{
	"id": "29a402b5-a75c-43ab-844e-ac70f84c1179",
	"created_at": "2026-04-06T00:21:13.937009Z",
	"updated_at": "2026-04-10T03:20:05.501867Z",
	"deleted_at": null,
	"sha1_hash": "3bef811b7032bcc544185cba369f138bae0ab806",
	"title": "Meet LockBit: The Most Prevalent Ransomware in 2022 | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2646986,
	"plain_text": "Meet LockBit: The Most Prevalent Ransomware in 2022 |\r\nFortiGuard Labs\r\nPublished: 2023-07-10 · Archived: 2026-04-05 16:32:48 UTC\r\nAffected platforms: Microsoft Windows, Linux, ESXi, MacOS\r\nImpacted parties: Microsoft Windows, Linux, ESXi, and MacOS Users\r\nImpact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption and not to leak stolen files\r\nSeverity level: High\r\nOn June 14th, 2023, the CISA, FBI, MS-ISAC, and multiple international cyber security organizations released a\r\njoint advisory for the LockBit ransomware. This ransomware group has been active since early 2020, targeting\r\norganizations across numerous industries, including energy and government sectors. According to the advisory,\r\nLockBit was the most active ransomware in 2022.\r\nThis blog provides insights into the LockBit Group's activities over the past few years.\r\nWhat is LockBit?\r\nLockBit is a ransomware group that has been active since early 2020 (the active period goes back to 2019 if its\r\npredecessor “ABCD ransomware” is included in the “LockBit” family) providing Ransomware-as-a-Service\r\n(RaaS) to for-hire online criminals known as affiliates. The affiliates’ job is to select and infiltrate victim\r\norganizations and deploy the ransomware provided by the LockBit developer.\r\nThe developer has consistently worked to improve the ransomware: LockBit 2.0 (also known as LockBit Red) was\r\nreleased in mid-2021, and LockBit 3.0 (also known as LockBit Black) became available in early 2022. The latest\r\nLockBit ransomware variant, “LockBit Green,” appeared in early 2023. While the LockBit ransomware initially\r\nonly supported the Windows platform, the LockBit threat actor group added support for Linux/VMware/ESXi and\r\nmacOS platforms in 2021 and 2023, respectively. The group also works with partners who want to sell exfiltrated\r\ndata but do not want to encrypt victims' files.\r\nFigure 1. 
LockBit’s active period as of June 21st, 2023, seen on its data leak site\r\nLockBit uses a dual extortion tactic, demanding that victims pay a ransom to recover their files and not release the\r\nstolen information to the public. LockBit is also believed to threaten Distributed Denial of Service (DDoS) attacks\r\nagainst victims if the demanded ransom is not paid.\r\nhttps://www.fortinet.com/blog/threat-research/lockbit-most-prevalent-ransomware\r\nPage 1 of 28\n\nDue to its prevalence and popularity among cybercriminals, FortiGuard Labs has published several blogs and\r\nthreat signals for LockBit ransomware:\r\nBlog\r\nCan You See It Now? An Emerging LockBit Campaign\r\nRansomware Roundup: LockBit, BlueSky, and More\r\nThreat Signal\r\n#StopRansomware: LockBit 3.0 (AA23-075A)\r\nLockBit 2.0 Ransomware as a Service (RaaS) Incorporates Enhanced Delivery Mechanism via Group\r\nPolicy\r\nAs a RaaS, the LockBit operator offers its affiliates a variety of options for splitting the ransom fee. 
The ransom\r\npayment is typically split 1:4 between the LockBit operator and the affiliates.\r\nUsing the features provided by the LockBit operator, its affiliates can perform a variety of activities, including:\r\nCreate private chat rooms to communicate with victim organizations\r\nUse a custom “StealBit” stealer for data exfiltration\r\nUpload images, data, and communication history with victim organizations to the LockBit blog (data leak\r\nsite)\r\nSet exceptions for computer names, file names, and file extensions that are not to be encrypted\r\nShut down and remove Windows Defender\r\nRun the ransomware in SafeMode\r\nDelete shadow copies\r\nIt also has “do not target” and approved “target” industry lists for file encryption and data exfiltration.\r\nAffiliates are NOT allowed to encrypt files belonging to critical infrastructure, such as\r\nnuclear/thermal/hydroelectric power plants, gas and oil pipelines, oil production stations, and refineries.\r\nHowever, affiliates are allowed to steal data from such organizations without encrypting files.\r\nAffiliates are NOT allowed to attack post-Soviet countries: Armenia, Belarus, Georgia, Kazakhstan,\r\nKyrgyzstan, Latvia, Lithuania, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan, Ukraine, and\r\nEstonia.\r\nAffiliates ARE allowed to target non-profit organizations\r\nAffiliates ARE allowed to target private and for-profit educational institutions\r\nAffiliates ARE allowed to attack medical and pharmaceutical institutions/companies, as long as the attack\r\ndoes not result in death. 
