LockBit is recognized as one of the most prominent and pervasive Ransomware-as-a-Service (RaaS) operations, operating since 2019 and consistently growing to become a significant global cyber threat. The operation functions using an affiliate model and frequently targets numerous critical sectors worldwide, including the financial, healthcare, manufacturing, and technology industries. A double extortion tactic is employed, wherein data is encrypted on victim systems, and the victims are simultaneously threatened with the public release of stolen data if the ransom is not paid.
The ransomware itself is highly complex, featuring sophisticated anti-analysis and obfuscation techniques. Heavy obfuscation is utilized through methods such as dynamic API resolution via hashing, and in recent versions (like LockBit 5.0), payloads are loaded through DLL reflection.
In February 2024, a major international law enforcement action (Operation Cronos) significantly disrupted the group's infrastructure. The operation led to the compromise of the administration panel and the public release of internal affiliate and victim data. Following the disruption, victim decryption keys were offered, and it was revealed that stolen data was frequently retained even after ransoms had been paid. Subsequently, a clear drop in new infections was observed, and efforts to maintain the illusion of normal operation included reposting old victims to new leak sites.
The current status of LockBit is characterized by its resilience and aggressive resurgence following the major law enforcement disruption. Despite the reputational damage and initial setback, the group resurfaced for its sixth anniversary in early September 2025, announcing and deploying LockBit 5.0. LockBit 5.0 is considered significantly more dangerous than its predecessors [1], indicating the group is actively evolving its codebase and remains a potent cyber threat.
In this blog, we will examine the technical characteristics of LockBit ransomware and its evolution over the years.
The technical analysis of LockBit v3.0, also known as LockBit Black, reveals a sophisticated ransomware variant that incorporates custom cryptographic implementations and advanced anti-analysis techniques. This variant is modeled after the BlackMatter family, which itself originated from the Darkside ransomware family [2].
LockBit v3.0 employs a hybrid cryptographic approach, utilizing both symmetric and asymmetric encryption to secure the files and the keys used for encryption [2].
The sample uses a modified version of the Salsa20 algorithm. It uses a 64-byte key for file encryption, whereas the standard Salsa20 uses a 32-byte key.
The ransomware uses a custom implementation of the RSA algorithm at a 1024-bit key size to encrypt critical key material. The 1024-bit public key is embedded within the ransomware configuration, and this implementation uses no padding.
The encryption system follows a layered key-management structure [2]. At the lowest level, each file’s data is encrypted in chunks using a 64-byte file_encryption_key with the modified Salsa20 algorithm. The file_encryption_key itself is not stored in plaintext; instead, a separate 64-byte random Salsa20 key is generated to protect the file_encryption_key, and this second key is designated as the key_encryption_key.
To secure this further, the key_encryption_key is encrypted using a built-in 1024-bit RSA public key. This forms the top layer of protection, ensuring that only a holder of the corresponding RSA private key can recover the key_encryption_key. As an optimization to limit the number of expensive RSA operations, the same key_encryption_key is reused across 1,000 files before a new one is generated.
Files are processed by dividing them into chunks of 0x20000 bytes. These chunks form alternating groups: before group, skip group, and after group [2].
Chunks in the before and after groups are encrypted using Salsa20. Chunks in the skip group are left unencrypted. The overall structure ends with a footer, which contains the structures necessary for decryption.
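To make the chunking scheme concrete, the following Python is an added model, not code from this post or from the cited analyses, that lays out which byte ranges of a file of a given size fall into the before, skip and after groups and how much of the file is actually touched by Salsa20. The 0x20000-byte chunk size is the one stated above; the group lengths (`before`, `skip`, `after`, counted in chunks) are assumed parameters because their real values are not given here, and the footer is left out of the model.

```python
from dataclasses import dataclass

CHUNK_SIZE = 0x20000  # chunk size described for LockBit v3.0 (128 KiB)


@dataclass
class Region:
    offset: int      # byte offset of the chunk within the file
    length: int      # chunk length (the last chunk may be shorter)
    group: str       # "before", "skip" or "after"
    encrypted: bool  # True for before/after chunks, False for skip chunks


def plan_chunks(file_size, chunk_size=CHUNK_SIZE, before=1, skip=1, after=1):
    """Walk a file of `file_size` bytes in `chunk_size` pieces and assign each
    chunk to the repeating before -> skip -> after pattern.

    `before`, `skip` and `after` are group lengths in chunks. They are assumed
    values for illustration; the real group sizes are not given in the post.
    """
    if chunk_size <= 0 or min(before, skip, after) < 0 or before + skip + after == 0:
        raise ValueError("invalid chunk or group sizes")
    pattern = ([("before", True)] * before
               + [("skip", False)] * skip
               + [("after", True)] * after)
    regions = []
    offset = 0
    index = 0
    while offset < file_size:
        length = min(chunk_size, file_size - offset)
        group, encrypted = pattern[index % len(pattern)]
        regions.append(Region(offset, length, group, encrypted))
        offset += length
        index += 1
    return regions


def encrypted_fraction(regions):
    """Share of the file's bytes that are actually Salsa20-encrypted."""
    total = sum(r.length for r in regions)
    if total == 0:
        return 0.0
    return sum(r.length for r in regions if r.encrypted) / total


def plaintext_ranges(regions):
    """(offset, length) pairs that keep their original content. These are the
    ranges a triage tool can still carve or hash-match after an attack."""
    return [(r.offset, r.length) for r in regions if not r.encrypted]


def summarize(file_size, **group_sizes):
    regions = plan_chunks(file_size, **group_sizes)
    return {
        "chunks": len(regions),
        "encrypted_chunks": sum(1 for r in regions if r.encrypted),
        "encrypted_fraction": encrypted_fraction(regions),
        "plaintext_ranges": plaintext_ranges(regions),
    }


if __name__ == "__main__":
    # constructed file sizes: one file shorter than a chunk, one of five chunks
    for size in (4096, 5 * CHUNK_SIZE):
        print(size, summarize(size))
```

The practical point for responders is the `plaintext_ranges` output: skip chunks keep their original bytes, so whole-file entropy checks can under-report an infection on large files, and partial content (headers, strings, structured records) remains available for triage even where the file itself cannot be decrypted.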
LockBit v3.0 includes numerous techniques to thwart analysis and maximize impact.
LockBit 3.0 uses the Trusted Installer service access token to enumerate, stop, and delete predefined Windows Security Services (including SecurityHealthService, WinDefend, and various Windows Defender drivers) that were listed in its configuration.
If the required privileges are not present (specifically Domain Admin membership), it attempts to obtain them by locating a system process such as explorer.exe and duplicating its access token using functions like ZwOpenProcessToken and NtDuplicateToken [3]:
status = (*ntdll.NtOpenProcess)
The ransomware includes checks to prevent operation in certain countries, including Russia, Ukraine, Belarus, and others. It also checks if the system started in safe mode, setting a registry key to run on the next normal boot if necessary.
LockBit 3.0 performs encryption in a multi-threaded manner.
Files that are encrypted receive a unique extension (e.g., .IzYqBW5pa). The ransomware modifies the file system icon association in the registry (HKEY_CLASSES_ROOT) and drops an icon file (e.g., C:\ProgramData\IzYqBW5pa.ico) to change the icons of encrypted files to the LockBit "B" logo.
A ransom note named [unique ID].README.txt (e.g., xEC9do6g6.README.txt) is dropped in every target directory. The content of the note is decrypted at runtime [3].
When configured, the sample communicates with a C2 server over TLS 1.2 using the HTTP POST method. Variables and values within the POST request data are AES-encrypted, and the User-Agent string is randomized.
During the February 2024 law enforcement takedown of the LockBit server, authorities discovered an advanced prototype known as LockBit-NG-Dev, which was likely intended to become LockBit 4.0.
Unlike previous versions written in C/C++, this new version is written in .NET and appears to be compiled using CoreRT [4].
Also, the binary is packed using MPRESS, likely a measure to evade static file detections.
Unlike variants that hardcode behavior directly into the main execution flow, LockBit-NG-Dev relies on an embedded JSON configuration that is decrypted at runtime. This configuration dictates the entire operational scope, including target dates, encryption modes, and ransom note details [4].
Upon initialization, the malware establishes a mutex using the ID value found in the configuration. If this mutex already exists, the process terminates immediately to prevent concurrent infections [4].
Before the encryption phase begins, the malware executes several routines to ensure maximum impact and hinder recovery efforts.
The malware checks the StopProcesses and StopServices flags. If enabled, it iterates through the ProcessesToStop and ServicesToStop lists provided in the JSON configuration and terminates them. This action ensures that file handles held by active applications (such as databases or security tools) are released, allowing them to be encrypted [4].
To prevent victims from restoring files via local recovery options, LockBit-NG-Dev executes specific commands based on the configuration flags DeleteVolumeShadowCopies and DeleteWindowsSystemBackups [4].
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" vssadmin Delete Shadows /All /Quiet
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wbadmin DELETE BACKUP -keepVersions:0 -quiet
To remove forensic evidence after the attack execution, the malware checks the SelfDelete flag. If enabled, it executes a PowerShell command that terminates the ransomware process and overwrites the executable's on-disk data with null bytes using fsutil [4].
powershell.exe -Stop-Process -Id {process_id} -Force; fsutil.exe file setZeroData offset=0 length=9999999999 "{Path_of_ransomware}"
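Both the recovery-inhibition commands and the self-delete one-liner are ordinary command lines, so they land in process-creation telemetry (Sysmon Event ID 1, or Windows Security 4688 with command-line logging enabled). The following Python is an added example of detection logic run over a few constructed log lines; it is not code from this post or from the cited report. The parent image path, the process id 4242 and the zeroed file path in the sample records are invented stand-ins for the `{process_id}` and `{Path_of_ransomware}` placeholders, and the tab-separated record format is an assumption made for the example.

```python
import re

# Detection rules over the process command line. Each rule is
# (name, MITRE ATT&CK technique it maps to, compiled regex).
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("windows_backup_deletion", "T1490",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(backup|catalog|systemstatebackup)\b", re.I)),
    ("fsutil_zero_out_file", "T1070.004",
     re.compile(r"\bfsutil(\.exe)?\b.*\bfile\b.*\bsetzerodata\b", re.I)),
]

# Constructed process-creation records (Image, ParentImage, CommandLine).
# The parent path, pid 4242 and the zeroed file path are invented stand-ins
# for the {process_id} and {Path_of_ransomware} placeholders above.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Users\Public\lb.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" vssadmin Delete Shadows /All /Quiet'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Users\Public\lb.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wbadmin DELETE BACKUP -keepVersions:0 -quiet'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Users\Public\lb.exe",
     r'powershell.exe -Stop-Process -Id 4242 -Force; fsutil.exe file setZeroData offset=0 length=9999999999 "C:\Users\Public\lb.exe"'),
    # benign administrative activity that must not fire
    (r"C:\Windows\System32\vssadmin.exe", r"C:\Windows\System32\cmd.exe",
     r"vssadmin list shadows"),
    (r"C:\Windows\System32\wbadmin.exe", r"C:\Windows\System32\cmd.exe",
     r"wbadmin get versions"),
]

# Flatten into tab-separated log lines, one event per line.
SAMPLE_LOG = "\n".join("\t".join(event) for event in SAMPLE_EVENTS)


def parse_line(line):
    """Split one tab-separated record; return None for blank or malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3:
        return None
    image, parent, command_line = parts
    return {"image": image, "parent": parent, "command_line": command_line}


def parent_outside_windows_dir(parent_image):
    """Recovery-inhibition commands launched by a parent outside C:\\Windows
    (typically a user-writable location) deserve a higher severity."""
    return not parent_image.lower().startswith("c:\\windows\\")


def scan(log_text):
    """Return one hit per (event, rule) match, in log order."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        for name, technique, pattern in RULES:
            if pattern.search(event["command_line"]):
                hits.append({
                    "rule": name,
                    "technique": technique,
                    "image": event["image"],
                    "parent": event["parent"],
                    "command_line": event["command_line"],
                    "parent_outside_windows_dir": parent_outside_windows_dir(event["parent"]),
                })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["rule"], hit["technique"], "<-", hit["command_line"])
```

The rules key on the argument semantics (delete plus shadows, delete plus backup, file plus setZeroData) rather than on the exact strings above, so the `powershell.exe` wrapper and argument case do not matter. The `parent_outside_windows_dir` flag is the kind of context a SOC uses to separate these from scheduled backup maintenance, which is normally launched from a Windows-owned binary.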
LockBit-NG-Dev utilizes AES for file encryption, with the AES keys subsequently encrypted using the RSA public key embedded in the configuration. The malware supports three distinct encryption modes [4]:
When ChangeFilename is set to true, the encrypted files are renamed to a random string. To allow for potential decryption, the original filename is preserved within the file structure [4].
A new iteration of the LockBit ransomware family, version 5.0, has been identified in the wild. This version represents a continued evolution of the group's capabilities, targeting Windows, Linux, and VMware ESXi environments [5]. Analysis indicates that while the core functionalities have been preserved to maintain operational consistency, significant technical improvements and evasion techniques have been introduced. These updates aim to complicate analysis and delay the development of detection signatures.
The ransomware maintains a consistent command-line interface across its Windows, Linux, and ESXi variants, allowing operators to deploy it with similar parameters regardless of the operating system. The most notable ones are listed below [5]:
To evade detection and impede forensic investigation, LockBit 5.0 implements several countermeasures [5]:
The malware patches the EtwEventWrite API in user mode by overwriting the function's beginning with a 0xC3 (RET) instruction. This effectively disables Windows Event Tracing, preventing security solutions from monitoring its activities.
It contains a hardcoded list of 63 service name hashes. The malware hashes the names of running services and compares them against this list. If a match is found, the service is terminated to disable security tools or backup solutions.
Example Service Hashes: FEF56F15, BEC3470B, 9757464D, 88CE6B8E, 826AC445...
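Service-name hashing is meant to hide which products the sample targets, and the analyst's usual response is to hash candidate names with the common algorithms and look for collisions with the embedded list. The following Python is an added example of that resolution step, not code from this post or from the cited analysis, and it is generalised beyond the specific case here: it tries CRC32, FNV-1a and the shellcode-style ROR13-add hash over several case and encoding variants of each name. The post does not identify LockBit 5.0's actual hash algorithm, so the hashes printed above are not resolved here; the test targets are constructed from the block's own functions, and the candidate names are illustrative.

```python
import re
import zlib


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def fnv1a32(data: bytes) -> int:
    """32-bit FNV-1a."""
    h = 0x811C9DC5
    for byte in data:
        h ^= byte
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


def ror13_add(data: bytes) -> int:
    """Rotate-right-13-and-add, the hash popularised by position-independent shellcode."""
    h = 0
    for byte in data:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + byte) & 0xFFFFFFFF
    return h


ALGORITHMS = {"crc32": crc32, "fnv1a32": fnv1a32, "ror13_add": ror13_add}


def variants(name: str):
    """Yield (label, bytes) for the case and encoding forms a hasher might use."""
    for case, text in (("as_is", name), ("lower", name.lower()), ("upper", name.upper())):
        yield f"{case}/ansi", text.encode("latin-1", "replace")
        yield f"{case}/utf16le", text.encode("utf-16-le")


def parse_hash_list(text: str) -> set:
    """Turn a printed list such as 'FEF56F15, BEC3470B' into integer hashes."""
    return {int(tok, 16) for tok in re.findall(r"\b[0-9A-Fa-f]{8}\b", text)}


def resolve(candidates, targets):
    """Map each target hash that some candidate name produces under some
    algorithm/variant to (name, algorithm, variant). Hashes that no candidate
    produces are simply absent from the result."""
    targets = set(targets)
    found = {}
    for name in candidates:
        for variant, data in variants(name):
            for algo, fn in ALGORITHMS.items():
                h = fn(data)
                if h in targets and h not in found:
                    found[h] = (name, algo, variant)
    return found


if __name__ == "__main__":
    # Illustrative candidate list; a real run would use the service names
    # present on the analysed host plus known security and backup products.
    candidates = ["WinDefend", "SecurityHealthService", "Spooler", "Dhcp"]
    # Constructed target set, built with this block's own hashers for the demo.
    targets = {fnv1a32(b"windefend"), crc32("Spooler".encode("utf-16-le"))}
    for h, hit in sorted(resolve(candidates, targets).items()):
        print(f"{h:08X} -> {hit}")
```

If none of the built-in algorithms produce a hit against a real list, the next step is to lift the hashing routine from the binary itself and plug it into `ALGORITHMS`; once the list resolves, the service names become a ready-made watch list for the detection team.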
Upon the completion of the encryption process, the EvtClearLog API is used to wipe all event logs, removing traces of the attack.
The ransomware encrypts files and appends a randomized 16-character extension to the filenames (e.g., .1a2b3c4d5e6f7g8h).
A ransom note is generated, directing victims to a Tor-based data leak site. This site includes a "Chat with Support" section, streamlining the negotiation process between the attackers and the victim [5].
We also strongly suggest simulating LockBit Ransomware Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as HybridPetya, Yurei, BlackNevas, and CyberVolk, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for the LockBit Ransomware Campaign:
Threat ID | Threat Name | Attack Module
41037 | LockBit 5.0 Ransomware Download Threat | Network Infiltration
40664 | LockBit 5.0 Ransomware Email Threat | E-mail Infiltration
73178 | LockBit 4.0 Ransomware Download Threat | Network Infiltration
75649 | LockBit 4.0 Ransomware Email Threat | E-mail Infiltration
74169 | LockBit Green Ransomware Download Threat | Network Infiltration
43227 | LockBit Green Ransomware Email Threat | E-mail Infiltration
33121 | LockBit Black Ransomware Download Threat | Network Infiltration
42440 | LockBit Black Ransomware Email Threat | E-mail Infiltration
24168 | LockBit 3.0 Ransomware Download Threat - 1 | Network Infiltration
71275 | LockBit 3.0 Ransomware Email Threat - 1 | E-mail Infiltration
89603 | LockBit 3.0 Ransomware Download Threat - 2 | Network Infiltration
22700 | LockBit 3.0 Ransomware Email Threat - 2 | E-mail Infiltration
76668 | LockBit 3.0 Malware Downloader Download Threat | Network Infiltration
30789 | LockBit 3.0 Malware Downloader Email Threat | E-mail Infiltration
56526 | LockBit 2.0 Ransomware Download Threat | Network Infiltration
42142 | LockBit 2.0 Ransomware Email Threat | E-mail Infiltration
55537 | LockBit Ransomware Download Threat - 1 | Network Infiltration
59891 | LockBit Ransomware Email Threat - 1 | E-mail Infiltration
46488 | LockBit Ransomware Download Threat - 2 | Network Infiltration
89233 | LockBit Ransomware Email Threat - 2 | E-mail Infiltration
51639 | LockBit Ransomware Campaign | macOS Endpoint
46724 | LockBit Ransomware Campaign | Linux Endpoint
36990 | LockBit Malware Attack Campaign | Windows Endpoint
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] “New LockBit 5.0 Targets Windows, Linux, ESXi,” Trend Micro. Accessed: Nov. 25, 2025. [Online]. Available: https://www.trendmicro.com/en_us/research/25/i/lockbit-5-targets-windows-linux-esxi.html
[2] N. Huỳnh, H. Nguyen, and T. Duong, “Dissecting LockBit v3 ransomware,” Calif. Accessed: Nov. 25, 2025. [Online]. Available: https://blog.calif.io/p/dissecting-lockbit-v3-ransomware
[3] D. Behling, “LockBit 3.0 Ransomware Unlocked,” VMware Security Blog. Accessed: Nov. 25, 2025. [Online]. Available: https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html
[4] “LockBit attempts to stay afloat with a new version.” Accessed: Nov. 26, 2025. [Online]. Available: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf
[5] “New LockBit 5.0 Targets Windows, Linux, ESXi,” Trend Micro. Accessed: Nov. 26, 2025. [Online]. Available: https://www.trendmicro.com/tr_tr/research/25/i/lockbit-5-targets-windows-linux-esxi.html