LockBit 3.0 attacks and leaks reveal wormable capabilities and tooling

released on 2022-12-01 @ 09:21:36 AM
LockBit 3.0 attacks and leaks reveal a number of similarities between the latest generation of the ransomware and the BlackMatter ransomware family, and show how the malware has been developed. The threat actors behind this ransomware also use Backstab, a package from GitHub. As the name implies, Backstab's primary function is to sabotage the tooling that analysts in security operations centers use to monitor suspicious activity in real time. The utility uses Microsoft's own Process Explorer driver, which is signed by Microsoft, to terminate protected anti-malware processes and disable EDR utilities.