S1202: LockBit 3.0
LockBit 3.0 is an evolution of the LockBit Ransomware-as-a-Service (RaaS) offering with similarities to BlackMatter and BlackCat ransomware. LockBit 3.0 has been in use since at least June 2022 and features enhanced defense evasion and exfiltration tactics, robust encryption methods for Windows and VMware ESXi systems, and a more refined RaaS structure over its predecessors such as LockBit 2.0.[1][2][3][4]
Analyst context for executives and security teams
LockBit 3.0 matters because ATT&CK describes it as a Windows-focused ransomware-as-a-service evolution with defense evasion, exfiltration-related behavior, and strong encryption capabilities. For leaders, the practical issue is not a single malware signature; it is whether the organization can detect and contain the chain of behaviors commonly associated with ransomware operations: credential abuse, lateral movement over SMB/admin shares, discovery of systems and shares, impairment of recovery, and encryption for impact.
Executive priority
Treat this as a resilience and incident-readiness priority. The supplied ATT&CK relationships point to behaviors that can turn one compromised Windows host into broader operational disruption: SMB-based lateral movement, Group Policy modification, service stopping, recovery inhibition, and data encryption. Executives should ask whether identity controls, backup recoverability, Windows logging, EDR visibility, and IR decision paths are proven under ransomware conditions, not merely documented for audit.
Technical view
SOC and IR teams should validate coverage around the related ATT&CK techniques: PowerShell execution, native API use, Windows service creation or modification, registry modification, CMSTP abuse, software packing and encoded/encrypted files, process/system/file/share discovery, SMB/Windows Admin Shares, local account abuse, web-protocol C2, service stop, recovery inhibition, and data encryption for impact. Because official detection text is not provided, detection engineering should be behavior-led and environment-specific, with special attention to chained signals rather than isolated alerts.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- PowerShell execution and script block/module logging where available
- Windows service creation, modification, and stop events
- Registry modification events
- SMB/admin share access and lateral movement evidence
Detection direction
- Correlate discovery activity followed by SMB/admin share access, service creation, registry modification, or PowerShell execution.
- Tune for ransomware-impact sequences: service stopping, recovery inhibition, and rapid file modification/encryption patterns across local or shared storage.
- Validate monitoring of Group Policy changes because the relationship set includes Group Policy Modification and this can materially affect domain-wide control posture.
- Account for evasion behaviors such as software packing, encrypted or encoded files, deobfuscation, execution guardrails, and mutex-based execution control; static signatures alone are unlikely to be sufficient.
- Review false positives from legitimate administration tools, PowerShell, CMSTP, Windows services, and SMB usage by comparing against approved admin workflows and maintenance windows.
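One way to act on the correlation direction above, as an added example that is not Glexia's or MITRE's code: a small Python correlator over constructed Sysmon/EDR-style events that maps each event to a technique listed for S1202 and alerts only when one host shows several chain stages inside a time window. The event type names, the substrings matched in the details field and the sample telemetry are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Rule table: (event type, substring expected in the details field, ATT&CK technique, chain stage).
# Event types and substrings are assumptions about what Sysmon/EDR fields would carry;
# an empty substring matches every event of that type (any new service is a signal here).
RULES = [
    ("ProcessCreate",  "net view",           "T1135",     "discovery"),
    ("ProcessCreate",  "powershell",         "T1059.001", "execution"),
    ("NetworkShare",   "admin$",             "T1021.002", "lateral_movement"),
    ("ServiceInstall", "",                   "T1543.003", "persistence"),
    ("RegistrySet",    "disableantispyware", "T1112",     "defense_evasion"),
    ("RegistrySet",    "autoadminlogon",     "T1547.004", "persistence"),
    ("ProcessCreate",  "delete shadows",     "T1490",     "impact"),
]

def classify(event):
    """Map one event dict to (technique, stage), or None when no rule matches."""
    for etype, needle, tech, stage in RULES:
        if event["type"] == etype and needle in event["details"].lower():
            return tech, stage
    return None

def correlate(events, window=timedelta(minutes=30), min_stages=3):
    """Return {host: [techniques]} for hosts whose classified events cover at least
    `min_stages` distinct chain stages inside a sliding `window`; a lone signal never fires."""
    by_host = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), *hit))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()  # chronological; tuple order is (time, technique, stage)
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            if len({h[2] for h in in_window}) >= min_stages:
                alerts[host] = [h[1] for h in in_window]
                break
    return alerts

# Constructed sample telemetry (not real logs): ws01 shows the chain, admin02 shows routine admin work.
SAMPLE = [
    {"host": "ws01", "time": "2024-01-10T09:00:00", "type": "ProcessCreate", "details": "net view \\\\fs01"},
    {"host": "ws01", "time": "2024-01-10T09:05:00", "type": "NetworkShare", "details": "\\\\fs01\\ADMIN$"},
    {"host": "ws01", "time": "2024-01-10T09:07:00", "type": "RegistrySet",
     "details": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware = 1"},
    {"host": "ws01", "time": "2024-01-10T09:09:00", "type": "ProcessCreate", "details": "vssadmin delete shadows"},
    {"host": "admin02", "time": "2024-01-10T11:00:00", "type": "ProcessCreate", "details": "powershell.exe -File patch.ps1"},
    {"host": "admin02", "time": "2024-01-10T15:00:00", "type": "ServiceInstall", "details": "BackupAgent"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE))  # {'ws01': ['T1135', 'T1021.002', 'T1112', 'T1490']}
```

Tune the window, the stage threshold and the rule table to the environment; the admin02 events show why a single PowerShell run or service install should not fire on its own.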
Mitigation priorities
- Prioritize resilient, tested backups and recovery paths that are protected from routine administrative compromise.
- Harden and monitor administrative identity, especially local accounts and accounts able to use SMB/admin shares or modify services, registry, and Group Policy.
- Restrict and audit lateral movement paths over SMB and Windows admin shares where business operations allow.
- Apply least privilege and change control around Group Policy, Windows services, and registry-sensitive areas.
- Improve PowerShell and living-off-the-land monitoring without assuming all such activity is malicious.
Analyst notes and limits
The object is ATT&CK malware S1202, LockBit 3.0, version 1.1 in ATT&CK release 19.1. The official description identifies it as an evolution of LockBit RaaS with similarities to BlackMatter and BlackCat and notes enhanced defense evasion, exfiltration tactics, and robust encryption methods. The strongest defensive value comes from the relationships to techniques spanning execution, discovery, lateral movement, defense evasion, persistence/privilege escalation, command and control, and impact.
Official detection is not provided, tactics are not specified on the malware object, and the listed platform is Windows. Some related techniques include other platforms, and the description references VMware ESXi encryption capabilities, but local applicability must be validated against the organization’s actual Windows, virtualization, identity, logging, and backup architecture. This summary does not assert current exploitation, attribution, customer exposure, or guaranteed detection coverage.
LockBit 3.0
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | The LockBit 3.0 payload is decrypted at runtime. [1][3][4] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | LockBit 3.0 can encrypt C2 communications with AES. [3] |
| Enterprise | T1548.002 | Bypass User Account Control (sub-technique) | LockBit 3.0 can bypass UAC to execute code with elevated privileges through an elevated Component Object Model (COM) interface. [3] |
| Enterprise | T1484.001 | Group Policy Modification (sub-technique) | LockBit 3.0 can enable options for propagation through Group Policy Objects. [3] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | LockBit 3.0 can use PowerShell to apply Group Policy changes. [3] |
| Enterprise | T1112 | Modify Registry | LockBit 3.0 can change Registry values for the Group Policy refresh time, to disable SmartScreen, and to disable Windows Defender. [3][4] |
| Enterprise | T1480.002 | Mutual Exclusion (sub-technique) | LockBit 3.0 can create and check for a mutex containing a hash of the `MachineGUID` value at execution to prevent running more than one instance. [3] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | The LockBit 3.0 payload includes an encrypted main component. [1][3] |
| Enterprise | T1027.002 | Software Packing (sub-technique) | LockBit 3.0 can use code packing to hinder analysis. [1][4] |
| Enterprise | T1680 | Local Storage Discovery | LockBit 3.0 can enumerate local drive configuration. [3] |
| Enterprise | T1543.003 | Windows Service (sub-technique) | LockBit 3.0 can install system services for persistence. [1] |
| Enterprise | T1569.002 | Service Execution (sub-technique) | LockBit 3.0 can use PsExec to execute commands and payloads. [2] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | LockBit 3.0 can use HTTP to send victim host information to C2. [3][4] |
| Enterprise | T1106 | Native API | LockBit 3.0 has the ability to directly call native Windows API functions during execution. [1][4] |
| Enterprise | T1480 | Execution Guardrails | LockBit 3.0 can make execution dependent on specific parameters, including a unique passphrase and the system language of the targeted host not being found on a set exclusion list. [2][1][3] |
| Enterprise | T1685.005 | Clear Windows Event Logs (sub-technique) | LockBit 3.0 can delete log files on targeted systems. [2][3] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | LockBit 3.0 can delete itself from disk. [2][3] |
| Enterprise | T1218.003 | CMSTP (sub-technique) | LockBit 3.0 can attempt a CMSTP UAC bypass if it does not have administrative privileges. [1] |
| Enterprise | T1685 | Disable or Modify Tools | LockBit 3.0 can disable security tools, including Windows Defender, to evade detection. [2][3][4] |
| Enterprise | T1083 | File and Directory Discovery | LockBit 3.0 can exclude files associated with core system functions from encryption. [3] |
| Enterprise | T1082 | System Information Discovery | LockBit 3.0 can enumerate the system hostname and domain. [3] |
| Enterprise | T1135 | Network Share Discovery | LockBit 3.0 can identify network shares on compromised systems. [3] |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | LockBit 3.0 can Base64-encode C2 communication. [3] |
| Enterprise | T1622 | Debugger Evasion | LockBit 3.0 can check heap memory parameters for indications of a debugger and stop the flow of events to the attached debugger in order to hinder dynamic analysis. [1] |
| Enterprise | T1489 | Service Stop | LockBit 3.0 can terminate targeted processes and services related to security, backup, database management, and other applications that could stop or interfere with encryption. [2][1][3][4] |
| Enterprise | T1547.004 | Winlogon Helper DLL (sub-technique) | LockBit 3.0 can enable automatic logon through the `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` Registry key. [3] |
| Enterprise | T1057 | Process Discovery | LockBit 3.0 can identify and terminate specific services. [1][2] |
| Enterprise | T1614.001 | System Language Discovery (sub-technique) | LockBit 3.0 will not affect machines with language settings matching a defined exclusion list of mainly Eastern European languages. [2][3] |
| Enterprise | T1120 | Peripheral Device Discovery | LockBit 3.0 has the ability to discover external storage devices. [3] |
| Enterprise | T1486 | Data Encrypted for Impact | LockBit 3.0 can encrypt targeted data using the AES-256, ChaCha20, or RSA-2048 algorithms. [2][1][3][4] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares (sub-technique) | LockBit 3.0 can use SMB for lateral movement. [3] |
| Enterprise | T1688 | Safe Mode Boot | LockBit 3.0 can reboot the infected host into Safe Mode. [3] |
| Enterprise | T1078.003 | Local Accounts (sub-technique) | LockBit 3.0 can use a compromised local account for lateral movement. [3] |
| Enterprise | T1490 | Inhibit System Recovery | LockBit 3.0 can delete volume shadow copies. [2][3][4] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 263dad5fbbfd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Sentinel Labs LockBit 3.0 JUL 2022: Walter, J. (2022, July 21). LockBit 3.0 Update | Unpicking the Ransomware's Latest Anti-Analysis and Evasion Techniques. Retrieved February 5, 2025.
- [2] Joint Cybersecurity Advisory LockBit JUN 2023: CISA et al. (2023, June 14). Understanding Ransomware Threat Actors: LockBit. Retrieved February 5, 2025.
- [3] Joint Cybersecurity Advisory LockBit 3.0 MAR 2023: FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
- [4] INCIBE-CERT LockBit MAR 2024: INCIBE-CERT. (2024, March 14). LockBit: response and recovery actions. Retrieved February 5, 2025.
- [5] LockBit Black (associated name for LockBit 3.0; see [2][3][1]).
- [6] mitre-attack S1202 (MITRE ATT&CK source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.