LockBit 3.0

1. Overview

LockBit 3.0, also known as LockBit Black, is one of the most dominant ransomware variants in operation today. Active since mid-2022, it represents the third major iteration of the LockBit malware family. The group operates a Ransomware-as-a-Service (RaaS) model, allowing affiliates to deploy LockBit while the core developers manage infrastructure and ransom negotiations.

LockBit 3.0 is known for its double extortion tactics—encrypting files and exfiltrating data—and for its customisable, modular payloads. It has targeted a wide range of industries, including healthcare, finance, government, manufacturing, and legal services. The group poses a significant threat to UK organisations, given its scale, automation capabilities, and growing affiliate base.


2. Origin and Evolution

The original LockBit group emerged in 2019, gaining momentum with the release of LockBit 2.0 in 2021, which introduced automated propagation and sandbox evasion techniques. In June 2022, the group released LockBit 3.0, also dubbed LockBit Black, featuring enhanced obfuscation, lateral movement tools, and a novel bug bounty programme—the first of its kind for a ransomware group.

LockBit 3.0 draws inspiration from previous strains like DarkSide and BlackMatter, incorporating modular configurations that allow affiliates to tailor ransom notes, encryption scope, and execution timing.


3. Tactics, Techniques, and Procedures (TTPs)

LockBit 3.0 exhibits highly automated and adaptable attack methods. Key behaviours include:

  • Initial Access: Phishing emails (MITRE T1566.001), exploitation of public-facing vulnerabilities (T1190), and credential brute forcing (T1110.001).
  • Lateral Movement: Use of Cobalt Strike, RDP, SMB, and Group Policy Object manipulation.
  • Data Exfiltration: Use of Rclone, WinSCP, and bespoke data exfiltration scripts (T1041).
  • Encryption: Custom payloads featuring multi-threaded AES + RSA encryption and selective targeting of file extensions.
  • Persistence & Evasion: Obfuscation, living-off-the-land binaries (LOLBins), and shadow copy deletion (T1490).

4. Targeting Profile

LockBit 3.0 does not target specific industries, instead focusing on victims of opportunity based on access, perceived ability to pay, and network exposure. However, sectors disproportionately impacted include:

  • Legal and accounting firms
  • Healthcare providers
  • Municipal and regional government
  • Logistics and manufacturing

UK-based organisations, particularly those without endpoint detection or adequate segmentation, have been repeatedly targeted.


5. Notable Campaigns and Victims

Some of the most significant LockBit 3.0 incidents to date include:

  • Royal Mail (UK, 2023): Disruption of international services and data leaks involving internal documentation.
  • Entrust (US, 2022): A major breach involving the exfiltration of internal security certificates and system documentation.
  • Italian Tax Agency (2022): Claims of data exfiltration and publication of confidential records.

6. Ransomware and Leak Site Behaviour

LockBit 3.0 operates a high-profile leak site on the dark web where victim data is published in stages. Its extortion model includes:

  1. System encryption using a highly configurable payload
  2. Data exfiltration to cloud storage or attacker-controlled servers
  3. Time-bound ransom demands, often with countdown clocks and public shaming tactics
  4. Direct chat portals over TOR for negotiation

LockBit’s bug bounty programme also invited external hackers to report weaknesses in its malware or infrastructure in exchange for cryptocurrency rewards—an unprecedented move.


7. Technical Indicators

Common indicators of LockBit 3.0 activity include:

  • Payloads named locker64.dll, build.exe, or custom .lockbit variants
  • Connections to C2 servers at IP ranges 185.225.69.x and 185.180.143.x
  • Use of Rundll32 and MSHTA for execution
  • Exfiltration via rclone.exe to cloud services like Mega, Dropbox, and pCloud
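The indicators above, together with the LOLBin use and shadow copy deletion listed under TTPs, are easiest to put to work as a small triage pass over endpoint telemetry. The following is an added example written for this page; it is not tooling from UK Cyber Defence Ltd or from any LockBit analysis. It assumes a simple event schema (process events with `image` and `cmdline`, network events with `image`, `dest_ip` and `dest_host`), assumes the cloud services named above are reached via the hostnames `mega.nz`, `dropbox.com` and `pcloud.com`, and assumes the standard `vssadmin delete shadows` form of T1490, which the profile names but does not quote. The sample events are constructed.

```python
"""Triage constructed endpoint and network events against the LockBit 3.0
indicators in this profile. Added example, not UK Cyber Defence Ltd tooling."""
import ipaddress
import re

# Indicators taken from the profile (section 7 and the TTP list).
PAYLOAD_NAMES = {"locker64.dll", "build.exe"}
LOLBINS = {"rundll32.exe", "mshta.exe"}
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
C2_NETWORKS = [
    ipaddress.ip_network("185.225.69.0/24"),   # the two "x" ranges from the profile
    ipaddress.ip_network("185.180.143.0/24"),
]
# Assumed hostnames for the cloud services the profile names.
CLOUD_STORAGE_SUFFIXES = ("mega.nz", "dropbox.com", "pcloud.com")
# Assumption: shadow copy deletion (T1490) via the usual vssadmin invocation.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _in_c2_range(ip_text):
    """True when the address falls inside one of the listed C2 ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in C2_NETWORKS)


def _is_cloud_storage(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def check_event(ev):
    """Return the list of indicator hits for one event; an empty list means no match."""
    hits = []
    image = _basename(ev.get("image", ""))
    if ev.get("type") == "process":
        cmd = ev.get("cmdline", "").lower()
        if image in PAYLOAD_NAMES:
            hits.append(f"known payload name: {image}")
        if image in LOLBINS:
            hits.append(f"LOLBin execution: {image}")
        # A LOLBin loading a named payload (e.g. rundll32 + locker64.dll) is caught here.
        for name in sorted(PAYLOAD_NAMES):
            if name in cmd and name != image:
                hits.append(f"known payload name referenced: {name}")
        if SHADOW_DELETE.search(cmd):
            hits.append("shadow copy deletion (T1490)")
    elif ev.get("type") == "network":
        dest_ip = ev.get("dest_ip", "")
        dest_host = ev.get("dest_host", "")
        if _in_c2_range(dest_ip):
            hits.append(f"connection to known C2 range: {dest_ip}")
        # rclone/WinSCP talking to consumer cloud storage is the exfiltration pattern described.
        if image in EXFIL_TOOLS and _is_cloud_storage(dest_host):
            hits.append(f"cloud storage contact by exfiltration tool: {image} -> {dest_host}")
    return hits


def scan(events):
    """Return {event_index: [hits]} for every event that matched at least one indicator."""
    findings = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed sample telemetry: one benign process, one benign connection, five suspicious events.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "image": r"C:\Users\Public\build.exe", "cmdline": "build.exe"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Temp\locker64.dll,Entry"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"type": "network", "image": r"C:\ProgramData\rclone.exe", "dest_ip": "104.16.0.1", "dest_host": "api.mega.nz"},
    {"type": "network", "image": r"C:\Windows\explorer.exe", "dest_ip": "185.225.69.10", "dest_host": ""},
    {"type": "network", "image": r"C:\Program Files\Browser\browser.exe",
     "dest_ip": "93.184.216.34", "dest_host": "example.com"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```

Matching on file names and `/24` ranges is deliberately coarse: a renamed payload or a new affiliate server slips past it, so the hits are meant to open a hunt (which account launched `rundll32`, what followed the shadow copy deletion, how much data `rclone` moved), not to stand alone as a verdict.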

Threat intelligence feeds and YARA rules are available via UK Cyber Defence Ltd.


8. Defensive Measures and Recommendations

To defend against LockBit 3.0, we recommend:

  • Enforce multi-factor authentication (MFA) on all remote services
  • Monitor for LOLBins and lateral movement tools
  • Deploy advanced EDR/XDR platforms with real-time response capabilities
  • Disable macros and scripts in office applications
  • Maintain offline backups and test them regularly
  • Patch and update all public-facing services

9. Attribution and Alliances

LockBit 3.0 is believed to be operated by a core group of Russian-speaking cybercriminals. While there is no confirmed state sponsorship, the group avoids targeting CIS countries, suggesting a geopolitical filter.

Former affiliates of Conti and REvil are suspected to have joined LockBit following the collapse of those operations.


10. Conclusion

LockBit 3.0 remains one of the most dangerous and persistent ransomware threats globally. Its combination of technical agility, aggressive extortion tactics, and affiliate-driven scalability has made it a priority concern. UK organisations should adopt layered defences, threat hunting practices, and response playbooks to prepare for potential LockBit incidents.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025