Lockbit Black

Malware Profile Updated 2 days ago
LockBit Black, also known as LockBit 3.0, is malware that emerged in early 2022 as the third version of the LockBit group's ransomware. The developer has consistently worked to improve it; the previous version, LockBit 2.0 (also known as LockBit Red), was released in mid-2021. This variant shares similarities with other notable ransomware families such as BlackMatter and Alphv (also known as BlackCat). It encrypts files once the executable payload contained in a compressed ZIP archive is run.

Since April, threat actors have been leveraging the Phorpiex botnet to spread LockBit Black ransomware through millions of phishing emails, according to reports from New Jersey’s Cybersecurity and Communications Integration Cell (NJCCIC) and various cybersecurity experts. The Phorpiex botnet, notorious for its large-scale spam campaigns, has been instrumental in delivering the ransomware to unsuspecting victims. These emails typically contain ZIP archives whose executable payload, once run, starts the LockBit Black encryption process.

Despite Operation Cronos, an international law enforcement operation, successfully taking down the LockBit group's infrastructure in February 2024, the LockBit Black builder remains available for use by anyone. Cyble Research & Intelligence Labs (CRIL) discovered that DragonForce has been using the leaked builder to develop its own toolset, after observing striking similarities between the code structure and functions of its ransomware payload and those of LockBit Black. This highlights the growing threat posed by the abuse of leaked malware-building tools in cyberattacks, which amplifies the global risk landscape for organizations.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| ID | Votes | Profile Description |
| --- | --- | --- |
| Lockbit | 11 | LockBit is a malicious software, or malware, that has been significantly active in recent years. It is designed to infiltrate systems and cause significant damage by stealing sensitive information, disrupting operations, and holding data hostage for ransom. In 2023, security firm Rapid7 named LockBi |
| Blackmatter | 5 | BlackMatter, a threat actor known for its malicious activities in the cybersecurity landscape, emerged as a variant of the notorious "DarkSide" ransomware. In May 2021, after launching an attack on Colonial Pipeline, the group rebranded itself from DarkSide to BlackMatter. However, due to increased |
| Lockbit Red | 4 | LockBit, a notorious ransomware, underwent a significant upgrade to LockBit 2.0 (also known as LockBit Red) in mid-2021. This malware version, designed to exploit and damage computer systems, was often propagated through suspicious downloads, emails, or websites. Once infiltrated, it could steal per |
| Lockbit V3 | 3 | LockBit v3, also known as LockBit Black, is a potent malware that was initially detected in June 2022. This malicious software is designed to exploit and damage computer systems by encrypting files rapidly, often without the user's knowledge. It infiltrates systems through suspicious downloads, emai |
| Lockbit Green | 3 | LockBit, also known as Gold Mystic and Water Selkie, is a notorious ransomware group that has been active since its inception in September 2019. It has developed several variants of its malware over the years, including LockBit 1.0, LockBit 2.0, LockBit 3.0, and most recently, LockBit Green. The gro |
| Alphv | 2 | AlphV, also known as BlackCat, is a significant threat actor within the cybercrime landscape. Throughout 2023, AlphV has been responsible for numerous high-profile ransomware attacks, stealing significant amounts of data from various organizations. The group claimed responsibility for hacking Clario |
| LockBitSupp | 2 | LockBitSupp, also known as Dmitry Yuryevich Khoroshev, is a notorious threat actor and the mastermind behind the prolific LockBit ransomware attacks. Operating under various aliases including "LockBit" and "putinkrab," Khoroshev has been actively involved in cybercrime for over 14 years, with his ac |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Ransom
Cybercrime
Windows
Payload
Ransomware P...
Associated Malware
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| Conti | Unspecified | 3 | Conti is a malware program known for its disruptive capabilities, including stealing personal information and holding data hostage for ransom. It gained notoriety as part of the arsenal of ITG23, a cybercrime group that used it in conjunction with other malicious software like Trickbot, BazarLoader, |
| Black Basta | Unspecified | 2 | Black Basta is a malicious ransomware program that has been active since April 2022. It operates using a double-extortion attack model, infecting systems and holding data hostage for ransom. The malware typically infiltrates systems through suspicious downloads, emails, or websites, often without th |
Associated Threat Actors
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| Bl00dy | Unspecified | 2 | Bl00dy is a notable threat actor in the cybersecurity landscape, known for its malicious activities aimed at exploiting vulnerabilities and executing ransomware attacks. Recently, this entity has been identified as one of the key players exploiting the recent bugs found in ConnectWise ScreenConnect, |
| DarkSide | Unspecified | 2 | DarkSide is a notorious threat actor that has been associated with significant cyber attacks, most notably the ransomware attack on the US Colonial Pipeline in 2021. This group was known for its adoption of the ransomware-as-a-service (RaaS) model and had reportedly netted over $90 million in Bitcoi |
| FIN7 | Unspecified | 2 | FIN7, a prominent threat actor in the cybersecurity landscape, has been linked to a series of malicious activities over recent years. In November 2022, Sentinel Labs researchers reported a connection between the financially motivated hacking group FIN7 and the Black Basta ransomware gang. This disco |
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Lockbit Black Malware was read from the documents corpus below.
| Source | Created At | Title |
| --- | --- | --- |
| CERT-EU | 3 months ago | Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks |
| CERT-EU | a year ago | AuKill - A Malware That Kills EDR Clients To Attack Windows Systems |
| CERT-EU | 9 months ago | Leaked LockBit 3.0 ransomware builder used by multiple threat actors \| IT Security News |
| InfoSecurity-magazine | a month ago | DragonForce Ransomware Group Uses LockBit’s Leaked Builder |
| InfoSecurity-magazine | 9 months ago | LockBit 3.0 Ransomware Variants Surge Post Builder Leak |
| CERT-EU | 9 months ago | Leaked LockBit 3.0 ransomware builder used by multiple actors |
| CERT-EU | a year ago | Ransomware review: April 2023 |
| CERT-EU | a year ago | LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware – National Cyber Security Consulting |
| CERT-EU | 5 months ago | Top 10 Notorious Ransomware Gangs of 2023 \| #ransomware \| #cybercrime \| National Cyber Security Consulting |
| Malwarebytes | a year ago | LockBit ransomware on Mac: Should we worry? |
| Recorded Future | a year ago | Semiconductor Companies Targeted by Ransomware \| Recorded Future |
| CERT-EU | 3 months ago | New Vulnerabilities in ConnectWise ScreenConnect Massively Exploited by Attackers |
| Securityaffairs | a year ago | LockBit Green ransomware variant borrows code from Conti one |
| Securityaffairs | 2 days ago | Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION |
| CERT-EU | 3 months ago | Operation Cronos: Who Are the LockBit Admins |
| Fortinet | 10 months ago | Meet LockBit: The Most Prevalent Ransomware in 2022 \| FortiGuard Labs |
| CERT-EU | a year ago | New LockBit variant targets MacOS, another relies on Conti source code |
| Securityaffairs | 9 days ago | Security Affairs newsletter Round 472 by Pierluigi Paganini – INTERNATIONAL EDITION |
| Securityaffairs | 14 days ago | Phorpiex botnet sent millions of phishing emails to deliver LockBit Black ransomware |
| CERT-EU | a year ago | Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation \| #ransomware \| #cybercrime \| National Cyber Security Consulting |