Affiliates are free to steal data without encrypting files.\r\nAffiliates ARE allowed to attack government agencies (as long as they make a profit)\r\nAffiliates ARE ENCOURAGED to attack police stations and law enforcement agencies\r\nPrevalence\r\nData gathered through Fortinet’s FortiRecon service supports the CISA advisory's claim that LockBit was the most\r\nactive ransomware in 2022. According to our internal research, LockBit ransomware accounted for approximately\r\n50% of the 3,298 ransomware incidents we observed in 2022.\r\nFigure 2. FortiRecon’s ransomware trends from January 1st, 2022, to December 31st, 2022\r\nLockBit ransomware victim organizations are spread across several industries. As explained, the LockBit operator\r\nimposes \"do not attack\" rules for specific industries and countries. However, it's up to each affiliate to follow the\r\nrules.\r\nHistory of LockBit Ransomware\r\nABCD ransomware\r\nABCD ransomware, which first appeared in September 2019, is believed to be the predecessor of LockBit\r\nransomware. Unlike its slightly more sophisticated successor, ABCD ransomware only allows victims to contact it\r\nusing email. The ransomware also deletes shadow copies by running the command vssadmin delete shadows /all\r\n/quiet \u0026 wmic shadowcopy delete, making it difficult to recover files.\r\nFortiGuard Labs found what appears to be an even earlier version of the ABCD ransomware (SHA2:\r\n49c0acf512146620dd26f515804324c8e4b4cc8eb8b9ab5d9c57e201241bc7ae). While this variant encrypts files, its\r\nransom note only contains the victim's personal ID.\r\nFigure 3. 
LockBit’s encrypted files and test ransom note\r\nThe transition can be seen in a subsequent ABCD ransomware sample (SHA2:\r\nc8205792fbc0a5efc6b8f0f2257514990bfaa987768c4839d413dd10721e8871). This sample drops a ransom note,\r\n“Restore-My-Files.txt,” and changes the desktop wallpaper. Both refer to LockBit, but encrypted files still have a\r\n\".abcd\" extension. It's also worth noting that the LockBit operator set up a data leak site on TOR.\r\nFigure 4. ABCD ransomware sample referencing LockBit\r\nLockBit\r\nABCD ransomware was rebranded as LockBit in January 2020. This new LockBit variant changes the file\r\nextensions of encrypted files to \".lockbit\" instead of \".abcd\".\r\nFigure 5. Files encrypted by LockBit ransomware\r\nIt drops a ransom note with the same name as the ABCD ransomware, and communication was centralized on the\r\nTOR website rather than via email.\r\nFigure 6. LockBit ransom note\r\nThis LockBit variant also replaces the desktop wallpaper on compromised machines to indicate the presence of the\r\nransom note. The threat actor appears to have been using two different wallpapers.\r\nFigure 7. Desktop wallpaper replaced by LockBit ransomware\r\nFigure 8. Another desktop wallpaper replaced by LockBit ransomware\r\nLockBit 2.0 (LockBit Red)\r\nLockBit ransomware was updated to LockBit 2.0 (also known as LockBit Red) in mid-2021. This new variant still\r\nappends a \".lockbit\" extension to the files it encrypts but now uses a red file icon that mimics the shape of a B.\r\nFigure 9. Files encrypted by LockBit 2.0 (LockBit Red)\r\nFigure 10. 
