Search Again
Bitwise Spider
Description of SOCRadar: Bitwise Spider, identified as LockBit 3.0 is a Ransomware-as-a-Service (RaaS) group that continues the legacy of LockBit and LockBit 2.0. From January 2020, LockBit adopted an affiliate-based ransomware approach, where its affiliates use various tactics to target a wide range of businesses and critical infrastructure organizations. LockBit has been highly active in deploying models such as double extortion, initial access broker affiliates, and advertising on hacker forums. They have even been known to recruit insiders and make contests in forums for recruiting skilled hackers; such expansionist policies have attracted numerous affiliates, have victimized thousands of entities, and continue their malicious acts.
Bitwise Spider
LockBit Gang
Target Countries
Korea, Democratic People's Republic of
Spain
Germany
China
British Indian Ocean Territory
+7
Target Sectors
Accommodation
Air Transportation
Manufacturing
Public Administration
Educational Services
+11
Associated Malware/Software
Quantum
oblique_rat
anubis
expiro
Remote Access
+100
️Related CVEs
ATT&CK IDs:
T1204 - User Execution
T1068 - Exploitation for Privilege Escalation
T1567 - Exfiltration Over Web Service
T1112 - Modify Registry
T1070 - Indicator Removal on Host
+132
| Tactic | Id | Technique | |||
|---|---|---|---|---|---|
| Collection | T1056 | Input Capture |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1213 | Data from Information Repositories |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1530 | Data from Cloud Storage |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1005 | Data from Local System |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1560 | Archive Collected Data |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1113 | Screen Capture |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1557 | Adversary-in-the-Middle |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1123 | Audio Capture |
Sub Techniques |
Detections |
Mitigations |
| Collection | T1119 | Automated Collection |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1102 | Web Service |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1071 | Application Layer Protocol |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1095 | Non-Application Layer Protocol |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1105 | Ingress Tool Transfer |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1219 | Remote Access Tools |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1572 | Protocol Tunneling |
Sub Techniques |
Detections |
Mitigations |
| Command And Control | T1090 | Proxy |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1556 | Modify Authentication Process |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1187 | Forced Authentication |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1056 | Input Capture |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1110 | Brute Force |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1552 | Unsecured Credentials |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1040 | Network Sniffing |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1212 | Exploitation for Credential Access |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1003 | OS Credential Dumping |
Sub Techniques |
Detections |
Mitigations |
| Credential Access | T1557 | Adversary-in-the-Middle |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1556 | Modify Authentication Process |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1553 | Subvert Trust Controls |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1112 | Modify Registry |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1562 | Impair Defenses |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1480 | Execution Guardrails |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1134 | Access Token Manipulation |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1574 | Hijack Execution Flow |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1070 | Indicator Removal |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1027 | Obfuscated Files or Information |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1550 | Use Alternate Authentication Material |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1014 | Rootkit |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1548 | Abuse Elevation Control Mechanism |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1036 | Masquerading |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1055 | Process Injection |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1222 | File and Directory Permissions Modification |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1564 | Hide Artifacts |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1218 | System Binary Proxy Execution |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Sub Techniques |
Detections |
Mitigations |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1033 | System Owner/User Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1007 | System Service Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1012 | Query Registry |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1082 | System Information Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1046 | Network Service Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1040 | Network Sniffing |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1135 | Network Share Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1083 | File and Directory Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1018 | Remote System Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1049 | System Network Connections Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1087 | Account Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1057 | Process Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1016 | System Network Configuration Discovery |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1497 | Virtualization/Sandbox Evasion |
