{"id":47867,"date":"2022-07-25T00:00:00","date_gmt":"2022-07-25T00:00:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/lockbit-ransomware-group-augments-its-latest-variant-lockbit-3-0-with-blackmatter-capabilities-threat-analyst-threats-analyst-threat-analyst-threat-analyst-threat-analyst-threat-analyst\/"},"modified":"2022-07-25T00:00:00","modified_gmt":"2022-07-25T00:00:00","slug":"lockbit-ransomware-group-augments-its-latest-variant-lockbit-3-0-with-blackmatter-capabilities-threat-analyst-threats-analyst-threat-analyst-threat-analyst-threat-analyst-threat-analyst","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/lockbit-ransomware-group-augments-its-latest-variant-lockbit-3-0-with-blackmatter-capabilities-threat-analyst-threats-analyst-threat-analyst-threat-analyst-threat-analyst-threat-analyst\/","title":{"rendered":"LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities Threat Analyst Threats Analyst Threat Analyst Threat Analyst Threat Analyst Threat Analyst"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/g\/lockbit-ransomware-group-augments-its-latest-variant,-lockbit-3-0,-with-blackmatter-capabilities\/LockBitBlack-072022-banner.jpg\"><\/p>\n<div readability=\"32\">\n<div readability=\"9\">\n<p>As part of its encryption process, LockBit 3.0 appends the extension <i>HLJkNskOq<\/i> (Figure 3) and changes the icons of encrypted files to that of the aforementioned .ico file.<\/p>\n<\/div>\n<\/div>\n<div readability=\"31.889189189189\">\n<div readability=\"12.940540540541\">\n<h2><span 
class=\"body-subhead-title\">Similarities to BlackMatter ransomware<\/span><\/h2>\n<p>Researchers have pointed out that portions of LockBit 3.0\u2019s code seem to be borrowed from <a href=\"https:\/\/twitter.com\/WhichbufferArda\/status\/1544005908518273024\" target=\"_blank\" rel=\"noopener\">the BlackMatter ransomware<\/a>, hence the nickname LockBit Black. Likewise, we found similarities between BlackMatter and the new LockBit variant during our debugging of the LockBit 3.0 sample. From our examination of <a href=\"https:\/\/twitter.com\/cPeterr\/status\/1543692271186579459\" target=\"_blank\" rel=\"noopener\">the unpacked sample<\/a> and an analysis provided by the researcher <a href=\"https:\/\/chuongdong.com\/reverse%20engineering\/2021\/09\/05\/BlackMatterRansomware\/\" target=\"_blank\" rel=\"noopener\">Chuong Dong<\/a>, we discovered that LockBit 3.0 requires a pass parameter to decrypt its main routine (Figure 6). Other ransomware families like Egregor have been observed exhibiting this same behavior, where an argument is required to proceed with the routine. This makes the binary harder to reverse if the parameter is not available.<\/p>\n<\/div>\n<\/div>\n<div readability=\"30.381381381381\">\n<div readability=\"10.882882882883\">\n<p>LockBit 3.0 performs API harvesting by hashing the API names of a DLL and then comparing the hashes to the list of the APIs that the ransomware needs (Figure 7). 
This routine is identical to that of BlackMatter (Figure 8), as <a href=\"https:\/\/www.nozominetworks.com\/blog\/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs\/\" target=\"_blank\" rel=\"noopener\">the externally available script<\/a> for renaming BlackMatter\u2019s APIs also works for LockBit 3.0 (Figures 9 and 10).<\/p>\n<\/div>\n<\/div>\n<div readability=\"33\">\n<div readability=\"11\">\n<p>Instead of directly calling the addresses of the harvested APIs, LockBit 3.0 implements a trampoline pointer (Figure 11) that goes to an allocated heap buffer containing a small code stub, which then jumps to the address of the <i>NtTerminateProcess<\/i> API (Figure 12). The code placed in the heap buffer is randomly chosen from this set of routines:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">ROR by a random number<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ROL by a random number<\/span><\/li>\n<li><span class=\"rte-red-bullet\">XOR with a key<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ROR by a random number, then XOR with a key<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ROL by a random number, then XOR with a key<\/span><\/li>\n<\/ul><\/div>\n<\/div>\n<div readability=\"32\">\n<div readability=\"9\">\n<p>LockBit 3.0 and BlackMatter also implement the same antidebugging technique: Both set the thread information to <i>ThreadHideFromDebugger<\/i> (0x11) via the <i>NtSetInformationThread<\/i> API (Figure 13), which causes a debugger to crash if a breakpoint is placed on this thread.<\/p>\n<\/div>\n<\/div>\n<div readability=\"35\">\n<div readability=\"15\">\n<p>Like BlackMatter, LockBit 3.0 calls APIs from separate threads instead of calling them directly, which is likely an attempt to make it more difficult for researchers to analyze. 
