{
	"id": "6c6de10e-78ba-4577-bdae-b350d61706cf",
	"created_at": "2026-04-06T00:10:43.612322Z",
	"updated_at": "2026-04-10T03:32:24.802997Z",
	"deleted_at": null,
	"sha1_hash": "13cdd4e99bf7672de346ea5f7823cfedc12ad3d0",
	"title": "LockBit 2.0: How This RaaS Operates and How to Protect Against It",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5863128,
	"plain_text": "LockBit 2.0: How This RaaS Operates and How to Protect Against\r\nIt\r\nBy Amer Elsad, JR Gumarin, Abigail Barr\r\nPublished: 2022-06-09 · Archived: 2026-04-05 15:51:13 UTC\r\nExecutive Summary\r\nLockBit 2.0 is ransomware as a service (RaaS) that first emerged in June 2021 as an upgrade to its predecessor\r\nLockBit (aka ABCD Ransomware), which was first observed in September 2019.\r\nSince its inception, the LockBit 2.0 RaaS attracted affiliates via recruitment campaigns in underground forums,\r\nand thus became particularly prolific during the third quarter of calendar year 2021. The LockBit 2.0 operators\r\nclaimed to have the fastest encryption software of any active ransomware strain as of June 2021, claiming\r\naccordingly that this added to its effectiveness and ability to disrupt the ransomware landscape.\r\nWhile several top-tier RaaS affiliate programs, such as Babuk, DarkSide and REvil (aka Sodinokibi) disappeared\r\nfrom the underground in 2021, LockBit 2.0 continued to operate and gradually became one of the most active\r\nransomware operations. While Conti was recognized as being the most prolific ransomware deployed in 2021 per\r\nour 2022 Unit 42 Ransomware Threat Report, LockBit 2.0 is the most impactful and widely deployed ransomware\r\nvariant we have observed in all ransomware breaches during the first quarter of 2022, considering both leak site\r\ndata and data from cases handled by Unit 42 incident responders.\r\nAccording to data analysis of ransomware groups’ dark web leak sites, LockBit 2.0 was the most impactful RaaS\r\nfor five consecutive months. As of May 25, LockBit 2.0 accounted for 46% of all ransomware-related breach\r\nevents for 2022. And the LockBit 2.0 RaaS leak site has the most significant number of published victims, with\r\nover 850 in total.\r\nAdditionally, LockBit 2.0 has affected many companies globally, with top victims based in the U.S., Italy and\r\nGermany. 
Its most highly targeted industry verticals include professional services, construction, wholesale and\r\nretail, and manufacturing.\r\nPalo Alto Networks customers receive protections against LockBit 2.0 attacks from Cortex XDR, as well as from\r\nthe WildFire cloud-delivered security subscription for the Next-Generation Firewall. (Please see the Conclusion\r\nsection for more detail.)\r\nLockBit 2.0 Overview\r\nLockBit 2.0 is another example of RaaS that leverages double extortion techniques as part of the attack to pressure\r\nvictims into paying the ransom.\r\nhttps://unit42.paloaltonetworks.com/lockbit-2-ransomware/\r\nPage 1 of 20\n\nIn some cases, LockBit 2.0 operators have performed DDoS attacks on the victims' infrastructure as well as using\r\na leak site. This practice is known as triple extortion, a tactic observed in groups like BlackCat, Avaddon and\r\nSunCrypt in the past.\r\nLike other ransomware families such as BlackByte, LockBit 2.0 avoids systems that use Eastern European\r\nlanguages, including many written with Cyrillic alphabets.\r\nUnlike other RaaS programs that don't require the affiliates to be super technical or savvy, LockBit 2.0 operators\r\nallegedly only work with experienced penetration testers, especially those experienced with tools like Metasploit\r\nand Cobalt Strike. Affiliates are tasked with gaining initial access to the victim network, allowing LockBit 2.0 to\r\nconduct the rest of the attack.\r\nLockBit 2.0 has been observed changing infected computers’ backgrounds to a ransomware note. The ransomware\r\nnote was also used to recruit insiders from victim organizations. The notes claimed the threat actors would pay\r\n“millions of dollars” to insiders who provided access to corporate networks or facilitated a ransomware infection\r\nby opening a phishing email and/or launching a payload manually. The threat actors also expressed interest in\r\nother access methods such as RDP, VPN and corporate email credentials. 
