{
	"id": "5ae26e9d-09c7-4339-bdaf-352b0a33bb65",
	"created_at": "2026-04-06T00:15:21.448445Z",
	"updated_at": "2026-04-10T03:26:47.158591Z",
	"deleted_at": null,
	"sha1_hash": "dc2f245558ad8f6e711ed6c1d40788abb0c7550a",
	"title": "LockBit Ransomware Gang Attacks an MSP and Two Manufacturers Using RMM Tools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7493469,
	"plain_text": "LockBit Ransomware Gang Attacks an MSP and Two\r\nManufacturers Using RMM Tools\r\nBy Elizabeth Clarke\r\nArchived: 2026-04-05 20:24:25 UTC\r\nExecutive Summary\r\neSentire, a top global Managed Detection and Response (MDR) security services provider, intercepted and shut\r\ndown three separate ransomware attacks launched by affiliates of the notorious, Russia-linked LockBit\r\nRansomware Gang. The FBI estimates that the LockBit operators and their affiliates have collected approximately\r\n$91 million since the group's inception, and that is just U.S. ransoms. LockBit functions as a Ransomware-as-a-Service (RaaS) model where other cybercriminals are recruited to conduct ransomware attacks using LockBit's\r\ntools and infrastructure. LockBit is one of the most pervasive, lucrative and destructive ransomware groups\r\ncurrently operating worldwide.\r\nTwo incidents disrupted by eSentire occurred between February 2023 and June 2023, and one occurred in\r\nFebruary 2022. The companies targeted include a storage materials manufacturer, a manufacturer of home décor,\r\nand a Managed Service Provider (MSP).\r\neSentire's security research team, the Threat Response Unit (TRU), found that in each attack, once the LockBit\r\nhackers gained initial access to the targets, they either used the companies' remote monitoring and management\r\n(RMM) tools, their remote access software, or brought in their own RMM tools to try and spread ransomware\r\nacross the targets' IT environment, or in the case of the MSP, push their malware to the MSP's downstream\r\ncustomers.\r\nRMM tools and remote access software are types of software used by individual companies, as well as by IT\r\nConsultants, VARs and MSPs. For example, individual businesses use this software so their internal IT teams can\r\nmanage computer systems at multiple locations. 
IT Consultants, VARs and MSPs also use RMM tools and remote\r\naccess software to help monitor and maintain their end customers' IT systems remotely.\r\nWhen cybercriminals avoid the use of trademark malware and use legitimate technology tools already present\r\nwithin a company's IT environment, this is known as Living-off-the-Land. It is a tactic that hackers have used for\r\nnumerous years, and it can be very effective because it helps the threat actors avoid detection and it makes\r\nattribution more difficult – particularly when IT management tools can be accessed remotely or from the cloud.\r\nThis means that usage of standard IT tools, by a malicious threat actor, will not look any different than legitimate\r\nusage because:\r\n1. They are already installed and in use in the corporate environment.\r\n2. Network traffic does not stand out when an RMM tool or remote access software is being managed through\r\na cloud service.\r\nhttps://www.esentire.com/blog/russia-linked-lockbit-ransomware-gang-attacks-an-msp-and-two-manufacturers-using-the-targets-rmm-tools-to-infect-downstream-customers-and-employees-with-ransomware\r\nPage 1 of 24\n\nIn this report, TRU will detail three separate incidents. These events will illustrate how these businesses could\r\nhave suffered significant disruption if the LockBit affiliates had not been quickly detected and had their\r\nransomware attempts neutralized.\r\nComments from Keegan Keplinger, Senior Threat Intelligence Researcher with\r\nTRU\r\n\"LockBit affiliates tend to get initial access via numerous methods, including browser-based attacks like\r\nSocGholish, exploitation of vulnerable servers exposed to the Internet, and valid credentials.\"\r\n\"Some LockBit affiliates have moved towards a Living-off-the-Land attack model, leveraging valid credentials\r\nand using legitimate RMM tools and remote access software to deploy their ransomware, including Advanced IP\r\nScanner, AnyDesk, Atera and ConnectWise ScreenConnect™. 
