{
	"id": "ad685c04-0a07-4718-a60e-859c821a4dc0",
	"created_at": "2026-04-06T00:14:23.3163Z",
	"updated_at": "2026-04-10T13:11:21.453995Z",
	"deleted_at": null,
	"sha1_hash": "476ea316c666a626304b7c763d1a889eb0e4df52",
	"title": "Ransomware Spotlight: LockBit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1406987,
	"plain_text": "Ransomware Spotlight: LockBit\r\nArchived: 2026-04-02 11:37:19 UTC\r\nThe impact of LockBit and insights from Water Selkie\r\nOur investigation into the intrusion set behind LockBit, which we track as Water Selkie, reveals the effectiveness and impact\r\nof the tactics we have discussed. The key takeaways are the following:\r\nThe malware’s performance is a strong selling point. The malware’s speed and capabilities are widely known\r\nbecause the group uses them as selling points. The threat group’s efforts to publicize their malware’s capabilities have\r\nestablished it as the ransomware with one of the fastest and most efficient encryption methods.\r\nIt considers external pressures and issues faced by its potential targets. Water Selkie’s operators have indicated a\r\npreference for victims in Europe who fear breaching EU’s General Data Protection Regulation (GDPR). They\r\ncontinue to also consider the US to have lucrative targets, but see that data privacy laws can affect their chances of\r\ngetting a successful payout. In general, they are attuned to geopolitical issues that they can use to their advantage.\r\nBanks on the strength of its affiliate program. As mentioned earlier, a contributing factor in LockBit’s success is\r\nhow well it recruits trustworthy and capable affiliates. Evidence also suggests that several of its affiliates are involved\r\nin multiple RaaS operations, which helps Water Selkie innovate and keep up with its competition. In return, Water\r\nSelkie prides itself on its professional operation that can be trusted by affiliates.\r\nIt has more in store for the future. Water Selkie clearly ramped up operations in the second half of 2021. We see\r\nthat the intrusion set will either maintain or increase their level of activity in the first half of 2022. 
Organizations should also expect more supply chain attacks in the future, according to an interview conducted with one of LockBit’s operators.\r\nWith LockBit affiliates likely involved in other RaaS operations, its tactics slipping into those of other ransomware groups isn’t a far-fetched notion. Organizations would therefore benefit from recognizing LockBit’s tactics, techniques, and procedures (TTPs) laid out in the next sections.\r\nTop affected industries and countries\r\nIn this section, we discuss Trend Micro™ Smart Protection Network™ data, which are detections of LockBit attempts to compromise organizations. LockBit has been detected all over the globe, with the US seeing most of the attack attempts from June 2021 to January 20, 2022, followed by India and Brazil. Like many ransomware families, LockBit avoids Commonwealth of Independent States (CIS) countries.\r\nFigure 2. Countries with the highest number of attack attempts per machine for LockBit ransomware (July 1, 2021 to January 20, 2022)\r\nSource: Trend Micro™ Smart Protection Network™ infrastructure\r\nWe saw the most LockBit-related detections in the healthcare industry, followed by the education sector. LockBit threat actors have claimed that they do not attack healthcare, educational, and charity institutions. This “contradictory code of ethics” has been noted by the US Department of Health and Human Services (HHS), which warns the public not to rely on such statements, as these tend to dissolve in the face of easy targets.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit\r\nPage 1 of 9\r\nFigure 3. 
Industries with the highest number of attack attempts per machine for LockBit ransomware (July 1, 2021 to January 20, 2022)\r\nSource: Trend Micro Smart Protection Network infrastructure\r\nOverall, we saw increased LockBit-related activity following the release of LockBit 2.0, peaking in November 2021.\r\nFigure 4. LockBit monthly detections per machine (July 1, 2021 to January 20, 2022)\r\nSource: Trend Micro Smart Protection Network infrastructure\r\nTargeted regions and sectors according to LockBit leak site\r\nIn this section, we examine the number of attacks recorded on LockBit’s leak site, which represents successfully compromised organizations that, as of writing, have refused to pay the ransom. In our foray into the leak site of LockBit operators from December 16, 2021 to January 15, 2022, we observed that they had the highest number of recorded victims among active ransomware groups at 41, followed by Conti at 29. Do note, however, that LockBit has been accused of artificially inflating the number of their victims.\r\nLooking into the list of their victims, it appears that more than half of the organizations are based in North America, followed by Europe and Asia Pacific.\r\nFigure 5. Regional distribution of LockBit victims according to the group’s leak site (December 16, 2021 to January 15, 2022)\r\nLockBit targets organizations indiscriminately, in that their victims come from many more sectors than those of other groups. In the abovementioned time period, they have victims from the financial, professional services, manufacturing, and construction sectors, just to name a few. 
The majority of LockBit’s victims have been either small businesses or small and medium-size businesses (SMBs), at 65.9% and 14.6% respectively, with enterprises comprising only 19.5%. That is at odds with a group like Conti, whose victims were 44.8% enterprises, 34.5% SMBs, and only 20.7% small businesses.\r\nFigure 6. Sector distribution of LockBit victims according to the group’s leak site (December 16, 2021 to January 15, 2022)\r\nIn our observation of the activities within the LockBit leak site for the same time period, the majority of attacks took place during weekdays, approximately 78% of the total, while 22% happened during the weekend.\r\nInfection chain and techniques\r\nOperating as a RaaS, LockBit infection chains show a variety of tactics and tools, depending on the affiliates involved in the attack. Affiliates typically buy access to targets from other threat actors, who in turn obtain it via phishing, exploiting vulnerable apps, or brute forcing remote desktop protocol (RDP) accounts.\r\nHere are some of the observed infection flows of LockBit variants:\r\nFigure 7. A LockBit 1.0 campaign that used PowerShell Empire to perform command and control after gaining access to the system\r\nFigure 8. A LockBit 1.0 campaign that used Microsoft RAS to access other systems\r\nFigure 9. A LockBit 1.0 campaign that used Meterpreter to perform command and control after gaining access to the system\r\nFigure 10. A LockBit 1.0 campaign that did not involve any network scanning, as it directly deployed the payload after gaining access to the system\r\nFigure 11. 
LockBit 2.0 infection chain that uses StealBit for automated data exfiltration\r\nFigure 12. LockBit 3.0 infection chain that uses Cobeacon and KillAV\r\nInitial Access\r\nLockBit operators mostly gain access via compromised servers or RDP accounts that are usually bought or obtained from affiliates.\r\nIn some instances, it arrived via spam email or by brute forcing insecure RDP or VPN credentials.\r\nIt can also arrive via exploitation of the Fortinet VPN vulnerability CVE-2018-13379.\r\nExecution\r\nLockBit is usually executed via the command line, as it accepts file path or directory parameters when only specific paths are to be encrypted.\r\nIt may also be executed via created scheduled tasks. This is usually the case if it is propagated to other machines.\r\nThere are also reports of it being executed using PowerShell Empire, a pure PowerShell post-exploitation agent.\r\nCredential Access\r\nAside from using credentials obtained from affiliates, LockBit attacks were also observed using Mimikatz to gather further credentials.\r\nDefense Evasion\r\nSome infections were observed to include GMER, PC Hunter, and/or Process Hacker. These are tools that are usually used to disable security products.\r\nIn some observed attacks, a Group Policy was created to disable Windows Defender.\r\nDiscovery\r\nNetwork Scanner, Advanced Port Scanner, and AdFind were also used to enumerate connected machines in the network. 
This is probably to locate the Domain Controller or Active Directory server, as these are usually the best targets for deploying ransomware with network encryption or propagation.\r\nLateral Movement\r\nLockBit can self-propagate via SMB connections using obtained credentials.\r\nSome samples can self-propagate and execute via Group Policy.\r\nIn some instances, PsExec or Cobalt Strike were used to move laterally within the network.\r\nExfiltration\r\nUploads stolen files via cloud storage tools like MEGA or FreeFileSync.\r\nSometimes, the StealBit malware (also sold by the threat actors) was used instead to exfiltrate stolen files.\r\nImpact\r\nThe ransomware payload proceeds with its encryption routine upon execution. Encryption covers both local and network files.\r\nIt encrypts files using AES and encrypts the AES key with RSA. The AES key is generated using BCryptGenRandom.\r\nFor faster encryption, it encrypts only the first 4KB of each file and appends the “.lockbit” extension to the file name.\r\nIt also replaces the desktop wallpaper with a note that includes a statement trying to recruit insiders or affiliates within companies.\r\nFigure 12. 
Sample wallpaper used by LockBit\r\nLockBit also sends a Wake-on-LAN (WoL) packet to ensure that network drives are active for its network encryption; this behavior was first observed in the Ryuk ransomware.\r\nLockBit also has the capability to print its ransom note on connected printers using WinSpool APIs, which is probably inspired by Egregor ransomware.\r\nMITRE tactics and techniques\r\nInitial Access\r\nT1566 - Phishing: arrives via phishing emails\r\nT1190 - Exploit public-facing application: arrives via the following exploit: CVE-2018-13379\r\nT1078 - Valid accounts: has been reported to make use of compromised accounts to access victims via RDP or VPN\r\nExecution\r\nT1059 - Command and scripting interpreter: uses various scripting interpreters like PowerShell and the Windows command shell\r\nT1204 - User execution: user execution is needed to carry out the payload from the spear phishing link or attachment\r\nT1106 - Native API (Execution through API): uses native APIs to execute various commands and routines\r\nPersistence\r\nT1547 - Boot or logon autostart execution: creates registry Run entries\r\nPrivilege Escalation\r\nT1134 - Access token manipulation: uses the AdjustTokenPrivileges API to set the token privilege attribute to SE_PRIVILEGE_ENABLED\r\nT1548 - Abuse elevation control mechanism: makes use of ucmDccwCOMMethod from UACME, a GitHub collection of UAC bypass techniques\r\nDefense Evasion\r\nT1140 - Deobfuscate/decode files or information: strings used throughout the routine are encrypted using XOR or subtraction\r\nT1562 - Impair defenses: disables security-related services by terminating them; may include using tools like PC Hunter, Process Hacker, and KillAV/KillProc\r\nT1574 - Hijack execution flow: DLL side-loading can also be used as a form of defense evasion\r\nT1218 - Signed binary proxy execution: executes mshta to open the ransom note\r\nT1484 - Domain policy modification: releases a group policy update that terminates AV tools and creates scheduled tasks to execute the copies propagated via SMB\r\nT1070 - Indicator removal on host: capable of deleting Windows event logs and its own executable file to remove traces\r\nDiscovery\r\nT1083 - File and directory discovery: searches for specific files and directories related to its encryption\r\nT1135 - Network share discovery: enumerates network shares for its network encryption\r\nT1018 - Remote system discovery: makes use of tools for network scans\r\nT1057 - Process discovery: discovers certain processes for process termination\r\nLateral Movement\r\nT1570 - Lateral tool transfer: can make use of RDP, SMB admin shares, or PsExec to transfer the ransomware or tools within the network\r\nExfiltration\r\nT1567 - Exfiltration over web service: syncs files to a specified cloud storage, such as MegaSync or FreeFileSync\r\nT1041 - Exfiltration over C2 channel: exfiltration using StealBit\r\nSummary of malware, tools, and exploits used\r\nSecurity teams can watch out for the presence of the following malware, tools, and exploits that are typically used in LockBit attacks:\r\nInitial Entry: phishing emails; RDP/valid accounts; exploit: CVE-2018-13379\r\nExecution: scheduled tasks; Windows command line\r\nDiscovery: Network Scanner\r\nLateral Movement: Group Policy; SMB; PsExec\r\nDefense Evasion: KillAV/KillProc; PC Hunter; Process Hacker\r\nExfiltration: StealBit; FreeFileSync; MegaSync\r\nRecommendations\r\nAs mentioned earlier, we expect LockBit to continue its level of activity, if not increase it, in the coming months. As our discussion shows, LockBit also demonstrates both consistent and versatile operations that adapt to current trends affecting the threat landscape. Organizations therefore should also keep abreast of the latest shifts that could influence their own security measures.\r\nTo help defend systems against similar threats, organizations can establish security frameworks that allocate resources systematically for a solid defense against ransomware. 
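What follows is an added example for this page, not code from the article or from Trend Micro. It takes the tool summary above and the Impact section literally: find_tool_hits scans constructed process-creation log lines for the listed tools and tags each hit with the MITRE technique ID the article assigns (T1003 for Mimikatz is an addition here, since the article names the tool without an ID), techniques_per_host groups the hits so that discovery, impaired defenses and lateral tool transfer on one host stand out as the chain the article describes, and partial_encryption_profile checks a suspect file for the described behaviour of encrypting only the first 4 KB by comparing the byte entropy of the head and the remainder. The pipe-delimited log format, the binary-name substrings, the function names and the sample data are assumptions made for the example.

```python
# Added example for this page: triage helpers for a suspected LockBit intrusion.
# Not code from the article or from Trend Micro. It pairs the article's tool
# summary (flag the listed tools in process-creation telemetry, tagged with the
# MITRE IDs the article assigns) with its Impact section (confirm that only the
# first 4 KB of a file was encrypted by comparing head and tail entropy).
# Assumptions: the pipe-delimited log format, the binary-name substrings, and
# T1003 for Mimikatz (the article names the tool but gives it no ID).
import hashlib
import math
from collections import Counter

# lowercase substring of image/command line -> (technique ID, description)
TOOL_INDICATORS = {
    'adfind': ('T1018', 'Remote system discovery: AdFind'),
    'advanced_port_scanner': ('T1018', 'Remote system discovery: Advanced Port Scanner'),
    'psexec': ('T1570', 'Lateral tool transfer: PsExec'),
    'processhacker': ('T1562', 'Impair defenses: Process Hacker'),
    'pchunter': ('T1562', 'Impair defenses: PC Hunter'),
    'gmer': ('T1562', 'Impair defenses: GMER'),
    'killav': ('T1562', 'Impair defenses: KillAV'),
    'mimikatz': ('T1003', 'OS credential dumping: Mimikatz'),
    'mshta': ('T1218', 'Signed binary proxy execution: mshta'),
    'megasync': ('T1567', 'Exfiltration over web service: MegaSync'),
    'freefilesync': ('T1567', 'Exfiltration over web service: FreeFileSync'),
    'stealbit': ('T1041', 'Exfiltration over C2 channel: StealBit'),
}
HEAD_BYTES = 4096  # the article: only the first 4 KB of each file is encrypted

def parse_event(line):
    # Assumed export format: timestamp|host|event|image|command line
    # (split with a limit so pipes inside the command line survive).
    parts = line.rstrip().split('|', 4)
    if len(parts) != 5 or parts[2] != 'ProcessCreate':
        return None
    return {'time': parts[0], 'host': parts[1], 'image': parts[3], 'cmd': parts[4]}

def find_tool_hits(lines):
    # One (time, host, technique, description) tuple per matching indicator.
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        haystack = (ev['image'] + ' ' + ev['cmd']).lower()
        for needle, (tid, desc) in TOOL_INDICATORS.items():
            if needle in haystack:
                hits.append((ev['time'], ev['host'], tid, desc))
    return hits

def techniques_per_host(hits):
    # Distinct techniques per host. Discovery, impaired defenses and lateral
    # tool transfer on the same host is the chain the article describes and
    # is a far stronger signal than any single tool on its own.
    per_host = {}
    for _, host, tid, _ in hits:
        per_host.setdefault(host, set()).add(tid)
    return per_host

def shannon_entropy(data):
    # Bits per byte: 8.0 for uniformly random bytes, roughly 4 for English text.
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def partial_encryption_profile(data):
    # High-entropy head plus a low-entropy, still readable tail matches the
    # behaviour described in Impact; it also tells the responder that the
    # tail of a large file may be recoverable even without the key.
    head_e = shannon_entropy(data[:HEAD_BYTES])
    tail_e = shannon_entropy(data[HEAD_BYTES:])
    return {'head_entropy': head_e, 'tail_entropy': tail_e,
            'matches_pattern': head_e > 7.0 and tail_e < 6.0}

def pseudo_random_bytes(n, seed=b'lockbit-example'):
    # Deterministic high-entropy filler standing in for ciphertext (chained
    # SHA-256, so the example runs offline and reproducibly; it is not a cipher).
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])

# Constructed sample telemetry and file content; not real incident data.
SAMPLE_LOG = [
    '2022-01-12T03:14:05Z|FS01|ProcessCreate|adfind.exe|adfind.exe -f (objectcategory=computer)',
    '2022-01-12T03:20:41Z|FS01|ProcessCreate|ProcessHacker.exe|ProcessHacker.exe -s',
    '2022-01-12T03:25:09Z|FS01|ProcessCreate|psexec.exe|psexec.exe -s -d -f cmd.exe',
    '2022-01-12T03:25:10Z|FS01|NetworkConnect|psexec.exe|10.0.0.7:445',
    '2022-01-12T03:31:55Z|WS22|ProcessCreate|mshta.exe|mshta.exe note.hta',
    '2022-01-12T08:00:00Z|WS22|ProcessCreate|notepad.exe|notepad.exe notes.txt',
]
FAKE_ENCRYPTED_DOC = pseudo_random_bytes(HEAD_BYTES) + b'quarterly report text line. ' * 400

if __name__ == '__main__':
    hits = find_tool_hits(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(techniques_per_host(hits))
    print(partial_encryption_profile(FAKE_ENCRYPTED_DOC))
```

Run it as a script to print the hits and the entropy profile. In practice the log lines would come from an EDR or Sysmon export normalised to the assumed format, and the entropy check is a triage heuristic only: compressed or already encrypted files have a high-entropy tail as well, so a negative result on such files says nothing about whether the head was touched.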
Here are some best practices that can be included in these frameworks:\r\nAudit and inventory\r\nTake an inventory of assets and data\r\nIdentify authorized and unauthorized devices and software\r\nAudit event and incident logs\r\nConfigure and monitor\r\nManage hardware and software configurations\r\nGrant admin privileges and access only when necessary to an employee’s role\r\nMonitor network ports, protocols, and services\r\nActivate security configurations on network infrastructure devices such as firewalls and routers\r\nEstablish a software allow list that only executes legitimate applications\r\nPatch and update\r\nConduct regular vulnerability assessments\r\nPerform patching or virtual patching for operating systems and applications\r\nUpdate software and applications to their latest versions\r\nProtect and recover\r\nImplement data protection, backup, and recovery measures\r\nEnable multifactor authentication (MFA)\r\nSecure and defend\r\nEmploy sandbox analysis to block malicious emails\r\nDeploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network\r\nDetect early signs of an attack such as the presence of suspicious tools in the system\r\nUse advanced detection technologies such as those powered by AI and machine learning\r\nTrain and test\r\nRegularly train and assess employees on security skills\r\nConduct red-team exercises and penetration tests\r\nA multilayered approach can help organizations guard the possible entry points into the system (endpoint, email, web, and network). 
Security solutions that detect malicious components and suspicious behavior can help protect enterprises.\r\nTrend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools early on, before the ransomware can do irreversible damage to the system.\r\nTrend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.\r\nTrend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.\r\nIndicators of Compromise (IOCs)\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit"
	],
	"report_names": [
		"ransomware-spotlight-lockbit"
	],
	"threat_actors": [],
	"ts_created_at": 1775434463,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/476ea316c666a626304b7c763d1a889eb0e4df52.pdf",
		"text": "https://archive.orkl.eu/476ea316c666a626304b7c763d1a889eb0e4df52.txt",
		"img": "https://archive.orkl.eu/476ea316c666a626304b7c763d1a889eb0e4df52.jpg"
	}
}