LockBit 3.0 Ransomware Unlocked
Common Information
Type Value
UUID c5fec3ba-dd78-45ac-a1db-c5e9881a57b6
Fingerprint b432c953262f2655
Analysis status DONE
Considered CTI value 2
Text language
Published June 2, 2022, midnight
Added to db Oct. 24, 2023, 1:36 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline LockBit 3.0 Ransomware Unlocked
Title LockBit 3.0 Ransomware Unlocked
Detected Hints/Tags/Attributes 128/1/63
Attributes
Details Type #Events CTI Value
Details File 13
build.bat
Details File 1
decryption_id.txt
Details File 15
lb3.exe
Details File 2
lb3decryptor.exe
Details File 1
lb3_pass.exe
Details File 1
password_exe.txt
Details File 1
lb3_relectivedll_dllmain.dll
Details File 3
lb3_rundll32.dll
Details File 3
lb3_rundll32_pass.dll
Details File 1
password_dll.txt
Details File 5
priv.key
Details File 5
pub.key
Details File 8
keygen.exe
Details File 16
builder.exe
Details File 153
config.json
Details File 1260
explorer.exe
Details File 367
readme.txt
Details md5 1
ea4ee28880136cbc44dff4ad5a53561f
Details md5 2
c2bc344f6dde0573ea9acdfb6698bf4c
Details md5 2
71c3b2f765b04d0b7ea0328f6ce0c4e2
Details md5 2
4d388f95a81f810195f6a8dfe86be755
Details md5 2
87308ec0a44e79100db9dbec588260ec
Details md5 2
4655a7ac60ed48df9b57648db2f567ef
Details md5 2
23a30838502f5fadc97e81f5000c4190
Details sha1 2
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77
Details sha1 2
bf8ecb6519f16a4838ceb0a49097bcc3ef30f3c4
Details sha1 2
cb6fdb25a15b7797890fadc2b823984f93da5368
Details sha1 2
939ff7e5eeaccb0c2f4ee080a8e403e532b6317a
Details sha1 2
02ea524429ba2aefac63fed27e924ab3659f8c00
Details sha1 2
9c1142122370c9b28b13aa147c6e126b3be50845
Details sha256 4
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db
Details sha256 3
ea6d4dedd8c85e4a6bb60408a0dc1d56def1f4ad4f069c730dc5431b1c23da37
Details sha256 2
cc3d006c2b963b6b34a90886f758b7b1c3575f263977a72f7c0d1922b7feab92
Details sha256 2
03b8472df4beb797f7674c5bc30c5ab74e8e889729d644eb3e6841b0f488ea95
Details sha256 3
a0db5cff42d0ee0de4d31cff5656ed1acaa6b0afab07d19f9f296d2f72595a56
Details sha256 2
ae993930cb5d97caa5a95b714bb04ac817bcacbbf8f7655ec43e8d54074e0bd7
Details sha256 1
c2529655c36f1274b6aaa72911c0f4db7f46ef3a71f4b676c4500e180595cac6
Details sha256 1
5202e3fb98daa835cb807cc8ed44c356f5212649e6e1019c5481358f32b9a8a7
Details MITRE ATT&CK Techniques 31
T1559.001
Details MITRE ATT&CK Techniques 239
T1106
Details MITRE ATT&CK Techniques 310
T1047
Details MITRE ATT&CK Techniques 380
T1547.001
Details MITRE ATT&CK Techniques 44
T1134.001
Details MITRE ATT&CK Techniques 298
T1562.001
Details MITRE ATT&CK Techniques 20
T1562.002
Details MITRE ATT&CK Techniques 70
T1562.004
Details MITRE ATT&CK Techniques 28
T1562.009
Details MITRE ATT&CK Techniques 41
T1078.001
Details MITRE ATT&CK Techniques 585
T1083
Details MITRE ATT&CK Techniques 176
T1135
Details MITRE ATT&CK Techniques 188
T1120
Details MITRE ATT&CK Techniques 433
T1057
Details MITRE ATT&CK Techniques 243
T1018
Details MITRE ATT&CK Techniques 1006
T1082
Details MITRE ATT&CK Techniques 139
T1021.002
Details MITRE ATT&CK Techniques 442
T1071.001
Details MITRE ATT&CK Techniques 163
T1573
Details MITRE ATT&CK Techniques 422
T1041
Details MITRE ATT&CK Techniques 93
T1485
Details MITRE ATT&CK Techniques 472
T1486
Details MITRE ATT&CK Techniques 30
T1491.001
Details Yara rule 1
import "pe"

// Flags a PE whose export table contains all seven short export names listed
// in the condition. Export names are the only signal used: there is no hash,
// size or string constraint, so treat a hit as a lead and confirm it against
// the exemplar hash or other indicators before acting on it.