In exchange, they offer a cut of the paid\r\nransom.\r\nVictimology\r\nLockBit 2.0 targets organizations opportunistically. The operators work with initial access brokers to save time\r\nand allow for a larger profit potential. While typically seeking victims of opportunity, LockBit 2.0 does appear to\r\nhave victim limitations. The group announced that they would not target healthcare facilities, social services,\r\neducational institutions, charitable organizations and other organizations that “contribute to the survival of the\r\nhuman race”. However, despite these claims, there have been instances of affiliates undermining these guidelines\r\nby still opting to attack industry verticals such as healthcare and education.\r\nOrganizations in Europe and the U.S. are hit more often by LockBit 2.0 than those in other countries, likely due to\r\nthe high profitability and insurance payouts.\r\nLeak Site Data\r\nDuring the first calendar year quarter of 2022, LockBit 2.0 persisted as the most impactful and the most deployed\r\nransomware variant we observed in all ransomware breaches shared on leak sites.\r\nFigure 1. Ransomware leak site data from the first calendar year quarter of 2022.\r\nAccording to leak site data analysis, LockBit 2.0 was the most impactful RaaS for five consecutive months. As of\r\nMay 25, LockBit 2.0 accounted for 46% of all ransomware-related breach events for 2022 shared on leak sites.\r\nAdditionally, the LockBit 2.0 RaaS leak site has the most significant number of published victims, with over 850\r\nin total. The site itself typically features information such as victim domains, a time tracker and measures of how\r\nmuch data was compromised.\r\nFigure 2. 
LockBit 2.0 leak site extortion site.\r\nLockBit 2.0 claims that they have demanded ransom from at least 12,125 companies, as shown in the figure\r\nbelow.\r\nFigure 3. Source: VX-underground.\r\nAccording to leak site data for LockBit 2.0, since its inception in June 2021, the RaaS has affected many\r\ncompanies globally, with top victims based in the U.S., Italy and Germany.\r\nFigure 4. LockBit 2.0 geographical impact chart.\r\nLockBit 2.0 has also impacted various victims across multiple industry verticals. Its most highly targeted industry\r\nverticals include professional services, construction, wholesale and retail, and manufacturing.\r\nFigure 5. LockBit 2.0 impacted industry vertical chart.\r\nWhen looking at leak site data across all ransomware families, we’ve observed LockBit 2.0 targeting the highest\r\nnumber of organizations in the following regions: JAPAC, EMEA, and LATAM.\r\nUnit 42 Incident Response Data on LockBit 2.0\r\nCases handled by Unit 42 security consultants involving LockBit 2.0 since its appearance in June 2021\r\ndemonstrate shorter dwell times and less flexibility in negotiation in the beginning of FY 2022 (measured\r\nOctober-September) in comparison to the end of FY 2021. The following data is broken into fiscal years and\r\nquarters based on when the threat actor breached the network, not when the activity was noticed by a client.\r\nLockBit 2.0 has shown a decrease in dwell time in FY 2022. From the last two quarters of FY 2021 to the first two\r\nquarters of FY 2022, there has been an average 37-day difference.\r\nFigure 6. 
LockBit 2.0 average dwell time by fiscal quarter.\r\nThe difference in initial and final ransom demands over the past fiscal year has been converted to percentages and\r\nthen averaged. The graph below demonstrates that at the end of FY 2021, threat actors using LockBit 2.0 were\r\nmuch more open to negotiations of ransom amounts; during that time the ransom was dropped approximately 83%\r\nfrom the initial ask on average. In comparison, we see less flexibility in FY 2022 Q1 and Q3 – threat actors only\r\noffered an average of about 30% as a price drop. FY 2022 Q2 is not included due to lack of sufficient information.\r\nFigure 7. LockBit 2.0 average difference in initial vs final ransom amount, shown as percentages.\r\nLockBit 2.0 Tactics, Techniques and Procedures\r\nTechnically speaking, we have observed LockBit 2.0 affiliates leveraging the following tactics, techniques and\r\nprocedures:\r\nTA0001 Initial Access\r\nT1078 Valid Accounts\r\nCredentials that have either been reused across multiple platforms or have\r\npreviously been exposed. Additionally, this includes VPN accounts – not\r\njust domain and local accounts.\r\nT1133 External Remote Services\r\nAffiliates have been seen brute forcing exposed RDP services and\r\ncompromising accounts with weak passwords.\r\nT1190 Exploit Public-Facing Applications\r\nVulnerabilities such as ProxyShell (CVE-2021-34473) and improper SQL\r\nsanitization (CVE-2021-20028) have been observed being utilized as\r\nfootholds into the environment.\r\nTA0002 Execution\r\nT1053.005 Scheduled Task/Job: Scheduled Task\r\nLockBit 2.0 can be executed via scheduled tasks.\r\nT1059 Command and Scripting Interpreter\r\nLockBit 2.0 is typically executed via command line arguments via a hidden\r\nwindow.\r\nWindows SysInternals PsExec has been utilized for both persistence and\r\nexecution purposes. 
Its ability to execute processes on other systems spread\r\nthe ransomware and assisted in reconnaissance activities. \r\nTA0003 Persistence\r\nT1053.005 Scheduled Task/Job: Scheduled Task\r\nIt was quite common to see scheduled tasks used to create\r\npersistence for the ransomware executable, PsExec, and occasionally some\r\ndefense evasion batch scripts.\r\nT1078 Valid Accounts\r\nCompromised accounts may be used to maintain access to the network.\r\nT1136.001 Create Account\r\nIn rare cases, LockBit 2.0 has been observed to create accounts for\r\npersistence with simple names, such as “a.”\r\nT1505.003 Server Software Component\r\nWith the upsurge of ProxyShell, webshells have become more common\r\nentry points.\r\nTA0004 Privilege Escalation\r\nT1068 Exploitation for Privilege Escalation\r\nThe ProxyShell elevation of privilege on the Exchange PowerShell\r\nBackend (CVE-2021-34523), Windows Background Intelligent Transfer\r\nService (BITS) improperly handling symbolic links (CVE-2020-0787), and\r\nabusing the CMSTPLUA COM interface have all been seen as methods of\r\nprivilege escalation.\r\nT1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control\r\nLockBit 2.0 has utilized a UAC bypass tool.\r\nTA0005 Defense Evasion\r\nT1070 Indicator Removal on Host\r\nIndicators, such as logs in Windows Event Logs or malicious files, are\r\ntypically removed using wevtutil, a batch script, or CCleaner.\r\nT1140 Deobfuscate/Decode Files or Information\r\nMost PowerShell scripts involved in LockBit 2.0 cases are Base64\r\nencoded.\r\nT1484.001 Domain Policy Modification: Group Policy Modification\r\nLockBit 2.0 has been seen using the PowerShell module InvokeGPUpdate\r\nto update the group policy.\r\nT1562.001 Impair Defenses: Disable or Modify Tools\r\nWindows Defender, other anti-malware solutions and monitoring tools are\r\ndisabled utilizing a process 
explorer tool, a batch script or a specially\r\ncrafted command line script.\r\nT1564.003 Hide Artifacts: Hidden Window\r\nAffiliates use hidden windows to hide malicious activity from plain sight.\r\nTA0006 Credential Access\r\nT1003 OS Credential Dumping\r\nAs seen with other ransomware cases, Mimikatz is a key player in dumping\r\ncredentials but LockBit 2.0 has been occasionally seen utilizing MiniDump\r\nas well.\r\nT1555 Credentials from Password Stores\r\nLockBit 2.0 has been seen utilizing numerous tools to dump passwords\r\nfrom password stores and Chrome using GrabChrome and GrabRFF.\r\nTA0007 Discovery\r\nT1046 Network Service Discovery\r\nBoth Advanced Port Scanner and NetScan have been used to discover local\r\nnetwork infrastructure devices and services running on remote hosts.\r\nActive Directory queries for remote systems have been performed by\r\nADFind.\r\nT1057 Process Discovery\r\nProcess Explorer, Process Monitor and PCHunter have been utilized to\r\ndiscover any anti-malware or monitoring software and terminate it.\r\nT1082 System Information Discovery\r\nLockBit 2.0 enumerates system information such as hostname, shares, and\r\ndomain information.\r\nT1614 System Location Discovery\r\nAttempts to check the language settings.\r\nTA0008 Lateral Movement\r\nT1021 Remote Services\r\nAlthough Cobalt Strike has many capabilities beneficial to threat actors in\r\nransomware attacks, it was mainly seen in LockBit 2.0 investigations\r\nacting as a command and control beacon, a method of lateral movement\r\nand a tool for downloading/executing files.\r\nT1021.002 Remote Services: SMB/Windows Admin Shares\r\nLockBit 2.0 has been known to self-propagate via SMB.\r\nTA0010 Exfiltration\r\nT1030 Data Transfer Size Limits\r\nIn some cases, LockBit 2.0 will limit the data transfer sizes to fly under the\r\nradar of any monitoring services a client may have set 
up.\r\nT1041 Exfiltration over C2 Channel\r\nMEGASync is the leading way for LockBit 2.0 affiliates to exfiltrate data\r\nfrom clients, with it being occasionally replaced by RClone.\r\nTA0011 Command and Control\r\nT1219 Remote Access Software\r\nAnyDesk has been the most common legitimate desktop software used to\r\nestablish an interactive command and control channel, with ConnectWise\r\nseen slightly less frequently.\r\nTA0040 Impact\r\nT1486 Data Encrypted for Impact\r\nLockBit 2.0 is known for its extortion tactics, encrypting devices and\r\ndemanding a ransom.\r\nT1489 Service Stop\r\nDuring the defense evasion phase, anti-malware and monitoring software is\r\noften disabled. Firewall rules have occasionally been seen being disabled\r\nas well.\r\nLockBit 2.0 Technical Details\r\nLockBit 2.0 was developed using the Assembly and Origin C programming languages and leverages advanced\r\nencryption standard (AES) and elliptic-curve cryptography (ECC) algorithms to encrypt victim data. It can affect\r\nboth Windows and Linux OS, as the operator released a Linux version of LockBit 2.0 to target VMware ESXi\r\nhypervisor systems in October 2021, coded exclusively in the C programming language.\r\nThe LockBit group claimed that LockBit 2.0 is “the fastest encryption software all over the world” and provided a\r\ncomparative table showing the encryption speed of various ransomware samples.\r\nFigure 8. 
LockBit encryption comparative table | Source: LockBit blog.\r\nLockBit 2.0 also contains a self-spreading feature, clears logs and can print the ransom note on network printers\r\nuntil the paper runs out.\r\nA management panel also exists that affiliates can use to manage victims and affiliate accounts, generate new ransomware\r\nbuilds and generate the decryptor if the demanded ransom is paid.\r\nFigure 9. LockBit 2.0 management panel. Source: ProDaft.\r\nLockBit 2.0 operators also released an information-stealer dubbed StealBit, which was developed to support\r\naffiliates of the LockBit 2.0 RaaS when exfiltrating data from breached companies.\r\nStealBit contains the following capabilities:\r\nOperates as a file grabber and dumps/uploads victim data to the LockBit victim-shaming site.\r\nNo reliance on third-party cloud file-sharing services, where data can be easily removed if the victim\r\nsubmitted a complaint.\r\nThe download speed is limited only by internet connection bandwidth, so it is possible to clone folders\r\nfrom corporate networks and upload them to the LockBit victim shaming blog quickly.\r\nThe operator of LockBit 2.0 has provided a comparative speed table showing the information stealer compared to\r\nother tools.\r\nFigure 10. LockBit 2.0 download speed, according to LockBit 2.0 operator.\r\nLockBit 3.0\r\nThere was a bug that existed in LockBit 2.0 that allowed researchers to revert the encryption process on an\r\nMSSQL database. After the bug’s disclosure, LockBit forum members discussed how the bug would not exist in\r\nLockBit’s next iteration. Moreover, on March 17, LockBit forum members mentioned the release of LockBit’s\r\nnext version in one or two weeks. On March 25, VX underground posted a tweet with details of this new version,\r\ndubbed LockBit Black.\r\nFigure 11. 