The strings it uses are decrypted using a simple bitwise-XOR routine (Figure 14), a bitwise-XOR and NOT routine (Figure 15), or a decryption routine involving a linear congruential generator (LCG) algorithm to generate a pseudorandom key (Figure 16). This is also similar to how BlackMatter operates, except for the addition of the bitwise-XOR and NOT routine.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"40\">\n<div class=\"responsive-table-wrap\" readability=\"25\">\n<p>LockBit 3.0\u2019s configurations (Table 1) are decrypted using the same XOR routine and keys obtained from an LCG pseudorandom number generator, and then decompressed using a compression library called APLib.<\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\" width=\"526\">\n<tbody readability=\"9.5\">\n<tr>\n<td width=\"153\" valign=\"top\">\n<p><b>Configuration<\/b><\/p>\n<\/td>\n<td width=\"373\" valign=\"top\">\n<p><b>Description<\/b><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"153\" valign=\"top\">\n<p>PUB_KEY[0x80]<\/p>\n<\/td>\n<td width=\"373\" valign=\"top\">\n<p>RSA public key&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"153\" valign=\"top\">\n<p>VICT_ID[0x10]<\/p>\n<\/td>\n<td width=\"373\" valign=\"top\" readability=\"6\">\n<p>Victim ID (This is based on BlackMatter\u2019s code, but is not used by LockBit 3.0.)&nbsp;&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"153\" valign=\"top\">\n<p>AES_KEY[0x10]<\/p>\n<\/td>\n<td width=\"373\" valign=\"top\" readability=\"7\">\n<p>AES_KEY for the command-and-control (C&amp;C) server (This is based on BlackMatter\u2019s code, but is not used by LockBit 3.0.)&nbsp;&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"153\" valign=\"top\">\n<p>FLAGS[0x18]<\/p>\n<\/td>\n<td width=\"373\" valign=\"top\" readability=\"5\">\n<p>Flags for specific routines&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"153\" 
valign=\"top\">\n<p>OFFSET_ARRAY<\/p>\n<\/td>\n<td width=\"373\" valign=\"top\" readability=\"6\">\n<p>Array of the offset of Base64-encoded strings from this address (The length of the array is equal to the first value.)&nbsp;<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"8.5\">\n<td width=\"153\" rowspan=\"2\" valign=\"top\">\n<p>BASE64_STRING<\/p>\n<\/td>\n<td width=\"373\" rowspan=\"2\" valign=\"top\" readability=\"6\">\n<p>Array of Base64-encoded strings, which includes:&nbsp;<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Hashes of folders, files, and extensions to avoid<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Hashes of computer names to avoid&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Services and processes to kill&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">A list of C&amp;C servers&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Admin credentials&nbsp;&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The ransom note&nbsp;<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 1. 
