| Stage | Techniques | Detection Example |
|---|---|---|
| Initial Access | Valid Accounts (T1078); External Remote Services (T1133); Drive-by Compromise (T1189); Exploit Public-Facing Application (T1190); Phishing (T1566) | Reference [29] builds a ransomware signature database and a dataset for machine-learning-based prediction, both aimed at detecting ransomware early. Storing SHA-256 hashes of known ransomware artifacts in the database allows specific variants to be identified at this stage, and the model trained on the dataset can flag activity associated with techniques such as phishing and exploitation of public-facing applications, which LockBit 3.0 commonly uses. |
| Execution | Command and Scripting Interpreter: Windows Command Shell (T1059.003); System Services: Service Execution (T1569.002) | Reference [30] categorizes ransomware with machine learning, specifically a Random Forest classifier. Because its features are extracted from the raw bytes of an executable file, the method can identify ransomware-related activity such as use of the Windows Command Shell or service execution. |
| Persistence | Boot or Logon Autostart Execution (T1547); Valid Accounts (T1078) | Reference [31] combines sequential pattern mining with machine learning to identify ransomware at the Persistence stage. By focusing on events such as registry modifications, Dynamic Link Library (DLL) interactions and scheduled tasks, the system quickly separates benign applications from ransomware. It reports a high F-measure and Area Under the Curve (AUC), giving early and accurate detection of behaviours such as the command-line parameters and registry artifacts LockBit 3.0 relies on. |
| Privilege Escalation | Abuse Elevation Control Mechanism (T1548); Boot or Logon Autostart Execution (T1547); Domain Policy Modification: Group Policy Modification (T1484.001); Valid Accounts (T1078) | Reference [32] proposes AMAL, an automated malware analysis system. Its AutoMal subsystem collects detailed behavioural artifacts from the file system, memory, network and, in particular, the registry, which are critical for spotting the changes LockBit 3.0 makes, especially group policy modifications. Analysing these artifacts lets AMAL separate normal system modifications from malicious alterations tied to ransomware tactics. MaLabel, AMAL's classification component, uses the same artifacts to assign samples to malware families, which speeds up identification of LockBit 3.0 from the behaviour it shows during privilege escalation. |
| Defense Evasion | Domain Policy Modification: Group Policy Modification (T1484.001); Impair Defenses: Disable or Modify Tools (T1562.001); Indicator Removal: Clear Windows Event Logs (T1070.001); Indicator Removal: File Deletion (T1070.004); Obfuscated Files or Information (T1027) | Reference [33] detects ransomware at an early stage by analysing behavioural patterns such as file paths, dropped files and network activity, which are critical for identifying the defense evasion techniques LockBit 3.0 uses. Using machine learning, in particular a Random Forest classifier, the approach achieves high classification accuracy on the extracted features, including those related to Group Policy modification and the obfuscation methods observed. |
| Credential Access | OS Credential Dumping: LSASS Memory (T1003.001); Brute Force (T1110) | The Pre-Encryption Detection Algorithm (PEDA) [29] hashes candidate files with SHA-256 and compares the digests against a comprehensive database of ransomware signatures, so known files associated with credential theft, such as lsass.dmp and mimikatz.exe, can be flagged before the ransomware is activated. |
| Discovery | Network Service Discovery (T1046); System Information Discovery (T1082); System Location Discovery: System Language Discovery (T1614.001) | PEDA [29], already applied at the Credential Access stage, extends to the Discovery stage as well. Comparing SHA-256 digests of incoming files against its database of known ransomware identifiers allows early identification of tools such as Netscan.exe and tniwinagent.exe, which LockBit 3.0 uses for Network Service Discovery and System Information Discovery. |
| Lateral Movement | Remote Services: Remote Desktop Protocol (T1021.001); Remote Services: SMB/Windows Admin Shares (T1021.002) | The DeepRan system [34] combines a Term Frequency-Inverse Document Frequency (TF-IDF) representation with an attention-based BiLSTM network to detect anomalies in network behaviour that indicate unauthorized Remote Desktop Protocol (RDP) or Server Message Block (SMB) activity, which LockBit 3.0 commonly exploits to spread across the network. When LockBit modifies group policies or uses admin shares for lateral movement, DeepRan identifies these deviations from the typical pattern of each host, so the spread to additional hosts can be stopped. |
| Collection | Archive Collected Data: Archive via Utility (T1560.001) | PEDA [29], carried over from the earlier stages, uses SHA-256 hashing to quickly identify and flag utilities such as 7z.exe, which LockBit 3.0 may use to archive collected data. By matching the signatures of files associated with the Archive via Utility technique against its ransomware signature database, PEDA helps prevent the unauthorized consolidation of sensitive information. |
| Command and Control | Application Layer Protocol: Web Protocols (T1071.001); Application Layer Protocol: File Transfer Protocols (T1071.002); Protocol Tunneling (T1572); Remote Access Software (T1219) | Reference [35] puts forward an SDN-based detection system that identifies ransomware communication by analysing HTTP traffic patterns, focusing on message sequences and sizes. By inspecting outgoing HTTP POST data, it detects connections between infected hosts and C2 servers. |
| Exfiltration | Exfiltration Over Web Service (T1567); Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) | Reference [36] introduces NetConverse, a machine-learning-based system for monitoring and analysing the network traffic of Windows ransomware. It specializes in detecting the anomalous data transfers that occur during the Exfiltration stage, such as those produced by LockBit 3.0. By analysing the network conversations that arise when ransomware tries to exfiltrate data to cloud storage or other web services, NetConverse identifies suspicious activity with high accuracy. |
| Impact | Data Destruction (T1485); Data Encrypted for Impact (T1486); Defacement: Internal Defacement (T1491.001); Inhibit System Recovery (T1490); Service Stop (T1489) | Intel's Threat Detection Technology [37] mines low-level hardware telemetry directly from the CPU's Performance Monitoring Unit (PMU) and identifies the distinct operational fingerprint of malware execution, such as bulk encryption, in real time with minimal disruption. The RWGuard system [38] offers a robust method for countering ransomware at the Impact stage: it combines decoy files, process monitoring and file change monitoring to detect and counter data destruction and encryption quickly. |
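The signature matching that PEDA [29] relies on at the Credential Access, Discovery and Collection stages is, at its core, a SHA-256 lookup against a table of known-bad digests. The block below is an added illustration (my own code, not the authors' implementation): it hashes every file under a directory and matches the digests against a constructed database. The sample "tools" are stand-in byte strings, not real binaries, and the file names are made up. The demo also shows the property a practitioner should keep in mind: a renamed copy is still caught because the lookup keys on content, but a single appended byte changes the digest and the lookup misses it, which is why hash databases are paired with the behavioural detectors listed elsewhere in the table.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for known tooling (assumption: real entries would be
# digests of the actual binaries, e.g. mimikatz.exe or Netscan.exe).
KNOWN_SAMPLES = {
    "mimikatz.exe": b"MZ\x90\x00constructed-mimikatz-stand-in",
    "netscan.exe": b"MZ\x90\x00constructed-netscan-stand-in",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20) -> str:
    """Stream the file so large binaries never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_signature_db(samples) -> dict:
    """Map digest -> label. Keyed on content, so renaming a file does not evade it."""
    return {sha256_bytes(data): name for name, data in samples.items()}


def scan_directory(root, sig_db) -> list:
    """Return (relative path, label) for each file whose digest is in the database."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            label = sig_db.get(sha256_file(p))
            if label:
                hits.append((str(p.relative_to(root)), label))
    return hits


def demo() -> dict:
    """Plant three constructed files and scan them; returns the hits for inspection."""
    sig_db = build_signature_db(KNOWN_SAMPLES)
    with tempfile.TemporaryDirectory() as root:
        # Renamed copy of a known tool: digest unchanged, so it is still caught.
        (Path(root) / "svchost_helper.exe").write_bytes(KNOWN_SAMPLES["mimikatz.exe"])
        # One trailing byte appended: digest changes, signature lookup misses it.
        (Path(root) / "netscan.exe").write_bytes(KNOWN_SAMPLES["netscan.exe"] + b"\x00")
        # Benign file, never matches.
        (Path(root) / "readme.txt").write_bytes(b"hello")
        hits = scan_directory(root, sig_db)
    return {"hits": hits, "db_size": len(sig_db)}


if __name__ == "__main__":
    print(demo())
```

Only the renamed copy is reported; the padded netscan stand-in slips through, which is the expected weakness of exact-hash matching rather than a bug.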
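Reference [35] detects C2 traffic from the sequence and sizes of outgoing HTTP POST messages. As an added example (not the SDN system of [35], and using a much simpler heuristic), the following block runs over a constructed HTTP request log and flags host-to-destination pairs whose POSTs arrive at near-constant intervals with near-constant body sizes, the shape a beaconing implant produces. The host names, destination, timestamps and sizes are all made up; the thresholds are assumptions to tune per environment, since legitimate update checkers and telemetry agents beacon too, so a hit is a lead for triage, not a verdict.

```python
import statistics
from collections import defaultdict

# Constructed HTTP request log, not captured traffic:
# (timestamp_seconds, src_host, dst_host, method, request_body_bytes)
SAMPLE_LOG = (
    # ws-17 POSTs to the same host every 60 s with almost identical sizes.
    [(t * 60, "ws-17", "c2.example", "POST", size)
     for t, size in enumerate([512, 516, 510, 514, 512, 515, 511, 513])]
    # ws-03 talks to an intranet app with irregular timing and sizes.
    + [(0, "ws-03", "intranet.example", "POST", 2048),
       (5, "ws-03", "intranet.example", "POST", 90),
       (130, "ws-03", "intranet.example", "GET", 0),
       (131, "ws-03", "intranet.example", "POST", 12000),
       (400, "ws-03", "intranet.example", "POST", 700),
       (900, "ws-03", "intranet.example", "POST", 300)]
)


def _cv(values) -> float:
    """Coefficient of variation (population stdev / mean); 0 for a constant series."""
    m = statistics.mean(values)
    return statistics.pstdev(values) / m if m else float("inf")


def detect_beacons(records, min_posts=5, max_interval_cv=0.2, max_size_cv=0.3) -> list:
    """Return (src, dst, post_count, mean_interval_s) for pairs whose POST
    timing and body size are both nearly constant. Thresholds are assumptions."""
    by_pair = defaultdict(list)
    for ts, src, dst, method, size in records:
        if method == "POST":  # only outbound POST bodies carry data to the C2
            by_pair[(src, dst)].append((ts, size))

    findings = []
    for (src, dst), posts in sorted(by_pair.items()):
        if len(posts) < min_posts:
            continue
        posts.sort()
        intervals = [b[0] - a[0] for a, b in zip(posts, posts[1:])]
        sizes = [size for _, size in posts]
        if _cv(intervals) <= max_interval_cv and _cv(sizes) <= max_size_cv:
            findings.append((src, dst, len(posts), statistics.mean(intervals)))
    return findings


if __name__ == "__main__":
    for src, dst, n, period in detect_beacons(SAMPLE_LOG):
        print(f"beacon candidate: {src} -> {dst}, {n} POSTs, period ~{period}s")
```

On the constructed log only the ws-17 pair is reported; ws-03 has enough POSTs but its interval and size spread are far above the thresholds.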
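RWGuard [38] pairs decoy files with file-change monitoring to catch the encryption phase. The block below is an added example of that idea, written here and not taken from RWGuard: it plants decoy files with a recorded SHA-256 baseline, then on each check reports decoys that have gone missing (deleted or renamed) or been rewritten, and uses Shannon entropy of the new content to separate an encryption-like rewrite from an ordinary edit. The decoy names, content, the ".locked" extension used in the simulation and the entropy threshold are all assumptions, not LockBit 3.0 behaviour taken from the page.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed decoy names (assumption: chosen to sort first and last in a
# directory listing so a sequential encryptor touches them early).
DECOY_NAMES = ["~$budget.xlsx", "zz_archive.docx"]
DECOY_CONTENT = b"Quarterly figures, constructed decoy content.\n" * 64
ENTROPY_THRESHOLD = 7.0  # bits/byte; assumption, ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_decoys(root) -> dict:
    """Write the decoys and return the baseline {name: sha256}."""
    baseline = {}
    for name in DECOY_NAMES:
        (Path(root) / name).write_bytes(DECOY_CONTENT)
        baseline[name] = hashlib.sha256(DECOY_CONTENT).hexdigest()
    return baseline


def check_decoys(root, baseline, entropy_threshold=ENTROPY_THRESHOLD) -> list:
    """Compare every decoy against the baseline; return (name, verdict) alerts."""
    alerts = []
    for name, digest in baseline.items():
        p = Path(root) / name
        if not p.exists():
            alerts.append((name, "missing"))  # deleted or renamed away
            continue
        data = p.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            continue  # untouched
        verdict = "rewritten_high_entropy" if shannon_entropy(data) >= entropy_threshold else "modified"
        alerts.append((name, verdict))
    return alerts


def demo() -> dict:
    """Plant decoys, confirm a clean check, then simulate an encryptor pass."""
    with tempfile.TemporaryDirectory() as root:
        baseline = plant_decoys(root)
        clean = check_decoys(root, baseline)
        # Simulated ransomware: overwrite one decoy with random bytes (stands in
        # for ciphertext) and rename the other with a new extension.
        first = Path(root) / DECOY_NAMES[0]
        first.write_bytes(os.urandom(len(DECOY_CONTENT)))
        second = Path(root) / DECOY_NAMES[1]
        second.rename(second.with_name(second.name + ".locked"))
        alerts = check_decoys(root, baseline)
    return {"clean": clean, "alerts": alerts}


if __name__ == "__main__":
    print(demo())
```

A real deployment would run the check from a file-system watcher rather than on demand and would record which process performed the write, since that is what allows the offending process to be killed rather than merely reported.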