LockBit 3.0 Ransomware Detection: Operation Revamped

LockBit 3.0

LockBit group returns, introducing a new strain of their ransomware, LockBit 3.0. Adversaries dubbed their latest release LockBit Black, enhancing it with new extortion tactics and introducing an option to pay in Zcash, adding to existing Bitcoin and Monero crypto payment options.

This time, LockBit hackers are making the headlines by kicking off the first bug bounty program ever launched by a cybercrime gang. In their appeal to hackers of all types, adversaries promise a monetary reward for a bug or improvement idea submission ranging from $1000 to $1 million. The highest price is also offered to anyone who would be the first to identify the affiliate manager, known as LockBitSupp.

Detect LockBit 3.0 Malware

To help organizations better protect their infrastructure, our keen Threat Bounty developer Kaan Yeniyol has recently released the dedicated Sigma rule that enables swift LockBit 3.0 malware detection. Security teams can download these rules from SOC Prime’s Detection as Code Platform:

Suspicious Lockbit Black (3.0) Ransomware Execution by Detection of Associated Commands (via cmdline)

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Chronicle Security, LimaCharlie, SentinelOne, Microsoft Defender ATP, CrowdStrike, Apache Kafka ksqlDB, Carbon Black, Securonix, Snowflake, and Open Distro.

The rule is mapped to the MITRE ATT&CK® framework v.10, addressing the Execution tactic with Command and Scripting Interpreter (T1059) as the primary technique.

Are you eager to craft your own Sigma and YARA rules to make the world safer? Join our Developer Program to get recurrent rewards for your valuable input!

The full list of Sigma rules to detect any ransomware strain associated with LockBit hackers is available to all registered Detection as Code Platform users. Press the Detect & Hunt button to explore thoroughly curated and verified detections. Non-registered users can access the LockBit ransomware dedicated rule kit and relevant contextual metadata by hitting the Explore Threat Context button.

Detect & Hunt Explore Threat Context

LockBit 3.0 Analysis

The LockBit group first surfaced in 2019, resurfacing in the June of 2021 with LockBit 2.0 ransomware strain. The operation is deemed one of the most vigorous in the threat landscape, getting ahead in the number of victims of such notorious groups as Black Basta, Hive, and Conti.

The LockBit team is continuously expanding its reach, introducing innovative solutions and appropriating tried-and-true formulas of the ransomware market. Security analysts warn that it is currently difficult to predict how many modifications implemented in the LockBit 3.0 operation still remain unknown. According to recently revealed research data, LockBit Black bears code resemblance to BlackMatter ransomware, used in many high-profile attacks last Summer. Researchers speculate that this might indicate that former BlackMatter developers could have taken part in writing the latest LockBit strain.

Among the recently introduced novelties such as payment in Zcash and a bug bounty program, LockBit now sells victim’s stolen data.

To timely hunt for signs of compromise by this and other emerging threats, leverage the benefits of collaborative cyber defense by joining our global cybersecurity community at SOC Prime’s Detection as Code platform. Avail accurate and timely detections delivered by seasoned professionals to supercharge your SOC team’s operations and security posture.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts