HC3 TLP Clear Analyst Note: LockBit 3.0 Ransomware - December 12, 2022

Executive Summary

LockBit 3.0 is the newest version of the LockBit ransomware that was first discovered in September 2019. The ransomware family has a history of using the Ransomware-as-a-service (RaaS) model and typically targets organizations that could pay higher ransoms. Historically, this ransomware employs a double extortion technique where sensitive data is encrypted and exfiltrated. The actor requests payment to decrypt data and threatens to leak the sensitive data if the payment is not made. With the new release, it appears that the ransomware is using a triple extortion model where the affected victim may also be asked to purchase their sensitive information. Since its appearance, HC3 is aware of LockBit 3.0 attacks against the Healthcare and Public Healthcare (HPH) sector. Due to the historical nature of ransomware victimizing the healthcare community, LockBit 3.0 should be considered a threat to the HPH sector.

Report

LockBit 3.0, also called LockBit Black, was discovered in June 2022. LockBit operates with the RaaS model, where they will work with affiliates who may not already have the resources for creating and deploying attacks. In this situation, a percentage of the ransom would go back to the affiliated hacker. Open-sourced reporting generates multiple variations of ransom cost, but numbers have been seen to go well into the millions of U.S. Dollars (USD). Like most ransomware groups, the motivation behind the attacks appears to be financial gain. The ransomware has been a challenge for many security researchers because the malware sometimes requires a unique 32-character password each time it is launched, giving it anti-analysis features. LockBit 3.0 is also protected against analysis due to many undocumented kernel level Windows functions, according to a report from VMware.