{
	"id": "e7db4dd7-dc76-4539-8150-e72e15c52db3",
	"created_at": "2026-04-06T00:22:34.031777Z",
	"updated_at": "2026-04-10T03:21:31.556861Z",
	"deleted_at": null,
	"sha1_hash": "26ffab30b70cfd691204e25578403ce88b339e1b",
	"title": "Cybereason vs. LockBit2.0 Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1866534,
	"plain_text": "Cybereason vs. LockBit2.0 Ransomware\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 20:22:19 UTC\r\nThe Cybereason Nocturnus team has been tracking the LockBit ransomware since it first emerged in September 2019 as a ransomware-as-a-service (RaaS). Following the rise of the new LockBit2.0 and the latest events, including the attack against the global IT company Accenture, we wanted to provide more information about the attack and show how the Cybereason Defense Platform protects customers from this threat.\r\nLockBit2.0 Ransomware Key Details:\r\nEmerging Threat: In a short amount of time, LockBit2.0 ransomware caused great damage and made headlines across the world, with over 40 known victims listed on the group's website.\r\nHigh Severity: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive potential of the attacks.\r\nThe fastest encryption on the market: The group claims that both the LockBit2.0 ransomware and the StealBit info-stealer are the fastest on the market, in encrypting files and in stealing them respectively.\r\nUses group policy update to encrypt the network: LockBit2.0 is the first ransomware to automate the process of executing the ransomware on the entire network with a single command.\r\nPossibly triple extortion?: The group claims to attack Accenture, one of its victims, using DDoS attacks daily.\r\nDetected and Prevented: The Cybereason Defense Platform fully detects and prevents the LockBit2.0 ransomware.\r\nhttps://www.cybereason.com/blog/cybereason-vs.-lockbit2.0-ransomware\r\nPage 1 of 12\r\nCybereason Blocks LockBit2.0 Ransomware\r\nIn August 2021, the group published on their website that they had breached the security company Accenture, and threatened to publish its sensitive information and stolen data.\r\nLockBit2.0 leaked data website\r\nAfter a few days of not publishing the data stolen from Accenture, and of extending their countdown multiple times, the group added this sentence to Accenture’s description: “Dudos every day”, which might imply that they are conducting DDoS activity against Accenture to push them into paying the ransom fee. This tactic is not unique: different ransomware groups have adopted the triple extortion trend, since (apparently) double extortion is sometimes not enough for them.\r\nThe LockBit group is suspected to be operated by Russian speakers. In the past, the group recruited affiliates on Russian hacking forums, but since many hacking forums started to ban ransomware-related threads, the group started recruiting directly on their website. Similar to other Russian-based threat actors, they avoid targeting any victims in former Soviet states.\r\nAccording to the LockBit group, LockBit2.0 is “the fastest encryption software all over the world,” and they are even sharing a test sample on their website, so everyone who “has any doubts” can check their claim:\r\nEncryption speed comparative table as shown in the LockBit2.0 blog\r\nThe ransomware test sample as shown in the LockBit2.0 blog\r\nAccording to the group’s website, there are major improvements in the new version of LockBit2.0, as well as new features. Among the new features are: a port scanner, using Wake-on-LAN to switch on turned-off machines, printing out on network printers and automatic distribution in the domain, which puts corporations and small businesses in great danger:\r\nList of features as shown in the LockBit2.0 blog\r\nLike other ransomware families that have emerged over the years, the LockBit group follows the growing trend of double extortion (and sometimes even triple extortion, as mentioned above). They steal sensitive files and information from their victims, potentially by using another tool from their arsenal called StealBit, and later use it to extort the victims by threatening to publish the data unless the ransom is paid:\r\nIntroducing StealBit in the LockBit2.0 blog\r\nBreaking Down the LockBit Ransomware Attack:\r\nLockBit2.0 Ransomware Infection Vector\r\nSince LockBit mostly relies on affiliates to carry out the operations, different infection vectors have been observed being used to infiltrate a network and install the ransomware. The most commonly seen method is buying Remote Desktop Protocol (RDP) access to servers, but some affiliates also use typical phishing attacks to launch their operations.