S1202 LockBit 3.0
LockBit 3.0 is an evolution of the LockBit Ransomware-as-a-Service (RaaS) offering with similarities to BlackMatter and BlackCat ransomware. LockBit 3.0 has been in use since at least June 2022 and features enhanced defense evasion and exfiltration tactics, robust encryption methods for Windows and VMware ESXi systems, and a more refined RaaS structure over its predecessors such as LockBit 2.0.[4][1][2][3]
| Item | Value |
|---|---|
| ID | S1202 |
| Associated Names | LockBit Black |
| Type | MALWARE |
| Version | 1.1 |
| Created | 05 February 2025 |
| Last Modified | 21 October 2025 |
Associated Software Descriptions
| Name | Description |
|---|---|
| LockBit Black | [1][2][4] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | LockBit 3.0 can bypass UAC to execute code with elevated privileges through an elevated Component Object Model (COM) interface.[2] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | LockBit 3.0 can use HTTP to send victim host information to C2.[2][3] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.004 | Winlogon Helper DLL | LockBit 3.0 can enable automatic logon through the `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` Registry key.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | LockBit 3.0 can use PowerShell to apply Group Policy changes.[2] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | LockBit 3.0 can install system services for persistence.[4] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | LockBit 3.0 can Base64-encode C2 communication.[2] |
| enterprise | T1486 | Data Encrypted for Impact | LockBit 3.0 can encrypt targeted data using the AES-256, ChaCha20, or RSA-2048 algorithms.[1][4][2][3] |
| enterprise | T1622 | Debugger Evasion | LockBit 3.0 can check heap memory parameters for indications of a debugger and stop the flow of events to the attached debugger in order to hinder dynamic analysis.[4] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | The LockBit 3.0 payload is decrypted at runtime.[4][2][3] |
| enterprise | T1484 | Domain or Tenant Policy Modification | - |
| enterprise | T1484.001 | Group Policy Modification | LockBit 3.0 can enable options for propagation through Group Policy Objects.[2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | LockBit 3.0 can encrypt C2 communications with AES.[2] |
| enterprise | T1480 | Execution Guardrails | LockBit 3.0 can make execution dependent on specific parameters, including a unique passphrase and the system language of the targeted host not being found on a set exclusion list.[1][4][2] |
| enterprise | T1480.002 | Mutual Exclusion | LockBit 3.0 can create and check for a mutex containing a hash of the MachineGUID value at execution to prevent running more than one instance.[2] |
| enterprise | T1083 | File and Directory Discovery | LockBit 3.0 can exclude files associated with core system functions from encryption.[2] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | LockBit 3.0 can disable security tools, including Windows Defender, to evade detection.[1][2][3] |
| enterprise | T1562.009 | Safe Mode Boot | LockBit 3.0 can reboot the infected host into Safe Mode.[2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.001 | Clear Windows Event Logs | LockBit 3.0 can delete log files on targeted systems.[1][2] |
| enterprise | T1070.004 | File Deletion | LockBit 3.0 can delete itself from disk.[1][2] |
| enterprise | T1490 | Inhibit System Recovery | LockBit 3.0 can delete volume shadow copies.[1][2][3] |
| enterprise | T1680 | Local Storage Discovery | LockBit 3.0 can enumerate local drive configuration.[2] |
| enterprise | T1112 | Modify Registry | LockBit 3.0 can change Registry values to alter the Group Policy refresh time, disable SmartScreen, and disable Windows Defender.[2][3] |
| enterprise | T1106 | Native API | LockBit 3.0 has the ability to directly call native Windows API functions during execution.[4][3] |
| enterprise | T1135 | Network Share Discovery | LockBit 3.0 can identify network shares on compromised systems.[2] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | LockBit 3.0 can use code packing to hinder analysis.[4][3] |
| enterprise | T1027.013 | Encrypted/Encoded File | The LockBit 3.0 payload includes an encrypted main component.[4][2] |
| enterprise | T1120 | Peripheral Device Discovery | LockBit 3.0 has the ability to discover external storage devices.[2] |
| enterprise | T1057 | Process Discovery | LockBit 3.0 can identify and terminate specific services.[4][1] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.002 | SMB/Windows Admin Shares | LockBit 3.0 can use SMB for lateral movement.[2] |
| enterprise | T1489 | Service Stop | LockBit 3.0 can terminate targeted processes and services related to security, backup, database management, and other applications that could stop or interfere with encryption.[1][4][2][3] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.003 | CMSTP | LockBit 3.0 can attempt a CMSTP UAC bypass if it does not have administrative privileges.[4] |
| enterprise | T1082 | System Information Discovery | LockBit 3.0 can enumerate the system hostname and domain.[2] |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | LockBit 3.0 will not affect machines whose language settings match a defined exclusion list of mainly Eastern European languages.[1][2] |
| enterprise | T1569 | System Services | - |
| enterprise | T1569.002 | Service Execution | LockBit 3.0 can use PsExec to execute commands and payloads.[1] |
| enterprise | T1078 | Valid Accounts | - |
| enterprise | T1078.003 | Local Accounts | LockBit 3.0 can use a compromised local account for lateral movement.[2] |
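Several of the techniques above leave command-line traces that a SOC can match without any LockBit-specific signature: shadow copy deletion (T1490), event log clearing (T1070.001), a Safe Mode reboot via bcdedit (T1562.009), Winlogon autologon values (T1547.004), a burst of service stops (T1489), and PsExec execution (T1569.002). The Python below is an added example written for this page, not code from MITRE or from any of the cited reports. The log format (pipe-separated timestamp, host, image, command line) and every sample line are constructed for the example, the regexes are generic behavioural indicators rather than LockBit signatures, and the service-stop burst threshold is an assumed tuning value.

```python
"""Toy command-line detector for the LockBit 3.0 behaviours listed above.

Added example, not code from MITRE or the cited reports. The log format
(pipe-separated: timestamp|host|image|command line) and all sample lines
are constructed for this example.
"""
import re
from collections import defaultdict

# One rule per technique: (ATT&CK ID, short name, regex over the command line).
# These are generic behavioural indicators, not LockBit-specific signatures.
RULES = [
    ("T1490", "Inhibit System Recovery (shadow copy deletion)",
     re.compile(r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("T1070.001", "Clear Windows Event Logs",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+", re.I)),
    ("T1562.009", "Safe Mode Boot (bcdedit safeboot)",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)),
    ("T1547.004", "Winlogon autologon values",
     re.compile(r"CurrentVersion\\Winlogon\b.*\b(?:AutoAdminLogon|DefaultPassword|DefaultUserName)\b", re.I)),
    ("T1569.002", "Service Execution (PsExec)",
     re.compile(r"\bpsexec\w*(?:\.exe)?\b", re.I)),
]

# A single service stop is routine admin work; only a burst per host is flagged
# as T1489. The threshold is an assumed tuning value for this example.
SERVICE_STOP = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+(\S+)", re.I)
SERVICE_STOP_THRESHOLD = 3

# Constructed sample telemetry: WS01 shows the impact/evasion chain, WS02 the
# PsExec push, WS03 only benign look-alikes that must NOT fire.
SAMPLE_LOG = r"""
2025-02-05T10:01:12Z|WS01|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin.exe delete shadows /all /quiet
2025-02-05T10:01:13Z|WS01|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2025-02-05T10:01:20Z|WS01|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} safeboot network
2025-02-05T10:01:25Z|WS01|C:\Windows\System32\reg.exe|reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1
2025-02-05T10:01:30Z|WS01|C:\Windows\System32\net.exe|net stop MSSQLSERVER /y
2025-02-05T10:01:31Z|WS01|C:\Windows\System32\net.exe|net stop VeeamBackupSvc /y
2025-02-05T10:01:32Z|WS01|C:\Windows\System32\sc.exe|sc stop WinDefend
2025-02-05T10:02:00Z|WS01|C:\Windows\System32\wevtutil.exe|wevtutil cl Security
2025-02-05T10:02:05Z|WS02|C:\Tools\PsExec.exe|PsExec.exe \\FS01 -accepteula -s cmd.exe /c C:\Windows\Temp\payload.exe
2025-02-05T10:05:00Z|WS03|C:\Windows\System32\wevtutil.exe|wevtutil qe System /c:5 /f:text
2025-02-05T10:05:10Z|WS03|C:\Windows\System32\bcdedit.exe|bcdedit /enum
2025-02-05T10:05:12Z|WS03|C:\Windows\System32\net.exe|net stop Spooler
"""


def parse_log(text):
    """Split pipe-separated lines into event dicts; maxsplit keeps any pipes in the command line."""
    events = []
    for line in text.strip().splitlines():
        ts, host, image, cmdline = line.split("|", 3)
        events.append({"ts": ts, "host": host, "image": image, "cmdline": cmdline})
    return events


def detect(text, stop_threshold=SERVICE_STOP_THRESHOLD):
    """Return (host, technique_id, name, evidence) tuples for every rule hit."""
    findings = []
    stops = defaultdict(list)
    for ev in parse_log(text):
        for tid, name, rx in RULES:
            if rx.search(ev["cmdline"]):
                findings.append((ev["host"], tid, name, ev["cmdline"]))
        m = SERVICE_STOP.search(ev["cmdline"])
        if m:
            stops[ev["host"]].append(m.group(1))
    # Aggregate service stops per host so one 'net stop' does not page anyone.
    for host, services in stops.items():
        if len(services) >= stop_threshold:
            findings.append((host, "T1489", "Service Stop (burst)", ", ".join(services)))
    return findings


def techniques_by_host(text):
    """Collapse findings into {host: [sorted technique IDs]} for triage."""
    per_host = defaultdict(set)
    for host, tid, _, _ in detect(text):
        per_host[host].add(tid)
    return {host: sorted(ids) for host, ids in per_host.items()}


if __name__ == "__main__":
    for host, tid, name, evidence in detect(SAMPLE_LOG):
        print(f"{host}\t{tid}\t{name}\t{evidence}")
    print(techniques_by_host(SAMPLE_LOG))
```

Run it as a script to see one finding per hit and the per-host technique summary. On the constructed input, WS01 collects five technique IDs, WS02 only the PsExec hit, and WS03 produces nothing because `wevtutil qe`, `bcdedit /enum` and a single `net stop` are deliberately excluded. The aggregation step matters in practice: several of the individual commands are legitimate administration, and it is the combination on one host in a short window that resembles the pre-encryption sequence this page describes.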
References
1. CISA et al. (2023, June 14). Understanding Ransomware Threat Actors: LockBit. Retrieved February 5, 2025.
2. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
3. INCIBE-CERT. (2024, March 14). LockBit: response and recovery actions. Retrieved February 5, 2025.
4. Walter, J. (2022, July 21). LockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques. Retrieved February 5, 2025.