// Requires the "pe" module to be imported in the same rule file.
rule LockBit_3_dll {
	meta:
		author = "VMware TAU"
		date = "2022-Oct-12"
		description = "Identifies LockBit 3.0 DLL encryptor by exported function names."
		rule_version = "1"
		yara_version = "4.2.3"
		// SHA-256 given by the author as the reference sample for this rule.
		exemplar_hash = "c2529655c36f1274b6aaa72911c0f4db7f46ef3a71f4b676c4500e180595cac6"
	condition:
		// Every export must be present; a sample missing any one of them
		// does not match.
		pe.exports("del")
		and pe.exports("gdel")
		and pe.exports("gdll")
		and pe.exports("gmod")
		and pe.exports("pmod")
		and pe.exports("sdll")
		and pe.exports("wdll")
}
Details Yara rule 1
import "pe"

// Flags a file that contains common PE section-name strings several times
// over, plus the strings ".xyz" and ".bss", while no entry in the parsed
// section table is actually named ".xyz" or ".bss". In other words, those two
// names are present as leftover text in the file rather than as real sections
// (the "artifact section names" of the description).
// Requires the "pe" module to be imported in the same rule file.
rule LockBit_3_exe {
	meta:
		author = "VMware TAU"
		date = "2022-Oct-12"
		description = "Identifies LockBit 3.0 exe encryptor section names, and artifact section names."
		rule_version = "1"
		yara_version = "4.2.3"
		// SHA-256 given by the author as the reference sample for this rule.
		exemplar_hash = "5202e3fb98daa835cb807cc8ed44c356f5212649e6e1019c5481358f32b9a8a7"
	strings:
		// Plain text patterns searched anywhere in the scanned data, in both
		// ASCII and UTF-16 ("wide") form; they are not tied to the section table.
		$text = ".text" ascii wide
		$itext = ".itext" ascii wide
		$data = ".data" ascii wide
		$rdata = ".rdata" ascii wide
		$idata = ".idata" ascii wide
		$xyz = ".xyz" ascii wide
		$reloc = ".reloc" ascii wide
		$bss = ".bss" ascii wide
	condition:
		// "#name > n" counts occurrences, so the thresholds require at least
		// 3x ".text", 2x ".itext", 2x ".data", 3x ".rdata" and 4x ".idata",
		// plus at least one each of ".reloc", ".bss" and ".xyz".
		// The trailing "not for any" clause then requires that no section-table
		// entry is named ".xyz" or ".bss".
		// NOTE(review): pe.number_of_sections is only defined when the pe module
		// parses the input as a PE; confirm how the negated loop evaluates on
		// non-PE data with the YARA version you deploy, and whether an explicit
		// PE guard is wanted to keep text files that merely list these names
		// from matching.
		#text > 2 and #itext > 1 and #data > 1 and #rdata > 2 and #idata > 3 and $reloc and $bss and $xyz and not for any i in (0 .. pe.number_of_sections - 1) : ( pe.sections[i].name == ".xyz" or pe.sections[i].name == ".bss" )
}