{
	"id": "2f9609d5-b6c6-472b-9b33-0d72df86e1ab",
	"created_at": "2026-04-06T00:09:21.954384Z",
	"updated_at": "2026-04-10T03:21:09.448743Z",
	"deleted_at": null,
	"sha1_hash": "7b4608105e7aded4e32e39b81241d44e0c7ee8b7",
	"title": "LockBit: Ransomware Puts Servers in the Crosshairs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73618,
	"plain_text": "LockBit: Ransomware Puts Servers in the Crosshairs\r\nArchived: 2026-04-05 17:08:06 UTC\r\nSymantec, a division of Broadcom Software, has observed threat actors targeting server machines in order to spread the LockBit ransomware threat throughout compromised networks.\r\nIn one attack observed by Symantec, LockBit was seen identifying domain-related information, creating a Group Policy for lateral movement, and executing a \"gpupdate /force\" command on all systems within the same domain, which forcefully updates group policy.\r\nLockBit is a ransomware-as-a-service (RaaS) operated by malicious actors Symantec tracks as Syrphid.\r\nShortly after it first appeared in September 2019, the Syrphid gang expanded its operations, using a network of affiliates to deploy the LockBit ransomware on victim networks. The ransomware, which has currently reached version 3.0, has evolved over the past few years, as have its operators, who have recently launched a bug bounty program in order to weed out weaknesses in the malware’s code and the RaaS operation as a whole.\r\nAttack chain\r\nIn one observed instance, before dropping and executing the LockBit ransomware, an attacker had RDP access to the enterprise network for a couple of weeks at least. This access may have been obtained through remote desktop applications such as AnyDesk or Windows RDP, or by exploiting a known vulnerability, etc.\r\nLockBit behaves differently on server machines with domain controllers than on Windows 10 machines. When executed on a server, it has the capability to spread through the network using Group Policy. On Windows 10 machines it performs routine ransomware activity and encrypts files.\r\nWhen LockBit is executed on a server machine it carries out the following actions:\r\n1. Debugger check\r\nLockBit first checks if the malware process is being debugged. If this is the case, it goes into an infinite loop.\r\nFigure 1. If the malware process is being debugged, LockBit goes into an infinite loop.\r\n2. Language check\r\nIt calls GetSystemDefaultUILanguage and GetUserDefaultUILanguage to check the language. If the language matches one on the malware’s list then it terminates immediately. LockBit does not target Russia or a selection of nearby countries.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers\r\nPage 1 of 6\r\nFigure 2. LockBit calls GetSystemDefaultUILanguage and GetUserDefaultUILanguage to check the language.\r\n3. End running processes and disable services\r\nLockBit ends a list of running processes related to malware analysis and other processes like Process Explorer, Process Monitor, Wireshark, Dumpcap, Process Hacker, cmd.exe, TeamViewer, Notepad, Notepad++, WordPad, etc.\r\nIt disables a list of services related to SQL, backup, MSExchange, etc.\r\n4. Privilege escalation\r\nIt duplicates the token by calling DuplicateTokenEx and creates a new process using CreateProcessAsUserW.\r\nAfter it achieves privilege escalation, LockBit relaunches itself under DLLHost.exe. Once the new process is spawned, the LockBit process ends itself.\r\n5. Bypass UAC\r\nLockBit injects code into dllhost.exe with CLSIDs of COM objects, which runs the following commands to bypass UAC:\r\nA. Exploiting USERENV.dll to bypass UAC\r\nC:\\Windows\\system32\\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}\r\nB. Bypass method in hfiref0x’s UACME\r\nC:\\Windows\\SysWOW64\\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\r\nC. Exploiting the ICMLuaUtil elevated COM interface object\r\nC:\\Windows\\SysWOW64\\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\r\n6. LockBit creates a copy of itself under the SYSVOL directory “c:\\windows\\sysvol\\domain\\scripts\\\u003cLockBit executable\u003e”\r\n7. Creating a Group Policy:\r\nOnce the malware identifies it is running as an admin user and a domain controller is installed on the system, it creates a Group Policy to stop services, end processes, copy LockBit, etc.\r\nUnder the “C:\\Windows\\SYSVOL\\domain\\Policies\\\u003cpolicy GUID\u003e” folder, LockBit creates the XML files that are required for the Group Policy.\r\nComputer configurations:\r\nIt first creates a policy to turn off Windows Defender, suppress all notifications, disable file submissions, turn off real-time protection, etc.\r\nIt then maps the network drive through Group Policy.\r\nIt disables services related to SQL Server at startup.\r\nUser configurations:\r\nThe malware copies the ransomware from SYSVOL to the Desktop directory.\r\nIt then creates a scheduled task to end the list of processes previously mentioned.