Advisory November 10, 2023

LockBit 3.0 Increased Ransomware Attacks

Recently, an increased number of attacks from LockBit ransomware has been observed in several organizations around the globe. Specifically, the version LockBit 3.0 was observed.



LockBit ransomware is malicious software designed to block user access to computer systems by encryption, in exchange for a ransom payment. LockBit offers RaaS (Ransomware as a Service). It searches for valuable targets, spreads the infection, and encrypts all accessible computer systems on a network. This ransomware is mainly targeted against enterprises and other organizations. There is no geographical limit regarding the targets.

The present version LockBit 3.0 is a continuation of versions LockBit 2.0, and LockBit. It is more modular and evasive than its previous versions and shares similarities with Blackmatter and Blackcat ransomware.

The ransomware group uses the following threats against the victims:

  • Operations disruption with essential functions coming to a sudden halt.
  • Extortion for the hacker’s financial gain.
  • Data theft and illegal publication as blackmail if the victim does not comply.

LockBit Ransomware Group is accountable for over one-third of all ransomware attacks in the latter half of the previous year,  and for almost 300 attacks in the first quarter of 2023. LockBit was also identified as the most active global ransomware group based on the victims on their data leak site in 2022.

At present, they focus on financial organizations – this doesn’t mean they won’t target other sectors – as threat intelligence platform Falcon Feed reported that 2 new victims appeared on the dark web portal of LockBit. The first is Fawry, Egypt’s leading electronic payment network which crashed on Thursday 9th of November, and the second is Amber Hill Group, a global investment group. LockBit is also suspected to be behind the ransomware attack against the Industrial and Commercial Bank of China (ICBC).



To prevent LockBit and other ransomware attacks, it is recommended to take the following measures:

  • Back up your data regularly and store it offline or separately, to restore them without paying the ransom if you get infected.
  • Update your software and systems to the latest versions and apply security patches as soon as they are available to prevent ransomware from exploiting known vulnerabilities.
  • Use endpoint security solutions such as antivirus and endpoint detection and response (EDR) software to detect and block ransomware before it encrypts your data.
  • Limit user privileges and access to the minimum necessary for their roles. This can reduce the risk of ransomware spreading to other devices or systems through compromised accounts.