Using valid credentials for initial access and\r\nlegitimate software for intrusion actions raises the bar for detecting attacks.\"\r\n\"The LockBit operators purport to have an open affiliate model, and they state on their leak site, ‘We are located\r\nin the Netherlands, completely apolitical and only interested in money. It does not matter what country you live in,\r\nwhat types of language you speak, what age you are, what religion you believe in, anyone on the planet can work\r\nwith us at any time of the year.' Interestingly, there haven't been reported cases of LockBit attacking organizations\r\nin Russia, and Russian nationals have been arrested in association with LockBit operations, as recently as June\r\n2023.\"\r\n\"LockBit is one of the busiest global ransomware operations in commission, with victims across geographic and\r\nvertical domains, ranging from small mom and pop businesses to large, industrial manufacturing companies.\"\r\nLockBit's Rise to Power and their Success in the U.S.\r\nThe Russian-speaking LockBit operators and their affiliates are one of the most prolific, destructive and lucrative\r\nransomware groups in operation today. They emerged on the scene in late 2019, but it is believed they did not\r\nlaunch their ransomware-as-a-service operation until January 2020. Since that time, they have racked up victims\r\nacross the globe. In a June 2023 U.S. Cybersecurity and Infrastructure Security Agency (CISA) security advisory,\r\nthe FBI estimated that between January 2020 and June 2023, the LockBit gang launched 1,700 attacks against\r\nU.S. organizations, many in critical infrastructure sectors. These were companies and public entities in the\r\nhealthcare, government, technology and manufacturing industries. The FBI also estimated that the LockBit\r\noperators and their affiliates collected approximately $91 million, bringing their U.S. ransom total to just shy of\r\nthe renowned $100 million club.\r\nOne of their most destructive U.S. 
attacks was in February 2023, when LockBit affiliates hit the city of Oakland,\r\nCalifornia. The attack wreaked havoc for weeks, causing many of the city's systems to go down and requiring city\r\nmanagers to take their IT network offline out of caution.\r\nSeveral of the city's non-emergency phone lines were offline or seriously impacted, the attack delayed the \"response\r\ntimes\" of Oakland's police department, and it affected at least six different government departments. As a\r\nresult, the city administrators called a state of emergency one week after the ransomware attack. And the LockBit\r\nhackers didn't stop there. They also reportedly leaked a large amount of sensitive data about city employees,\r\nincluding social security numbers, medical data, home addresses and other personal information for some Oakland\r\nresidents.\r\nLockBit Attacks Hospitals in Canada and France, Showing No Mercy in France\r\nThe LockBit cybercriminals also went after critical infrastructure organizations in the U.K., Canada, France, Italy,\r\nAustralia and New Zealand, among other countries. Readers might recall that it was the LockBit gang that\r\nattacked Toronto's Hospital for Sick Children last December, delaying patient care because of the hospital's\r\ndifficulty in processing lab results and medical images. Shockingly, on December 31, the LockBit operators issued\r\na public apology to the hospital, provided them with a free decryptor, and stated that the \"partner\" responsible for\r\nthe attack violated their rules and, as a result, was being kicked out of their affiliate program. Toronto's Hospital\r\nfor Sick Children was just one of many Canadian organizations hit by LockBit in 2022. 
According to the country's\r\ncyber intelligence agency, the Communications Security Establishment (CSE), LockBit was responsible for 22%\r\nof attributed ransomware incidents in Canada in 2022.\r\nMeanwhile, halfway around the world, officials in Australia claimed that LockBit was behind 18 percent of the\r\ntotal reported ransomware incidents in their country between April 1, 2022, and March 31, 2023.\r\nThe LockBit operators might have shown sympathy to the children's hospital in Canada. However, they certainly\r\ndidn't show any mercy when one of their affiliates attacked the computer networks of a French hospital, Centre\r\nHospitalier Sud Francilien (CHSF), in late August 2022. The attack caused the hospital to reroute emergency\r\npatients to other regional hospitals. Patients whose care depended on the affected technology also had to be\r\ndiverted to other facilities. The attack also seriously disrupted the hospital's operating rooms because many\r\ntechnical systems went down. The LockBit hackers demanded a $10 million ransom, and it was reported that after the\r\nhospital refused to pay, the LockBit threat actors published personal data about staff members and patients and\r\nbusiness data concerning the hospital's partner organizations.\r\nLockBit Hackers Halt International Shipping for U.K.’s National Postal Service\r\nfor Over a Month and Breach a Maximum-Security Fence Manufacturer in the\r\nU.K.\r\nThe LockBit gang continued their criminal acts, kicking off 2023 with a bang. In early January, a LockBit affiliate\r\ndecided to breach the U.K.'s postal service, the Royal Mail. The attack brought the postal organization's\r\ninternational shipping department to a complete standstill for over a month. The hackers initially demanded a\r\nransom of $80 million but later reduced it to $40 million. 