LockBit 2.0 file icon\r\nLockBit 2.0 displays a ransom note on the desktop and a text file called Restore-My-Files.txt. This time, the\r\nLockBit threat actor added an alternate website that can be accessed through regular web browsers.\r\nFigure 11. Desktop wallpaper replaced by LockBit 2.0\r\nFigure 12. LockBit 2.0 ransom note\r\nLockBit Linux-ESXi Locker\r\nIn October 2021, the LockBit developer released a new LockBit ransomware variant designed to work on Linux\r\nand ESXi virtual machines. Like the Windows version, this new LockBit variant encrypts files on compromised\r\ndevices and leaves a ransom note called \"restore-my-files.txt.\"\r\nLockBit 3.0 (March 2022~)\r\nLockBit 3.0 was released in March 2022. This variant appends a random 9-character file extension instead of the\r\n\".lockbit\" extension used by the two previous LockBit variants. It also changes the file icon of the encrypted files\r\nto a black file icon that mimics the shape of a B.\r\nFigure 13. Files encrypted by LockBit 3.0 (LockBit Black)\r\nFigure 14. LockBit 3.0 file icon\r\nLockBit 3.0 drops a ransom note labeled \"[random nine letters]_README_txt.\" The threat actor also set up more\r\nmirror TOR and regular websites in case they become inaccessible. This turned out to be the right move, as in\r\nmid-2022, reported distributed denial-of-service (DDoS) attacks took down LockBit's leak sites. The group also\r\nadded 'Tox' and 'Jabber' as alternative communication methods for victims. 
Another noteworthy addition was an\r\nadvertisement for victims, in which the LockBit group seeks insiders willing to provide internal information and\r\naccess to the corporate network.\r\nFigure 15. LockBit 3.0 ransom note\r\nIt also replaces the desktop wallpaper with a reference to the dropped ransom note.\r\nFigure 16. Desktop wallpaper replaced by LockBit 3.0\r\nLockBit Green\r\nThe latest LockBit ransomware variant, \"LockBit Green,\" appeared in January 2023. LockBit Green now appends a random\r\n8-character extension to the files it encrypts and leaves a ransom note titled \"!!!-\r\nRestore-My-Files-!!!.txt\". This new variant also contains a new encryption tool based on the leaked Conti source\r\ncode.\r\nFigure 17. Files replaced by LockBit Green\r\nFigure 18. LockBit Green ransom note\r\nThe comprehensive LockBit Green ransom note is reproduced below, as the ransom note dropped by the\r\nransomware is badly formatted.\r\n~~~ LockBit 3.0 the world’s fastest and most stable ransomware from 2019~~~\r\n\u003e\u003e\u003e\u003e\u003e Your data is stolen and encrypted.\r\nIf you don’t pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your\r\ndata appears on our leak site, it could be bought by your competitors at any second, so don’t hesitate for a long\r\ntime. 
The sooner you pay the ransom, the sooner your company will be safe.\r\nTor Browser Links:\r\nhxxp://lockbitapt[redacted][.]onion\r\nhxxp://lockbitapt[redacted][.]onion\r\nhxxp://lockbitapt[redacted][.]onion\r\nhxxp://lockbitapt[redacted][.]onion\r\nhxxp://lockbitapt[redacted][.]onion\r\nhxxp://lockbitapt[redacted][.]onion\r\nhxxp://lockbitapt[redacted][.]onion\r\nhxxp://lockbitapt[redacted][.]onion\r\nhxxp://lockbitapt[redacted][.]onion\r\nLinks for normal browser:\r\nhxxp://lockbitapt[redacted][.]onion.ly\r\nhxxp://lockbitapt[redacted][.]onion.ly\r\nhxxp://lockbitapt[redacted][.]onion.ly\r\nhxxp://lockbitap[redacted][.]onion.ly\r\nhxxp://lockbitapt[redacted][.]onion.ly\r\nhxxp://lockbitapt[redacted][.]onion.ly\r\nhxxp://lockbitapt[redacted][.]onion.ly\r\nhxxp://lockbitapt[redacted][.]onion.ly\r\nhxxp://lockbitapt[redacted][.]onion.ly\r\n\u003e\u003e\u003e\u003e\u003e What guarantee is there that we won’t cheat you?\r\nWe are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We\r\nare not a politically motivated group and we want nothing more than money. If you pay, we will provide you with\r\ndecryption software and destroy the stolen data. After you pay the ransom, you will quickly make even more\r\nmoney. Treat this situation simply as a paid training for your system administrators, because it is due to your\r\ncorporate network not being properly configured that we were able to attack you. Our pentest services should be\r\npaid just like you pay the salaries of your system administrators. Get over it and pay for it. If we don’t give you a\r\ndecryptor or delete your data after you pay, no one will pay us in the future. 