\r\nAnother interesting approach the LockBit group uses is trying to gain access to corporate networks by recruiting employees who can grant them insider access. They offer “millions of dollars” to corporate insiders who provide access to networks where they have an account. Since the message appears after they have already breached the network, it is most likely targeting external IT/IR consultants who may see the message while responding to the attack, or other people reading about it:\r\nPart of the message targeting corporate insiders\r\nLockBit2.0 Ransomware Data Exfiltrator\r\nOnce the ransomware operator or affiliate makes their way into a network, they begin to collect sensitive information and files and exfiltrate them. One tool that is used for this purpose, and is also offered to affiliates by the LockBit group, is a stealer they named “StealBit”, which, according to the group, is the fastest stealer in the world and automatically sends all the files to the LockBit blog:\r\nPDB found: E:\\work\\proj\\file_sender\\x64\\file_sender.pdb\r\nFirst, the stealer collects information about the environment such as machine name, username, OS version, available disk space and physical and virtual memory status. The stealer then enumerates the logical drives available on the victim's computer, recursively walks through the files in them, collects Office documents and PDF files, encrypts them and sends them to the server via an HTTP POST request to “uploadFile.php”:\r\nWireshark packet showing the communication with the C2 - 1\r\nEach file is sent along with metadata such as the file size, original file name and machine name:\r\nWireshark packet showing the communication with the C2 - 2\r\nAfter exfiltrating the files, the stealer runs a PowerShell command that kills the malware's process and then deletes the malware file from the filesystem:\r\nStealBit as shown in the Cybereason Defense Platform\r\nLockBit2.0 Ransomware Spreading in the Network\r\nLockBit2.0 tries to spread via shared folders. It copies its binary to remote machines and then executes it. In addition, the group mentioned on their website that they provide a port scanner to their affiliates that can detect all DFS, SMB and WebDAV shares, which suggests other ways of spreading in the network.\r\nLockBit2.0 Ransomware Uses Group Policy Update to Encrypt Network\r\nWhen executed on the Domain Controller, the ransomware has the ability to spread in the network using GPO. First, the ransomware will query Active Directory and create a list of machines to which it will attempt to spread. For that it will perform LDAP queries and search for objectCategory=computer. Then, the ransomware will create several new group policies on the domain controller that are then pushed out to every device on the network using the following PowerShell command:\r\nPowerShell.exe -command \"Get-ADComputer -filter * -Searchbase '%s' | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}\"\r\nLockBit2.0 execution as shown in the Cybereason Defense Platform\r\nWindows Event log showing the creation of a new group policy object\r\nOne policy was created for disabling Microsoft Defender's real-time protection, alerts, submitting samples to Microsoft, and default actions when detecting malicious files:\r\nStrings from memory - disabling Windows Defender\r\nAnother group policy was created for the purpose of spreading the ransomware binary and creating persistence on the remote machines to execute it via a scheduled task:\r\nStrings from memory - creation of a scheduled task named “DisplayClibrator”\r\nLockBit2.0 Ransomware Print Bombing Network Printers\r\nAfter LockBit has finished the encryption process, it starts to print-bomb the ransom note to all networked printers, repeatedly printing the ransom note on any connected network printer to get the victim's attention. This feature was previously used by the Egregor ransomware, which caused ransom notes to shoot out of receipt printers:\r\nPrinted ransom notes. Source: BleepingComputer\r\nLockBit2.0 Ransomware Encrypting the Files and Leaving the Ransom Note\r\nOnce the