{
	"id": "c8cce16c-91c6-4a0b-b803-a5bbda055dea",
	"created_at": "2026-04-06T00:21:27.261673Z",
	"updated_at": "2026-04-10T03:21:34.146579Z",
	"deleted_at": null,
	"sha1_hash": "ceb1042b99eb5efd17783ddbb81d6d85b519611a",
	"title": "LockBit, the new ransomware for hire: A sad and cautionary tale",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 289075,
	"plain_text": "LockBit, the new ransomware for hire: A sad and cautionary tale\r\nBy Dan Goodin\r\nPublished: 2020-05-01 · Archived: 2026-04-05 13:46:36 UTC\r\nAfter getting in, LockBit used a dual method to map out and infect the victimized network. ARP tables, which\r\nmap local IP addresses to device MAC addresses, helped to locate accessible systems, and Server Message Block (SMB), a\r\nprotocol used for sharing files and folders among networked machines, allowed the infected nodes to connect to\r\nuninfected ones. LockBit would then execute a PowerShell script that spread the ransomware to those machines.\r\nUsing SMB, ARP tables, and PowerShell is an increasingly common way of spreading malware throughout a\r\nnetwork, and with good reason. Because almost all networks rely on these tools, it’s hard for antivirus and other\r\nnetwork defenses to detect their malicious use. LockBit had another means of staying stealthy. The malicious file\r\nthe PowerShell script downloaded was disguised as a PNG image. In fact, the downloaded file was a program\r\nexecutable that encrypted the files on the machine.\r\nLockBit had another clever trick. Before the ransomware encrypted data, it connected to an attacker-controlled\r\nserver and then used the machine’s IP address to determine where it was located. If it resided in Russia or another\r\ncountry belonging to the Commonwealth of Independent States, it would abort the process. The reason is most\r\nlikely to avoid being prosecuted by law enforcement authorities there.\r\nOnce the data was locked up, organization computers were left with a desktop that looked something like this:\r\nCredit: McAfee\r\nThe ransomware note looked like this:\r\nCredit: McAfee\r\nCustomer support, determination, and confidence\r\nIn a tragic but all-too-common failing, the organization that was hit by LockBit had no recent backup. With its\r\nentire network tied up, leaders had a choice of either paying the ransom or losing their data forever. They opted for\r\nthe first option.\r\nUsing a Tor site, the organization paid the ransom and, after several hours, used the same anonymous service to\r\nobtain the decryption key. Like many other ransomware operators, those behind this attack had a support desk that\r\ncommunicated over the anonymized Jabber messenger to resolve several problems the organization had in\r\nrebuilding the locked-up network.\r\nSource: https://arstechnica.com/information-technology/2020/05/lockbit-the-new-ransomware-for-hire-a-sad-and-cautionary-tale/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://arstechnica.com/information-technology/2020/05/lockbit-the-new-ransomware-for-hire-a-sad-and-cautionary-tale/"
	],
	"report_names": [
		"lockbit-the-new-ransomware-for-hire-a-sad-and-cautionary-tale"
	],
	"threat_actors": [],
	"ts_created_at": 1775434887,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ceb1042b99eb5efd17783ddbb81d6d85b519611a.pdf",
		"text": "https://archive.orkl.eu/ceb1042b99eb5efd17783ddbb81d6d85b519611a.txt",
		"img": "https://archive.orkl.eu/ceb1042b99eb5efd17783ddbb81d6d85b519611a.jpg"
	}
}