{
	"id": "73c188db-5c7e-43c0-986b-7383593a4c95",
	"created_at": "2026-04-06T00:08:09.597186Z",
	"updated_at": "2026-04-10T03:22:09.382774Z",
	"deleted_at": null,
	"sha1_hash": "aec5e1eba7f2c65fb83a33c0b8f88ad123b4147f",
	"title": "LockBit ransomware — What You Need to Know",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 154514,
	"plain_text": "LockBit ransomware — What You Need to Know\r\nBy Kaspersky\r\nPublished: 2020-09-25 · Archived: 2026-04-05 13:45:34 UTC\r\nLockBit Definition\r\nLockBit ransomware is malicious software designed to block user access to computer systems until a ransom is paid. LockBit automatically vets for valuable targets, spreads the infection, and encrypts every accessible computer system on a network. It is used for highly targeted attacks against enterprises and other organizations. As a largely self-piloted attack, LockBit operators have made their mark by threatening organizations globally with the following:\r\nOperations disruption, with essential functions coming to a sudden halt.\r\nExtortion for the attacker’s financial gain.\r\nData theft and publication of the stolen data as blackmail if the victim does not comply.\r\nWhat is LockBit ransomware?\r\nLockBit is a newer ransomware family in a long line of extortion cyberattacks. Formerly known as “ABCD” ransomware, it has since grown into a distinct threat within this class of extortion tools. LockBit belongs to the subclass of ransomware known as a ‘crypto virus’, because its ransom demand is payment in exchange for decryption. It focuses mostly on enterprises and government organizations rather than individuals.\r\nAttacks using LockBit began in September 2019, when it was dubbed the “.abcd virus.” The moniker referred to the file extension appended to a victim’s files when they were encrypted. Notable past targets include organizations in the United States, China, India, Indonesia and Ukraine. Various countries throughout Europe (France, the UK, Germany) have also seen attacks.\r\nViable targets are ones that will feel hindered enough by the disruption to pay a heavy sum — and have the funds to do so. As such, this can result in sprawling attacks against large enterprises, from healthcare to financial institutions. 
In its automated vetting process, it also appears to intentionally avoid attacking systems located in Russia or other countries within the Commonwealth of Independent States, presumably to avoid prosecution in those jurisdictions.\r\nLockBit functions as ransomware-as-a-service (RaaS). Willing parties put down a deposit for the use of custom for-hire attacks and profit under an affiliate framework. Ransom payments are divided between the LockBit developer team and the attacking affiliates, who receive up to ¾ of the ransom funds.\r\nHow does LockBit ransomware work?\r\nhttps://www.kaspersky.com/resource-center/threats/lockbit-ransomware\r\nPage 1 of 5\r\nLockBit ransomware is considered by many authorities to be part of the “LockerGoga \u0026 MegaCortex” malware family. This simply means that it shares behaviors with these established forms of targeted ransomware. As a quick explanation, these attacks are:\r\nSelf-spreading within an organization rather than requiring manual direction.\r\nTargeted rather than spread in a scattershot fashion like spam malware.\r\nUsing similar tools to spread, like Windows PowerShell and Server Message Block (SMB).\r\nMost significant is its ability to self-propagate, meaning it spreads on its own. LockBit is directed by pre-designed automated processes, which sets it apart from many other ransomware attacks that are driven by operators manually living in the network — sometimes for weeks — to complete reconnaissance and surveillance.\r\nAfter the attacker has manually infected a single host, the malware can find other accessible hosts, connect to them from the infected ones, and spread the infection using a script. This is repeated entirely without human intervention. Furthermore, it uses tools and patterns that are native to nearly all Windows systems, so endpoint security products have a hard time flagging the activity as malicious. 
It also hides the encrypting executable by disguising it as a common .PNG image file, further deceiving defenses.\r\nStages of LockBit attacks\r\nLockBit attacks can be understood in roughly three stages:\r\n1. Exploit\r\n2. Infiltrate\r\n3. Deploy\r\nStage 1: Exploit weaknesses in a network. The initial breach looks much like other malicious attacks. An organization may be compromised through social engineering tactics like phishing, in which attackers impersonate trusted personnel or authorities to request access credentials. Equally viable is the use of brute force attacks against an organization’s intranet servers and network systems. Without proper network configuration, such probing may take only a few days to succeed.\r\nOnce LockBit has made it into a network, the ransomware prepares the system to release its encrypting payload across every device it can reach. However, an attacker may have to complete a few additional steps before making the final move.\r\nStage 2: Infiltrate deeper to complete attack setup if needed. From this point forward, the LockBit program directs all activity independently. It is programmed to use “post-exploitation” tools to escalate privileges to an attack-ready level of access. It also uses the access it already has to move laterally and vet further targets for viability.\r\nIt is at this stage that LockBit takes any preparatory actions before deploying the encryption portion of the ransomware. This includes disabling security programs and any other infrastructure that could permit system recovery.\r\nThe goal of infiltration is to make unassisted recovery impossible, or slow enough that giving in to the attacker’s ransom demand is the only practical solution. 
