Lockbit Black

Malware updated 4 days ago (2024-11-29T14:22:39.366Z)
LockBit Black, also known as LockBit 3.0, is malicious software that emerged in early 2022 following the release of its predecessor, LockBit 2.0 (or LockBit Red), in mid-2021. The malware has been developed to exploit and damage computer systems by encrypting files, often leading to ransom demands for data restoration. This advanced ransomware shares similarities with other notable malware such as BlackMatter and Alphv (also known as BlackCat), indicating the developer's consistent efforts to enhance its destructive capabilities.

The dissemination of LockBit Black was primarily facilitated through the Phorpiex botnet, which sent millions of phishing emails containing the ransomware. These campaigns utilized tools like Async RAT and Xworm before delivering LockBit payloads built using a leaked LockBit Black builder. In addition, the CosmicBeetle group leveraged the same builder to generate custom samples featuring a ransom note in Turkish, further demonstrating the wide-ranging use of this malware.

In September 2022, a significant development occurred when an affiliate of LockBit leaked the LockBit Black builder code due to a disagreement with the group's owners. This led to multiple cybercrime groups utilizing the builder code to customize their own ransomware tooling and launch attacks. According to cybersecurity company Cyble, DragonForce, another cybercrime group, used a ransomware binary based on the LockBit Black ransomware in its attacks, highlighting the pervasive influence of LockBit Black in the cyber threat landscape.
Description last updated: 2024-09-11T19:16:51.674Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
Blackmatter is a possible alias for Lockbit Black. BlackMatter, a threat actor in the cybersecurity realm, is known for its malicious activities and has been linked to several ransomware strains. The group emerged as a successor to the DarkSide ransomware, which was responsible for the high-profile attack on the Colonial Pipeline in May 2021. Howeve | 5
Lockbit Red is a possible alias for Lockbit Black. LockBit, a notorious ransomware, underwent a significant upgrade to LockBit 2.0 (also known as LockBit Red) in mid-2021. This malware version, designed to exploit and damage computer systems, was often propagated through suspicious downloads, emails, or websites. Once infiltrated, it could steal per | 4
Lockbit Green is a possible alias for Lockbit Black. LockBit, also known as Gold Mystic and Water Selkie, is a notorious ransomware group that has been active since its inception in September 2019. It has developed several variants of its malware over the years, including LockBit 1.0, LockBit 2.0, LockBit 3.0, and most recently, LockBit Green. The gro | 3
Lockbit V3 is a possible alias for Lockbit Black. LockBit v3, also known as LockBit Black, is a potent malware that was initially detected in June 2022. This malicious software is designed to exploit and damage computer systems by encrypting files rapidly, often without the user's knowledge. It infiltrates systems through suspicious downloads, emai | 3
Dragonforce is a possible alias for Lockbit Black. DragonForce is a malicious software (malware) developed by a hacktivist group of the same name. This malware has been used in a series of attacks targeting various organizations globally. In 2022, DragonForce targeted over 70 government and commercial entities in India, disrupting their web resource | 2
Alphv is a possible alias for Lockbit Black. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p | 2
LockBitSupp is a possible alias for Lockbit Black. LockBitSupp, a prominent threat actor, has been identified as Russian national Dmitry Yuryevich Khoroshev. The group's activities have been under scrutiny due to its involvement in ransomware attacks and other cybercrimes. Khoroshev, who was operating under the aliases "LockBit" and "LockBitSupp," i | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Malware
Payload
Ransomware P...
Cybercrime
Windows
Botnet
Phishing
Associated Malware
Alias Description | Association Type | Votes
The Lockbit Malware is associated with Lockbit Black. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or | is related to | 12
The Conti Malware is associated with Lockbit Black. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal persona | Unspecified | 3
The Black Basta Malware is associated with Lockbit Black. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses | Unspecified | 2
The Phorpiex Malware is associated with Lockbit Black. Phorpiex is a prominent malware that has been known to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. Phorpiex is particular | Unspecified | 2
Associated Threat Actors
Alias Description | Association Type | Votes
The Bl00dy Threat Actor is associated with Lockbit Black. Bl00dy is a threat actor known for its malicious activities in the cyber world. The group, along with another threat actor called Black Basta, have recently been identified as exploiting bugs in ConnectWise ScreenConnect, a popular remote management tool. This exploitation has led to a significant i | Unspecified | 2
The DarkSide Threat Actor is associated with Lockbit Black. DarkSide is a threat actor known for its malicious activities, primarily in the realm of ransomware attacks. One of their most notable exploits occurred on May 7, 2021, when they targeted Colonial Pipeline Co., a major player in the U.S. energy sector. The attack disrupted the gasoline supply across | Unspecified | 2
The FIN7 Threat Actor is associated with Lockbit Black. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global | Unspecified | 2