A list of LockBit 3.0\u2019s configurations<\/span><\/center> <\/p>\n<p>LockBit 3.0 also checks the victim machine\u2019s UI language and avoids infecting machines set to any of these languages:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Arabic (Syria)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Armenian (Armenia)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Azerbaijani (Cyrillic Azerbaijan)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Azerbaijani (Latin Azerbaijan)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Belarusian (Belarus)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Georgian (Georgia)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Kazakh (Kazakhstan)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Kyrgyz (Kyrgyzstan)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Romanian (Moldova)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Russian (Moldova)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Russian (Russia)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Tajik (Cyrillic Tajikistan)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Turkmen (Turkmenistan)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Tatar (Russia)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Ukrainian (Ukraine)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Uzbek (Cyrillic Uzbekistan)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Uzbek (Latin Uzbekistan)<\/span><\/li>\n<\/ul>\n<p>LockBit 3.0 also retains these BlackMatter routines for privilege escalation:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Uses UACMe\u2019s method of bypassing user account control (UAC), which is to use the ICMLuaUtil COM interface under <i>dllhost.exe<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Duplicates the <i>Explorer.exe<\/i> token for its own use<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Performs a 32-bit or 64-bit shellcode injection to elevate its token<\/span><\/li>\n<\/ul>\n<p>The string that both LockBit 3.0 and BlackMatter use as 
the encrypted file name extension, ransom note name, and wallpaper and icon name is a Base64-encoded hash (Figure 17). However, a key difference between the two pieces of ransomware is that LockBit 3.0 opts to hash the RSA public key embedded in its configuration with MD5, whereas BlackMatter hashes the MachineGUID using the same algorithm it uses for API names. This makes the string the same for all machines infected by the same sample, which is likely an attempt by LockBit\u2019s operators to make it easier for them to identify which RSA private key is needed for an encrypted file.<\/p>\n<\/div>\n<\/div>\n<div readability=\"34.5\">\n<div readability=\"14\">\n<p>Like BlackMatter, LockBit 3.0 also performs these routines:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Attempts to log in using credentials from its configuration list to determine whether they grant domain admin rights on the compromised system, which it then uses for later routines<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Terminates and deletes processes and services from its configuration list, a routine similar to that of BlackMatter<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Wipes the recycle bin folder of every drive<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Checks a list of computer name hashes to avoid from its configuration list<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Connects to the C&amp;C server from its configuration list if the corresponding flag is set<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Encrypts network shares and Exchange mailboxes if the corresponding configuration flag is set<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Obtains a list of files, folders, and extensions to be avoided from its configuration list<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Encrypts the files that .lnk shortcuts point to when encrypting .lnk files<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Prints the ransom note on any available printers and modifies the desktop 
wallpaper<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Uses the same encryption algorithm as BlackMatter<\/span><\/li>\n<\/ul>\n<p>LockBit 3.0\u2019s deletion of shadow copies (Figure 18) is clearly lifted from BlackMatter\u2019s code, as this is performed using Windows Management Instrumentation (WMI) through COM objects, as opposed to LockBit 2.0\u2019s use of <i>vssadmin.exe<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"51\">\n<div class=\"responsive-table-wrap\" readability=\"47\">\n<p>This latest LockBit iteration performs some routines only if a specific argument is provided. LockBit 3.0 accepts only the arguments listed in Table 2, while BlackMatter accepts only the <i>-safe<\/i>, <i>-wall<\/i>, and <i>-path<\/i> arguments.<\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"7\">\n<tr>\n<td width=\"312\">\n<p><b>Argument<\/b><\/p>\n<\/td>\n<td width=\"312\">\n<p><b>Description<\/b><\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"312\">\n<p>-pass {value}<\/p>\n<\/td>\n<td width=\"312\" readability=\"6\">\n<p>Uses the first 32 characters of the value as a key to decrypt the main routine (This is required for the ransomware to execute properly.)<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"312\">\n<p>-safe<\/p>\n<\/td>\n<td width=\"312\">\n<p>Reboots in SafeBoot<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"312\">\n<p>-wall<\/p>\n<\/td>\n<td width=\"312\" readability=\"5\">\n<p>Only sets the ransomware wallpaper and prints the ransom note on printers<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"312\">\n<p>-path {target}<\/p>\n<\/td>\n<td width=\"312\" readability=\"6\">\n<p>Specifically encrypts the target, which can be a file or folder<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"312\">\n<p>-gspd<\/p>\n<\/td>\n<td width=\"312\" readability=\"5\">\n<p>Performs group policy modification for lateral movement<\/p>\n<\/td>\n<\/tr>\n<tr 
