{
	"id": "b0fb9416-8e7a-4b4f-a458-6182bbb3bbc3",
	"created_at": "2026-04-06T01:30:49.509204Z",
	"updated_at": "2026-04-10T03:20:56.782945Z",
	"deleted_at": null,
	"sha1_hash": "86d864275b62b901c1970162b0e29850cb609e9a",
	"title": "Cyble - A Deep-dive Analysis of LOCKBIT 2.0",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1774482,
	"plain_text": "Cyble - A Deep-dive Analysis of LOCKBIT 2.0\r\nBy cybleinc\r\nPublished: 2021-08-16 · Archived: 2026-04-06 00:40:05 UTC\r\nCyble's research on the LOCKBIT 2.0 ransomware, which exfiltrates victims’ data using the double extortion technique and then demands a ransom.\r\nThe LOCKBIT 2.0 ransomware group has been highly active in the past few months. The Threat Actors (TAs) linked to this ransomware use a Ransomware-as-a-Service (RaaS) business model. LOCKBIT 2.0 developers customize ransomware variants as per their affiliates’ needs. They also offer various panels and attack statistics to provide victim management capabilities to their affiliates.\r\nThe malware uses the double extortion technique to compel victims into paying ransoms. Through this technique, attackers first exfiltrate the victim’s data and then encrypt the data on the victim’s system. Data encryption is followed by the TAs demanding a ransom in exchange for a decryptor. If the victim refuses or cannot pay the ransom, the TAs threaten to leak the data. This ransomware was previously known as ABCD ransomware, as the extension appended to encrypted files was .abcd. The extension now used by this ransomware is .lockbit.\r\nFigure 1 shows the blog that the LOCKBIT 2.0 ransomware gang hosts on the Tor network. This blog is used by the TAs to share the list of victims and screenshots of sample data exfiltrated from affected systems.\r\nhttps://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/\r\nPage 1 of 11\n\nFigure 1: LOCKBIT 2.0 Blog displaying Victim companies\r\nLike other recently emerging RaaS gangs, LOCKBIT 2.0 also runs an affiliate program to attract potential affiliates. Figure 2 shows the affiliate program page. 
\r\nFigure 2: Affiliate Program of LOCKBIT 2.0\r\nLockBit is trying to position itself as the fastest encryptor among competing RaaS gangs. The affiliate page lists the time spent encrypting datasets of 100GB, 10TB, etc. Figure 3 shows the comparison of LOCKBIT 2.0 with other ransomware gangs.\r\nFigure 3: LOCKBIT 2.0 Comparing itself with other Ransomware Gangs\r\nAdditionally, this ransomware gang does not operate in countries that were formerly part of the Soviet Union. The gang also uses tools such as StealBIT, Metasploit Framework, and Cobalt Strike.\r\nStealBIT is an information stealer used by the gang for data exfiltration. Metasploit Framework and Cobalt Strike are penetration-testing tools used to emulate targeted attacks on sophisticated networks.\r\nFigure 4 shows the post in detail.\r\nFigure 4: Additional affiliate details shared by LOCKBIT 2.0\r\nTechnical Analysis\r\nOur static analysis of the ransomware shows that the malware file is a Windows x86 Graphical User Interface (GUI) executable whose PE header carries a compile timestamp of 2021-07-26 13:04:01, as shown in Figure 5.\r\nFigure 5: Static information About LOCKBIT 2.0 Ransomware\r\nCyble Research Labs has also found that the malware uses only a few libraries, as shown in Figure 6.\r\nFigure 6: Libraries Used by Ransomware\r\nFurthermore, only a few Application Programming Interfaces (APIs) were present in the ransomware's import table, as shown in Figure 7. A sparse import table of this kind usually means the remaining APIs are resolved at runtime, so the static import list understates what the sample can do.\r\nFigure 7: Import Table APIs List\r\nFigure 8 shows that the ransomware has encrypted user document files and appended a .lockbit extension to them, while also changing the icon of all encrypted files. 
Additionally, the ransomware drops a ransom note in several folders.\r\nFigure 8: Encrypted Files and Ransom Note dropped by ransomware\r\nFigure 9 shows the content of the ransom note, which instructs victims on how to contact the ransomware gang.\r\nFigure 9: Content of ransom note\r\nThe ransomware also changes the desktop background to display additional ransomware gang information, as shown below.\r\nFigure 10: LOCKBIT 2.0 Changing Desktop Background\r\nTo get further insight into the ransomware, we checked which strings were present in the malware.\r\nFigure 11 shows the initial strings present in the malware. These strings indicate that the malware can query systems joined to the Active Directory domain using the Lightweight Directory Access Protocol (LDAP). In the query strings, CN stands for Common Name, OU for Organizational Unit, and DC for Domain Component. This information can be used to discover other linked networks and systems.\r\nFigure 11: Setting LDAP parameters for Microsoft Active Directory\r\nAs seen in Figure 12, the ransomware can use PowerShell commands to query the Domain Controller for the list of computers. Once the list is received, the malware can invoke the GPUpdate command remotely on the listed systems, which forces them to apply the policies it has pushed.\r\nFigure 12: PowerShell command for searching computers in the network\r\nAdditionally, the ransomware checks for additional mounted hard drives, network shared drives, and shared folders of VMs, and kills running processes using taskkill.exe, as shown in Figure 12.\r\nFigure 13 depicts the policy updates that the ransomware can push through the Active Directory environment to other connected systems. 
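The steps above (LDAP/PowerShell enumeration of domain computers, remote GPUpdate, Defender policy changes pushed by policy, and killing of processes and services) are the pre-encryption activity a defender wants to catch, since once encryption starts there is little left to do. The detector below is an added example written for this page; it is not Cyble's code and not code from the LockBit 2.0 sample. It runs over constructed process-creation records (Sysmon Event ID 1 or Security 4688 style) that are made up for the example, and the command-line tokens it matches are assumptions about how those steps look in telemetry, because the report shows them only in figures. The service names come from the kill-list table later in this report.

```python
# Added example for this page, not Cyble's code and not code from the
# LockBit 2.0 sample: flags the pre-encryption steps the report describes
# (LDAP/PowerShell enumeration of domain computers, remote gpupdate,
# Windows Defender policy tampering, process/service killing) in
# process-creation records such as Sysmon Event ID 1 or Security 4688.
# ASSUMPTIONS: the command-line tokens matched below are our guess at how
# those steps appear in telemetry (the report shows them only in figures);
# the event records at the bottom are constructed for the example.
from collections import defaultdict

# Service names taken from the kill-list table in this report (a subset;
# generic entries such as SQL and svc$ are left out to limit false positives).
KILL_LIST = {
    'sqlservr', 'sqlagent', 'sqlbrowser', 'sqlwriter', 'mssql', 'mysql57',
    'veeam', 'vss', 'backup', 'sophos', 'memtas', 'mepocs', 'qbfcservice',
    'vmware-converter', 'dbsrv12', 'rtvscan', 'ccevtmgr', 'savroam',
}

def _ad_enum(cmd):
    # LDAP filter or PowerShell cmdlet that lists computer objects in the domain.
    return any(tok in cmd for tok in (
        'objectclass=computer', 'objectcategory=computer',
        'get-adcomputer', 'adsisearcher', 'directorysearcher'))

def _remote_gpupdate(cmd):
    # gpupdate pushed to other hosts rather than run locally.
    return 'gpupdate' in cmd and any(tok in cmd for tok in (
        'invoke-command', 'invoke-gpupdate', '-computername', 'psexec'))

def _defender_policy(cmd):
    # Defender policy keys or Set-MpPreference used to switch protection off.
    return ('windows defender' in cmd or 'set-mppreference' in cmd) and any(
        tok in cmd for tok in (
            'disableantispyware', 'disablerealtimemonitoring',
            'disablebehaviormonitoring'))

def _service_kill(cmd):
    # taskkill /f /im <name>.exe, net stop <svc>, sc stop <svc>, Stop-Service,
    # but only when the target is on the report's kill list.
    if not any(tok in cmd for tok in (
            'taskkill', 'net stop', 'net1 stop', 'sc stop', 'stop-service')):
        return False
    # MSSQL$SHAREPOINT -> mssql, sqlservr.exe -> sqlservr
    targets = cmd.replace('.exe', ' ').replace('$', ' ').split()
    return any(t in KILL_LIST for t in targets)

RULES = (
    ('ad_enum', _ad_enum),
    ('remote_gpupdate', _remote_gpupdate),
    ('defender_policy', _defender_policy),
    ('service_kill', _service_kill),
)

def classify(event):
    # Return the names of every stage an event matches (usually zero or one).
    cmd = event['cmdline'].lower()
    return [name for name, pred in RULES if pred(cmd)]

def find_hosts_with_chain(events, min_stages=2):
    # A single match is weak evidence (admins run gpupdate too); a host that
    # shows several distinct stages is worth an alert.
    stages = defaultdict(set)
    for ev in events:
        for stage in classify(ev):
            stages[ev['host']].add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}

# Constructed sample feed (not real telemetry); host and image names are made up.
SAMPLE_EVENTS = [
    {'host': 'WS-0412', 'image': 'powershell.exe',
     'cmdline': 'powershell.exe -Command Get-ADComputer -Filter * -Properties DNSHostName'},
    {'host': 'WS-0412', 'image': 'dsquery.exe',
     'cmdline': 'dsquery * -filter (objectCategory=computer) -attr dNSHostName'},
    {'host': 'WS-0412', 'image': 'powershell.exe',
     'cmdline': 'powershell.exe Invoke-Command -ComputerName FS01,DB01 -ScriptBlock { gpupdate /force }'},
    {'host': 'WS-0412', 'image': 'reg.exe',
     'cmdline': 'reg add HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {'host': 'DB01', 'image': 'net.exe', 'cmdline': 'net stop MSSQL$SHAREPOINT /y'},
    {'host': 'DB01', 'image': 'taskkill.exe', 'cmdline': 'taskkill /f /im sqlservr.exe'},
    # Benign noise: local gpupdate, a service not on the list, ordinary PowerShell.
    {'host': 'FS01', 'image': 'gpupdate.exe', 'cmdline': 'gpupdate /force'},
    {'host': 'FS01', 'image': 'net.exe', 'cmdline': 'net stop spooler'},
    {'host': 'WS-0200', 'image': 'powershell.exe', 'cmdline': 'powershell.exe Get-Process'},
]

if __name__ == '__main__':
    for host, seen in find_hosts_with_chain(SAMPLE_EVENTS).items():
        print(host, seen)
```

On the constructed feed only WS-0412 crosses the two-stage threshold; DB01 shows a single stage (service kills), which is why the threshold is a parameter: a tuned deployment would pair the service-kill rule with the SCM stop events (7036) themselves, and would treat a stopped backup or database service as enough on its own on a server that normally never stops them.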
To evade detection, the ransomware can disable Windows Defender both on the system it is running on and on remote systems.\r\nFigure 13: Windows Defender Policies are changed by the ransomware\r\nWhile running the ransomware, we observed that it injects itself into dllhost.exe, as shown in Figure 14.\r\nFigure 14: Ransomware infecting dllhost.exe\r\nThe ransomware adds its execution folder to the system Path environment variable, as shown in Figure 15.\r\nFigure 15: Malware Added its Present Working Directory in System Path\r\nFigure 16 shows the ransomware looking for various running services, such as backup services and database-related applications. If any such service is found running on the system, the ransomware stops it, so that open database and backup files can be encrypted. The ransomware enumerates and opens these services through the OpenSCManager and OpenServiceA APIs, as shown in Figure 16.\r\nFigure 16: Ransomware searching for Services\r\nAn additional list of services searched for by the ransomware is shown in the table below. 
\r\nDefWatch\r\nRTVscan\r\ntomcat6\r\nccEvtMgr\r\nsqlbrowser\r\nzhudongfangyu\r\nSavRoam\r\nSQLADHLP\r\nvmware-usbarbitator64\r\nSqlservr\r\nQBIDPService\r\nvmware-converter\r\nsqlagent\r\nIntuit.QuickBooks.FCS\r\ndbsrv12\r\nsqladhlp\r\nQBCFMonitorService\r\ndbeng8\r\nCulserver\r\nmsmdsrv\r\nMSSQL$MICROSOFT##WID\r\nMSSQL$KAV_CS_ADMIN_KIT\r\nMSSQLServerADHelper100\r\nmsftesql-Exchange\r\nSQLAgent$KAV_CS_ADMIN_KIT\r\nMSSQL$SBSMONITORING\r\nMSSQL$SHAREPOINT\r\nMSSQLFDLauncher$SHAREPOINT\r\nSQLAgent$SBSMONITORING\r\nSQLAgent$SHAREPOINT\r\nMSSQL$VEEAMSQL2012\r\nQBFCService\r\nQBVSS\r\nSQLAgent$VEEAMSQL2012\r\nYooBackup\r\nYooIT\r\nSQLBrowser\r\nvss\r\nSQL\r\nSQLWriter\r\nsvc$\r\nPDVFSService\r\nFishbowlMySQL\r\nMSSQL\r\nmemtas\r\nMSSQL$MICROSOFT##WID\r\nMSSQL$\r\nmepocs\r\nMySQL57\r\nsophos\r\nveeam\r\nMSSQL$MICROSOFT##SSEE\r\nbackup\r\nMSSQLFDLauncher$SBSMONITORING\r\nThe ransomware creates a shared folder for VMware to spread to other systems, as shown in Figure 17.\r\nFigure 17: Ransomware creating VMWare shared folder and Dropping Sample\r\nThe encryption operation of LOCKBIT 2.0 is similar to what we have observed in other ransomware groups. The flow of operation is shown below.\r\nFigure 18: Common Encryption Operation\r\nConclusion\r\nLOCKBIT 2.0 is a highly sophisticated form of ransomware that uses various state-of-the-art techniques to perform ransomware operations. Current and potential LOCKBIT 2.0 victims range across multiple domains, from IT and services to banks. Our research indicates that affiliates of the group drop this ransomware inside an already compromised network.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. 
We recommend that our readers follow the suggestions given below:\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\nUse a reputed anti-virus and internet security software package on your connected devices.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nConduct regular backups and keep those backups offline or in a separate network.\r\nIndicators of Compromise (IoCs):\r\nIndicator | Indicator type | Description\r\n0545f842ca2eb77bcac0fd17d6d0a8c607d7dbc8669709f3096e5c1828e1c049 | Hash | SHA-256\r\nAbout Us\r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure on the Darkweb. Its prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.\r\nSource: https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/"
	],
	"report_names": [
		"a-deep-dive-analysis-of-lockbit-2-0"
	],
	"threat_actors": [],
	"ts_created_at": 1775439049,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86d864275b62b901c1970162b0e29850cb609e9a.pdf",
		"text": "https://archive.orkl.eu/86d864275b62b901c1970162b0e29850cb609e9a.txt",
		"img": "https://archive.orkl.eu/86d864275b62b901c1970162b0e29850cb609e9a.jpg"
	}
}