Lockbit 2.0 Ransomware: TTPs Used in Emerging Ransomware Campaigns


On February 4th, 2022, the FBI issued a flash report on LockBit 2.0 ransomware and its indicators of compromise (IOCs). Although Picus Labs had already added attack simulations for LockBit 2.0 to the Picus Threat Library in August 2021, the rising number of attacks prompted us to write this blog post.

LockBit Ransomware Group

The LockBit group is a Ransomware-as-a-Service (RaaS) operator that has been active for nearly 3.5 years; it was formerly known as the ABCD ransomware group. For the last six months, the group has been promoting its latest ransomware, LockBit 2.0, and in that time its affiliates have attacked more than 50 organizations across multiple industries with it. Lately, the number of developers and threat actors associated with the LockBit group has been rising, so more LockBit 2.0 ransomware attacks can be expected in the near future.

What is LockBit 2.0 Ransomware?

LockBit 2.0 is the latest ransomware released by the LockBit ransomware group, in August 2021. The group's advertisement claims it is the fastest-encrypting ransomware available, and the ransomware operators customize the ransomware to the needs of the threat actors who deploy it.

Figure 1: LockBit 2.0 Advertisement [1]

After execution, LockBit 2.0 encrypts the victim's files and appends the .lockbit extension. If the attack completes successfully, LockBit 2.0 changes the desktop wallpaper to inform the victim and drops the ransom note Restore-My-Files.txt on the desktop.

Figure 2: Wallpaper of the victim after LockBit 2.0 attack [2]

Technical Details of LockBit 2.0

1. LockBit 2.0 uses encoding for defense evasion

The LockBit 2.0 executable is stored in encoded form; the ransomware decodes the modules and strings it requires only when they are needed. Encoding the executable this way helps the ransomware evade signature-based detection.

2. LockBit 2.0 does not attack systems using certain languages

LockBit 2.0 ransomware checks the system and user language settings. If the language is set to one of the languages below, it does not attack the system. The list of languages that LockBit 2.0 does not attack is given below.

  • Russian
  • Belarusian
  • Tajik
  • Armenian
  • Azeri - Latin
  • Georgian
  • Kazakh
  • Kyrgyz - Cyrillic
  • Turkmen
  • Uzbek - Latin
  • Russian - Moldova
  • Azeri - Cyrillic
  • Uzbek - Cyrillic

3. LockBit 2.0 damages built-in recovery and logging mechanisms

LockBit 2.0 ransomware runs the commands below to delete volume shadow copies and disable Windows recovery, so that the victim cannot restore data with the built-in recovery services.

cmd.exe /c vssadmin Delete Shadows /All /Quiet
    Delete volume shadow copies

cmd.exe /c bcdedit /set {default} recoveryenabled No
    Disable Windows recovery

cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
    Ignore boot failures

4. LockBit 2.0 deletes itself and log data

LockBit 2.0 ransomware clears the Windows event logs and deletes its own executable, so that the victim cannot investigate the attack afterward.

cmd.exe /c wevtutil cl security
    Clear the Security event log

cmd.exe /c wevtutil cl system
    Clear the System event log

cmd.exe /c wevtutil cl application
    Clear the Application event log

cmd.exe /c del /f /q "<PATH>\Lsystem-234-bit.exe"
    Delete the ransomware executable itself
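The recovery-inhibition and log-clearing commands in sections 3 and 4 are exactly the kind of command lines a detection engineer wants to alert on. The following Python script is an added example for this post (it is not Picus code and not part of the original article): it runs a small rule set over process-creation events and only raises a host when several distinct rules fire within a short window, which is what separates a LockBit-style chain from an administrator legitimately running vssadmin. The event line shape, host and user names, and the events themselves are constructed for the example; the mapping of wevtutil log clearing to ATT&CK T1070.001 is my addition, since the article's technique list only carries T1070.004 and T1490.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample process-creation events for this example (not real telemetry).
# The line shape "<timestamp> <host> <user> CommandLine=<command line>" is an assumption
# standing in for whatever your collector emits (Sysmon EID 1, Security 4688, an EDR feed).
SAMPLE_EVENTS = [
    "2022-02-04T10:01:12Z WS01 CORP\\jdoe CommandLine=cmd.exe /c vssadmin Delete Shadows /All /Quiet",
    "2022-02-04T10:01:13Z WS01 CORP\\jdoe CommandLine=cmd.exe /c bcdedit /set {default} recoveryenabled No",
    "2022-02-04T10:01:13Z WS01 CORP\\jdoe CommandLine=cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2022-02-04T10:05:40Z WS01 CORP\\jdoe CommandLine=cmd.exe /c wevtutil cl security",
    "2022-02-04T10:05:41Z WS01 CORP\\jdoe CommandLine=cmd.exe /c wevtutil cl system",
    "2022-02-04T10:05:41Z WS01 CORP\\jdoe CommandLine=cmd.exe /c wevtutil cl application",
    "2022-02-04T10:05:42Z WS01 CORP\\jdoe CommandLine=cmd.exe /c del /f /q \"C:\\Users\\jdoe\\Lsystem-234-bit.exe\"",
    # Benign administrative activity that must not fire: listing shadows, querying (not clearing) a log.
    "2022-02-04T10:07:00Z WS01 CORP\\backupsvc CommandLine=vssadmin list shadows",
    "2022-02-04T10:08:00Z WS01 CORP\\helpdesk CommandLine=wevtutil qe security /c:5",
]


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str      # ATT&CK technique ID the behaviour maps to
    pattern: re.Pattern


# One rule per command from the article; patterns tolerate an ".exe" suffix and extra arguments.
RULES = [
    Rule("shadow_copy_deletion", "T1490",
         re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    Rule("windows_recovery_disabled", "T1490",
         re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    Rule("boot_failures_ignored", "T1490",
         re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    Rule("event_log_cleared", "T1070.001",   # mapping added for this example
         re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(security|system|application)\b", re.I)),
    Rule("executable_force_deleted", "T1070.004",
         re.compile(r'\bdel\s+(?:/[fq]\s+)+.*\.exe"?\s*$', re.I)),
]

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+CommandLine=(?P<cmd>.*)$")


def parse_event(line: str):
    """Parse one sample event line into a dict, or None if it does not fit the assumed shape."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on, so normalise it first.
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def match_rules(cmd: str):
    """Return every rule whose pattern matches the command line."""
    return [r for r in RULES if r.pattern.search(cmd)]


def scan(lines):
    """Run all rules over the events; one hit per (event, rule) pair."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for r in match_rules(ev["cmd"]):
            hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                         "rule": r.name, "technique": r.technique, "cmd": ev["cmd"]})
    return hits


def flag_hosts(hits, window_seconds=600, min_distinct_rules=3):
    """Raise a host only when several distinct rules fire on it inside the window.
    A lone vssadmin or wevtutil call is routine maintenance; three different
    recovery/log-tampering commands within minutes is the chain described above."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], []).append(h)
    flagged = {}
    for host, host_hits in by_host.items():
        host_hits.sort(key=lambda h: h["ts"])
        for i, first in enumerate(host_hits):
            window = [h for h in host_hits[i:]
                      if (h["ts"] - first["ts"]).total_seconds() <= window_seconds]
            if len({h["rule"] for h in window}) >= min_distinct_rules:
                flagged[host] = sorted({h["technique"] for h in window})
                break
    return flagged


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["ts"].isoformat()} {h["host"]} {h["technique"]:<10} {h["rule"]:<28} {h["cmd"]}')
    print("flagged hosts:", flag_hosts(hits))
```

On the constructed events the script produces seven hits, all on WS01, and flags that host with techniques T1070.001, T1070.004 and T1490, while the benign vssadmin list and wevtutil qe lines produce nothing. The window and threshold are tuning knobs: backup software that legitimately deletes shadow copies should be handled by an exclusion on the user or parent process rather than by dropping the rule.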

How Does Picus Help Simulate LockBit 2.0 Ransomware?

Using the Picus Continuous Security Validation Platform, you can test your security controls against LockBit 2.0 ransomware. We advise you to simulate LockBit 2.0 ransomware attacks and determine whether your security controls prevent them. The Picus Threat Library includes the following threats to simulate LockBit 2.0 ransomware variants.

Threat Name: LockBit 2.0 Ransomware .EXE File Download (8 variants)

The Picus Threat Library also includes other ransomware threats from the LockBit RaaS group:

Threat Name: LockBit Ransomware .EXE File Download (5 variants)

MITRE ATT&CK Techniques Used by LockBit 2.0 Ransomware

Initial Access

T1078 Valid Accounts

T1190 Exploit Public-Facing Application

Execution

T1047 Windows Management Instrumentation

T1059 Command and Scripting Interpreter

T1059.003 Windows Command Shell

Persistence

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Privilege Escalation

T1055 Process Injection

Defense Evasion

T1055 Process Injection

T1070.004 Indicator Removal on Host: File Deletion

T1112 Modify Registry

T1497 Virtualization/Sandbox Evasion

Credential Access

T1056.004 Credential API Hooking

T1110 Brute Force

Discovery

T1012 Query Registry

T1018 Remote System Discovery

T1057 Process Discovery

Lateral Movement

T1021 Remote Services

T1021.001 Remote Services: Remote Desktop Protocol

T1021.002 Remote Services: SMB/Windows Admin Shares

Collection

T1056.004 Credential API Hooking

Command and Control (C2)

T1090.003 Proxy: Multi-hop Proxy

Exfiltration

T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Impact

T1486 Data Encrypted for Impact

T1490 Inhibit System Recovery

Indicators of Compromise (IOCs)

[1] “LockBit 2.0: Ransomware Attacks Surge After Successful Affiliate Recruitment,” Security Intelligence, 09-Sep-2021. [Online]. Available: https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/

[2] T. Meskauskas, “LockBit 2.0 Ransomware,” 15-Oct-2021. [Online]. Available: https://www.pcrisk.com/removal-guides/21605-lockbit-2-0-ransomware