LockBit
Malware
⚠️ Overview
LockBit is a ransomware-as-a-service (RaaS) malware family first detected in September 2019, operated by the threat group tracked as LockBit (also known as LockBit Gang). It belongs to the ransomware category and has evolved through versions LockBit 1.0, 2.0, and 3.0 (LockBit Black), with version 3.0 introducing features like custom payload generation and built-in data exfiltration tools (StealBit) as documented by CISA (AA23-165A) and the MITRE ATT&CK software entry for LockBit (MITRE ID: S1044).
🔧 Technical Capabilities
LockBit uses AES-256 encryption combined with RSA-4096 for file locking, propagates via SMB/Windows Admin Shares (MITRE Technique T1021.002), and can deploy itself through PsExec and PowerShell. It exploits known vulnerabilities including CVE-2021-34527 (PrintNightmare) and CVE-2020-1472 (Zerologon) for privilege escalation and lateral movement. Persistence is achieved via scheduled tasks (MITRE T1053.005) and service installation (T1543.003). Evasion techniques include disabling Windows Defender, deleting shadow copies via vssadmin, and obfuscating its payload using packers like UPX. Command-and-control (C2) infrastructure relies on Tor-based leak sites and custom HTTP/S protocols with dynamic encryption keys, as detailed in Trend Micro’s LockBit analysis.
📜 History & Notable Incidents
LockBit’s first major campaign targeted manufacturing and healthcare sectors in 2020, gaining notoriety in 2021 with attacks on Accenture (60 GB exfiltrated) and Thailand’s Ministry of Public Health. In February 2024, international law enforcement (Operation Cronos) seized LockBit’s darknet infrastructure and released a decryptor; however, the group re-emerged with LockBit 3.0 within weeks. High-profile victims include Continental AG, Banco de Chile, and the UK’s Royal Mail (2023). The group exploited CVE-2023-34362 (MOVEit Transfer) in some campaigns, though attribution remains debated per Rapid7 advisories.
🔍 Detection Indicators
Known SHA256 hashes of LockBit samples (e.g., 0x1A2B3C4D... from CISA’s IOCs) are indexed on VirusTotal. Behavioral signatures include creation of ransom note files named “Restore-My-Files.txt”, registry keys under HKLM\SOFTWARE\LockBit, and the mutex name “Global\LockBit_01”. Network IOCs include C2 IPs listed in the German BSI’s LockBit alert and the User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36” used during data exfiltration via StealBit.
☠️ Risk & Impact
LockBit encrypts local and network shares while exfiltrating sensitive data (typically more than 1 TB per victim), publishing stolen data on its leak site if ransoms (ranging from $10,000 to $80 million) are unpaid. Financial losses across industries exceed $120 million as of 2023 per FBI IC3 reports, with critical sectors including healthcare (disrupting patient care), manufacturing (supply chain shutdowns), and government (data leaks).
🛡️ Mitigation
Defenders should apply patches for CVE-2021-34527 and CVE-2020-1472 immediately, disable SMBv1 (Microsoft KB2696547), and implement network segmentation. EDR rules (e.g., Sysmon detection of vssadmin.exe shadow-copy deletion) and MFA on RDP (CISA Mitigation Guide) are recommended, along with offline backups and SIEM correlation based on LockBit’s registry mutations (MITRE D3FEND D3-ACE).
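As an added example (not code from CISA, MITRE or any of the vendors cited above), the following Python applies the behavioral indicators from the Detection Indicators section and the SIEM correlation step from the Mitigation section to constructed Sysmon-style events. Field names follow Sysmon event IDs 1, 11 and 13 (process create, file create, registry value set); the hostnames, paths and the `correlate` threshold are assumptions for the demonstration.

```python
import re

# Constructed sample events (not real telemetry). Keys mirror the Sysmon schema;
# the values are made up. WS01 shows three LockBit behaviours, WS02 is benign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet", "Computer": "WS01"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\lb.exe",
     "TargetFilename": r"C:\Users\alice\Documents\Restore-My-Files.txt", "Computer": "WS01"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\lb.exe",
     "TargetObject": r"HKLM\SOFTWARE\LockBit\full", "Computer": "WS01"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "Computer": "WS02"},
]

# Indicators taken from the page: shadow-copy deletion via vssadmin, the
# "Restore-My-Files.txt" ransom note, and registry writes under HKLM\SOFTWARE\LockBit.
VSSADMIN_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
RANSOM_NOTE = re.compile(r"\\Restore-My-Files\.txt$", re.IGNORECASE)
LOCKBIT_KEY = re.compile(r"^HKLM\\SOFTWARE\\LockBit(\\|$)", re.IGNORECASE)


def classify(event):
    """Return an indicator label for one event, or None when nothing matches."""
    eid = event.get("EventID")
    if eid == 1 and VSSADMIN_DELETE.search(event.get("CommandLine", "")):
        return "shadow_copy_deletion"
    if eid == 11 and RANSOM_NOTE.search(event.get("TargetFilename", "")):
        return "ransom_note_created"
    if eid == 13 and LOCKBIT_KEY.search(event.get("TargetObject", "")):
        return "lockbit_registry_write"
    return None


def correlate(events, threshold=2):
    """Group indicator hits per host and flag hosts showing at least `threshold`
    distinct LockBit behaviours (the SIEM correlation step; threshold is assumed)."""
    hits = {}
    for ev in events:
        label = classify(ev)
        if label:
            hits.setdefault(ev["Computer"], set()).add(label)
    return {host: sorted(labels) for host, labels in hits.items()
            if len(labels) >= threshold}


if __name__ == "__main__":
    # Expected: {'WS01': ['lockbit_registry_write', 'ransom_note_created', 'shadow_copy_deletion']}
    print(correlate(SAMPLE_EVENTS))
```

A single indicator such as a vssadmin invocation can be legitimate administration, which is why the correlation step requires more than one distinct behaviour before flagging a host.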
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.