CISA Cybersecurity Alerts 3.18.23
Ep 45 | 3.18.23

CISA Alert AA23-075A – #StopRansomware: LockBit 3.0.


This is a CISA Cybersecurity Alert.

ID number Alpha Alpha Two Three tack Zero Seven Five Alpha. 

Original release date: March 16th, 2023.

CISA, FBI, and the Multi-State Information Sharing and Analysis Center are releasing this joint advisory to share known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.

The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service model and are a continuation of previous versions of the ransomware, LockBit 2.0, and the original LockBit. Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit ransomware use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which makes effective defense and mitigation challenging.

LockBit 3.0, also known as LockBit Black, is more modular and evasive than its previous versions and shares similarities with Blackmatter and Blackcat ransomware.

LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware.

The alert documentation linked in the show notes includes a full MITRE ATT&CK mapping of LockBit 3.0 actions and activities.

FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this alert to reduce the likelihood and impact of similar ransomware incidents. The alert documentation linked in the show notes includes additional technical details, IOCs, malicious actor TTPs, recovery guidance, mitigations, and response recommendations. 

To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at, call (888) 282-0870, or report incidents to your local FBI field office.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report, which may include additional details, links, and illustrations.

A link to this report can be found in the show notes. 

This has been a CISA Cybersecurity Alert.