Today, CISA, the FBI, and MS-ISAC released a joint Cybersecurity Advisory (CSA) to provide network defenders with known LockBit 3.0 ransomware indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) identified through FBI investigations as recently as March 2023.

The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit. Since January 2020, LockBit affiliates have compromised a wide range of critical infrastructure organizations, including a water utility in Portugal last month. LockBit threat actors typically gain initial access via remote desktop protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications.

The authoring agencies encourage network defenders to review the CSA and apply the included mitigations. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response. To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at CyWatch@fbi.gov. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CISAServiceDesk@cisa.dhs.gov. Access the full advisory at CISA.