LockBit 3.0 (also known as LockBit Black) represented the most technically advanced iteration of the LockBit ransomware family before the group's infrastructure was disrupted by law enforcement in February 2024. This analysis examines the malware's internals based on samples collected from incident response engagements handled by our team.
Anti-Analysis and Evasion
LockBit 3.0 employs multiple layers of protection against analysis. The binary is encrypted with a per-build unique key that must be provided as a command-line argument; without it, the sample cannot execute or be statically analyzed. This design prevents sandbox detonation and makes sharing IOCs between organizations less effective since each victim receives a unique build.
At runtime, the malware uses API hashing (CRC32-based) to resolve Windows API functions dynamically, avoiding static import table analysis. It also implements direct syscalls to bypass user-mode API hooks commonly deployed by EDR solutions, and employs a custom thread pool architecture that makes behavioral analysis more difficult.
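As an added example (not code from the original analysis or from our incident response tooling), the following Python script shows how an analyst can pre-compute a CRC32 lookup table of export names so that hash constants recovered from the disassembly can be mapped back to API names. It assumes the hash is plain CRC32 over the ASCII export name with an optional per-build XOR constant; the real sample's exact variant (case folding, seed, XOR value) must be confirmed from its resolver routine, and the export list here is a constructed stub rather than a full DLL export table.

```python
import zlib
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed subset of export names. In practice an analyst would pull the
# complete export tables of kernel32.dll, ntdll.dll, advapi32.dll, ... with a
# PE parser (for example pefile) and feed every name into build_lookup().
SAMPLE_EXPORTS: Dict[str, List[str]] = {
    "kernel32.dll": ["VirtualAlloc", "CreateFileW", "GetProcAddress", "LoadLibraryA"],
    "ntdll.dll": ["NtCreateFile", "NtWriteVirtualMemory", "NtProtectVirtualMemory"],
}


def api_hash(name: str, xor_key: int = 0) -> int:
    """Assumed hashing scheme: CRC32 over the ASCII export name, optionally
    XORed with a per-build 32-bit constant. Real samples may lowercase the
    name first or use a custom seed; adjust after diffing against the sample."""
    return (zlib.crc32(name.encode("ascii")) ^ xor_key) & 0xFFFFFFFF


def build_lookup(exports: Dict[str, List[str]], xor_key: int = 0) -> Dict[int, Tuple[str, str]]:
    """Map hash value -> (dll, export name). A collision between two different
    exports is an error: it would make resolution ambiguous, so fail loudly."""
    table: Dict[int, Tuple[str, str]] = {}
    for dll, names in exports.items():
        for name in names:
            h = api_hash(name, xor_key)
            if h in table and table[h] != (dll, name):
                raise ValueError(f"hash collision for {h:#010x}: {table[h]} vs {(dll, name)}")
            table[h] = (dll, name)
    return table


def resolve(table: Dict[int, Tuple[str, str]], h: int) -> Optional[Tuple[str, str]]:
    """Return (dll, name) for a hash constant, or None if it is not known."""
    return table.get(h & 0xFFFFFFFF)


def annotate(table: Dict[int, Tuple[str, str]], hashes: Iterable[int]) -> List[Tuple[int, Optional[Tuple[str, str]]]]:
    """Annotate a list of hash constants lifted from the disassembly; unknown
    hashes stay None so the analyst can see which exports are still missing
    from the lookup table."""
    return [(h, resolve(table, h)) for h in hashes]


if __name__ == "__main__":
    lookup = build_lookup(SAMPLE_EXPORTS)
    # Constructed "recovered" constants: two known, one deliberately unknown.
    recovered = [api_hash("VirtualAlloc"), api_hash("NtCreateFile"), 0x12345678]
    for h, hit in annotate(lookup, recovered):
        print(f"{h:#010x} -> {hit if hit else 'UNKNOWN'}")
```

The per-build XOR constant matters in practice: if the table is built with the wrong key, every lookup returns None, which is itself a quick signal that the assumed variant is wrong.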
Encryption Implementation
The encryption scheme uses ChaCha20 for file encryption with a per-file randomly generated key, which is then encrypted with an RSA-2048 public key embedded in the build. Files under 256KB are fully encrypted, while larger files use intermittent encryption, encrypting only portions of the file at calculated intervals. This approach dramatically speeds up encryption while rendering files equally unrecoverable.
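Added example (not from the original analysis): chunk-level entropy profiling, which is one way a responder can tell intermittently encrypted files apart from both untouched files and fully encrypted ones when triaging a file share. The 4 KB chunk size, the 7.0 bits/byte threshold and the sample data are constructed assumptions; the "intermittent" sample uses seeded random bytes in place of cipher output, since only the entropy profile matters for classification.

```python
import math
import random
from collections import Counter
from typing import List

CHUNK = 4096          # assumed analysis granularity, not the malware's interval
HIGH_ENTROPY = 7.0    # bits/byte; cipher output sits around 7.9+, text around 4-5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> List[float]:
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes) -> str:
    """Classify a file body by the pattern of high-entropy chunks.

    'intermittent' is reported when high- and low-entropy chunks alternate
    at least twice, the signature of partial encryption at fixed intervals.
    Already-compressed formats (zip, jpeg, docx) are high entropy by nature and
    need a per-type baseline before this heuristic is trusted on them."""
    high = [e >= HIGH_ENTROPY for e in chunk_entropies(data)]
    if not high:
        return "empty"
    if all(high):
        return "fully_encrypted"
    if not any(high):
        return "plaintext"
    transitions = sum(1 for a, b in zip(high, high[1:]) if a != b)
    return "intermittent" if transitions >= 2 else "mixed"


# --- constructed sample data ------------------------------------------------

def make_plaintext(size: int = 65536) -> bytes:
    sentence = b"The quick brown fox jumps over the lazy dog. "
    return (sentence * (size // len(sentence) + 1))[:size]


def make_random(size: int = 65536, seed: int = 1337) -> bytes:
    rng = random.Random(seed)  # seeded so the sample is reproducible
    return bytes(rng.getrandbits(8) for _ in range(size))


def make_intermittent(size: int = 65536, every: int = 4, seed: int = 7) -> bytes:
    """Plaintext with every `every`-th 4 KB chunk replaced by random bytes,
    standing in for a file encrypted only at calculated intervals."""
    rng = random.Random(seed)
    buf = bytearray(make_plaintext(size))
    for start in range(0, size, CHUNK * every):
        end = min(start + CHUNK, size)
        buf[start:end] = bytes(rng.getrandbits(8) for _ in range(end - start))
    return bytes(buf)


if __name__ == "__main__":
    for label, sample in [("plaintext", make_plaintext()),
                          ("random", make_random()),
                          ("intermittent", make_intermittent())]:
        print(f"{label:13s} -> {classify(sample)}")
```

Run over a directory listing, the classifier sorts files into those still worth collecting for recovery attempts and those whose entropy profile shows they were touched, regardless of whether the extension was renamed.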
Lateral Movement and Impact Maximization
LockBit 3.0 includes built-in capabilities for network propagation via SMB and Group Policy Object (GPO) abuse. The malware can enumerate Active Directory using LDAP queries, identify high-value targets (domain controllers, file servers, backup systems), and deploy itself across the network using compromised admin credentials. It specifically targets Volume Shadow Copy Service and backup applications to eliminate recovery options before beginning encryption.
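Added example (not part of the original write-up or of its Sigma rule set): a small detector that scans constructed process-creation events for the recovery-inhibition commands typically associated with shadow-copy and backup tampering (MITRE ATT&CK T1490, Inhibit System Recovery). The pipe-delimited log format, the hostnames, the user names and the pattern list are assumptions for this example; in a real deployment the same patterns would be applied to process-creation telemetry such as Sysmon Event ID 1 or Windows Security event 4688, and a single host tripping several rules in quick succession is the signal worth paging on.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed events in the form: timestamp|host|user|image|command_line
SAMPLE_EVENTS = r"""
2024-01-15T02:11:04Z|FS01|CORP\backupsvc|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2024-01-15T02:11:09Z|FS01|CORP\admin01|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-01-15T02:11:10Z|FS01|CORP\admin01|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2024-01-15T02:11:12Z|FS01|CORP\admin01|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2024-01-15T02:12:30Z|WS42|CORP\jdoe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\jdoe\notes.txt
""".strip().splitlines()

# Rule name -> command-line pattern. Listing or creating shadow copies is
# routine administration and deliberately not matched; only destructive or
# recovery-disabling forms are.
RECOVERY_TAMPER_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_storage", re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit_disable_recovery", re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]


@dataclass
class Event:
    timestamp: str
    host: str
    user: str
    image: str
    command_line: str


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


def parse_event(line: str) -> Optional[Event]:
    """Parse one pipe-delimited event; malformed lines are skipped, not fatal."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    return Event(*parts)


def detect(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per (event, rule) match, in log order."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule, pattern in RECOVERY_TAMPER_RULES:
            if pattern.search(ev.command_line):
                alerts.append(Alert(ev.timestamp, ev.host, ev.user, rule, ev.command_line))
    return alerts


def correlate(alerts: Iterable[Alert], min_rules: int = 2) -> Set[str]:
    """Hosts on which at least `min_rules` distinct rules fired; several
    different recovery-inhibition commands on one host is the high-confidence
    pre-encryption pattern rather than a one-off admin mistake."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.rule)
    return {host for host, rules in seen.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user} [{a.rule}] {a.command_line}")
    print("high-confidence hosts:", sorted(correlate(found)))
```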
MITRE ATT&CK Mapping
We have mapped all observed TTPs to the MITRE ATT&CK framework, covering 14 techniques across 8 tactics. The complete mapping, along with Sigma detection rules for each technique, is available through our Strobes Threat Intel platform. Organizations should focus detection efforts on the lateral movement and defense evasion phases, where LockBit 3.0's behavior is most distinguishable from legitimate administrative activity.