files are encrypted, the ransomware drops the ransom note “Restore-My-Files.txt” in every folder, making sure it is noticeable to the victim. In addition, the icons of the files are replaced with LockBit's icon and the extensions .lock and .lockbit are added to the encrypted files:\r\nEncrypted files by LockBit2.0\r\nTo make sure that the end user wouldn’t miss the message, LockBit also starts a process that is responsible for showing this message:\r\nPop-up message opened by LockBit2.0\r\nIf, by any chance, the end user didn’t see the pop-up message, the new file icons, the ransom notes, or the printed ransom notes, LockBit also changes the desktop background:\r\nDesktop background changed by LockBit2.0\r\nFinally, like most ransomware gangs these days, LockBit sets a deadline for the victim to pay the ransom, and if the deadline passes without payment, they leak the victim's data on their website.\r\nCybereason Detects and Prevents LockBit2.0 Ransomware\r\nThe Cybereason Defense Platform is able to prevent the execution of LockBit2.0 ransomware using multi-layer protection that detects and blocks malware with threat intelligence, machine learning, and next-gen antivirus (NGAV) capabilities. Additionally, when the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform are able to detect and prevent any attempt to encrypt files and generate a Malop™ for it:\r\nRansomware MalOp triggered due to the malicious activity\r\nUsing the Anti-Malware feature with the right configurations (listed in the recommendations below), the Cybereason Defense Platform will also detect and prevent the execution of the ransomware and ensure that it cannot encrypt targeted files. The prevention is based on machine learning, which blocks both known and unknown hashes:\r\nUser notification, blocking the execution of the ransomware on the endpoint\r\nSecurity Recommendations\r\nEnable the Anti-Ransomware Feature on Cybereason NGAV: Set Cybereason Anti-Ransomware protection mode to Prevent - more information for customers can be found here\r\nEnable Anti-Malware Feature on Cybereason NGAV: Set Cybereason Anti-Malware mode to Prevent and set the detection mode to Moderate and above - more information can be found here\r\nKeep Systems Fully Patched: Make sure your systems are patched in order to mitigate vulnerabilities\r\nRegularly Backup Files to a Remote Server: Restoring your files from a backup is the fastest way to regain access to your data\r\nUse Security Solutions: Protect your environment using organizational firewalls, proxies, web filtering, and mail filtering\r\nINDICATORS OF COMPROMISE\r\nOpen the chatbot on the bottom right corner of this report to access the LockBit2.0 ransomware IOCs\r\nMITRE ATT&CK TECHNIQUES\r\nInitial Access: Phishing; Valid Accounts\r\nLateral Movement: Taint Shared Content; Lateral Tool Transfer\r\nPersistence: Scheduled Task/Job; Boot or Logon Autostart Execution\r\nDefense Evasion: Deobfuscate/Decode Files or Information; Masquerading; Domain Policy Modification\r\nDiscovery: Account Discovery; Application Window Discovery; File and Directory Discovery; Process Discovery; System Information Discovery\r\nCommand and Control: Commonly Used Port; Remote File Copy; Standard Application Layer Protocol; Standard Cryptographic Protocol; Standard Non-Application Layer Protocol\r\nImpact: Data Encrypted for Impact; System Shutdown/Reboot\r\nAuthor: LIOR ROCHBERGER, SENIOR THREAT RESEARCHER AND THREAT HUNTER, CYBEREASON\r\nAs part of the Nocturnus team at Cybereason, Lior has created procedures to lead threat hunting, reverse engineering and malware analysis teams. Lior has also been a contributing researcher to multiple threat and malware blogs including Bitbucket, Valak, Ramnit, and Raccoon stealer. Prior to Cybereason, Lior led SOC operations within the Israeli Air Force.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/cybereason-vs.-lockbit2.0-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/cybereason-vs.-lockbit2.0-ransomware"
	],
	"report_names": [
		"cybereason-vs.-lockbit2.0-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434954,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/26ffab30b70cfd691204e25578403ce88b339e1b.pdf",
		"text": "https://archive.orkl.eu/26ffab30b70cfd691204e25578403ce88b339e1b.txt",
		"img": "https://archive.orkl.eu/26ffab30b70cfd691204e25578403ce88b339e1b.jpg"
	}
}