Sub Techniques |
Detections |
Mitigations |
| Discovery | T1069 | Permission Groups Discovery |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1059 | Command and Scripting Interpreter |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1053 | Scheduled Task/Job |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1569 | System Services |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1072 | Software Deployment Tools |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1047 | Windows Management Instrumentation |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1106 | Native API |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1204 | User Execution |
Sub Techniques |
Detections |
Mitigations |
| Execution | T1203 | Exploitation for Client Execution |
Sub Techniques |
Detections |
Mitigations |
| Exfiltration | T1537 | Transfer Data to Cloud Account |
Sub Techniques |
Detections |
Mitigations |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol |
Sub Techniques |
Detections |
Mitigations |
| Exfiltration | T1030 | Data Transfer Size Limits |
Sub Techniques |
Detections |
Mitigations |
| Exfiltration | T1029 | Scheduled Transfer |
Sub Techniques |
Detections |
Mitigations |
| Exfiltration | T1567 | Exfiltration Over Web Service |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1489 | Service Stop |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1561 | Disk Wipe |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1485 | Data Destruction |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1491 | Defacement |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1498 | Network Denial of Service |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1486 | Data Encrypted for Impact |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1531 | Account Access Removal |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1490 | Inhibit System Recovery |
Sub Techniques |
Detections |
Mitigations |
| Impact | T1496 | Resource Hijacking |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1566 | Phishing |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1195 | Supply Chain Compromise |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1189 | Drive-by Compromise |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1190 | Exploit Public-Facing Application |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1199 | Trusted Relationship |
Sub Techniques |
Detections |
Mitigations |
| Initial Access | T1133 | External Remote Services |
Sub Techniques |
Detections |
Mitigations |
| Lateral Movement | T1210 | Exploitation of Remote Services |
Sub Techniques |
Detections |
Mitigations |
| Lateral Movement | T1072 | Software Deployment Tools |
Sub Techniques |
Detections |
Mitigations |
| Lateral Movement | T1570 | Lateral Tool Transfer |
Sub Techniques |
Detections |
Mitigations |
| Lateral Movement | T1550 | Use Alternate Authentication Material |
Sub Techniques |
Detections |
Mitigations |
| Lateral Movement | T1021 | Remote Services |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1556 | Modify Authentication Process |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1112 | Modify Registry |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1053 | Scheduled Task/Job |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1176 | Software Extensions |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1137 | Office Application Startup |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1546 | Event Triggered Execution |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1136 | Create Account |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1060 | Registry Run Keys / Startup Folder |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1547 | Boot or Logon Autostart Execution |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1574 | Hijack Execution Flow |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1505 | Server Software Component |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1543 | Create or Modify System Process |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1133 | External Remote Services |
Sub Techniques |
Detections |
Mitigations |
| Persistence | T1098 | Account Manipulation |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1053 | Scheduled Task/Job |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1078 | Valid Accounts |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1546 | Event Triggered Execution |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1134 | Access Token Manipulation |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1547 | Boot or Logon Autostart Execution |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1574 | Hijack Execution Flow |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1543 | Create or Modify System Process |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1548 | Abuse Elevation Control Mechanism |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1055 | Process Injection |
Sub Techniques |
Detections |
Mitigations |
| Privilege Escalation | T1098 | Account Manipulation |
Sub Techniques |
Detections |
Mitigations |
| Reconnaissance | T1589 | Gather Victim Identity Information |
Sub Techniques |
Detections |
Mitigations |
| Reconnaissance | T1590 | Gather Victim Network Information |
Sub Techniques |
Detections |
Mitigations |
| Reconnaissance | T1592 | Gather Victim Host Information |
Sub Techniques |
Detections |
Mitigations |
| Reconnaissance | T1595 | Active Scanning |
Sub Techniques |
Detections |
Mitigations |
| Resource Development | T1588 | Obtain Capabilities |
Sub Techniques |
Detections |
Mitigations |
| Resource Development | T1583 | Acquire Infrastructure |
Sub Techniques |
Detections |
Mitigations |
| Resource Development | T1587 | Develop Capabilities |
Sub Techniques |
Detections |
Mitigations |
Copyright © 2025 SOCRadar Cyber Intelligence Inc.
All rights
reserved.