You can get more information about\r\nus on Ilon Musk’s Twitter hxxps://twitter[.]com/hashtag/[redacted]?f=live\r\n\u003e\u003e\u003e\u003e\u003e You need to contact us and decrypt one file for free on TOR darknet sites with your personal ID\r\nDownload and install Tor Browser hxxps://www.torproject[.]org/\r\nWrite to the chat room and wait for an answer, we’ll guarantee a response from you. If you need a unique ID for\r\ncorrespondence with us that no one will know about, tell it in the chat, we will generate a secret chat for you and\r\ngive you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have\r\nto wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around\r\nthe world.\r\nTor Browser personal link available only to you (available during a ddos attack):\r\nhxxp://lockbitsup[redacted][.]onion\r\nTor Browser Links for chat (sometimes unavailable due to ddos attacks):\r\nhxxp://lockbitsup[redacted][.]onion\r\nhxxp://lockbitsup[redacted][.]onion\r\nhxxp://lockbitsup[redacted][.]onion\r\nhxxp://lockbitsup[redacted][.]onion\r\nhxxp://lockbitsup[redacted][.]onion\r\nhxxp://lockbitsup[redacted][.]onion\r\nhxxp://lockbitsupt[redacted][.]onion\r\nhxxp://lockbitsup[redacted][.]onion\r\nhxxp://lockbitsup[redacted][.]onion\r\n\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\r\n\u003e\u003e\u003e\u003e\u003e Your personal ID: [redacted] 
\u003c\u003c\u003c\u003c\u003c\r\n\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\u003e\r\n\u003e\u003e\u003e\u003e\u003e Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files!\r\n\u003e\u003e\u003e\u003e\u003e Don’t go to the police or the FBI for help and don’t tell anyone that we attacked you.\r\nThey won’t help and will only make things worse for you. In 3 years not a single member of our group has been\r\ncaught by the police, we are top notch hackers and we never leave a trail of crime. The police will try to prohibit\r\nyou from paying the ransom in any way. The first thing they will tell you is that there is no guarantee to decrypt\r\nyour files and remove stolen files, this is not true, we can do a test decryption before paying and your data will be\r\nguaranteed to be removed because it is a matter of our reputation, we make hundreds of millions of dollars and\r\nare not going to lose our revenue because of your files. It is very beneficial for the police and FBI to let everyone\r\non the planet know about your data leak because then your state will get the fines budgeted for you due to GDPR\r\nand other similar laws. The fines will be used to fund the police and the FBI, they will eat more sweet coffee\r\ndonuts and get fatter and fatter. The police and the FBI don’t care what losses you suffer as a result of our attack,\r\nand we will help you get rid of all your problems for a modest sum of money. 
Along with this you should know that\r\nit is not necessarily your company that has to pay the ransom and not necessarily from your bank account, it can\r\nbe done by an unidentified person, such as any philanthropist who loves your company, for example, Elon Musk,\r\nso the police will not do anything to you if someone pays the ransom for you. If you’re worried that someone will\r\ntrace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone\r\nfrom your company paid our ransom. The police and FBI will not be able to stop lawsuits from your customers for\r\nleaking personal and private information. The police and FBI will not protect you from repeated attacks. Paying\r\nthe ransom to us is much cheaper and more profitable than paying fines and legal fees.\r\n\u003e\u003e\u003e\u003e\u003e What are the dangers of leaking your company’s data.\r\nFirst of all, you will receive fines from the government such as the GDRP and many others, you can be sued by\r\ncustomers of your firm for leaking information that was confidential. Your leaked data will be used by all the\r\nhackers on the planet for various unpleasant things. For example, social engineering, your employees’ personal\r\ndata can be used to re-infiltrate your company. Bank details and passports can be used to create bank accounts\r\nand online wallets through which criminal money will be laundered. On another vacation trip, you will have to\r\nexplain to the FBI where you got millions of dollars worth of stolen cryptocurrency transferred through your\r\naccounts on cryptocurrency exchanges. 
