Introduction
MyCERT has observed an increase in ransomware-related attacks, including attacks carried out with the well-known ransomware LockBit 3.0. Notably, a number of organisations in Malaysia were hit by the LockBit 3.0 ransomware in 2022.
LockBit 3.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques, and procedures (TTPs), which creates significant challenges for defence and mitigation. LockBit 3.0 affiliates compromise victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero-day exploits.
Prior to LockBit 3.0, the attackers began their operations in September 2019 as ABCD ransomware and then renamed it LockBit. The attackers made improvements and returned with an improved ransomware in June 2021, known as LockBit 2.0. LockBit 2.0 introduced new features such as shadow copy and log file deletion to make recovery harder for victims. In addition, LockBit 2.0 had the fastest encryption speed among the most popular ransomware families, encrypting around 25 thousand files in under one minute. Beginning July 2022, the ransomware has been known as LockBit 3.0 or LockBit Black.
The attackers associated with LockBit 3.0 are believed to originate from Russia. According to detailed analysis, the ransomware checks the default system language and, if the victim system's language is Russian or that of one of the countries neighbouring Russia, it avoids encryption and stops the attack.