readability=\"3\">\n<td width=\"312\">\n<p>-psex<\/p>\n<\/td>\n<td width=\"312\" readability=\"5\">\n<p>Performs lateral movement via admin shares<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"312\">\n<p>-gdel<\/p>\n<\/td>\n<td width=\"312\" readability=\"5\">\n<p>Deletes group policy updates<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"312\">\n<p>-del<\/p>\n<\/td>\n<td width=\"312\">\n<p>Deletes itself<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 2. A list of arguments that LockBit 3.0 accepts<\/span><\/center> <\/p>\n<p>The new LockBit variant checks its arguments by comparing their hashes. Based on the code, it is designed to perform only one argument-selected routine per run, except for <i>-pass<\/i>, which must be processed before the other arguments can be checked. The routines that print the ransom note and change the victim machine\u2019s wallpaper when the <i>-wall<\/i> argument is provided are also similar to BlackMatter\u2019s. Like BlackMatter, LockBit 3.0 can also restart in safe mode and execute via the RunOnce registry key, as long as the <i>-safe<\/i> argument is provided.<\/p>\n<p>However, there is one key difference between their configuration flags: BlackMatter has only nine flags while LockBit 3.0 has 24, as detailed in Table 3.<\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"44\">\n<tr>\n<td width=\"312\" valign=\"top\">\n<p><b>Configuration flag<\/b><\/p>\n<\/td>\n<td width=\"312\" valign=\"top\">\n<p><b>Description<\/b><\/p>\n<\/td>\n<\/tr>\n<tr readability=\"7.5\">\n<td width=\"312\" valign=\"top\" readability=\"5\">\n<p>ENCRYPT_LARGE_FILE_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"6\">\n<p>If set, large files will be included in the encryption routine.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"312\" valign=\"top\">\n<p>RANDOM_FILE NAME_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" 
readability=\"6\">\n<p>If set, encrypted files will be renamed to random file names.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"7.5\">\n<td width=\"312\" valign=\"top\">\n<p>ATTEMPT_LOGON_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"8\">\n<p>If set, a login attempt will be made using credentials from LockBit 3.0\u2019s configuration list, and the credentials will be saved if these have domain admin rights.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"312\" valign=\"top\">\n<p>EXCLUDE_HIDDEN_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"6\">\n<p>If set, hidden files will not be encrypted.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"312\" valign=\"top\">\n<p>CHECK_UI_LANGUAGE_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"7\">\n<p>If set, the victim machine\u2019s UI language will be checked and the ransomware will terminate if the machine is from any of the avoided countries.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"9\">\n<td width=\"312\" valign=\"top\" readability=\"5\">\n<p>MOUNT_VOL_ENC_EXCHANGE_SERVER_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"7\">\n<p>If set, all volumes for encryption will be mounted and available exchange servers will be encrypted.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"312\" valign=\"top\">\n<p>ENC_SHARED_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"6\">\n<p>If set, shared folders will be encrypted.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"312\" valign=\"top\">\n<p>TERMINATE_PROCESS_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"6\">\n<p>If set, processes from LockBit 3.0\u2019s configuration list will be terminated.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"312\" valign=\"top\">\n<p>DELETE_SERVICE_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"6\">\n<p>If set, services from LockBit 3.0\u2019s configuration list will be 
deleted.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"312\" valign=\"top\">\n<p>CREATE_MUTEX_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"7\">\n<p>If set, a check will be done to see whether mutex is already created and the ransomware will terminate if it is.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"312\" valign=\"top\">\n<p>PRINT_RANSOM_NOTE_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"6\">\n<p>If set, the ransom note will be printed on available printers.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"312\" valign=\"top\">\n<p>CHANGE_WALLPAPER_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"6\">\n<p>If set, the victim\u2019s wallpaper will be changed.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"312\" valign=\"top\">\n<p>CHANGE_ICON_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"6\">\n<p>If set, the icons of encrypted files will be changed.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"312\" valign=\"top\">\n<p>CONNECT_TO_CNC_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"6\">\n<p>If set, communication will be done with a C&amp;C server from LockBit 3.0\u2019s configuration list.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"312\" valign=\"top\">\n<p>DELETE_SELF_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"6\">\n<p>If set, the ransomware will delete itself using a dropped .tmp file.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"312\" valign=\"top\">\n<p>DELETE_AV_SERVICE_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"6\">\n<p>If set, AV services matching the hashes will be terminated.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"9\">\n<td width=\"312\" valign=\"top\" readability=\"5\">\n<p>CREATE_TEMP_MAX_DISKSPACE<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"7\">\n<p>If set, another .tmp file (from the same .tmp 
