LockBit 3.0 Ransomware Threatens Health Sector, Feds WarnLatest Variant Uses Capabilities of BlackMatter, Other Malware
U.S. federal authorities are warning healthcare and public health sector organizations of attacks involving LockBit 3.0 ransomware, which includes features of other ransomware variants along with the threat of triple-extortion demands.
Entities in and serving the sector have already been hit by this latest variant of LockBit, including an August attack on technology vendor Advanced that disrupted IT services at the United Kingdom's National Health Service for weeks (see: Ransomware Attack Caused NHS Outage, Says Vendor).
The U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in a threat brief issued Monday says that since June, cybercriminals wielding LockBit 3.0 - also known as LockBit Black - have been targeting healthcare sector entities, which was the case with earlier versions of LockBit.
But while LockBit 3.0 contains many of the same functions as the earlier LockBit 2.0 variant, which was the subject of HHS HC3 and FBI alerts in February, the latest version of the ransomware-as-a-service malware also features capabilities of BlackMatter ransomware.
The government also warned the industry about BlackMatter, including an alert in January that said BlackMatter appeared to have shut down its operations, but that other ransomware groups were filling the void (see: HHS HC3: BlackMatter Threat to Health Sector 'Reduced').
HHS HC3 says that a recent report from security firm Sophos suggests that LockBit 3.0 could be reusing some BlackMatter code.
Sophos says its analysis of some recent LockBit 3.0 attacks and leaks reveals "wormable capabilities and tooling" similar to BlackMatter.
LockBit 3.0's similarities to BlackMatter include the ability to send ransom notes to a printer on the network, delete volume shadow copies and obtain the victim's operating system, along with several debugging features, HHS HC3 writes. "LockBit 3.0 will take additional steps to attempt to obfuscate itself," the alert adds.
LockBit 3.0 Details
LockBit 3.0 is a Win32.exe file that uses the
-pass argument for execution, HC3 says. The encryption uses a Base64-encoded hash and an RSA public key in its configuration and hashes it with MD5, according to HC3.
The malware is capable of targeting Windows and Linux systems, and its latest strain contains worm capabilities to spread itself without human interaction, HC3 writes.
"Encrypted files can only be unlocked with LockBit's decryption tool. Once on the network, the ransomware attempts to download command-and-control tools such as Cobalt Strike, Metasploit and Mimikatz."
The RaaS malware can use various infection techniques, HC3 says. Affiliates often purchase access to targets, obtained through phishing, brute-forcing remote desktop protocol accounts or exploiting other known vulnerabilities, including CVE-2018-13379 and CVE-2021-22986.
"After encryption is complete, the file extension changes to 'HLjkNskOq' and will alter the desktop wallpaper to inform the infected user of the compromise. Finally, there will be a dropped README.TXT with payment instructions," HC3 says.
"LockBit has targeted multiple organizations globally but has heavily victimized the U.S. and healthcare and public health sector," HC3 writes. In some previous attacks on healthcare sector entities, the attackers haves shared proof via screenshots that the networks were compromised and threatened to publish the stolen data after a set deadline.
Historically, LockBit ransomware employs a double-extortion technique in which sensitive data is encrypted and exfiltrated, HC3 writes. "The actor requests payment to decrypt data and threatens to leak the sensitive data if the payment is not made. With the new release, it appears that the ransomware is using a triple-extortion model where the affected victim may also be asked to purchase their sensitive information."
U.K.-based Advanced declined Information Security Media Group's request for comment about whether LockBit 3.0 threat actors in their August attack demanded ransoms from individuals whose data was compromised in the incident, which affected certain NHS clients.
Outside of the healthcare sector, LockBit 3.0 threat actors last month claimed responsibility for the ransomware attack that halted municipal services and shut down employee email accounts in Westmount, Quebec (see: LockBit 3.0 Says It's Holding a Canadian City for Ransom.
In September, the LockBit ransomware-as-a-service group paid the first payment of $50,000 as part of a $1 million bug bounty program announced in June for researchers willing to identify coding flaws or provide new ideas for vulnerabilities to exploit. The bug bounty program was tied to the cybercrime group's rollout of LockBit 3.0 (see: Keys to LockBit's Success: Self Promotion, Technical Acumen).