SOCRadar® Cyber Intelligence Inc. | The Story of Lockbit Ransomware


Aug 02, 2021
6 Mins Read

The Story of Lockbit Ransomware

After penetrating the network, the attackers take several steps to ensure that the ransomware attack succeeds: they aim to infect as many systems as possible, halt business processes and pressure victims into paying the ransom. The ransomware is executed by means of a UAC bypass and runs in the background while the device is encrypted.


Ransomware attackers prefer to be paid by bank transfer or cryptocurrency, as such transfers are harder for law enforcement to track. Ransomware operators use malware that encrypts and locks systems and steals sensitive data during an attack. If the victim does not pay or the systems fail to respond, the affected company is hit with a second volley designed to put it under further pressure.


What is interesting in this case is that the ransomware has its own host from which it downloads itself. The attacker needs access to only one system account with sufficient permissions to reach the other computers in the network and run the ransomware on them.


Most large ransomware gangs limit their online presence to affiliate recruitment and their own private networks. Over the years, however, the LockBit operation has been active online, with gang representatives promoting the operation and providing support on hacker forums. Like most ransomware groups, LockBit uses underground web boards to advertise its products.


What is LockBit ransomware?


LockBit is a new family of ransomware that abuses widely available protocols and tools such as SMB and PowerShell. The LockBit ransomware-as-a-service operation was launched in September 2019; it recruits threat actors who break into networks and deploy the encryptor on the devices they reach.


LockBit ransomware is malicious software developed to deny users access to their computers until a ransom is paid. Many authorities consider it part of the LockerGoga and MegaCortex malware families. LockBit examines valuable targets before it spreads the infection by encrypting all accessible computer systems on the network.

The new LockBit 2.0 variant is able to encrypt Windows domains using Active Directory group policies. Researchers from MalwareHunterTeam and BleepingComputer and malware expert Vitali Kremez report that they have discovered this new version, known as LockBit 2.0.


LockBit 2.0 automates the interaction with Windows domains and the subsequent encryption through Active Directory group policies. It adds a novel way of interacting with Active Directory to spread the malware across the local domain: it creates an updated group policy that disables antivirus, which makes it easier for less experienced operators to run attacks. LockBit 2.0 also has some interesting features that can be found in Egregor ransomware operations.


How Does LockBit Operate?


LockBit, first spotted in late 2019 under the name ABCD virus, is more an overhaul and evolution of earlier attacks than something entirely new. Researchers are taking a closer look at LockBit as one of the latest ransomware groups working in the field. LockBit operates as a RaaS, providing a central control panel where affiliates create new LockBit samples, manage their victims, publish blog posts, and compile statistics on the success and failure of their attacks.


Once an initial foothold is established, the compromise of administrative credentials, internal reconnaissance, lateral movement and file encryption can follow, allowing LockBit to tear through digital systems in just a few hours. This serves as another reminder that ransomware campaigns can move through organizations faster than humans can respond, demonstrating the need for automated responses at machine speed to contain the threat before the damage is done.


Research has shown that LockBit affiliates gain Remote Desktop Protocol (RDP) access to their victims' servers as the initial attack vector, using common phishing and credential-theft techniques. Exploits are also used to compromise vulnerable systems, such as Fortinet VPN appliances whose vulnerabilities have not been patched on the target machines. According to forensic investigations, LockBit-linked threat groups then try to identify mission-critical systems such as NAS devices, backup servers and domain controllers.


The actions of Himalaya and LockBit are indicative of things to come as the ransomware threat continues its explosive growth and criminals keep escaping arrest and prosecution.


The list of processes that LockBit will check is:

  • wxServer
  • wxServerView
  • sqlservr
  • RAgui
  • supervise
  • Culture
  • RTVScan
  • DefWatch
  • sqlbrowser
  • winword
  • QBW32
  • QBDBMgr
  • qbupdate
  • QBCFMonitorService
  • axlbridge
  • QBIDPService
  • httpd
  • fdlauncher
  • MsDtSrvr
  • tomcat6
  • zhudongfangyu
  • vmware-usbarbitator64
  • vmware-converter
  • dbsrv12
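As an added example (not from the article and not LockBit analysis code), the following Python detection logic ties together two behaviours described above: the group-policy change that disables antivirus and the list of processes LockBit checks. It runs over constructed event records in a simplified `timestamp|event_id|host|k=v;k=v` format that is assumed here rather than a real Windows log format; the process names come from the list above, while the Defender policy value names are assumed indicators.

```python
from collections import deque
from datetime import datetime, timedelta
# Process names the article lists as checked by LockBit (compared case-insensitively).
LOCKBIT_PROCESSES = {
    "wxserver", "wxserverview", "sqlservr", "ragui", "supervise", "culture", "rtvscan",
    "defwatch", "sqlbrowser", "winword", "qbw32", "qbdbmgr", "qbupdate", "qbcfmonitorservice",
    "axlbridge", "qbidpservice", "httpd", "fdlauncher", "msdtsrvr", "tomcat6",
    "zhudongfangyu", "vmware-usbarbitator64", "vmware-converter", "dbsrv12",
}
# Defender policy values that switch protection off when set to 1 (assumed indicator set).
DEFENDER_OFF_VALUES = {"disableantispyware", "disablerealtimemonitoring"}

def parse_event(line):
    """Parse one constructed 'timestamp|event_id|host|k=v;k=v' record (not a real log format)."""
    ts, event_id, host, fields = line.split("|", 3)
    ev = {"ts": datetime.fromisoformat(ts), "id": int(event_id), "host": host}
    ev.update(f.split("=", 1) for f in fields.split(";") if "=" in f)
    return ev

def detect(lines, window_seconds=60, min_distinct=5):
    """Flag a burst of listed processes exiting on one host, and Defender disabled via policy."""
    alerts, recent = [], {}          # recent: host -> deque of (timestamp, process name)
    for ev in map(parse_event, lines):
        if ev["id"] == 4689:         # Security log: a process has exited
            name = ev.get("process", "").rsplit("\\", 1)[-1].lower().removesuffix(".exe")
            if name not in LOCKBIT_PROCESSES:
                continue
            q = recent.setdefault(ev["host"], deque())
            q.append((ev["ts"], name))
            while ev["ts"] - q[0][0] > timedelta(seconds=window_seconds):  # drop old entries
                q.popleft()
            seen = sorted({p for _, p in q})
            if len(seen) >= min_distinct:
                alerts.append((ev["host"], "kill-burst", seen))
                q.clear()
        elif ev["id"] == 4657:       # Security log: a registry value was modified
            key, val = ev.get("key", "").lower(), ev.get("value", "").lower()
            if "policies\\microsoft\\windows defender" in key and val in DEFENDER_OFF_VALUES and ev.get("data") == "1":
                alerts.append((ev["host"], "defender-policy-off", ev["value"]))
    return alerts
# Constructed sample records (not real telemetry): one policy change, then kills within 10 s.
SAMPLE = [
    "2021-08-02T10:00:00|4657|WS01|key=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender;value=DisableAntiSpyware;data=1",
    "2021-08-02T10:00:05|4689|WS01|process=C:\\Program Files\\Microsoft SQL Server\\sqlservr.exe",
    "2021-08-02T10:00:06|4689|WS01|process=C:\\Apache\\httpd.exe",
    "2021-08-02T10:00:07|4689|WS01|process=C:\\Program Files\\QuickBooks\\QBW32.exe",
    "2021-08-02T10:00:08|4689|WS01|process=C:\\Windows\\notepad.exe",
    "2021-08-02T10:00:09|4689|WS01|process=C:\\Tomcat\\tomcat6.exe",
    "2021-08-02T10:00:10|4689|WS01|process=C:\\VMware\\vmware-converter.exe",
]
```

Calling `detect(SAMPLE)` returns the policy alert first and then one kill-burst alert listing the five matched names; the unlisted notepad.exe exit is ignored.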


What can be done against Lockbit?


You will also need to put countermeasures in place to ensure that your business is resistant to ransomware and other malicious attacks from the start. Here are some techniques to defend yourself:


  • Strong passwords should be implemented. 
  • Activate multi-factor authentication. 
  • Reassess user account permissions. 
  • Clean out outdated and unused user accounts.
  • Ensure system configurations are following all security procedures.
  • Always have system-wide backups and clean local machine images prepared.
  • Be sure to have a comprehensive enterprise cyber security solution in place.



MITRE ATT&CK techniques associated with LockBit:

Technique ID   Technique Description
T1107          File Deletion
T1055          Process Injection
T1112          Modify Registry
T1215          Kernel Modules and Extensions
T1060          Registry Run Keys / Start Folder
T1179          Hooking
T1124          System Time Discovery
T1046          Network Service Scanning
T1083          File and Directory Discovery
T1016          System Network Configuration Discovery
T1012          Query Registry
T1082          System Information Discovery
T1057          Process Discovery
T1063          Security Software Discovery
T1047          Windows Management Instrumentation
T1035          Service Execution
T1075          Pass the Hash