file used in <i>DELETE_SELF_FLAG<\/i> flag) will be created on each drive with random contents and sizes based on <i>DiskFreeSpace<\/i>.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"312\" valign=\"top\">\n<p>HAS_ADMIN_CRED_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"6\">\n<p>If set, an attempt will be made to use admin credentials obtained from the <i>ATTEMPT_LOGON_FLAG<\/i> flag.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"312\" valign=\"top\">\n<p>RUN_AS_ADMIN_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"6\">\n<p>If set, commands will be executed as admin using credentials from the <i>ATTEMPT_LOGON_FLAG<\/i> flag.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"7.5\">\n<td width=\"312\" valign=\"top\" readability=\"5\">\n<p>FORCE_GPUPDATE_VIA_POWERSHELL_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"6\">\n<p>If set, group policy updates will be forced on all active directories using a PowerShell command.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"312\" valign=\"top\">\n<p>DELETE_TEMP_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"7\">\n<p>If set, the same .tmp file used in the <i>DELETE_SELF_FLAG<\/i> flag will be deleted via<i> MoveFileExW<\/i> and the victim machine will be restarted.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"312\" valign=\"top\">\n<p>DISABLE_EVENTLOG_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"6\">\n<p>If set, <i>EventLog<\/i> will be disabled via registry and service.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"312\" valign=\"top\">\n<p>DELETE_GPO_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"7\">\n<p>If set and the <i>-gspd<\/i> parameter is used, the victim machine\u2019s sleep time will be set to 1 minute before performing routines that will delete group policy updates.<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"312\" 
valign=\"top\">\n<p>UNUSED_FLAG<\/p>\n<\/td>\n<td width=\"312\" valign=\"top\" readability=\"6\">\n<p>An extra flag that\u2019s not used in the analyzed binary (or possibly an indicator of the end of flags).<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 3. The flags that can be set in LockBit 3.0\u2019s configuration<\/span><\/center> <\/p>\n<p>One notable behavior for this third LockBit version is its file deletion technique: Instead of using <i>cmd.exe<\/i> to execute a batch file or command that will perform the deletion, it drops and executes a .tmp file decrypted from the binary. It has, however, retained some of LockBit 2.0\u2019s features, like the earlier version\u2019s ability to perform lateral movement through a group policy update, as long as the <i>-gspd<\/i> parameter is provided.<\/p>\n<p>The executed .tmp file overwrites the contents of the ransomware binary and then renames the binary multiple times (Figure 19), with the new file names based on the length of the original file name. For example, a file named <i>1.exe<\/i>, which has five characters (including the file name extension), is renamed as <i>AAAAA<\/i>, then <i>BBBBB<\/i>, and so on up to <i>ZZZZZ<\/i>. After renaming the file, LockBit 3.0 finally deletes it (Figure 20). This routine is probably the LockBit ransomware group\u2019s attempt to avoid recovery by forensic tools and cover their tracks by completely removing any trace of the ransomware.<\/p>\n<\/div>\n<\/div>\n<div readability=\"32.20325203252\">\n<div readability=\"12.313008130081\">\n<h2><span class=\"body-subhead-title\">LockBit 3.0 on VirusTotal<\/span><\/h2>\n<p>A researcher recently spotted <a href=\"https:\/\/twitter.com\/petrovic082\/status\/1549626142142898177\" target=\"_blank\" rel=\"noopener\">another LockBit 3.0 sample<\/a> on VirusTotal (Figure 21), with 19 detections at the time of this writing. 
This specific sample is a PowerShell script containing two layers of obfuscated code (Figures 22 and 23). After deobfuscating the script (Figure 24), we found that LockBit 3.0 is capable of injecting a DLL into memory via reflective loading (Figure 25), using code that is identical to BlackMatter\u2019s own PowerShell code (Figure 26).<\/p>\n<\/div>\n<\/div>\n<div readability=\"35\">\n<div readability=\"15\">\n<p>This particular sample has a payload that is compressed and Base64-encoded (Figure 27). To access it, we modified the script to dump the payload instead of executing it (Figure 28). By dumping the payload, we were able to obtain LockBit 3.0\u2019s main binary (Figure 29).<\/p>\n<p>When it is executed, the script exhibits the same behavior as the previously discovered LockBit 3.0 sample. This specific sample appends <i>19MqZqZ0s<\/i> to the file names of encrypted files (Figure 30).<\/p>\n<\/div>\n<\/div>\n<div readability=\"35\">\n<div readability=\"15\">\n<p>The payload of this specific LockBit 3.0 sample checks for only three hashed arguments (Figure 31), while the previous LockBit 3.0 sample checks for eight. Its DLL payload is reflectively loaded, and the code of its propagation routines via admin shares and group policy is designed for PE (Portable Executable) binaries, not for a PowerShell script, which might explain why some of the routines don\u2019t work. Another possibility is that LockBit 3.0\u2019s ransomware builder might have the option to disable certain routines. 