Your personal information could be used to make loans or buy appliances.\r\nYou would later have to prove in court that it wasn’t you who took out the loan and pay off someone else’s loan.\r\nYour competitors may use the stolen information to steal technology or to improve their processes, your working\r\nmethods, suppliers, investors, sponsors, employees, it will all be in the public domain. You won’t be happy if your\r\ncompetitors lure your employees to other firms offering better wages, will you? Your competitors will use your\r\ninformation against you. For example, look for tax violations in the financial documents or any other violations,\r\nso you have to close your firm. According to statistics, two thirds of small and medium-sized companies close\r\nwithin half a year after a data breach. You will have to find and fix the vulnerabilities in your network, work with\r\nthe customers affected by data leaks. All of these are very costly procedures that can exceed the cost of a\r\nransomware buyout by a factor of hundreds. It’s much easier, cheaper and faster to pay us the ransom. Well and\r\nmost importantly, you will suffer a reputational loss, you have been building your company for many years, and\r\nnow your reputation will be destroyed.\r\nRead more about the GDRP legislation:\r\nhxxps://en.wikipedia[.]org/wiki/General_Data_Protection_Regulation\r\nhxxps://gdpr[.]eu/what-is-gdpr/\r\nhxxps://gdpr-info[.]eu/\r\n\u003e\u003e\u003e\u003e\u003e Don’t go to recovery companies, they are essentially just middlemen who will make money off you and\r\ncheat you.\r\nWe are well aware of cases where recovery companies tell you that the ransom price is 5 million dollars, but in\r\nfact they secretly negotiate with us for 1 million dollars, so they earn 4 million dollars from you. 
If you\r\napproached us directly without intermediaries you would pay 5 times less, that is 1 million dollars.\r\n\u003e\u003e\u003e\u003e Very important! For those who have cyber insurance against ransomware attacks.\r\nInsurance companies require you to keep your insurance information secret, this is to never pay the maximum\r\namount specified in the contract or to pay nothing at all, disrupting negotiations. The insurance company will try\r\nto derail negotiations in any way they can so that they can later argue that you will be denied coverage because\r\nyour insurance does not cover the ransom amount. For example your company is insured for 10 million dollars,\r\nwhile negotiating with your insurance agent about the ransom he will offer us the lowest possible amount, for\r\nexample 100 thousand dollars, we will refuse the paltry amount and ask for example the amount of 15 million\r\ndollars, the insurance agent will never offer us the top threshold of your insurance of 10 million dollars. He will\r\ndo anything to derail negotiations and refuse to pay us out completely and leave you alone with your problem. If\r\nyou told us anonymously that your company was insured for $10 million and other important details regarding\r\ninsurance coverage, we would not demand more than $10 million in correspondence with the insurance agent.\r\nThat way you would have avoided a leak and decrypted your Information. But since the sneaky insurance agent\r\npurposely negotiates so as not to pay for the insurance claim, only the insurance company wins in this situation.\r\nTo avoid all this and get the money on the insurance, be sure to inform us anonymously about the availability and\r\nterms of insurance coverage, it benefits both you and us, but it does not benefit the insurance company. 
Poor\r\nmultimillionaire insurers will not starve and will not become poorer from the payment of the maximum amount\r\nspecified in the contract, because everyone knows that the contract is more expensive than money, so let them\r\nfulfill the conditions prescribed in your insurance contract, thanks to our interaction.\r\nLockBit for MacOS\r\nIn April 2023, samples of LockBit for MacOS were submitted to a public file scanning service. Now that LockBit\r\ncovers all major platforms (Windows, Linux, ESXi, and MacOS), LockBit developers look to stay one step ahead\r\nof competitors and further expand their influence.\r\nEvidence that they plan to take their efforts further was uncovered in late 2022 when a post offering to purchase\r\nthe Raccoon Stealer source code was discovered. This addition to their arsenal would enable them to integrate\r\nknown infostealer code into the LockBit ransomware.\r\nInfection Vector\r\nLockBit's initial access vectors include exploiting vulnerabilities and exposed Remote Desktop Protocol (RDP),\r\ndrive-by compromise, and the use of phishing and spear-phishing emails. 
