CISA, FBI, MS-ISAC Warn Critical Infrastructure of LockBit 3.0 Ransomware Attacks

LockBit 3.0 ransomware operates under a RaaS model and is known to attack a wide range of sectors, including critical infrastructure.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) issued a joint cybersecurity advisory (CSA) regarding LockBit 3.0 ransomware tactics.

LockBit 3.0, which operates under a Ransomware-as-a-Service (RaaS) model, is a more sophisticated version of its predecessors, LockBit and LockBit 2.0. The latest version functions as an affiliate-based ransomware variant and is described as “more modular and evasive” than previous versions.

The CSA is based on threat intelligence and FBI investigations as recently as March 2023. In a December 2022 alert, the Health Sector Cybersecurity Coordination Center (HC3) said it was aware of LockBit 3.0 attacks against the healthcare sector in particular.

The latest alert shed more light on the variant and its indicators of compromise (IOCs). Initial access is typically achieved by LockBit 3.0 actors via remote desktop protocol (RDP) exploitation, phishing, abuse of valid accounts, drive-by compromise, or exploitation of public-facing applications, the alert stated.

“LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware,” the alert noted, pointing out the flexibility of the variant.

“For example, LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode (see LockBit Command Line parameters under Indicators of Compromise). If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware.”

If privileges prove insufficient, LockBit 3.0 actors will attempt to escalate to the required privileges, and the ransomware performs actions such as launching commands, deleting log files, and enumerating system information.

The variant also uses its own custom exfiltration tool, known as StealBit, to exfiltrate sensitive data prior to encryption. LockBit affiliates have also been observed using open-source tools to aid their attacks.

The CSA contains detailed IOCs, the text of a LockBit 3.0 ransom note, and other information about techniques.

The FBI, CISA, and the MS-ISAC urged organizations to implement a strong recovery plan, align password standards with those of the National Institute of Standards and Technology (NIST), and employ network segmentation.

“In addition to applying mitigations, the FBI, CISA, and the MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory,” the advisory continued.

“The FBI, CISA, and the MS-ISAC authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.”

Finally, the authoring entities strongly discouraged paying a ransom to LockBit 3.0 or any other ransomware actors.