LockBit Black post-infection desktop wallpaper (Source: VX-underground).\r\nCourses of Action\r\nSeveral adversarial techniques were observed in this activity and the following measures are suggested within\r\nPalo Alto Networks products and services to ensure mitigation of threats related to LockBit 2.0 ransomware, as\r\nwell as other malware using similar techniques:\r\nProduct / Service Course of Action\r\nInitial Access, Execution, Persistence, Privilege Escalation, Defense Evasion\r\nThe courses of action below mitigate the following techniques:\r\nExploit Public-Facing Application [T1190], Command and Scripting Interpreter [T1059], Local Account\r\n[T1136.001], Web Shell [T1505.003], Exploitation for Privilege Escalation [T1068], Indicator Removal on\r\nHost [T1070], Deobfuscate/Decode Files or Information [T1140], Disable or Modify Tools [T1562.001],\r\nHidden Window [T1564.003], Valid Accounts [T1078], External Remote Services [T1133], Scheduled Task\r\n[T1053.005], Bypass User Account Control [T1548.002], Group Policy Modification [T1484.001]\r\nTHREAT PREVENTION\r\nEnsure a secure Vulnerability Protection Profile is applied to all security rules\r\nallowing traffic\r\nEnsure a Vulnerability Protection Profile is set to block attacks against critical\r\nand high vulnerabilities, and set to default on medium, low, and informational\r\nvulnerabilities\r\nEnsure DNS sinkholing is configured on all anti-spyware profiles in use\r\nEnsure an anti-spyware profile is configured to block on all spyware severity\r\nlevels, categories, and threats\r\nEnsure a secure anti-spyware profile is applied to all security policies\r\npermitting traffic to the internet\r\nEnsure passive DNS monitoring is set to enabled on all anti-spyware profiles\r\nin use\r\nCORTEX XSOAR\r\nDeploy XSOAR Playbook Cortex XDR - Isolate Endpoint\r\nDeploy XSOAR Playbook - Block Account Generic\r\nDeploy XSOAR Playbook - 
Access Investigation Playbook\r\nDeploy XSOAR Playbook - Impossible Traveler\r\nNEXT-GENERATION FIREWALLS\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic does not\r\nexist\r\nEnsure application security policies exist when allowing traffic from an\r\nuntrusted zone to a more trusted zone\r\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted\r\nThreat Intelligence Sources Exists\r\nEnsure that the User-ID service account does not have interactive logon rights\r\nDefine at least one 'Include Network'.\r\nEnsure that User-ID is only enabled for internal trusted interfaces\r\nEnsure that 'Include/Exclude Networks' is used if User-ID is enabled\r\nEnsure remote access capabilities for the User-ID service account are\r\nforbidden.\r\nEnsure that the User-ID Agent has minimal permissions if User-ID is enabled\r\nCORTEX XDR PREVENT\r\nEnable Anti-Malware Protection\r\nEnable Anti-Exploit Protection\r\nConfigure Host Firewall Profile\r\nConfigure Behavioral Threat Protection under the Malware Security Profile\r\nCredential Access\r\nThe courses of action below mitigate the following techniques:\r\nOS Credential Dumping [T1003], Credentials from Password Stores [T1555]\r\nCORTEX XDR PREVENT\r\nEnable Anti-Exploit Protection\r\nEnable Anti-Malware Protection\r\nDiscovery\r\nThe courses of action below mitigate the following techniques:\r\nNetwork Service Scanning [T1046], Process Discovery [T1057], System Location Discovery [T1614], System\r\nInformation Discovery [T1082]\r\nCORTEX XDR PREVENT\r\nConfigure Behavioral Threat Protection under the Malware Security Profile\r\nNEXT-GENERATION FIREWALLS\r\nEnsure that all zones have Zone Protection Profiles with all Reconnaissance\r\nProtection settings enabled, tuned, and set to appropriate actions\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic does not\r\nexist\r\nEnsure 
'Security Policy' denying any/all traffic to/from IP addresses on Trusted\r\nThreat Intelligence Sources Exists\r\nEnsure application security policies exist when allowing traffic from an\r\nuntrusted zone to a more trusted zone\r\nCORTEX XSOAR\r\nDeploy XSOAR Playbook - Port Scan\r\nLateral Movement\r\nThe courses of action below mitigate the following techniques:\r\nRemote Services [T1021], SMB/Windows Admin Shares [T1021.002]\r\nNEXT-GENERATION FIREWALLS\r\nEnsure remote access capabilities for the User-ID service account are\r\nforbidden.