware is considered by many authorities to be part of the “LockerGoga & MegaCortex” malware family, meaning that it shares behaviours with those established targeted ransomware families. In brief, these attacks are:

  • Self-spreading within an organisation rather than requiring manual direction.
  • Targeted, rather than distributed in the scattershot fashion of spam malware.
  • Spread using the same built-in tools, such as Windows PowerShell and Server Message Block (SMB).

Significantly, it is able to self-propagate, meaning it spreads on its own. Once launched, LockBit 3.0 follows pre-designed, automated routines. This sets it apart from many other ransomware operations, in which the intruder stays in the network by hand, sometimes for weeks, to complete reconnaissance before deploying the payload.

After the attacker manually infects a single host, the malware locates other reachable hosts, connects to them from the infected one, and delivers the infection with a script. This is repeated entirely without human intervention.

Furthermore, it uses tools and usage patterns native to nearly all Windows systems, so endpoint security products have a hard time flagging the activity as malicious. It also hides the encrypting executable by disguising it as a common PNG image file, further deceiving system defences.

The indicators of compromise (IOCs) and malware characteristics outlined below were derived from field analysis; the following samples are as of February 2022.

MD5

  • 7fb11398c5be61445bee1efa7c9caa31
  • 03b14473eef5b7e38d9a5041c1af0a76
  • 628e4a77536859ffc2853005924db2ef

SHA-256

  • f9b9d45339db9164a3861bf61758b7f41e6bcfb5bc93404e296e2918e52ccc10
  • a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e
  • d61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee

SHA-1

  • ced1c9fabfe7e187dd809e77c9ca28ea2e165fa8
  • 371353e9564c58ae4722a03205ac84ab34383d8c
  • c2a321b6078acfab582a195c3eaf3fe05e095ce0
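The PowerShell script below is an added example, not part of the MyCERT advisory and not code from the LockBit samples. It combines the two checks a responder would want from this section: a sweep of a directory tree for files whose MD5, SHA-1 or SHA-256 matches the values listed above, and a check for files whose extension claims an image or document but whose first two bytes are the "MZ" DOS header of a Windows executable, which is the PNG disguise described earlier. The sweep root C:\Users and the list of non-executable extensions are assumptions for illustration.

```powershell
# Added example (not MyCERT's code): sweep a directory tree for the hashes
# listed in section 3.0 and for PE images carrying a non-executable
# extension (the PNG disguise described there). The sweep root and the
# extension list are assumptions; adjust them for your environment.

$IocHashes = @{
    MD5    = @('7fb11398c5be61445bee1efa7c9caa31',
               '03b14473eef5b7e38d9a5041c1af0a76',
               '628e4a77536859ffc2853005924db2ef')
    SHA1   = @('ced1c9fabfe7e187dd809e77c9ca28ea2e165fa8',
               '371353e9564c58ae4722a03205ac84ab34383d8c',
               'c2a321b6078acfab582a195c3eaf3fe05e095ce0')
    SHA256 = @('f9b9d45339db9164a3861bf61758b7f41e6bcfb5bc93404e296e2918e52ccc10',
               'a56b41a6023f828cccaaef470874571d169fdb8f683a75edd430fbd31a2c3f6e',
               'd61af007f6c792b8fb6c677143b7d0e2533394e28c50737588e40da475c040ee')
}

# Extensions a PE image has no business carrying (assumed list).
$NonExecExt = @('.png', '.jpg', '.jpeg', '.gif', '.bmp', '.txt', '.pdf', '.log')

function Test-IocHash {
    param([string]$Path)
    foreach ($alg in $IocHashes.Keys) {
        $fh = Get-FileHash -Path $Path -Algorithm $alg -ErrorAction SilentlyContinue
        if (-not $fh) { continue }          # locked or unreadable file
        $h = $fh.Hash.ToLower()
        if ($IocHashes[$alg] -contains $h) {
            return [pscustomobject]@{ Path = $Path; Reason = "IOC hash match ($alg)"; Value = $h }
        }
    }
    return $null
}

function Test-DisguisedPE {
    param([string]$Path)
    $ext = [System.IO.Path]::GetExtension($Path).ToLower()
    if ($NonExecExt -notcontains $ext) { return $null }
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try {
            $buf = New-Object byte[] 2
            $n = $fs.Read($buf, 0, 2)
        } finally { $fs.Dispose() }
    } catch { return $null }
    # 'MZ' (0x4D 0x5A) at offset 0 is the DOS header every PE image starts
    # with, whatever the extension says. A real PNG starts 0x89 'PNG'.
    if ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A) {
        return [pscustomobject]@{ Path = $Path; Reason = 'PE header under non-executable extension'; Value = $ext }
    }
    return $null
}

function Invoke-LockBitTriage {
    param([string]$Root = 'C:\Users')   # assumed sweep root
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hit = Test-IocHash -Path $_.FullName
            if (-not $hit) { $hit = Test-DisguisedPE -Path $_.FullName }
            if ($hit) { $hit }
        }
}

Invoke-LockBitTriage -Root 'C:\Users' | Format-Table -AutoSize
```

Run it from an elevated session so that other users' profiles are readable. Two caveats apply when reading the output: the hash check only catches these exact samples, and an affiliate build that has been repacked will hash differently, so a clean sweep is not evidence of absence; and the header check will also flag a benign executable that someone renamed, so treat hits as triage leads to be confirmed, not as verdicts.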

4.0 Recommendations
MyCERT recommends network defenders apply the following mitigations to reduce the risk of compromise by LockBit 3.0 ransomware:

1) Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on a system where an adversary may gain access. Note: devices with local administrative accounts should enforce a password policy requiring a strong, unique password for each administrative account.

2) Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.

3) Keep all operating systems and software up to date. Prioritise patching known exploited vulnerabilities. Timely patching is one of the most efficient and cost-effective steps an organisation can take to minimise its exposure to cybersecurity threats.

4) Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, restrict access to only the necessary service or user accounts and monitor those shares continuously for anomalous activity.

5) Use a host-based firewall to allow connections to administrative shares via Server Message Block (SMB) only from a limited set of administrator machines.

6) Enable protected files in the Windows operating system to prevent unauthorised changes to critical files.
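The following PowerShell is added here as an example and is not part of the MyCERT advisory. It applies recommendations 4), 5) and 6) on a single domain-joined Windows host, showing the weak default state (wide-open administrative shares and the built-in SMB-In firewall rule) next to the hardened one. The admin host addresses 10.10.0.5 and 10.10.0.6 and the folder D:\Finance are placeholders, and reading "protected files" in item 6) as Microsoft Defender's Controlled Folder Access is this editor's interpretation, not something the advisory states.

```powershell
# Added example (not MyCERT's code): apply recommendations 4) to 6) on a
# domain-joined Windows host. Admin host addresses and the protected folder
# are assumptions; Controlled Folder Access is an assumed reading of item 6).
# Run from an elevated PowerShell session.

$AdminHosts      = @('10.10.0.5', '10.10.0.6')   # assumed jump hosts allowed to reach SMB
$ProtectedFolder = 'D:\Finance'                   # assumed business-critical data

# 4) Administrative shares. First record who can currently reach C$/ADMIN$
#    (the weak state: Administrators group, i.e. any compromised admin
#    credential), then stop the Server service from recreating them at next
#    start (AutoShareWks on workstations, AutoShareServer on servers) and
#    remove them now. IPC$ stays; remote management needs it.
Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' } |
    ForEach-Object { Get-SmbShareAccess -Name $_.Name }

$lanman    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$isServer  = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1   # 1 = workstation
$autoShare = if ($isServer) { 'AutoShareServer' } else { 'AutoShareWks' }
Set-ItemProperty -Path $lanman -Name $autoShare -Value 0 -Type DWord
Remove-SmbShare -Name 'C$', 'ADMIN$' -Force -ErrorAction SilentlyContinue

# 5) Host firewall. The built-in 'File and Printer Sharing (SMB-In)' rule
#    allows TCP/445 from any address (the weak state). Disable it and add an
#    Allow rule scoped to the admin hosts; with the default inbound action
#    set to Block, every other source is refused. Do not add an explicit
#    Block rule for 445 beside it: in Windows Firewall, Block rules override
#    Allow rules, so that would cut off the admin hosts as well.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'SMB-In from admin hosts only' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $AdminHosts -Action Allow -Profile Domain

# 6) Protected files. Microsoft Defender's Controlled Folder Access blocks
#    processes that are not on its trusted list from modifying files in the
#    protected folders, which is exactly what an encryptor must do to them.
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolder
Get-MpPreference | Select-Object EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders
```

Test this on a non-production host first. Removing C$ and ADMIN$ breaks any tool that pushes software or collects files over those shares, and Controlled Folder Access will block legitimate line-of-business applications until they are added with Add-MpPreference -ControlledFolderAccessAllowedApplications; running it in AuditMode for a week before switching to Enabled shows which applications need that exception.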
 

Generally, MyCERT advises users to keep up with the latest security announcements from their vendors and to follow best-practice security policies when determining which updates should be applied.

For further enquiries, please get in touch with MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0 References