Suleyman Ozarslan, PhD

LAST UPDATED ON OCTOBER 17, 2025

LockBit Ransomware Gang

By Suleyman Ozarslan, PhD | August 22, 2022 | Ransomware

LockBit is a prominent ransomware group known for technically advanced, high-impact variants. Formerly called the ABCD group, LockBit operates a Ransomware-as-a-Service (RaaS) model that recruits affiliates and accelerates development through a public bug-bounty-style programme. The group advertises itself as the fastest-encrypting ransomware on the market, a claim that attracts a large affiliate base and increases the volume of attacks. LockBit relies on double extortion, combining data theft with file encryption to pressure victims into paying. High-profile incidents have included Accenture, the Ministry of Justice in France, and Bangkok Airways.

LockBit affiliates use a broad playbook. Initial access often comes from phishing, exposed remote services, valid accounts purchased from initial access brokers, or exploitation of known vulnerabilities. Once inside a network, operators perform discovery, move laterally, and escalate privileges using living-off-the-land binaries and common admin tools. Many intrusions include the theft of credentials, the disabling of security software, and the removal of backups or volume shadow copies to maximise impact. LockBit variants support Windows, Linux, and VMware ESXi, which allows encryption across mixed environments. The operation maintains a leak site for publishing stolen data and manages negotiations through structured playbooks. Organisations can reduce risk by enforcing multi-factor authentication, hardening remote access, patching exposed services, segmenting critical assets, monitoring for data exfiltration, and continuously validating controls against real attacker techniques.

Metadata

Associated Groups

Aliases - ABCD, Bitwise Spider, Water Selkie
Affiliates - UNC2165

Associated Country

Russia

First Seen

September 2019

Target Sectors

Education, Energy, Financial Services, Government, Healthcare, Legal, Manufacturing, Retail, Technology, Telecommunication, Transportation

Target Countries

United States, Italy, Australia, Brazil, France, India, Mexico, Morocco, Taiwan, United Arab Emirates, United Kingdom

Modus Operandi

Business Models

Ransomware-as-a-service (RaaS)

Double Extortion

Initial Access Brokers (IABs)

Cooperation with other groups (e.g., Maze)

Company Insiders

Criminal Bug Bounty

Extortion Tactics

File Encryption

Data Leakage

Initial Access Methods

Exploit Public-Facing Application

Phishing

Impact Methods

Data Encryption

Data Exfiltration

Exploited Applications and Vulnerabilities by LockBit

Application | Vulnerability | CVE | CVSS
--- | --- | --- | ---
Microsoft Exchange | ProxyShell RCE | CVE-2021-34473 | 9.8 Critical
Microsoft Exchange | ProxyShell Privilege Escalation | CVE-2021-34523 | 9.8 Critical
Microsoft Exchange | ProxyShell Security Feature Bypass | CVE-2021-31207 | 7.2 High
F5 BIG-IP | iControl REST API RCE | CVE-2022-22986 | 8.8 High
Fortinet FortiGate SSL VPN | Path Traversal | CVE-2018-13379 | 9.8 Critical
SonicWall SSLVPN | SQL Injection | CVE-2021-20028 | 9.8 Critical

Utilized Tools and Malware by LockBit

MITRE ATT&CK Tactic | Tools
--- | ---
Execution | PowerShell [1], PowerShell Empire [2], PsExec [3], Windows Task Scheduler [4], Windows Command Shell [5]
Persistence | Reg.exe [6]
Privilege Escalation | UACme [7]
Defence Evasion | GMER [8], GPEdit.msc [9], Invoke-GPUpdate [10], mshta [11], Process Hacker [12], wevtutil [13]
Credential Access | Comsvcs.dll MiniDump [14], Hakops Keylogger [15], Mimikatz [16]
Discovery | AdFind.exe [17], Advanced Port Scanner [18], PsGetSid [19]
Lateral Movement | PsExec [3]
Command and Control | AnyDesk [20], Metasploit Meterpreter [21]
Exfiltration | MEGA [22], StealBit infostealer malware [23]
Impact | LockBit ransomware, Vssadmin [24], BCDEdit [24]
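As an added example that is not part of the original profile, the Python below flags the recovery-inhibition and log-clearing command lines associated with the Vssadmin, BCDEdit and wevtutil entries in the table above when they appear in process-creation telemetry. The Sysmon-style JSON event shape, hostnames and user names are constructed for the example.

```python
import json
import ntpath
import re

# Each rule: executable, ATT&CK technique, reason, regex over the command line.
RULES = [
    ("vssadmin.exe", "T1490", "shadow copies deleted", r"\bdelete\s+shadows\b"),
    ("vssadmin.exe", "T1490", "shadow storage shrunk", r"\bresize\s+shadowstorage\b"),
    ("bcdedit.exe", "T1490", "recovery environment disabled", r"\brecoveryenabled\s+no\b"),
    ("wevtutil.exe", "T1070.001", "event log cleared", r"\b(cl|clear-log)\s+\S+"),
]
RULES = [(exe, tech, why, re.compile(rx, re.I)) for exe, tech, why, rx in RULES]

def match_event(event):
    """Return (technique, reason) when a process-creation event matches a rule, else None."""
    exe = ntpath.basename(event.get("Image", "").replace("/", "\\")).lower()
    cmd = event.get("CommandLine", "")
    for rule_exe, technique, reason, pattern in RULES:
        if exe == rule_exe and pattern.search(cmd):
            return technique, reason
    return None

def scan(lines):
    """Parse JSON event lines and return one alert dict per matching event."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, not fatal
        hit = match_event(event)
        if hit:
            alerts.append({"host": event.get("Computer"), "user": event.get("User"),
                           "technique": hit[0], "reason": hit[1],
                           "cmd": event.get("CommandLine")})
    return alerts

# Constructed Sysmon-style (Event ID 1) events; not real telemetry.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Computer": "WS01", "User": "CORP\\backupsvc", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"Computer": "SRV02", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Computer": "SRV02", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
]] + ["not json"]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

The benign `vssadmin list shadows` line and the malformed line are deliberately included so the rule set can be checked for false positives and parser robustness.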

  • [1] S. Özarslan, “MITRE ATT&CK T1086 PowerShell.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1086-powershell (accessed Jul. 06, 2022).

  • [2] “GitHub - EmpireProject/Empire: Empire is a PowerShell and Python post-exploitation agent,” GitHub. https://github.com/EmpireProject/Empire (accessed Jul. 06, 2022).

  • [3] “PsExec - Windows Sysinternals.” https://docs.microsoft.com/en-us/sysinternals/downloads/psexec (accessed Jul. 06, 2022).

  • [4] S. Özarslan, “MITRE ATT&CK T1053 Scheduled Task.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-1053-scheduled-task (accessed Jul. 06, 2022).

  • [5] H. C. Yüceel, “T1059 Command and Scripting Interpreter of the MITRE ATT&CK Framework.” https://www.picussecurity.com/resource/t1059-command-and-scripting-interpreter-of-the-mitre-attck-framework (accessed Jul. 06, 2022).

  • [6] S. Özarslan, “MITRE ATT&CK T1060 Registry Run Keys / Startup Folder.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1060-registry-run-keys-startup-folder (accessed Jul. 06, 2022).

  • [7] “GitHub - hfiref0x/UACME: Defeating Windows User Account Control,” GitHub. https://github.com/hfiref0x/UACME (accessed Jul. 06, 2022).

  • [8] “GMER - Rootkit Detector and Remover.” http://www.gmer.net (accessed Jul. 06, 2022).

  • [9] “Conti Leaked Playbook TTPs.” https://raw.githubusercontent.com/DISREL/Conti-Leaked-Playbook-TTPs/main/Conti-Leaked-Playbook-TTPs.pdf

  • [10] JasonGerend, “Invoke-GPUpdate.” https://docs.microsoft.com/en-us/powershell/module/grouppolicy/invoke-gpupdate (accessed Jul. 06, 2022).

  • [11] H. C. Yüceel, “T1218 Signed Binary Proxy Execution of the MITRE ATT&CK Framework.” https://www.picussecurity.com/resource/t1218-signed-binary-proxy-execution-of-the-mitre-attck-framework (accessed Jul. 06, 2022).

  • [12] “Process Hacker.” https://processhacker.sourceforge.io (accessed Jul. 06, 2022).

  • [13] H. C. Yüceel, “Lockbit 2.0 Ransomware: TTPs Used in Emerging Ransomware Campaigns.” https://www.picussecurity.com/resource/lockbit-2.0-ransomware-ttps-used-in-emerging-ransomware-campaigns (accessed Jul. 06, 2022).

  • [14] S. Özarslan, “MITRE ATT&CK T1003 Credential Dumping.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1003-credential-dumping (accessed Jul. 05, 2022).

  • [15] “HAKOPS Keylogger 16 - 12.04.2018,” TurkHackTeam, Apr. 12, 2018. https://www.turkhackteam.org/konular/hakops-keylogger-16-12-04-2018.1699779/ (accessed Jul. 06, 2022).

  • [16] “GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security,” GitHub. https://github.com/gentilkiwi/mimikatz (accessed Jul. 06, 2022).

  • [17] “AdFind.” http://www.joeware.net/freetools/tools/adfind/index.htm (accessed Jul. 06, 2022).

  • [18] “Advanced Port Scanner – free and fast port scanner.” https://www.advanced-port-scanner.com (accessed Jul. 06, 2022).

  • [19] “PsGetSid - Windows Sysinternals.” https://docs.microsoft.com/en-us/sysinternals/downloads/psgetsid (accessed Jul. 06, 2022).

  • [20] “The Fast Remote Desktop Application,” AnyDesk. https://anydesk.com/en (accessed Jul. 06, 2022).

  • [21] “Metasploit,” Metasploit. https://www.metasploit.com/ (accessed Jul. 06, 2022).

  • [22] “MEGA.” https://mega.io/ (accessed Jul. 06, 2022).

  • [23] Fraunhofer FKIE, “StealBit (Malware Family),” Malpedia. https://malpedia.caad.fkie.fraunhofer.de/details/win.stealbit (accessed Jul. 06, 2022).

  • [24] H. C. Yüceel, “MITRE ATT&CK T1490 Inhibit System Recovery - The Ransomware’s Favorite.” https://www.picussecurity.com/resource/mitre-attck-t1490-inhibit-system-recovery-the-ransomwares-favorite (accessed Jul. 06, 2022).