This LockBit 3.0 sample with the PowerShell script doesn\u2019t need a pass \u201ckey\u201d to run even though there is a check for the <i>-pass<\/i> argument, although the rest of its routines are the same as those in the previously mentioned sample with a Win32 .exe file.<\/p>\n<\/div>\n<\/div>\n<div readability=\"39.71882446386\">\n<div readability=\"29.789118347895\">\n<h2><span class=\"body-subhead-title\">Locking out ransomware attacks<\/span><\/h2>\n<p>The LockBit ransomware gang <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/news\/ransomware-by-the-numbers\/lockbit-conti-and-blackcat-lead-pack-amid-rise-in-active-raas-and-extortion-groups-ransomware-in-q1-2022\" target=\"_blank\" rel=\"noopener\">led the ransomware-as-a-service (RaaS) scene in the first quarter of 2022<\/a>, with 220 self-reported successful RaaS and extortion attacks. One headline-making attack reportedly took place in January, during which LockBit operators claimed to have <a href=\"https:\/\/www.politico.eu\/article\/infamous-ransomware-group-claims-it-hacked-frances-justice-ministry\/#:~:text=An%20infamous%20cybercriminal%20group%20said,on%20a%20data%20leak%20site.\" target=\"_blank\" rel=\"noopener\">breached France\u2019s Ministry of Justice<\/a>. It would be no surprise if some of BlackMatter\u2019s affiliates had joined the ranks of the LockBit group, considering LockBit\u2019s recent rise in notoriety, which would explain the many similarities between the two pieces of ransomware.<\/p>\n<p>With the release of this latest variant \u2014 and the launch of LockBit\u2019s bug bounty program, which rewards its affiliates \u2014 we expect the LockBit ransomware group to be even more active in the coming days. We advise organizations and end users to be wary of this new variant, especially since the bug bounty program might help the operators in making their ransomware an even more formidable one. 
Best practices for mitigating the risk of a ransomware attack include:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Following the&nbsp;<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/world-backup-day-the-3-2-1-rule\/\" target=\"_blank\" rel=\"noopener\">3-2-1 rule<\/a>, which involves backing up files in three copies in two different formats, with one copy stored off-site. This is a precautionary measure to avoid data loss in case of a ransomware attack.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Remaining vigilant against&nbsp;<a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/definition\/social-engineering\" target=\"_blank\" rel=\"noopener\">socially engineered<\/a>&nbsp;emails to reduce the risk of a ransomware infection, as ransomware is commonly spread through malicious spam email attachments.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Keeping applications and programs up to date. Regular <a href=\"https:\/\/www.trendmicro.com\/vinfo\/tmr\/?\/us\/security\/news\/security-technology\/security-101-virtual-patching\" target=\"_blank\" rel=\"noopener\">patching<\/a> ensures that software vulnerabilities that ransomware actors could exploit as entry points can be addressed in a timely fashion.<\/span><\/li>\n<\/ul>\n<p>Organizations can benefit from a multilayered approach that can help guard possible entry points into a system (endpoint, email, web, and network). Trend Micro offers a suite of security solutions that can detect malicious components and suspicious behavior, and improve an enterprise\u2019s security posture. <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/detection-response.html\" target=\"_blank\" rel=\"noopener\">Trend Micro Vision One\u2122<\/a> provides multilayered protection and behavior detection, which helps block suspicious behavior early in a system before a ransomware infection can do irreversible damage. 
<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/email-and-collaboration\/email-inspector.html\" target=\"_blank\" rel=\"noopener\">Trend Micro\u2122 Deep Discovery\u2122 Email Inspector<\/a>&nbsp;uses custom sandboxing and advanced analysis techniques to block malicious emails, including phishing emails that are common entry points for ransomware. Additionally, <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection\/sps\/endpoint.html\" target=\"_blank\" rel=\"noopener\">Trend Micro Apex One\u2122<\/a>&nbsp;offers automated threat detection and response to protect endpoints from more advanced concerns such as fileless threats and ransomware.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/g\/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In June 2022, LockBit revealed version 3.0 of its ransomware. In this blog entry, we discuss the findings from our own technical analysis of this variant and its behaviors, many of which are similar to those of the BlackMatter ransomware. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":47868,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9534,9539],"class_list":["post-47867","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-latest-news","tag-trend-micro-research-ransomware"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities Threat Analyst Threats Analyst Threat Analyst Threat Analyst Threat Analyst Threat Analyst 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
","yoast_head_json":{"title":"LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities Threat Analyst Threats Analyst Threat Analyst Threat Analyst Threat Analyst Threat Analyst 2026 | ThreatsHub Cybersecurity News","canonical":"https:\/\/www.threatshub.org\/blog\/lockbit-ransomware-group-augments-its-latest-variant-lockbit-3-0-with-blackmatter-capabilities-threat-analyst-threats-analyst-threat-analyst-threat-analyst-threat-analyst-threat-analyst\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-07-25T00:00:00+00:00","author":"TH Author"}}