{
	"id": "a1f81c20-64a0-4fb1-89e6-4445a24f738a",
	"created_at": "2026-04-06T00:18:06.741253Z",
	"updated_at": "2026-04-10T03:24:23.6735Z",
	"deleted_at": null,
	"sha1_hash": "96cb17bdffb4239cf09ffc4fa4b6a006d4aa223c",
	"title": "LockBit 2.0",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 473113,
	"plain_text": "LockBit 2.0\r\nArchived: 2026-04-05 19:52:05 UTC\r\nLockBit 2.0: In-Depth Analysis, Detection, Mitigation, and Removal\r\nSummary of LockBit 2.0 Ransomware\r\nLockBit 2.0 emerged in August 2021, and is the evolution of the original LockBit RaaS (Ransomware-as-a-Service).  Linux versions of LockBit 2.0 were first observed in early 2022.  LockBit practices double extortion –\r\ndemanding payment for a decryptor, as well as for the non-release of stolen data. LockBit touts their\r\n‘performance’ (speed/rate of encryption) as a selling point for their services.  The group is also known for using\r\ncustom or specialized tools such as StealBIT for exfiltration.\r\nWhat Does LockBit 2.0 Ransomware Target?\r\nLockBit ransomware typically targets the healthcare, finance, legal, and insurance industries. Targeting may vary\r\nacross affiliates.  Campaigns within the CIS (Commonwealth of Independent States) are discouraged.\r\nHow Does LockBit 2.0 Ransomware Spread?\r\nLockBit 2.0 is delivered in multiple ways: through Cobalt Strike or a similar framework, and through email\r\nphishing. Additionally, SMB spreading functionality is integrated into LockBit, and it can be turned on and off.\r\nLockBit 2.0 Ransomware Technical Details\r\nhttps://www.sentinelone.com/anthology/lockbit-2-0/\r\nPage 1 of 6\n\nLockBit is an ongoing ransomware affiliate program. The second revision, ‘LockBit 2.0’, has been operating since\r\nearly 2020.\r\nEncryption is implemented in parts via the I/O completion port, using the encryption algorithms AES + ECC. So far, none\r\nhave managed to decrypt it. LockBit is known for its encryption speed and self-spreading function.\r\nOperators behind LockBit 2.0 attempt to utilize LOLBINS and COTS options where possible. Within LockBit\r\ncampaigns, there is often heavy use of PowerShell, WMIC, and/or SMB, for example.\r\nLockBit 2.0 can encrypt files regardless of online status, meaning the encryption works offline. 
Affiliates have\r\ncomplete control over their campaigns via an administrative panel hosted via TOR (.onion domain). LockBit 2.0\r\nshares many features with other modern and successful ransomware families. These include:\r\nNetwork detection and spreading via DFS/SMB/WebDav\r\nAutomatic termination of processes that may interfere with the encryption or extraction processes (backup\r\nsoftware, security agents/scanners)\r\nBlocking the launch of processes that may lead to termination of the encryption\r\nRemoval of Shadow Copies\r\nClearing of logs, self-cleaning\r\nOptions for hidden or visible runtime modes\r\nSpread to hosts with Wake-On-Lan\r\nInteraction with networked printers\r\nSupport for “all” versions of Windows\r\nIn January of 2022, versions of LockBit targeting Linux were observed in the wild. These initial payloads\r\nprimarily target Linux-based ESXi servers.\r\nMITRE ATT\u0026CK\r\nData Encrypted for Impact T1486\r\nNetwork Share Discovery T1135\r\nRemote Services: SMB/Windows Admin Shares T1021.002\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001\r\nCommand and Scripting Interpreter T1059\r\nExploitation for Client Execution T1203\r\nHow to Detect LockBit 2.0 Ransomware\r\nThe SentinelOne Singularity XDR Platform can identify and stop any malicious activities and items related\r\nto LockBit 2.0.\r\nIn case you do not have SentinelOne deployed, detecting this ransomware requires a combination of technical and\r\noperational measures, which are designed to identify and flag suspicious activity on the network. This allows the\r\norganization to take appropriate action, and to prevent or mitigate the impact of the ransomware attack.\r\n1. Use antimalware software, or other security tools, which are capable of detecting and blocking known\r\nransomware variants. 
These tools may use signatures, heuristics, or machine learning algorithms, to\r\nidentify and block suspicious files or activities.\r\n2. Monitor network traffic, and look for indicators of compromise, such as unusual network traffic patterns, or\r\ncommunication with known command-and-control servers.\r\n3. Conduct regular security audits and assessments, to identify vulnerabilities in the network and the system,\r\nand to ensure that all security controls are in place and functioning properly.\r\n4. Educate and train employees on cybersecurity best practices, including how to identify and report\r\nsuspicious emails, or other threats.\r\n5. Implement a robust backup and recovery plan, to ensure that the organization has a copy of its data, and\r\ncan restore it in case of an attack.\r\nHow to Mitigate LockBit 2.0\r\nThe SentinelOne Singularity XDR Platform detects and prevents malicious behaviors and artifacts\r\nassociated with LockBit.\r\nIf you do not have SentinelOne deployed, there are several steps that organizations can take to mitigate the risk of\r\nAtomSilo ransomware attacks.\r\nEducate Employees\r\nEmployees should be educated on the risks of ransomware, and on how to identify and avoid phishing emails,\r\nmalicious attachments, and other threats. They should be encouraged to report suspicious emails or attachments,\r\nand to avoid opening them, or clicking on links or buttons in them.\r\nImplement Strong Passwords\r\nOrganizations should implement strong, unique passwords for all user accounts, and should regularly update and\r\nrotate these passwords. 
