{
	"id": "ff72250e-0dfc-4185-b289-8fd806268859",
	"created_at": "2026-04-06T00:17:42.833121Z",
	"updated_at": "2026-04-10T13:12:07.52202Z",
	"deleted_at": null,
	"sha1_hash": "bb10a2db9f52f24763f0601c5ae64dd4e343c127",
	"title": "Understanding LockBit - Packt SecPro",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64990,
	"plain_text": "Understanding LockBit - Packt SecPro\r\nBy packtsecurity\r\nPublished: 2022-06-02 · Archived: 2026-04-05 13:49:49 UTC\r\nA SecPro Super Issue: Understanding LockBit\r\nFor those of you in the UK, you may be winding down for the week already and getting ready for the Queen’s Platinum Jubilee – a celebration of a monarch who has seen the world change from the low-tech world of the 1950s to the technological revolution that we are living through today. In a world unimaginably different from that of those who witnessed a coronation in 1953, taking a minute to reflect on the leaps and bounds we have made as a species is something that people often forget to do.\r\nOf course, the rise of modern computers saw another significant rise – cybercriminals. No one is more aware of the rising threat than cybersecurity professionals, so here’s some light reading for the long weekend. If you’re not in the UK, you can just enjoy a super issue without the special occasion.\r\nThanks for reading and we’ll see you again on Friday!\r\nCheers!\r\nAustin Miller\r\nEditor-in-Chief\r\nUnderstanding the LockBit Ransomware\r\nBy Andy Pantelli\r\nBreaking down the BitWise Spider ransomware operation\r\nThis article looks at the origins of the adversary, how the group evolved, and how it became one of the most prolific criminal gangs operating Ransomware-as-a-Service. We then take a look at the tactics, techniques \u0026 procedures (TTPs) the adversary uses and break them down.\r\nThe origins of BitWise Spider go back to September 2019. Known then as ABCD ransomware, the gang promoted and supported its operation on Russian-language underground forums, developing a strong, professional operation until June 2021, when those forums banned ransomware advertising and the group could no longer post there. This prompted a relaunch: the group released LockBit 2.0 ransomware \u0026 the StealBit information stealer, and it is this incarnation that CrowdStrike tracks under the name BITWISE SPIDER.\r\nhttps://security.packt.com/understanding-lockbit/\r\nPage 1 of 9\r\nThis appears to have been a milestone for the group, which then saw its reputation and popularity grow in the dark web community as it matured LockBit 2.0 into a far more functional Ransomware-as-a-Service (RaaS) offering. We take a deeper look at the adversary’s TTPs later in the article.\r\nHaving become one of the most prolific ransomware gangs, the group looked to mature both its software and its business model. LockBit operations were by now growing, along with recruitment and marketing aimed at affiliates. What exactly is an ‘affiliate’?\r\nRansomware-as-a-Service developers maximize their product’s exposure by providing it to third parties, or ‘affiliates’, who in turn focus on targeting victims and infecting their networks. The developers and the affiliates then split the ransom proceeds from each infection.\r\nThis model worked successfully for BitWise Spider, allowing the developers to focus on development and profit while also placing a layer between the gang and the victim that makes detection or prosecution of the developers more difficult. Affiliate schemes are used by almost all ransomware developers: each affiliate is given a unique identifier, embedded in the ransomware build, which directs any payout to the affiliate that caused the infection.\r\nBitWise Spider comes of age\r\nBy March 2022 the gang had matured its code, enriched its features, added functionality and introduced new tactics. This included data extortion, as the group began to name new victims on its dark web leak site.  
Using an array of TTPs, the group has been responsible for many high-profile attacks, such as the August 2021 attack on Accenture, which coincided with the group’s own marketing campaign to recruit new affiliates. The Fortune 500 company later confirmed the breach; a $50m ransom was demanded, failing which company data would be leaked. Accenture subsequently disclosed the incident in its October SEC filing, which referred to the “extraction of proprietary information” during the August attack.\r\nLockBit 2.0 added several new features: automatic encryption of devices across Microsoft Windows Active Directory domains, removal of shadow copies, self-propagation, the ability to bypass User Account Control (UAC), ESXi support, and even the capability of printing ransom notes on the victim’s network-connected printers. Some of the techniques used are publicly available, such as credential dumping with Mimikatz for privilege escalation, but the group also claims to have the fastest encryption of any ransomware, using a multithreaded approach and, in its own words, the following methods to boost performance:\r\n• Open files with the FILE_FLAG_NO_BUFFERING flag, write by sector size\r\n• Transfer work with files to Native API\r\n• Use asynchronous file I/O\r\n• Use I/O completion ports\r\n• Pass control to the kernel yourself, Google KiFastSystemCall\r\nNot content with this improvement, the developers at BitWise Spider introduced StealBit, shifting their tactics to data exfiltration as a double-extortion lever.  
Victims of ransomware may be unwilling to pay for a number of reasons: lack of financial resources, available backups, or doubt that the data would actually be decrypted even if the blackmailers were paid. This pushed criminal gangs towards threatening victims that, unless payment were made, the stolen data would be released online or sold.\r\nStealBit is developed and maintained by the group; a graphic in the original article (not reproduced here) compared it favourably against the tools used by other ransomware operations.\r\n[Table from the original article, not reproduced here: hash values of selected StealBit samples observed in the security community.]\r\nMITRE ATT\u0026CK\r\n[Table from the original article, not reproduced here: ATT\u0026CK tactics, techniques \u0026 procedures (TTPs) observed to be used by the adversary.]\r\nIndustries \u0026 Countries Targeted\r\nLockBit targets diverse industry sectors \u0026 geographical regions. Most attacks are observed in the US, India \u0026 Brazil, with the Commonwealth of Independent States (CIS) being avoided. By sector, healthcare leads, closely followed by education, even though the group has issued a statement claiming that it does not target “healthcare, charity or educational institutions”. This prompted the US Department of Health and Human Services (HHS) to issue a note on the group’s “contradictory code of ethics”, warning the public not to rely on such statements, which have been shown not to be true.\r\nInitial Access\r\nLockBit affiliates gain access via compromised servers, or via RDP or VPN accounts protected by weak credentials that can be brute-forced. A further delivery method is exploitation of CVE-2018-13379, a path traversal in the Fortinet FortiOS SSL VPN web portal that leaks session credentials. LockBit also makes use of Mimikatz to harvest credentials and escalate privileges.\r\nExecution\r\nThe payload is executed from the command line or via scheduled tasks and can propagate to other machines.  
It is also known to use the PowerShell Empire post-exploitation agent.\r\nPersistence\r\nRegistry Run keys / Startup folders.\r\nDiscovery\r\nAdvanced Port Scanner, Network Scanner \u0026 AdFind are used to enumerate connected machines.\r\nLateral movement\r\nSelf-propagation via SMB using compromised credentials or Group Policy. PsExec or Cobalt Strike is used for lateral movement.\r\nExfiltration\r\nData is exfiltrated to the cloud storage web application MEGA or via FreeFileSync. The group’s own StealBit tool is also used for exfiltration.\r\nImpact\r\nThe ransomware payload encrypts victim machines upon execution, including local and network drives, using AES for file contents with the per-file keys protected by the operator’s public key (see File Encryption below). It can print the ransom note on connected printers, and the desktop wallpaper is replaced.\r\nRansom note file name: Restore-My-Files.txt\r\nTactics\r\nThe use of affiliates, marketing \u0026 the gang’s dedicated leak site for publishing stolen data are direct tactics to drive monetization. Offering Ransomware-as-a-Service is a tactic for avoiding direct involvement in intrusions and obstructing law enforcement action.\r\nKnown target industries include, but are not limited to: cryptocurrency, academia, aviation, aerospace, healthcare, insurance, food and beverage, chemicals, energy, oil and gas, manufacturing, hospitality, real estate, travel, logistics and transportation, legal, retail, and government, alongside purely opportunistic targeting.\r\nThe 74 known target countries include Taiwan, China, Poland, the Netherlands, Mexico, the United States, Belgium, Colombia, Denmark, Chile, Vietnam, and Peru.\r\nThe gang has built a strong selling point with affiliates around the speed of the malware, whose capabilities are well known, and maximizes that selling point through various means of publicity. External factors also influence victim selection, with a preference for victims in Europe that are exposed to GDPR penalties. 
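The TTPs listed above lend themselves to a simple hunt over endpoint telemetry. The following Python is an added example and is not code from the original article or from the LockBit operators: it runs rules for the shadow copy and boot-recovery commands, AdFind discovery, PsExec lateral movement, the Restore-My-Files.txt ransom note and the .lockbit extension over a handful of constructed Sysmon-style events (the host names, paths and field layout are assumptions, not real telemetry).

```python
# Added example, not code from the original article or from LockBit: a minimal hunt over
# Sysmon-style telemetry for the TTPs summarised in the ATT&CK section above (AdFind
# discovery, PsExec lateral movement, shadow copy and boot-recovery destruction, the
# Restore-My-Files.txt note and the .lockbit extension). All events are constructed.
import ntpath
import re
from collections import defaultdict

def norm(cmd):
    # Case-fold and collapse whitespace so padding or casing does not dodge the patterns.
    return ' '.join(cmd.lower().split())

# (tactic, description, pattern over the normalised command line). The Impact patterns
# require the destructive arguments, not just the binary: 'vssadmin list shadows' is
# routine administration and must not fire; 'vssadmin delete shadows /all /quiet' is not.
PROCESS_RULES = [
    ('Impact', 'shadow copies deleted (vssadmin)',
     re.compile('vssadmin(?:[.]exe)? delete shadows')),
    ('Impact', 'shadow copies deleted (wmic)',
     re.compile('wmic(?:[.]exe)? shadowcopy delete')),
    ('Impact', 'boot recovery disabled (bcdedit)',
     re.compile('bcdedit(?:[.]exe)? /set [^ ]+ '
                '(?:recoveryenabled no|bootstatuspolicy ignoreallfailures)')),
    ('Discovery', 'AD enumeration (AdFind)',
     re.compile('(?:^|[^a-z0-9_])adfind(?:[.]exe)?(?:$|[^a-z0-9_])')),
    ('Lateral Movement', 'remote execution (PsExec)',
     re.compile('(?:^|[^a-z0-9_])psexec(?:64)?(?:[.]exe)?(?:$|[^a-z0-9_])')),
]

# (tactic, description, predicate over the lower-cased file name).
FILE_RULES = [
    ('Impact', 'ransom note dropped (Restore-My-Files.txt)',
     lambda name: name == 'restore-my-files.txt'),
    ('Impact', 'file renamed with .lockbit extension',
     lambda name: name.endswith('.lockbit')),
]

# Constructed events using Sysmon EventID 1 (process creation) and 11 (file create) fields.
EVENTS = [
    {'host': 'FS01', 'event': 1, 'cmd': 'vssadmin  list shadows'},
    {'host': 'WS07', 'event': 1, 'cmd': 'C:\\Tools\\AdFind.exe -f objectcategory=computer -csv'},
    {'host': 'WS07', 'event': 1, 'cmd': 'PsExec64.exe \\\\FS01 -s -d C:\\Temp\\lb.exe'},
    {'host': 'FS01', 'event': 1, 'cmd': 'cmd.exe /c vssadmin delete shadows /all /quiet & '
                                        'wmic shadowcopy delete & '
                                        'bcdedit /set {default} bootstatuspolicy ignoreallfailures & '
                                        'bcdedit /set {default} recoveryenabled no'},
    {'host': 'FS01', 'event': 11, 'file': 'D:\\Shares\\Finance\\Restore-My-Files.txt'},
    {'host': 'FS01', 'event': 11, 'file': 'D:\\Shares\\Finance\\Q2-forecast.xlsx.lockbit'},
]

def hunt(events):
    '''Return {host: sorted list of (tactic, description)} for every host with a hit.'''
    hits = defaultdict(set)
    for ev in events:
        if ev['event'] == 1:
            cmd = norm(ev['cmd'])
            for tactic, desc, pattern in PROCESS_RULES:
                if pattern.search(cmd):
                    hits[ev['host']].add((tactic, desc))
        elif ev['event'] == 11:
            # ntpath.basename splits on backslashes regardless of the analyst's OS.
            name = ntpath.basename(ev['file']).lower()
            for tactic, desc, matches in FILE_RULES:
                if matches(name):
                    hits[ev['host']].add((tactic, desc))
    return {host: sorted(found) for host, found in hits.items()}

def triage(findings):
    '''Any Impact finding means encryption is already underway on that host; Discovery
    or Lateral Movement alone means the operator is still staging and can be cut off.'''
    return {host: ('encryption underway' if any(t == 'Impact' for t, _ in found)
                   else 'pre-encryption activity')
            for host, found in findings.items()}

if __name__ == '__main__':
    findings = hunt(EVENTS)
    for host, verdict in triage(findings).items():
        print(host, '->', verdict)
        for tactic, desc in findings[host]:
            print('   ', tactic + ':', desc)
```

Two points worth keeping when porting this to a real SIEM: match on the destructive arguments rather than the binary name, since vssadmin and bcdedit have plenty of legitimate uses, and treat any Impact hit as an incident already in progress, because by the time shadow copies are gone the encryption threads are usually running.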
\r\nTechniques\r\nAs with many ransomware families, LockBit checks the system language to avoid encrypting systems in Russia or other nearby CIS states. The malware calls GetSystemDefaultUILanguage and GetUserDefaultUILanguage to check whether the system or user default UI language is on its avoid list:\r\nAzerbaijani (Cyrillic, Azerbaijan), Azerbaijani (Latin, Azerbaijan), Armenian (Armenia), Belarusian (Belarus), Georgian (Georgia), Kazakh (Kazakhstan), Kyrgyz (Kyrgyzstan), Russian (Moldova), Russian (Russia), Tajik (Cyrillic, Tajikistan), Turkmen (Turkmenistan), Uzbek (Cyrillic, Uzbekistan), Uzbek (Latin, Uzbekistan), and Ukrainian (Ukraine).\r\nIf either language is on the list, an if statement calls ExitProcess and the malware terminates itself.\r\nStrings in LockBit executables are encoded and stored as stack strings. Before use they are decoded dynamically through operations such as addition, subtraction or XOR; this is the stack string anti-analysis technique.\r\nAs with many major ransomware variants, LockBit resolves APIs dynamically to hinder analysis, but the gang has enhanced the technique by inlining the entire resolving process at each call site, which makes the decompiled code much larger and therefore more difficult \u0026 time-consuming to analyse.\r\nTo load the API libraries into memory, the malware uses hashing \u0026 obfuscation to locate the DLL base and walk its export table, which returns the target API address.  
After loading all required libraries, LockBit restricts access to its own process: it calls NtOpenProcess to obtain a handle to the current process, then resolves GetSecurityInfo to retrieve the process security descriptor. It initialises a SID for the EVERYONE group and uses RtlAddAccessDeniedAce to add an ACCESS_DENIED access control entry for EVERYONE, which effectively protects the malware process from being opened by other processes. The same ACE is added for each process the malware uses. Critical error messages are suppressed, and RtlAdjustPrivilege is called to enable SE_TAKE_OWNERSHIP_PRIVILEGE.\r\nPrivilege escalation\r\nNext, LockBit attempts to elevate the privileges of the current account, calling GetTokenInformation to retrieve information about the user account associated with the process token. By retrieving and comparing the account SID, the malware determines its current privilege level and begins escalating if required.\r\nLogging\r\nThe malware then makes a number of calls to create hidden debug windows, which can be viewed while it runs with the hot key combination Shift+F1.\r\nCommand Line\r\nLockBit can be run with or without command-line arguments. Once encryption of the target file or directory is complete, the process terminates.\r\nMutex\r\nLockBit checks for, and so avoids, multiple running ransomware instances by checking for a mutex named from the GUID-style stack string {%02X%02X%02X%02X-%02X%02X-%02X%02X-%02X%02X%02X%02X%02X%02X}.\r\nActive Directory\r\nLockBit checks the OS version and, on Windows Vista or above, tries to create and link new Group Policy Objects that push the malware to the other hosts in the Active Directory domain. Using NtOpenProcessToken and NtQueryInformationToken, the malware looks up the account and domain it is running under. To connect to the AD domain, LockBit generates the LDAP display name for the Group Policy Object by resolving a stack string and formatting it with the public key. It then extracts the DNS domain name and uses it to create a new GPO. Lastly, the AD path is built by formatting the string LDAP://CN=\u003cGPO GUID\u003e,CN=Policies,CN=System,DC=\u003cDomain component 1\u003e,DC=\u003cDomain Component 2\u003e, and CreateGPOLink is called with that path to link the GPO to the Active Directory domain.\r\nGroup Policy payload\r\nLockBit formats a ScheduledTasks.xml file that executes taskkill.exe for each process in its kill list, then drops a Registry.pol file containing the following registry paths and values:\r\n• Software\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware: True\r\n• Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring: True\r\n• Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent: Never send\r\n• Software\\Policies\\Microsoft\\Windows Defender\\Threats\\Threats_ThreatSeverityDefaultAction: Enabled\r\n• Software\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction\\Low: Ignored\r\n• Software\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction\\Medium: Ignored\r\n• Software\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction\\High: Ignored\r\n• Software\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction\\Severe: Ignored\r\n• Software\\Policies\\Microsoft\\Windows Defender\\UX Configuration\\Notification_Suppress: Enabled\r\nApplied through Group Policy, these settings disable Windows Defender anti-spyware and real-time protection, stop samples being submitted to Microsoft, set the default action for every threat severity to Ignore, and suppress notifications on every host the GPO reaches.\r\nPersistence\r\nBefore executing its encryption routines, LockBit configures persistence via the registry so that it resumes if interrupted by a system shutdown.  
Once encryption is complete, the malware removes the persistence key by calling RegDeleteValueW, so that it does not run again if the user restarts the machine after encryption.\r\nDeleting backups\r\nLockBit deletes shadow copies by resolving the string /c vssadmin delete shadows /all /quiet \u0026 wmic shadowcopy delete \u0026 bcdedit /set {default} bootstatuspolicy ignoreallfailures \u0026 bcdedit /set {default} recoveryenabled no and passing it to ShellExecuteA. The command uses vssadmin and wmic to delete all shadow copies and bcdedit to disable boot failure handling and automatic recovery.\r\nWallpaper\r\nNext, the default file extension and desktop background are set and the ransom note printing task is run.\r\nPrinting\r\nEnumPrintersW is called to retrieve information about the installed printers. The internal function resolves two strings, Microsoft Print to PDF and Microsoft XPS Document Writer, and compares each printer name against them; if the name matches either, the function returns and the ransom note is not sent to that printer. This ensures the note is only printed on physical printers and never to a file.\r\nExtension\r\nAll files encrypted by LockBit are given the extension .lockbit. Using NtCreateFile and NtWriteFile, the malware resolves the stack string \\Registry\\Machine\\Software\\Classes\\.lockbit (formatted, like other strings, using its public key) and calls NtCreateKey to register the extension in the registry.\r\nFile Encryption\r\nPrior to encryption, LockBit enumerates all volumes on the target system using FindFirstVolumeW and FindNextVolumeW and retrieves the list of drive letters and mounted folder paths. It then iterates the drive letters from Z to A, mounting any volume that lacks a letter to a free one by calling SetVolumeMountPointW.  
For randomness the malware loads bcrypt.dll with LoadLibraryA and uses BCryptGenRandom, falling back to CryptGenRandom. Public-key cryptography is provided by libsodium. Next, as seen before, a stack string is resolved and formatted with the public key; this is later used as a registry key under which the victim’s encryption keys are stored. The malware calls libsodium’s crypto_box_keypair to generate a random 32-byte private key and the corresponding public key for the victim, then encrypts the 64-byte buffer containing both keys with crypto_box_easy to the operator’s embedded public key and wipes the victim’s private key from memory, so that only the operator can recover it.\r\nAfter setting up the keys, LockBit initialises the multithreaded encryption described earlier and traverses all local drives, skipping drives that are unavailable or have already been encrypted. Files marked read-only have their attribute changed to FILE_ATTRIBUTE_NORMAL, making them writable and available for encryption. Files are encrypted in 512-byte chunks and given the extension .lockbit. For each file the malware again calls the RNG to generate a 16-byte AES key and 16-byte AES IV, writes them into the encrypted file’s metadata structure, and renames the file by populating a FILE_NAME_INFORMATION structure with the encrypted file name and calling NtSetInformationFile with the FileNameInformation class.\r\nIn the final stage LockBit creates threads to traverse and encrypt other network hosts and network drives: it calls GetAdaptersInfo and then inet_addr to convert the system’s IP address and subnet mask.  
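The address-range computation that sentence sets up, together with a detector for the fan-out it produces on the wire, as an added example that is not code from the original article or from LockBit. It uses Python’s standard ipaddress module; the connection-log format, the 60-second window, the 20-destination threshold and the assumption that hosts sit in /24 subnets are all constructed for illustration.

```python
# Added example, not code from the original article or from LockBit: the subnet arithmetic
# the propagation stage performs from its own IP address and mask, and a detector for the
# resulting 135/445 fan-out in connection telemetry. Log format, thresholds and the /24
# assumption are constructed for illustration.
import ipaddress
from collections import defaultdict

SWEEP_PORTS = {135, 445}

def sweep_targets(ip, mask):
    '''Every address from the network address up to the broadcast address, inclusive,
    excluding the host itself: the range the article describes LockBit iterating.'''
    net = ipaddress.IPv4Network((ip, mask), strict=False)
    own = ipaddress.IPv4Address(ip)
    return [str(addr) for addr in net if addr != own]

def same_subnet(src, dst, prefix=24):
    # Assumption for the demo: hosts live in /24s. Use the real mask where it is known.
    return ipaddress.IPv4Address(dst) in ipaddress.IPv4Network((src, prefix), strict=False)

def detect_fan_out(lines, window=60, threshold=20):
    '''Flag sources that touch at least `threshold` distinct in-subnet destinations on a
    sweep port within `window` seconds. Distinct destinations, not connection count, is
    the signal: a workstation hitting one file server 1000 times is normal; one host
    touching every address in its /24 on 445, mostly refused, is a sweep.
    Each line: <epoch seconds> <src ip> <dst ip> <dst port> <outcome>.
    Returns {src: peak distinct-destination count seen in any window}.'''
    attempts = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _outcome = line.split()
        if int(port) in SWEEP_PORTS and same_subnet(src, dst):
            attempts[src].append((int(ts), dst))
    alerts = {}
    for src, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            if distinct >= threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts

def sample_log():
    '''Constructed telemetry: 10.10.5.7 (infected) has swept the first 60 addresses of its
    /24 on 445, refused everywhere except the file server 10.10.5.9; 10.10.5.20 (benign)
    talks to that file server on 445 and to a jump host on 3389 repeatedly.'''
    lines = []
    for i, dst in enumerate(sweep_targets('10.10.5.7', '255.255.255.0')[:60]):
        outcome = 'ok' if dst == '10.10.5.9' else 'refused'
        lines.append(f'{1000 + i // 4} 10.10.5.7 {dst} 445 {outcome}')
    for i in range(30):
        lines.append(f'{1000 + i} 10.10.5.20 10.10.5.9 445 ok')
        lines.append(f'{1000 + i} 10.10.5.20 10.10.5.10 3389 ok')
    return lines

if __name__ == '__main__':
    print(len(sweep_targets('10.10.5.7', '255.255.255.0')), 'addresses to try in a /24')
    for src, peak in detect_fan_out(sample_log()).items():
        print('ALERT: sweep from', src, '- distinct 135/445 targets in one window:', peak)
```

The detector ignores the outcome field on purpose: in a sweep the refused attempts are as telling as the successes, so filtering telemetry down to established connections before hunting would hide exactly this behaviour.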
Once the broadcast domain is identified, LockBit scans the network, iterating from the network address up to the broadcast address and attempting to connect to each host on port 135 or 445; where a connection succeeds, it attempts to encrypt that host.\r\nProcedures\r\nIndicators of Compromise\r\n[The indicators of compromise table from the original article was not captured in this copy.]\r\nFurther reading\r\nWant to find out more about LockBit? Check out these links.\r\nhttps://github.com/cdong1012/IDAPython-Malware-Scripts/blob/master/Lockbit/lockbit_dropped_files/Registry.pol\r\nhttps://asec.ahnlab.com/en/17147/\r\nhttps://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/\r\nhttps://www.trustedsec.com/blog/weaponizing-group-policy-objects-access/\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/\r\nSource: https://security.packt.com/understanding-lockbit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://security.packt.com/understanding-lockbit/"
	],
	"report_names": [
		"understanding-lockbit"
	],
	"threat_actors": [
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3940f08b-39aa-492c-8699-86bfe515fa70",
			"created_at": "2023-01-06T13:46:39.470535Z",
			"updated_at": "2026-04-10T02:00:03.339964Z",
			"deleted_at": null,
			"main_name": "BITWISE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:BITWISE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434662,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb10a2db9f52f24763f0601c5ae64dd4e343c127.pdf",
		"text": "https://archive.orkl.eu/bb10a2db9f52f24763f0601c5ae64dd4e343c127.txt",
		"img": "https://archive.orkl.eu/bb10a2db9f52f24763f0601c5ae64dd4e343c127.jpg"
	}
}