CISA, FBI, MS-ISAC Issue LockBit 3.0 Ransomware Advisory

The federal joint advisory details indicators of compromise and tactics, techniques and procedures associated with the disruptive ransomware variant, as well as advising on improving cyber defenses.

CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued new advice about the ransomware group LockBit yesterday.

The joint advisory details tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) that the FBI has found to be correlated with a ransomware variant from that group, including examples seen as recently as this month. It also outlines steps organizations can take to better defend themselves.

LockBit has claimed credit for high-profile attacks, such as those against the U.K.’s Royal Mail and a Canadian hospital (it reportedly apologized for the latter). It is also allegedly behind attacks on U.S. local and state government agencies, with recent instances including two agencies in Pierce County, Wash., California’s Department of Finance and the Housing Authority of the City of Los Angeles.

Since January 2020, LockBit has been used by affiliates, per the advisory. Affiliates are malicious actors who deploy ransomware against victims but who did not themselves develop it. According to WIRED, LockBit affiliates collect extortion payments from victims, then pay a fee to the core developer team.

“Affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging,” per the joint advisory.

The advisory focuses specifically on LockBit 3.0, or LockBit Black, which it describes as “more modular and evasive than ... previous versions” of the ransomware. LockBit 3.0 shares “similarities with BlackMatter and BlackCat ransomware.”


  • Maintain multiple copies of important data and servers in physically separate, segmented, secure locations to enable recovery and maintain offline backups
  • Ensure backup data is encrypted and immutable
  • Practice restoring from backups

Account and Access Control
  • Follow strong password practices and management
  • Require phishing-resistant MFA on as many services as possible, and at least on those accounts and services that access critical systems
  • Audit accounts with admin privileges and adopt a “principle of least privilege” approach to access control
  • Check for unrecognized or new accounts in domain controllers, servers, workstations and active directories
  • Make higher-level access privileges time-based, so that access is only granted for the time needed to complete a specific task

  • Regularly and promptly patch firmware, operating systems and software
    • Prioritize mitigating known exploited vulnerabilities
  • Segment networks, to impede ransomware’s spread
  • “Disable command-line and scripting activities and permissions” to reduce ransomware actors’ abilities to move laterally and escalate their privileges

Catch Attempts & Reduce Attack Surfaces
  • Use a network monitoring tool to “identify, detect and investigate abnormal activity” and potential lateral movement of ransomware actors
  • Use — and regularly update — antivirus software, and turn on real-time detection features
  • Disable unused ports
  • “Disable hyperlinks in received emails” and consider adding banners to emails that alert recipients if they were sent from outside the organization

Validate Security
  • Test your organization’s security controls against the MITRE ATT&CK techniques associated with LockBit 3.0

Find more detailed advice and explanations in the joint advisory.

Jule Pattison-Gordon is a senior staff writer for Government Technology. She previously wrote for PYMNTS and The Bay State Banner, and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.