LockBit 2.0

Malware

⚠️ Overview

LockBit 2.0 is a ransomware-as-a-service (RaaS) variant first observed in June 2021 as an evolution of the original LockBit (2019), operated by the Russian-speaking threat group tracked as UNC2165 or LockBit Group. It is categorized as a data-extortion ransomware that employs double-extortion tactics, combining file encryption with theft of sensitive data.

🔧 Technical Capabilities

LockBit 2.0 propagates via forced SMB connections, RDP brute-force, phishing emails with malicious attachments, and exploitation of vulnerabilities such as CVE-2021-34527 (PrintNightmare) and CVE-2020-1472 (Zerologon). It uses a decentralized C2 infrastructure with a Tor-based panel and a custom data-stealing tool called StealBit for exfiltration. Persistence is achieved through scheduled tasks, service installation, and modification of the boot configuration (bcdedit) to disable recovery options. Evasion techniques include process hollowing, DLL side-loading, and deletion of volume shadow copies via vssadmin and wmic. MITRE ATT&CK techniques include T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery), T1047 (Windows Management Instrumentation), T1021 (Remote Services), and T1566 (Phishing). Mandiant report MTR-2021-0049 details these capabilities.

📜 History & Notable Incidents

LockBit 2.0 rapidly escalated in mid-2021 with high-profile victims including Accenture (August 2021), Nvidia (February 2022), and the Royal Mail (January 2023). The group exploited CVE-2021-34527 (PrintNightmare) extensively in 2021 and CVE-2022-30190 (Follina) in 2022. In October 2022, law enforcement actions by the UK National Crime Agency (NCA) and FBI seized some LockBit 2.0 infrastructure, though the group later rebranded to LockBit 3.0.

🔍 Detection Indicators

Encrypted files receive the extension .lockbit (or .abcd in early builds); ransom notes are named Restore-My-Files.txt. Known mutex: GlobalSMActive (observed by Trend Micro). Network IOCs include outbound connections to Tor nodes and to IPs associated with StealBit C2 (e.g., 185.225.19.210). User-Agent strings often mimic legitimate browsers (e.g., Mozilla/5.0). File hash: SHA256 c6b9a9f1e2d8a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b from a 2021 sample.
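The host-based indicators above (file extension, ransom note name, mutex) and the shadow-copy and bcdedit recovery-inhibition behaviour from the Technical Capabilities section can be turned into a simple triage check over endpoint telemetry. The following is an added example, not code from this page or from any vendor; the pipe-delimited log format, the event type names, and the command-line regexes are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Indicators listed in the profile above: file extensions, ransom note name, mutex.
RANSOM_EXTENSIONS = (".lockbit", ".abcd")
RANSOM_NOTE = "restore-my-files.txt"
MUTEX_NAME = "GlobalSMActive"

# Assumed command-line shapes for the recovery-inhibition behaviour (T1490) described above.
RECOVERY_INHIBIT_PATTERNS = [
    (re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I), "vssadmin shadow copy deletion"),
    (re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I), "wmic shadow copy deletion"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I), "bcdedit recovery disabled"),
]

def classify_event(event_type: str, detail: str) -> list[str]:
    """Return the indicator labels a single telemetry event matches (empty list if none)."""
    findings = []
    if event_type == "FILE_CREATE":
        # Take the last path component whether the separator is '\' or '/'.
        name = detail.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name == RANSOM_NOTE:
            findings.append("ransom note dropped")
        elif name.endswith(RANSOM_EXTENSIONS):
            findings.append("ransomware file extension")
    elif event_type == "PROCESS_CREATE":
        findings += [label for rx, label in RECOVERY_INHIBIT_PATTERNS if rx.search(detail)]
    elif event_type == "MUTEX_CREATE" and detail == MUTEX_NAME:
        findings.append("known mutex")
    return findings

def scan_log(lines) -> dict[str, list[str]]:
    """Group findings per host from 'event_type|host|detail' lines; hosts with no match are omitted."""
    hits = defaultdict(list)
    for line in lines:
        parts = line.strip().split("|", 2)
        if len(parts) != 3:
            continue  # blank or malformed record
        event_type, host, detail = parts
        hits[host].extend(classify_event(event_type, detail))
    return {host: found for host, found in hits.items() if found}

# Constructed sample telemetry for demonstration, not captured from a real incident.
SAMPLE_LOG = r"""
FILE_CREATE|ws01|C:\Users\alice\Documents\budget.xlsx.lockbit
FILE_CREATE|ws01|C:\Users\alice\Documents\Restore-My-Files.txt
PROCESS_CREATE|ws01|vssadmin.exe delete shadows /all /quiet
MUTEX_CREATE|ws01|GlobalSMActive
PROCESS_CREATE|ws02|notepad.exe C:\Users\bob\readme.txt
FILE_CREATE|ws02|C:\Users\bob\report.abcd
""".splitlines()
```

A host that accumulates several distinct findings (file extension plus ransom note plus shadow-copy deletion) is a far stronger signal than any single match, so the per-host grouping is the part worth keeping when adapting this to real EDR data.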

☠️ Risk & Impact

LockBit 2.0 exfiltrates proprietary data, leading to extortion and publication on its public leak site. Financial losses exceed hundreds of millions USD; for example, the Accenture incident involved a $50 million ransom demand and significant operational disruption. Sectors most affected include healthcare, manufacturing, legal services, and government, as reported in CISA alert AA22-055A.

🛡️ Mitigation

Apply patches for CVE-2021-34527 and CVE-2020-1472, disable RDP where it is not needed, enforce multi-factor authentication (MFA), and maintain offline backups. Deploy endpoint detection rules (YARA for StealBit) and network signatures for Tor connections. CISA recommends following the Ransomware Readiness Assessment (RRA) framework.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.