\r\nEnsure that User-ID is only enabled for internal trusted interfaces\r\nEnsure that the User-ID Agent has minimal permissions if User-ID is enabled\r\nEnsure that the User-ID service account does not have interactive logon rights\r\nEnsure that 'Include/Exclude Networks' is used if User-ID is enabled\r\nEnsure that security policies restrict User-ID Agent traffic from crossing into\r\nuntrusted zones\r\nCORTEX XSOAR\r\nDeploy XSOAR Playbook - Block Account Generic\r\nDeploy XSOAR Playbook - Access Investigation Playbook\r\nCommand and Control\r\nThe courses of action below mitigate the following techniques:\r\nRemote Access Software [T1219]\r\nNEXT-GENERATION FIREWALLS\r\nEnsure that the Certificate used for Decryption is Trusted\r\nEnsure application security policies exist when allowing traffic from an\r\nuntrusted zone to a more trusted zone\r\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted\r\nThreat Intelligence Sources Exists\r\nEnsure 'SSL Forward Proxy Policy' for traffic destined to the internet is\r\nconfigured\r\nEnsure 'SSL Inbound Inspection' is required for all untrusted traffic destined\r\nfor servers using SSL or TLS\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic does not\r\nexist\r\nTHREAT PREVENTION\r\nEnsure DNS sinkholing is configured on all anti-spyware profiles in 
use\r\nEnsure passive DNS monitoring is set to enabled on all anti-spyware profiles\r\nin use\r\nEnsure a secure anti-spyware profile is applied to all security policies\r\npermitting traffic to the Internet\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and\r\n'pop3'\r\nEnsure an anti-spyware profile is configured to block on all spyware severity\r\nlevels, categories, and threats\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nURL FILTERING\r\nEnsure secure URL filtering is enabled for all security policies allowing traffic\r\nto the internet\r\nEnsure all HTTP Header Logging options are enabled\r\nEnsure that PAN-DB URL Filtering is used\r\nEnsure that URL Filtering uses the action of ‘block’ or ‘override’ on the URL\r\ncategories\r\nEnsure that access to every URL is logged\r\nCORTEX XSOAR\r\nDeploy XSOAR Playbook - PAN-OS Query Logs for Indicators\r\nExfiltration\r\nThe courses of action below mitigate the following techniques:\r\nData Transfer Size Limits [T1030], Exfiltration Over C2 Channel [T1041]\r\nTHREAT PREVENTION\r\nEnsure DNS sinkholing is configured on all anti-spyware profiles in use\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and\r\n'pop3'\r\nEnsure an anti-spyware profile is configured to block on all spyware severity\r\nlevels, categories, and threats\r\nEnsure passive DNS monitoring is set to enabled on all anti-spyware profiles\r\nin use\r\nEnsure a secure anti-spyware profile is applied to all security policies\r\npermitting traffic to the Internet\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nURL FILTERING\r\nEnsure that PAN-DB URL Filtering is used\r\nEnsure that access to every URL is logged\r\nEnsure that URL Filtering uses the action of ‘block’ or ‘override’ on the URL\r\ncategories\r\nEnsure secure URL filtering is 
enabled for all security policies allowing traffic\r\nto the internet\r\nEnsure all HTTP Header Logging options are enabled\r\nCORTEX XSOAR\r\nDeploy XSOAR Playbook - Block URL\r\nDeploy XSOAR Playbook - PAN-OS Query Logs for Indicators\r\nDeploy XSOAR Playbook - Block IP\r\nDNS SECURITY\r\nEnable DNS Security in Anti-Spyware profile\r\nNEXT-GENERATION FIREWALLS\r\nSet up NetFlow Monitoring\r\nEnsure application security policies exist when allowing traffic from an\r\nuntrusted zone to a more trusted zone\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic does not\r\nexist\r\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted\r\nThreat Intelligence Sources Exists\r\nImpact\r\nThe courses of action below mitigate the following techniques:\r\nData Encrypted for Impact [T1486], Service Stop [T1489]\r\nCORTEX XSOAR\r\nDeploy XSOAR Playbook - Ransomware Manual for incident response.\r\n†These capabilities are part of the NGFW security subscriptions service\r\nNote: This is not an all-inclusive list of the protections provided by Palo Alto Networks. This is a subset of our\r\ncurrent Courses of Action initiative and will be updated as the project progresses.\r\nConclusion\r\nLockBit 2.0, and its evolution over time, is a perfect example of the persistence, increasing complexity\r\nand impact brought by the ransomware landscape as a whole. With claims of this RaaS offering the fastest\r\nencryption on the ransomware market, coupled with the fact that it has been delivered in high volume by\r\nexperienced affiliates, this RaaS poses a significant threat. 
