{
	"id": "2952732b-7225-4f02-8855-a9b9d57ee34a",
	"created_at": "2026-04-06T01:30:33.841847Z",
	"updated_at": "2026-04-10T03:20:16.568015Z",
	"deleted_at": null,
	"sha1_hash": "43bd982e1616f990c036eb549859da64065458e4",
	"title": "LockBit: response and recovery actions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 169168,
	"plain_text": "LockBit: response and recovery actions\r\nArchived: 2026-04-06 01:14:58 UTC\r\nLockBit is a ransomware family that has evolved significantly since it first appeared in 2020. Its best-known variant, LockBit 3.0 (also called LockBit Black), stands out from its predecessors for its sophistication and its improved ability to evade detection and security controls. This release introduced more robust encryption, more advanced data exfiltration, and a more refined ransomware-as-a-service (RaaS) structure that has attracted a growing number of affiliates.\r\nReleased at the end of June 2022, LockBit 3.0 quickly established itself as one of the most damaging ransomware families of its generation. Since its launch it has targeted key infrastructure around the world, especially in the US and Europe, including government entities, banks, critical communication networks, factories, large consultancies and, particularly worryingly, the healthcare sector. In terms of the number of attacks, its impact has been surpassed only by its predecessor, LockBit 2.0.\r\nOne of its most novel features was the launch of its own bug bounty program, the first time this strategy had been observed in a ransomware operation. This underscores the professionalization of the groups behind LockBit and represents a shift in how these actors try to recruit outside security expertise to keep their operation running.\r\n[Figure: Most successful ransomware attack campaigns in 2022]\r\nOn February 20, 2024, in an international operation, law enforcement from 11 countries coordinated the seizure of several darknet domains operated by the LockBit group, exploiting a critical vulnerability in PHP. 
The leak site is currently unavailable following its takedown by the authorities.\r\nhttps://www.incibe.es/en/incibe-cert/blog/lockbit-response-and-recovery-actions\r\nPage 1 of 6\n\nCharacteristics\r\nMotivation\r\nAlthough its Russian origin also raises geostrategic questions, LockBit's main motivation has been financial gain through extortion. It relies on double extortion: data is exfiltrated before encryption and the group threatens to publish it if the ransom is not paid, so that restoring from backups removes the availability impact but not the leverage.\r\n[Figure: Instances observed by ANSSI per LockBit variant between 2020 and 2023]\r\nInfection and spread\r\nIts initial-access techniques have also evolved and been refined with each release, ranging from abuse of insecure remote connections to phishing e-mails carrying malicious content. In addition, LockBit has throughout its history been characterized by a very large arsenal of exploits.\r\nAmong the most representative CVEs linked to this malware are: ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), PaperCut (CVE-2023-27350), BlueKeep (CVE-2019-0708), Log4Shell in Apache Log4j (CVE-2021-44228) and Citrix Bleed (CVE-2023-4966).\r\nTrend Micro identified two different execution scenarios for LockBit 3.0, although there may be many more variants.\r\n[Figure: LockBit 3.0 execution scenarios]\r\nBlueKeep/Log4j/RDP scenario: In this scenario, attackers exploited known vulnerabilities such as BlueKeep, which affects unpatched Remote Desktop Services on older Windows versions, and Log4Shell, a vulnerability in the Log4j Java logging library, as well as insecurely configured Remote Desktop Protocol (RDP) services, to obtain an initial foothold in the system or network. 
Once inside, they used a loader to download and install a Cobalt Strike agent, which established a persistent presence, allowed lateral movement and prepared the final phase of the attack: the deployment of LockBit 3.0.\r\nSocGholish drive-by download scenario: This path required victims to have been infected beforehand by visiting a compromised website that triggered an unwanted download and execution (drive-by download) of the SocGholish malware. SocGholish acted as the entry point for downloading further tools, such as a Cobalt Strike Beacon (Cobeacon), and for enabling remote access over RDP. It also led to the execution of reconnaissance tools such as BloodHound and Seatbelt to map the network and the trust relationships within Active Directory, enabling a more targeted and effective attack. This scenario likewise culminated in the deployment of LockBit 3.0.\r\nLockBit 3.0 operations have relied on a variety of open-source and third-party tools. These include archiving tools such as 7-Zip to bundle data before exfiltration (and make it less conspicuous to content inspection), network scanners such as Advanced IP Scanner and Advanced Port Scanner to map victim networks and find access paths, and remote management software such as AnyDesk and TeamViewer to control victims' devices remotely. It has also used specialized security and system administration tools, such as BloodHound to map Active Directory relationships and attack paths, and Mimikatz to extract credentials from the system. This arsenal lets affiliates evade defenses, gain elevated privileges, exfiltrate data and move laterally within compromised networks. 
The group has also developed its own tooling, such as StealBit for automated data exfiltration.\r\nEvasion of detection and recovery\r\nBefore starting the encryption process, LockBit 3.0 performs several actions to ensure its effectiveness:\r\nTerminates specific services and processes: It detects and terminates a number of processes and services related to security products, backup software, database engines and other applications that could stop the encryption or hold files open. For example, it stops antivirus services, backup agents and running databases so that critical files can be encrypted without interference, terminating processes through the native NtTerminateProcess API, a choice intended to evade monitoring of the higher-level Win32 calls.\r\nDisables and alters security services: It modifies system settings to disable security tools capable of detecting it. A notable case is the disabling of Windows Defender through registry changes, or the stopping of services belonging to other security products, so that the ransomware can operate without being discovered or blocked.\r\nDeletes Volume Shadow Copies: LockBit 3.0 removes shadow copies through Windows Management Instrumentation (WMI), invoked via COM objects rather than by launching vssadmin.exe, which leaves no telltale child process and makes it harder for victims to recover files locally.\r\nDeletes and alters logs: After carrying out its operations, the ransomware erases or modifies Windows event logs to hinder forensic investigation and post-infection analysis. It also empties the Recycle Bin.\r\nLockBit 3.0 interacts with Windows APIs through threads rather than calling the APIs directly, most likely to complicate analysis by researchers.\r\n
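The pre-encryption actions described above leave traces in standard Windows telemetry. The Python script below is an added example, not code from the INCIBE post or from any LockBit tooling: it runs four detection rules over a handful of constructed event records (a flattened form of Sysmon, Security and System events, with assumed hostnames, timestamps, service names and simplified registry path separators) and raises an alert for a host where at least two distinct rules fire within a short window. The command-line rule covers the vssadmin/wmic forms of shadow-copy deletion; the in-process WMI-over-COM path the post describes spawns no process, so catching it needs WMI-Activity or EDR telemetry rather than process creation events.

```python
from collections import defaultdict

# Constructed sample records (not real telemetry): a flattened form of Sysmon,
# Security and System events. Hostnames, times and service names are assumed,
# and registry paths use forward slashes for simplicity.
SAMPLE_EVENTS = [
    {'Host': 'ws01', 'Time': 1000, 'Channel': 'Sysmon', 'EventID': 1,
     'CommandLine': 'svchost.exe -k netsvcs'},
    {'Host': 'ws01', 'Time': 1010, 'Channel': 'Sysmon', 'EventID': 1,
     'CommandLine': 'wmic.exe shadowcopy delete'},
    {'Host': 'ws01', 'Time': 1012, 'Channel': 'Sysmon', 'EventID': 13,
     'TargetObject': 'HKLM/SOFTWARE/Policies/Microsoft/Windows Defender/DisableAntiSpyware',
     'Details': 'DWORD (0x00000001)'},
    {'Host': 'ws01', 'Time': 1020, 'Channel': 'System', 'EventID': 7036,
     'Message': 'The Veeam Backup Service service entered the stopped state.'},
    {'Host': 'ws01', 'Time': 1300, 'Channel': 'Security', 'EventID': 1102,
     'Message': 'The audit log was cleared.'},
    # A second host with a routine log clear and an unrelated Run-key write.
    {'Host': 'srv02', 'Time': 2000, 'Channel': 'Security', 'EventID': 1102,
     'Message': 'The audit log was cleared.'},
    {'Host': 'srv02', 'Time': 2100, 'Channel': 'Sysmon', 'EventID': 13,
     'TargetObject': 'HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run/Updater',
     'Details': 'C:/Tools/updater.exe'},
]

# Assumed watchlist of service-name fragments worth alerting on when stopped.
SERVICE_KEYWORDS = ('defender', 'veeam', 'backup', 'sql', 'exchange', 'sophos')


def is_shadow_copy_deletion(ev):
    '''vssadmin/wmic style shadow-copy removal visible in a process command line.'''
    cmd = ev.get('CommandLine', '').lower()
    return (('shadowcopy' in cmd and 'delete' in cmd)
            or ('vssadmin' in cmd and 'delete shadows' in cmd)
            or 'win32_shadowcopy' in cmd)


def is_defender_disabled(ev):
    '''Sysmon 13 (RegistryEvent SetValue) turning a Defender policy switch on (1).'''
    if ev.get('Channel') != 'Sysmon' or ev.get('EventID') != 13:
        return False
    key = ev.get('TargetObject', '').lower()
    return ('windows defender' in key
            and any(v in key for v in ('disableantispyware', 'disablerealtimemonitoring'))
            and '0x00000001' in ev.get('Details', ''))


def is_log_cleared(ev):
    '''Security 1102 (audit log cleared) or System 104 (event log cleared).'''
    return (ev.get('Channel'), ev.get('EventID')) in {('Security', 1102), ('System', 104)}


def is_protected_service_stopped(ev):
    '''System 7036 state change reporting a watched service entering the stopped state.'''
    if ev.get('Channel') != 'System' or ev.get('EventID') != 7036:
        return False
    msg = ev.get('Message', '').lower()
    return 'stopped state' in msg and any(k in msg for k in SERVICE_KEYWORDS)


RULES = {
    'shadow_copy_deletion': is_shadow_copy_deletion,
    'defender_disabled_via_registry': is_defender_disabled,
    'event_log_cleared': is_log_cleared,
    'security_or_backup_service_stopped': is_protected_service_stopped,
}


def match_events(events):
    '''Return one (host, time, rule_name) tuple per rule hit.'''
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((ev['Host'], ev['Time'], name))
    return hits


def correlate(events, window=600, min_rules=2):
    '''Alert per host when at least min_rules distinct rules fire within window seconds.

    One rule on its own is noisy (an admin clearing a log, a service restart);
    several of these steps in quick succession is the pre-encryption pattern.
    '''
    by_host = defaultdict(list)
    for host, t, name in match_events(events):
        by_host[host].append((t, name))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            names = {n for t, n in hits[i:] if t - t0 <= window}
            if len(names) >= min_rules:
                alerts[host] = sorted(names)
                break
    return alerts


if __name__ == '__main__':
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(host, 'pre-encryption activity:', ', '.join(rules))
```

Run as-is, the script alerts only on ws01, where four of the rules fire within five minutes, and stays quiet on srv02, whose single log-clear event is the kind of thing an administrator does routinely. Tune the window, the minimum rule count and the service watchlist to your own environment before relying on it.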
Multithreading also lets the ransomware run many encryption tasks in parallel, which speeds up the attack and shortens the window in which it can be detected and interrupted.\r\nEncryption\r\nLockBit 3.0 ships in packed form and decrypts itself at runtime with RC4: a password supplied on the command line when the sample is launched is fed to the RC4 key-scheduling algorithm (KSA), and without the correct password the payload cannot be unpacked, which also frustrates sandbox analysis. The unpacking proceeds in several layers, each stage applying RC4 to reveal the next, and ends by resolving the Windows API functions the payload needs, completing its preparation for the attack. For the files themselves it uses symmetric ciphers, AES-256 and ChaCha20 (ChaCha20 performing well on hardware without AES acceleration), while RSA-2048 is used to encrypt the symmetric keys so that only the holder of the corresponding private key can recover them.\r\nResponse \u0026 Disinfection\r\nOn the NoMoreRansom platform there is a disinfection suite for version 3.0, developed by the Japanese police on the basis of international cooperation. It is based on decryption keys recovered by law enforcement agencies (around 1,000) and not on any weakness in the LockBit 3.0 ransomware itself, so recoverability is limited to victims whose keys were among those seized. The package, called \"Decryption Checker for LockBit.zip\", in its version 0.5, offers two tools:\r\nThe first tool, Decryption ID Checker (the check_decryption_id.exe binary), compares the victim's decryption ID against the keys known to the authorities and, where there is a match, provides instructions for obtaining a decryption solution. The steps are:\r\nPreparation: No special preparation is required beyond access to a Windows system from which the tool will be run.\r\nRun: From the Windows Command Prompt (cmd) or PowerShell, change to the directory containing the download and run check_decryption_id.exe. When prompted, enter the unique decryption ID from the ransom note.\r\nResult: If the ID matches the database of known decryption keys, the tool reports that a decryption key is available and gives instructions on how to proceed.\r\nThe second tool, Check Decrypt for LockBit 3.0 (the check_decrypt.exe binary), collects diagnostic information from the system and evaluates whether the encrypted files can be partially decrypted; it does not guarantee complete recovery. The steps to run it are:\r\nPreparation: You need access to a Windows terminal on the system holding the encrypted files.\r\nRun: From a command console or PowerShell, change to the folder containing check_decrypt.exe and run it with its two required arguments: check_decrypt.exe \u003cpath_to_encrypted_files\u003e \u003ccommon_lockbit_extension\u003e. The LockBit extension replaces the original file extension with a 9-character string. For example:\r\nE:\\check_decrypt.exe \"D:\\data\\lockbit_encrypted\" \"xE9thWXg6\"\r\nDuring execution, status information is printed to the console, including the number of files found with the given extension and the progress of the analysis.\r\nResult: On completion, a CSV file is written to the directory from which the command was run, summarizing every analyzed file; it is useful for determining which files may be recoverable. If decryptable files are detected, the tool reports how many files can be decrypted together with contact details for further instructions. If none are found, it reports that no decryptable files were found.\r\nAlthough the scope of the current recovery tools is limited, the large amount of data seized from the malware's servers raises the expectation that new tools with greater capabilities may be developed to recover files that cannot be recovered today.\r\nConclusions\r\nThe analysis of LockBit 3.0 underscores the importance of research and development within the cybersecurity community, which has shown its resilience and adaptability in the face of such threats. International police collaboration is a fundamental pillar in the fight against cybercrime, allowing a more agile and coordinated response through the exchange of intelligence and resources.\r\nAt the same time, the increasing complexity of these attacks highlights the urgent need to strengthen cybersecurity awareness and preparedness, equipping organizations and individuals with the tools and knowledge needed for early detection and effective response. Together, these elements make up the comprehensive, proactive approach needed to navigate and mitigate risk in today's threat environment.\r\nSource: https://www.incibe.es/en/incibe-cert/blog/lockbit-response-and-recovery-actions",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.incibe.es/en/incibe-cert/blog/lockbit-response-and-recovery-actions"
	],
	"report_names": [
		"lockbit-response-and-recovery-actions"
	],
	"threat_actors": [],
	"ts_created_at": 1775439033,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/43bd982e1616f990c036eb549859da64065458e4.pdf",
		"text": "https://archive.orkl.eu/43bd982e1616f990c036eb549859da64065458e4.txt",
		"img": "https://archive.orkl.eu/43bd982e1616f990c036eb549859da64065458e4.jpg"
	}
}