When the victim is desperate to get operations back to normal, that is when they will pay the ransom.\r\nStage 3: Deploy the encryption payload. Once the network has been prepared for LockBit to be fully mobilized, the ransomware begins propagating across any machine it can touch. As stated previously, LockBit doesn’t need much to complete this stage. A single system with high-level access can issue commands to other network hosts to download LockBit and run it.\r\nThe encryption portion places a “lock” on all the system files. Victims can only unlock their systems with a custom key created by LockBit’s proprietary decryption tool. The process also leaves copies of a simple ransom note text file in every folder. It gives the victim instructions to restore their system and, in some LockBit versions, includes threats of blackmail.\r\nWith all the stages completed, the next steps are left up to the victim. They may decide to contact LockBit’s support desk and pay the ransom. However, following their demands is not advised. Victims have no guarantee that the attackers will follow through on their end of the bargain.\r\nTypes of LockBit threats\r\nAs a recent ransomware attack, the LockBit threat is a significant concern. We cannot rule out the possibility that it takes hold across many industries and organizations, especially with the recent increase in remote working. Spotting LockBit’s variants can help with identifying exactly what you are dealing with.\r\nVariant 1 — .abcd extension\r\nLockBit’s original version renames files with the “.abcd” extension. It also drops a ransom note with demands and instructions for the alleged restoration in a file named “Restore-My-Files.txt”, inserted into every folder.\r\nVariant 2 — .LockBit extension\r\nThe second known version of this ransomware adopted the “.LockBit” file extension, giving it its current moniker. However, victims will find that the other traits of this version are mostly identical despite some backend revisions.\r\nVariant 3 — LockBit version 2\r\nThe next identifiable version of LockBit no longer requires downloading the Tor browser in its ransom instructions. Instead, it sends victims to an alternate website reachable over the regular internet.\r\nOngoing updates and revisions to LockBit\r\nRecently, LockBit has been enhanced with more nefarious features, such as bypassing administrative permission checkpoints. LockBit now disables the safety prompts that users may see when an application attempts to run as an administrator.\r\nThe malware is now also set up to steal copies of server data, and the ransom note includes additional lines of blackmail. If the victim does not follow instructions, LockBit now threatens the public release of the victim’s private data.\r\nLockBit removal and decryption\r\nWith all the trouble that LockBit can cause, endpoint devices need thorough protection standards across your entire organization. The first step is to have a comprehensive endpoint security solution, such as Kaspersky Next EDR Optimum.\r\nIf your organization is already infected, removing the LockBit ransomware alone does not give you access to your files. You will still require a tool to restore your system, as the encryption requires a “key” to unlock. Alternatively, you may be able to restore your systems by reimaging them if you have pre-infection backup images already created.\r\nHow to protect against LockBit ransomware\r\nUltimately, you will have to set up protective measures to ensure your organization is resilient against any ransomware or malicious attack from the outset. 
Here are a few practices that can help you prepare:\r\n1. Strong passwords should be implemented. Many account breaches occur due to easy-to-guess passwords, or ones simple enough for a cracking tool to discover within a few days of probing. Make sure you pick secure passwords, such as longer ones with varied characters, and use rules of your own to craft passphrases.\r\n2. Activate multi-factor authentication. Deter brute force attacks by adding layers atop your initial password-based logins. Include measures like biometrics or physical USB key authenticators on all your systems where possible.\r\n3. Reassess and simplify user account permissions. Restrict permissions to stricter levels to limit potential threats from passing undeterred. Pay special attention to accounts used by endpoint users and to IT accounts with admin-level permissions. Web domains, collaborative platforms, web meeting services, and enterprise databases should all be secured.\r\n4. Clean out outdated and unused user accounts. Some older systems may have accounts from past employees that were never deactivated and closed. A check-up on your systems should include removing these potential weak points.\r\n5. Ensure system configurations follow all security procedures. This may take time, but revisiting existing setups may reveal new issues and outdated policies that put your organization at risk of attack. Standard operating procedures must be reassessed periodically to stay current against new cyber threats.\r\n6. Always have system-wide backups and clean local machine images prepared. Incidents will happen, and the only true safeguard against permanent data loss is an offline copy. Your organization should create backups periodically to keep up to date with any important changes to your systems. 
In case a backup becomes tainted with a malware infection, consider keeping multiple rotating backup points so that a clean period can be selected.\r\n7. Be sure to have a comprehensive enterprise cyber security solution in place. While LockBit can try to disable protections once inside a host, enterprise cyber security software helps you catch malicious file downloads across the entire organization with real-time protection. Learn more about Kaspersky Security Solutions for Enterprise to help you protect your business and devices.\r\nSource: https://www.kaspersky.com/resource-center/threats/lockbit-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.kaspersky.com/resource-center/threats/lockbit-ransomware"
	],
	"report_names": [
		"lockbit-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434089,
	"ts_updated_at": 1775791329,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aec5e1eba7f2c65fb83a33c0b8f88ad123b4147f.pdf",
		"text": "https://archive.orkl.eu/aec5e1eba7f2c65fb83a33c0b8f88ad123b4147f.txt",
		"img": "https://archive.orkl.eu/aec5e1eba7f2c65fb83a33c0b8f88ad123b4147f.jpg"
	}
}