LockBit’s continued operations and its next\r\niteration coming up on the horizon mean that organizations and their security teams need to stay vigilant in the\r\never-evolving threat landscape.\r\nPalo Alto Networks detects and prevents LockBit 2.0 ransomware in the following ways:\r\nWildFire: All known samples are identified as malware.\r\nCortex XDR:\r\nIdentifies indicators associated with LockBit 2.0.\r\nAnti-Ransomware Module to detect LockBit 2.0 encryption behaviors on Windows.\r\nLocal Analysis detection for LockBit 2.0 binaries on Windows.\r\nNext-Generation Firewalls: DNS Signatures detect the known C2 domains, which are also categorized as\r\nmalware in Advanced URL Filtering.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their\r\ncustomers and to systematically disrupt malicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nAppendix A\r\nIn August 2021, a Russian blogger published a 22-minute interview with an alleged representative of the group\r\nbehind LockBit 2.0 called “LockBitSupp” on a YouTube channel called “Russian-language open source\r\nintelligence (OSINT).” The same Russian blogger previously published interviews with a representative of the\r\ngroup behind the REvil ransomware-as-a-service (RaaS), hackers and security experts.\r\nSome key takeaways from the claims made in the interview were:\r\nThe LockBit 2.0 threat actor claimed the group’s RaaS was unlikely to be rebranded since the team\r\nallegedly was a business that was honest with their customers – suggesting a supposed contrast between\r\nLockBit 2.0 and Avaddon, DarkSide and REvil affiliates.\r\nThe LockBit 2.0 ransomware disregarded keyboard layout, but it allegedly would not run on a host where\r\nthe system language was set to any of the languages spoken in the Commonwealth of Independent States\r\nregion.\r\nThe group did not devise attacks on companies of their choice; they simply worked with initial access to\r\nany corporate network they obtained elsewhere, since this was more profitable and saved time. The team\r\nselected targets for ransomware attacks based on the company’s finances — the bigger, the better. The\r\nlocation also did not matter. However, team members allegedly did not attack healthcare facilities, social\r\nservices, educational institutions and charitable organizations or any other organization that “contributed to\r\nthe survival of the human race.” [Note that Unit 42 case data does include indications that threat actors\r\nusing LockBit 2.0 have targeted healthcare organizations at times.]\r\nThe threat actor claimed that the largest number of victims who paid ransom were company representatives\r\nwho did not care about creating backup copies and did not protect their sensitive data. 
According to the\r\nthreat actor’s claims, companies that violated regulations about collecting and handling customer or user\r\npersonal information were among those eager to pay. The threat actor claimed that there generally were\r\nonly a few companies who refused to pay ransom on principle, while most of the victims evaluated profit\r\nand loss to decide whether or not to pay a ransom.\r\nLockBit 2.0 operators allegedly almost always offered discounts to their victims since the goal was to\r\nstreamline attacks.\r\nThe threat actor claimed that the COVID-19 pandemic facilitated ransomware attacks significantly, saying\r\nit was easy to compromise home computers of employees who work remotely and use them as a\r\nspringboard to access other networked systems.\r\nCompanies in Europe and the U.S. were hit with ransomware much more often than companies based in\r\nother countries allegedly because of high profit and insurance and not because of language barriers.\r\nRansomware operators usually recruit negotiators, who coerce victims to pay ransom, since professional\r\npenetration testers allegedly lack the time for chatter.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/lockbit-2-ransomware/"
	],
	"report_names": [
		"lockbit-2-ransomware"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434243,
	"ts_updated_at": 1775791944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13cdd4e99bf7672de346ea5f7823cfedc12ad3d0.pdf",
		"text": "https://archive.orkl.eu/13cdd4e99bf7672de346ea5f7823cfedc12ad3d0.txt",
		"img": "https://archive.orkl.eu/13cdd4e99bf7672de346ea5f7823cfedc12ad3d0.jpg"
	}
}