On February 4th, 2022, the FBI issued a flash report on LockBit 2.0 ransomware and its indicators of compromise (IOCs). Although Picus Labs updated the Picus Threat Library with attack simulations for LockBit 2.0 back in August 2021, the increasing number of attacks led us to write this blog post.
Test your security controls against LockBit Ransomware NOW!
The LockBit group is a Ransomware-as-a-Service (RaaS) operator and has been in active operations for nearly 3.5 years. They are formerly known as the ABCD ransomware group. For the last six months, they have been promoting their latest ransomware, LockBit 2.0. Since then, The threat actors have attacked more than 50 organizations in multiple industries using this ransomware. Lately, the number of developers and threat actors associated with the Lockbit group has been rising. As a result, more LockBit 2.0 ransomware attacks can be expected in the near future.
LockBit 2.0 is the latest ransomware released in August 2021 by the LockBit ransomware group. The advertisement of the group claims to provide the fastest encrypting ransomware. Also, the ransomware operators modify the ransomware per the threat actors' needs.
Figure 1: LockBit 2.0 Advertisement [1]
After execution, LockBit 2.0 encrypts the victim's files and appends the .lockbit extension. If the attack is successfully completed, LockBit 2.0 changes wallpaper to inform the victim and puts the ransom note Restore-My-Files.txt on the desktop.
Figure 2: Wallpaper of the victim after LockBit 2.0 attack [2]
The LockBit executable is encoded. Ransomware decodes required modules and strings as needed. Encoding the executable helps the ransomware to evade detection.
LockBit 2.0 ransomware looks up the system and user settings. If the language is set to specific languages, it does not attack the system. The list of languages that LockBit 2.0 does not attack is given below.
LockBit 2.0 ransomware deletes shadow copies using the commands below so that the victim cannot retrieve its data using built-in recovery services.
cmd.exe /c vssadmin Delete Shadows /All /Quiet |
Delete volume shadow copies |
cmd.exe /c bcdedit /set {default} recoveryenabled No |
Disable Windows recovery |
cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures |
Ignore boot failures |
LockBit 2.0 ransomware deletes itself and the log data so that the victim cannot investigate the attack afterward.
cmd.exe /c wevtutil cl security |
Delete security log |
cmd.exe /c wevtutil cl system |
Delete system log |
cmd.exe /c wevtutil cl application |
Delete application log |
cmd.exe /c del /f /q "<PATH>\Lsystem-234-bit.exe" |
Delete ransomware itself |
Using the Picus Continuous Security Validation Platform, you can test your security controls against the LockBit 2.0 ransomware. We advise you to simulate LockBit 2.0 ransomware attacks and determine whether your security controls can prevent them or not. Picus Threat Library includes the following threats to simulate LockBit 2.0 ransomware variants.
Threat Name |
LockBit 2.0 Ransomware .EXE File Download (8 variants) |
Test your security controls against LockBit Ransomware in minutes!
Picus Threat Library also includes other ransomware threats of LockBit RaaS group:
Threat Name |
LockBit Ransomware .EXE File Download (5 variants) |
Initial Access
T1078 Valid Accounts
T1190 Exploit Public-Facing Application
Execution
T1047 Windows Management Instrumentation
T1059 Command and Scripting Interpreter
T1059.003 Windows Command Shell
Persistence
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation
T1055 Process Injection
Defense Evasion
T1055 Process Injection
T1070.004 Indicator Removal on Host: File Deletion
T1112 Modify Registry
T1497 Virtualization/Sandbox Evasion
Credential Access
T1056.004 Credential API Hooking
T1110 Brute Force
Discovery
T1012 Query Registry
T1018 Remote System Discovery
T1057 Process Discovery
Lateral Movement
T1021 Remote Services
T1021.001 Remote Services: Remote Desktop Protocol
T1021.002 Remote Services: SMB/Windows Admin Shares
Collection
T1056.004 Credential API Hooking
Command and Control (C2)
T1090.003 Proxy: Multi-hop Proxy
Exfiltration
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
Impact
T1486 Data Encrypted for Impact
T1490 Inhibit System Recovery
MD5 |
SHA-1 |
SHA-256 |
af9ff037caca1f316e7d05db86dbd882 |
844e9b219aaecb26de4994a259f822500fb75ae1 |
f3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae |
b7f1120bcff47ab77e74e387805feabe |
a185904a46b0cb87d38057fc591a31e6063cdd95 |
4de287e0b05e138ab942d71d1d4d2ad5fb7d46a336a446f619091bdace4f2d0a |
4d25a9242eac26b2240336fb94d62b1e |
c7b2d4a22f788b1b942f993fff33f233dca960ce |
f32e9fb8b1ea73f0a71f3edaebb7f2b242e72d2a4826d6b2744ad3d830671202 |
84866fca8a5ceb187bca8e257e4f875a |
038bc02c0997770a1e764d0203303ef8fcad11fb |
acad2d9b291b5a9662aa1469f96995dc547a45e391af9c7fa24f5921b0128b2c |
f91095ae0e0632b0f630e0c4eb12ba10 |
6c4040f2a76e61c649e1ff4ac564a5951c15d1fa |
717585e9605ac2a971b7c7537e6e311bab9db02ecc6451e0efada9b2ff38b474 |
b0916724ff4118bf213e31cd198c0afd |
12ac32d012e818c78d6db790f6e11838ca75db88 |
4bb152c96ba9e25f293bbc03c607918a4452231087053a8cb1a8accb1acc92fd |
6fc418ce9b5306b4fd97f815cc9830e5 |
95838a8beb04cfe6f1ded5ecbd00bf6cf97cd564 |
0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049 |
66b9ccb41b135f302b3143a5d53f4842 |
3d532697163e7c33c7c906e8efbb08282d3efd75 |
d089d57b8b2b32ee9816338e96680127babc5d08a03150740a8459c29ab3ba78 |
[1] “LockBit 2.0: Ransomware Attacks Surge After Successful Affiliate Recruitment,” Security Intelligence, 09-Sep-2021. [Online]. Available: https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/
[2] T. Meskauskas, “LockBit 2.0 Ransomware,” 15-Oct-2021. [Online]. Available: https://www.pcrisk.com/removal-guides/21605-lockbit-2-0-ransomware