Passwords should be at least 8 characters long, and should include a combination of\r\nuppercase and lowercase letters, numbers, and special characters.\r\nEnable Multi-factor Authentication\r\nOrganizations should enable multi-factor authentication (MFA) for all user accounts, to provide an additional layer\r\nof security. This can be done through the use of mobile apps, such as Google Authenticator or Microsoft\r\nAuthenticator, or through the use of physical tokens or smart cards.\r\nUpdate and Patch Systems\r\nOrganizations should regularly update and patch their systems, to fix any known vulnerabilities, and to prevent\r\nattackers from exploiting them. This includes updating the operating system, applications, and firmware on all\r\ndevices, as well as disabling any unnecessary or unused services or protocols.\r\nImplement Backup and Disaster Recovery\r\nOrganizations should implement regular backup and disaster recovery (BDR) processes, to ensure that they can\r\nrecover from ransomware attacks, or other disasters. This includes creating regular backups of all data and\r\nsystems, and storing these backups in a secure, offsite location.\r\nThe backups should be tested regularly, to ensure that they are working, and that they can be restored quickly and\r\neasily.\r\nLockBit 2.0 Ransomware FAQs\r\nWhat is LockBit 2.0 Ransomware?\r\nLockBit 2.0 is a dangerous program that locks up your files and demands money to get them back. It spreads\r\nthrough bad links, fake emails, or hidden downloads. Once inside, it scrambles everything, leaving only a ransom\r\nnote behind. Companies and individuals have both been hit. 
You can lower your risk by avoiding suspicious\r\nattachments, updating security software, and backing up important files in a safe place.\r\nWhat happens when LockBit 2.0 Ransomware infects a system?\r\nOnce LockBit 2.0 gets into a computer, it scans for important files and locks them with powerful encryption.\r\nThen, it leaves a ransom note demanding payment for a secret key to unlock the files. Sometimes, it even spreads\r\nto other computers on the same network. You can fight back by backing up your data in secure locations and\r\nresponding quickly if something unusual starts happening on your system.\r\nWhat types of files does LockBit 2.0 encrypt?\r\nLockBit 2.0 locks a wide range of files, including documents, spreadsheets, videos, and databases. Anything\r\nvaluable or important is a target. After encryption, the files can’t be opened without a special key that attackers\r\nsell for ransom. You can prevent losing access to your data by making regular backups and storing them\r\nsomewhere safe, like an external hard drive or a protected cloud service.\r\nDoes LockBit 2.0 steal data before encryption?\r\nYes, LockBit 2.0 doesn’t just lock files—it also steals data before encrypting it. Hackers can then threaten to leak\r\nsensitive information if the ransom isn’t paid. This makes attacks even more dangerous. You can limit the damage\r\nby protecting sensitive data with strong security measures, using encrypted backups, and monitoring networks for\r\nsuspicious file transfers that might signal a ransomware attack.\r\nWhich industries are most targeted by LockBit 2.0 Ransomware?\r\nLockBit 2.0 attacks businesses that rely on important data, such as healthcare, finance, and manufacturing. These\r\nindustries can’t afford long shutdowns, making them more likely to pay the ransom. Hackers look for weak spots,\r\nlike outdated security or employees who fall for phishing scams. 
You can lower your risk by keeping security\r\npatches updated, training staff, and using strong security software.\r\nHow can businesses protect themselves from LockBit 2.0 Ransomware?\r\nCompanies can fight LockBit 2.0 by training employees to recognize phishing emails, limiting who can access\r\nimportant files, and using strong antivirus programs. You can also block untrusted websites, keep your software\r\nupdated, and back up files regularly. Hackers look for weak spots, so closing security gaps and watching for\r\nunusual activity on your network can help keep them out.\r\nWhat security best practices help prevent a LockBit 2.0 infection?\r\nGood security habits make a big difference. You can use strong passwords, set up multi-factor authentication, and\r\nscan for strange behavior on your network. Teach employees how to spot suspicious emails and avoid risky links.\r\nBack up your data often and keep backups separate from your main system. The harder you make it for hackers,\r\nthe less likely you are to become a victim.\r\nSource: https://www.sentinelone.com/anthology/lockbit-2-0/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.sentinelone.com/anthology/lockbit-2-0/"
	],
	"report_names": [
		"lockbit-2-0"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434686,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/96cb17bdffb4239cf09ffc4fa4b6a006d4aa223c.pdf",
		"text": "https://archive.orkl.eu/96cb17bdffb4239cf09ffc4fa4b6a006d4aa223c.txt",
		"img": "https://archive.orkl.eu/96cb17bdffb4239cf09ffc4fa4b6a006d4aa223c.jpg"
	}
}