\r\nFigure 3. Group Policy XML file used to copy LockBit from the shared SYSVOL location to the client’s desktop location.\r\nFigure 4. Group Policy created by LockBit can be seen in the Group Policy Management console.\r\nFigure 5. Group Policy details to disable Defender and several additional options.\r\nFigure 6. Group Policy used to map network drives.\r\nFigure 7. Group Policy used to disable SQL services at startup.\r\nFigure 8. Group Policy used to copy LockBit from the SYSVOL shared location to the desktop.\r\nFigure 9. Group Policy used to end processes using the taskkill command.\r\nFigure 10. Group Policy used to execute the LockBit ransomware.\r\n8. Lateral movement:\r\nLockBit launches powershell.exe to run the command shown below in order to search through all the computers in the Active Directory. For each host it uses the GPUpdate force command (gpupdate) to apply the newly created Group Policy.\r\npowershell.exe -Command \"Get-ADComputer -filter * -Searchbase 'DC=symcdemos,DC=local' | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}\"\r\n9. Executes the gpupdate command on the domain controller where LockBit is running. It also runs gpupdate to apply the policies from the computer configurations and user configurations:\r\ngpupdate.exe /target:computer /force\r\ngpupdate.exe /target:user /force\r\n10. Firewall\r\nLockBit reads firewall rules using the Windows Defender Firewall with Advanced Security API’s “FwPolicy2” object. The following CLSID COM object is called:\r\nC:\\Windows\\system32\\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}\r\n11. Impact\r\nLockBit attempts to delete shadow copies using VSSADMIN and WMIC. It also tries to disable recovery using the BCDEdit command.\r\n\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin delete shadows /all /quiet \u0026 wmic shadowcopy delete \u0026 bcdedit /set {default} bootstatuspolicy ignoreallfailures \u0026 bcdedit /set {default} recoveryenabled no\r\nIt deletes Windows event logs using:\r\nwevtutil cl security\r\nwevtutil cl system\r\nwevtutil cl application\r\n12. Encrypts files and appends the .lockbit file extension.\r\n13. MSHTA.exe\r\nCreates the file lockbit.hta and executes it to display a ransom note.\r\nFigure 11. LockBit ransom note.\r\nLockBit has been one of, if not the most active of RaaS gangs in 2022. The drop in Conti activity in May helped LockBit reach the top spot, with some reports stating that the threat was behind as much as 40% of ransomware attacks.\r\nLockBit’s success is also due to its developers’ and affiliates’ continued evolution of features and tactics, which include the malware’s fast encryption speed, ability to target both Windows and Linux machines, its brash recruitment drives, and high-profile targets. In addition, as previously mentioned, the launch of a rewards program for vulnerabilities in LockBit’s code and for suggestions on improving the RaaS operation will no doubt help the ransomware remain a serious threat to organizations.\r\nIndicators of Compromise (IOCs)\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\n5181d2e71e8e73a82712a483a80aaea94e1efa785f2b8b8ee9641544c0b652f0 - lockbit_6341d6e5844c8289.exe\r\nllll.exe – copy of LockBit ransomware\r\nhxxps://temp[.]sh/AErDa/LockBit_6341D6E5844C8289[.]exe - Payload URL\r\nMITRE Techniques\r\nFigure 12. MITRE techniques used by the LockBit ransomware.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nSymantec Endpoint Protection (SEP) protects against ransomware attacks using multiple static and dynamic technologies.\r\nAV Protection\r\nRansom.LockBit\r\nRansom.LockBit!g2\r\nScr.Malscript!gen1\r\nBehavior Protection\r\nSONAR.RansomLckbit!g3\r\nSONAR.RansomNokibi!g1\r\nSONAR.RansomLckbit!g1\r\nIntrusion Prevention System (IPS) Protection\r\n[SID: 33705] Attack: Lockbit Ransomware Binary Copy GPO Config\r\n[SID: 33706] Attack: Lockbit Ransomware Services Disable GPO Config\r\n[SID: 33707] Attack: Lockbit Ransomware Enable Share GPO Config\r\n[SID: 33708] Attack: Lockbit Ransomware Security Services Taskkill GPO\r\nSymantec Data Center Security (DCS) hardening policies for Windows Servers and Domain Controllers prevent LockBit ransomware installation. The default DCS lockdown prevents lateral movement of LockBit ransomware on the network and protects servers from LockBit execution attempts to tamper with Group Policies and critical system resources.\r\nVishal Kamble\r\nPrincipal Threat Analysis Engineer\r\nLahu Khatal\r\nSenior Threat Analysis Engineer\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockbit-targets-servers"
	],
	"report_names": [
		"lockbit-targets-servers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434161,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b4608105e7aded4e32e39b81241d44e0c7ee8b7.pdf",
		"text": "https://archive.orkl.eu/7b4608105e7aded4e32e39b81241d44e0c7ee8b7.txt",
		"img": "https://archive.orkl.eu/7b4608105e7aded4e32e39b81241d44e0c7ee8b7.jpg"
	}
}