The LockBit group is also known to\r\npurchase existing access to targeted organizations from initial access brokers on the dark web.\r\nAccording to the CISA advisory, the LockBit ransomware group is reportedly exploiting the following N-day\r\nvulnerabilities:\r\nCVE-2023-0669 (Fortra GoAnywhere MFT License Response Servlet Command Injection)\r\nCVE-2023-27350 (PaperCut NG SetupCompleted Authentication Bypass Vulnerability)\r\nCVE-2021-44228 (Apache Log4j Error Log Remote Code Execution)\r\nCVE-2021-22986 (F5 iControl REST Interface Remote Command Execution Vulnerability)\r\nCVE-2020-1472 (Microsoft Windows Server Netlogon Elevation of Privilege Vulnerability)\r\nCVE-2019-0708 (Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability)\r\nCVE-2018-13379 (FortiOS SSL VPN Web Portal Pathname Information Disclosure Vulnerability)\r\nPlease note that there are patches available for all of these security vulnerabilities.\r\nPost-Infection Activities\r\nAfter LockBit affiliates gain access to victim environments, the attackers move laterally across compromised\r\nnetworks and exfiltrate information using various custom and dual-use tools, such as Stealbit and rclone, living-off-the-land tactics, and publicly available file-sharing services.\r\nLockBit Data Leak Site\r\nLockBit has a data leak site on TOR where LockBit affiliates can post information about victims and their stolen\r\ndata.\r\nFigure 19. LockBit 3.0 data leak site\r\nEach victim has their own page with a countdown timer and examples of stolen information. In some cases,\r\nLockBit threat actors offer to extend the ransom deadline, download stolen information, and destroy all copies for\r\na fee.\r\nFigure 20. 
LockBit 3.0 data leak page\r\nThe LockBit group also offers a file-sharing service that supports files up to 2GB. The service also has options to\r\nautomatically remove uploaded files after 24 hours, seven days, or on the first download, as well as a password\r\nsetting.\r\nFigure 21. LockBit file-sharing service\r\nA data leak page with search functionality is also available.\r\nFigure 22. LockBit 3.0 data leak page\r\nFigure 23. LockBit 3.0 data leak page for the victim company\r\nThe LockBit leak site was initially not as sophisticated as it is today—proof that the LockBit developer has put\r\nmuch effort into improving the site along with improvements to the ransomware code over the years. The figure\r\nbelow of the LockBit Data Leak site is courtesy of id-ransomware.\r\nFigure 24. LockBit Data Leak Site in 2019 (courtesy of id-ransomware)\r\nConclusion\r\nThe LockBit Group has worked hard to improve its services to those who work with them. These efforts have\r\nenabled LockBit to remain at the forefront of the ransomware realm in terms of popularity and prevalence.\r\nIOCs\r\nNote that many LockBit ransomware samples exist due to the high prevalence of the ransomware over several\r\nyears. 
Because of this, this section only contains up to 10 samples from each LockBit generation.\r\nSHA2 Malware\r\n13849c0c923bfed5ab37224d59e2d12e3e72f97dc7f539136ae09484cbe8e5e0 ABCD ransomware\r\n49c0acf512146620dd26f515804324c8e4b4cc8eb8b9ab5d9c57e201241bc7ae ABCD ransomware\r\n4d0113884f70ddbbaf1ee0365602124ba91c11a76ff7bff5908d310aa9d3dfe9 ABCD ransomware\r\nhttps://www.fortinet.com/blog/threat-research/lockbit-most-prevalent-ransomware\r\nPage 21 of 28\n\n6fedf83e76d76c59c8ad0da4c5af28f23a12119779f793fd253231b5e3b00a1a ABCD ransomware\r\n70cb1a8cb4259b72b704e81349c2ad5ac60cd1254a810ef68757f8c9409e3ea6 ABCD ransomware\r\n9595abf24d1fa80a476c2711cd788820e9f75da015c2c8726a0a44bca0444ddf ABCD ransomware\r\nb02d57f1c4f7f233044a56fdc57c89b6cc3661479dccc3b4cfa1f6f9d20cd893 ABCD ransomware\r\nc8205792fbc0a5efc6b8f0f2257514990bfaa987768c4839d413dd10721e8871 ABCD ransomware\r\ncff048ed06cf900170562906bded4a8fd166185a1b785f5ece0e2a842cf52d46 ABCD ransomware\r\nec88f821d22e5553afb94b4834f91ecdedeb27d9ebfd882a7d8f33b5f12ac38d ABCD ransomware\r\n0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76 LockBit ransomware\r\n0e66029132a885143b87b1e49e32663a52737bbff4ab96186e9e5e829aa2915f LockBit ransomware\r\n0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335 LockBit ransomware\r\n0f5d71496ab540c3395cfc024778a7ac5c6b5418f165cc753ea2b2befbd42d51 LockBit ransomware\r\n15a7d528587ffc860f038bb5be5e90b79060fbba5948766d9f8aa46381ccde8a LockBit ransomware\r\n286bffaa9c81abfb938fe65be198770c38115cdec95865a241f913769e9bfd3f LockBit ransomware\r\n410c884d883ebe2172507b5eadd10bc8a2ae2564ba0d33b1e84e5f3c22bd3677 LockBit ransomware\r\n76a77def28acf51b2b7cdcbfaa182fe5726dd3f9e891682a4efc3226640b9c78 LockBit ransomware\r\nhttps://www.fortinet.com/blog/threat-research/lockbit-most-prevalent-ransomware\r\nPage 22 of 28\n\ne3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877 LockBit ransomware\r\nfaa3453ceb1bd4e5b0b10171eaa908e56e7275173178010fcc323fdea67a6869 
LockBit ransomware\r\nProtection\r\nFortiGuard Labs has the following AV signatures in place for the LockBit samples in the IOC section:\r\nW32/Filecoder.NXQ!tr.ransom\r\nW32/LockBit.29EA!tr.ransom\r\nW32/Filecoder.OAN!tr.ransom\r\nW32/Lockbit.C2F8!tr.ransom\r\nW32/Lockbit.K!tr.ransom\r\nW64/GenKryptik.FSFZ!tr.ransom\r\nLinux/Filecoder_LockBit.D!tr\r\nELF/LockBit.D!tr.ransom\r\nLinux/Filecoder.BU!tr\r\nLinux/Filecoder_LockBit.B!tr\r\nLinux/Filecoder_LockBit_AGen.A!tr\r\nLinux/Filecoder_LockBit.A!tr\r\nOSX/Filecoder_Lockbit.A!tr\r\nAdditionally, the following AV signatures are available for LockBit samples:\r\nW32/Filecoder_Lockbit.A!tr\r\nW32/Filecoder_Lockbit.BHHHVJJ!tr.ransom\r\nW32/Filecoder_Lockbit.E!tr\r\nW32/Filecoder_Lockbit.E!tr.ransom\r\nW32/Filecoder_Lockbit.H!tr\r\nW32/Filecoder_Lockbit.H!tr.ransom\r\nW32/Filecoder_Lockbit.I!tr\r\nW32/Filecoder_Lockbit.I!tr.ransom\r\nW32/Filecoder_Lockbit.P!tr.ransom\r\nW32/Filecoder_Lockbit.Q!tr\r\nW32/Filecoder_Lockbit.Q!tr.ransom\r\nW32/Filecoder_Lockbit.R!tr\r\nW32/Filecoder_Lockbit.R!tr.ransom\r\nW32/Filecoder.LOCKBIT!tr\r\nW32/Filecoder.LOCKBIT!tr.ransom\r\nW32/LockBit.20D4!tr.ransom\r\nW32/LockBit.2513!tr.ransom\r\nW32/LockBit.29FC!tr.ransom\r\nW32/Lockbit.2D74!tr.ransom\r\nW32/LockBit.323D!tr.ransom\r\nW32/Lockbit.82C9!tr.ransom\r\nW32/LockBit.921B!tr.ransom\r\nW32/LockBit.B8275!tr.ransom\r\nW32/Lockbit.D!tr.ransom\r\nW32/Lockbit.E!tr.ransom\r\nW32/LockBit.E755!tr.ransom\r\nW32/LockBit.F84F!tr.ransom\r\nW32/Lockbit.P!tr.ransom\r\nW32/Lockbit.R!tr.ransom\r\nW32/Lockbit.VHO!tr.ransom\r\nW32/Predator.LOCKBIT!tr.ransom\r\nW32/Ransom_Lockbit.R002C0DD823\r\nW32/Ransom_Lockbit.R002C0DDP23\r\nW32/Ransom_Lockbit.R002C0DEB23\r\nW32/Ransom_Lockbit.R002C0DEC23\r\nW32/Ransom_Lockbit.R002C0DED23\r\nW32/Ransom_Lockbit.R002C0DF223!tr.ransom\r\nW32/Ransom_Lockbit.R023C0DEA23\r\nW32/Ransom_Win32_LOCKBIT.ENC\r\nW32/Ransom_Win32_LOCKBIT.EOD\r\nW32/Ransom_Win32_LOCKBIT.YXCGT\r\nW32/Ransom_Win32_LOCKBIT.YXCGUT\r\nW32/Ransom_Win32_LOCKBIT.YXCLQZ!tr.ransom\r\nW64/Lockbit.886F!tr.ransom\r\nW64/Lockbit.A!tr.ransom\r\nW64/LockBit.EF55!tr.ransom\r\nHTML/Lockbit.FCBE!tr.ransom\r\nMSIL/Lockbit.96B2!tr.ransom\r\nData/Lockbit!tr.ransom\r\nData/Lockbit.9AFA!tr.ransom\r\nFortiGuard Labs has put the following IPS signatures in place for the vulnerabilities reportedly 
exploited by\r\nLockBit ransomware threat actors:\r\nFortra.GoAnywhere.MFT.LicenseResponseServlet.Command.Injection (CVE-2023-0669)\r\nPaperCut.NG.SetupCompleted.Authentication.Bypass (CVE-2023-27350)\r\nApache.Log4j.Error.Log.Remote.Code.Execution (CVE-2021-44228)\r\nF5.iControl.REST.Interface.Remote.Command.Execution (CVE-2021-22986)\r\nMS.Windows.Server.Netlogon.Elevation.of.Privilege (CVE-2020-1472)\r\nMS.Windows.RDP.Channel.MS_T120.Remote.Code.Execution (CVE-2019-0708)\r\nMS.Windows.Server.NTLM.Relay.Spoofing (CVE-2021-36942)\r\nZK.Framework.Remote.Code.Execution (CVE-2022-36537)\r\nMS.Exchange.Server.Autodiscover.Remote.Code.Execution (CVE-2021-34473)\r\nMS.Exchange.Server.Common.Access.Token.Privilege.Elevation (CVE-2021-34523)\r\nMS.Exchange.MailboxExportRequest.Arbitrary.File.Write (CVE-2021-31207)\r\nFortiOS.SSL.VPN.Web.Portal.Pathname.Information.Disclosure (CVE-2018-13379)\r\nNote: For more information on CVE-2018-13379, see the blog “Prioritizing Patching is Essential for Network\r\nIntegrity.”\r\nFortiGuard Labs Guidance\r\nBecause ransomware can easily disrupt daily operations, damage an organization’s reputation, and destroy or leak\r\npersonally identifiable information (PII), it is vital to keep all AV and IPS signatures up to date.\r\nSince most ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions\r\ndesigned to train users to understand and detect phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness\r\nand vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted\r\nphishing attacks.\r\nOur FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed\r\nto help end users learn how to identify and protect themselves from various types of phishing attacks and can be\r\neasily added to internal training programs.\r\nOrganizations also need to make foundational changes to the frequency, location, and security of their data\r\nbackups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with\r\ndigital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks\r\ncan come from anywhere. Organizations are encouraged to implement cloud-based security solutions, such\r\nas SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and\r\nresponse) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation\r\nstrategies that restrict access to applications and resources based on policy and context. These solutions are proven\r\nto minimize risk and reduce the impact of a successful ransomware attack.\r\nBy operating these solutions as part of the industry's only fully integrated Security Fabric, organizations can also\r\ntake advantage of native synergy and automation across their security ecosystem. Fortinet also provides an\r\nextensive portfolio of technology and human-based as-a-service offerings that can be deployed independently or\r\nas part of the Fortinet Security Fabric. These services are powered by advanced AI-enabled technologies and our\r\nglobal FortiGuard team of seasoned cybersecurity experts.\r\nBest Practices include Not Paying a Ransom\r\nOrganizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom,\r\npartly because payment does not guarantee that files will be recovered. According to a U.S. Department of the\r\nTreasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to\r\ntarget additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit\r\nactivities, and may themselves be illegal. For organizations and individuals affected by ransomware, the FBI has a\r\nRansomware Complaint page where victims can submit samples of ransomware activity via its Internet Crime\r\nComplaint Center (IC3).\r\nHow Fortinet Can Help\r\nFortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is\r\ndetected, and our Incident Readiness Subscription Service provides tools and guidance to help you better prepare\r\nfor a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop\r\nexercises).\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nAI-powered security services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/lockbit-most-prevalent-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/lockbit-most-prevalent-ransomware"
	],
	"report_names": [
		"lockbit-most-prevalent-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434873,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3bef811b7032bcc544185cba369f138bae0ab806.pdf",
		"text": "https://archive.orkl.eu/3bef811b7032bcc544185cba369f138bae0ab806.txt",
		"img": "https://archive.orkl.eu/3bef811b7032bcc544185cba369f138bae0ab806.jpg"
	}
}