According to one news report, it was not clear if the\r\nRoyal Mail paid any of the ransom, and when a Royal Mail spokesperson was asked, they declined to answer.\r\nAlthough the Royal Mail attack drew headlines, it is LockBit’s August 2023 breach of England-based Zaun\r\nLimited, a maximum-security perimeter fencing manufacturer, which is currently sounding alarms with U.K.\r\ngovernment officials. Zaun manufactures security gates, perimeter fencing and other physical security barriers,\r\nand counts among its customers the U.K.’s Ministry of Defense. In early September, U.K. tabloids began reporting\r\nthat the LockBit gang had published thousands of pages stolen from Zaun on their Dark Web leak site, which\r\ncontained sensitive data relating to Zaun's work with various organizations within the U.K.’s Ministry of Defense.\r\nReportedly, the leaked data includes information pertaining to the Royal Navy's Clyde nuclear submarine\r\nbase, located in Scotland; security equipment at a Royal Air Force station in England; the Porton Down chemical\r\nweapons lab in England; and detailed drawings for perimeter fencing and a map highlighting installations at\r\nCawdor, a U.K. army site in Wales. It was also reported that sales orders for a Government Communications\r\nHeadquarters (GCHQ) facility in England and a series of U.K. prisons were leaked by LockBit.\r\nTobias Ellwood, a member of the U.K.’s Parliament who sits on the Commons Defense Select Committee, said this\r\nabout the reported breach, \"The government needs to explain why this firm's computer systems were so\r\nvulnerable. Any information which gives security arrangements to potential enemies is of huge concern.\"\r\nLockBit Rakes in $91 Million from U.S. 
Victims\r\nAlthough the LockBit operators are Russian-speaking, they claim to be based in the Netherlands. It is reported that\r\nthe LockBit operators maintain the ransomware encryptors and the websites, including their Dark Web leak site.\r\nThe affiliates are tasked with breaking into the victim networks, stealing the data and encrypting the victims'\r\ndevices. It is generally believed that the affiliates pay the LockBit operators 20 percent of the ransom monies they\r\ncollect. Although it is not publicly known how many operators run the LockBit syndicate, the fact is that 20\r\npercent of $91 million (the FBI's estimate of the ransoms paid to LockBit by U.S. organizations between January\r\n2020 and June 2023) is $26 million and tax free. Not bad wages for working part-time.\r\nFor comparison, the average annual salary for a software engineer working in Russia is $19,000. So, even if there\r\nare 10 operators behind LockBit, each operator's take would be $2.6 million over three and a half years, giving the\r\noperators an average annual salary of approximately $743,000, and that estimate only includes U.S. ransoms.\r\nLockBit's Clever Marketing Tactics to Lure their Partners in Crime\r\nAs previously mentioned, LockBit functions as a Ransomware-as-a-Service (RaaS) model. Another\r\ninteresting aspect of LockBit is the set of clever marketing tactics used to recruit their affiliates, including:\r\nEnsuring affiliates get paid first—Affiliates are allowed to receive the ransom payment in full and then\r\nsend the operators their portion. 
Typically, most RaaS operations do the exact opposite, where the core\r\noperators get paid the ransom and then send the affiliates their agreed upon cut.\r\nBadmouthing other RaaS groups in underground forums.\r\nPromoting the LockBit brand by paying people to get LockBit tattoos and issuing a $1 million bounty on\r\ninformation leading to the identity of LockBit's head operator, who uses the alias \"LockBitSupp.\"\r\nProviding a simple, point-and-click interface for its ransomware, making it easy to use, so even affiliates\r\nwith minimal technical skills can use it.\r\nA LockBit Affiliate Attacks an MSP and Tries to Infect their Downstream\r\nCustomers\r\nIn tracking the activities of the LockBit group, it did not come as a surprise to TRU that LockBit used RMM tools\r\nor remote access software in their attacks against eSentire's customers. In fact, in CISA's June security advisory,\r\nthey specifically called out how LockBit affiliates are repurposing remote access software such as AnyDesk, Atera\r\nand ConnectWise ScreenConnect™ and other legitimate software for their ransomware operations.\r\nCybercriminals are leveraging these powerful tools because users and organizations are not executing Access\r\nControl Management best practices when using these solutions. Extra caution should be taken whenever RMM\r\nand other Remote Access Technologies are utilized.\r\nDuring the first quarter of 2023, cyber analysts with eSentire's Security Operations Center (SOC) were alerted by\r\neSentire's MDR for Endpoint solution that ransomware was being detected and blocked on a handful of customers'\r\ncomputers. 
TRU was immediately called in to investigate and to make sure no other actions had been taken by the\r\nthreat actors, such as lateral movement, persistence, and credential access, and to determine how the hackers\r\ngained initial entry.\r\nThe impacted endpoints were promptly isolated, and the malware was identified as LockBit. TRU wiped the\r\ncomputers clean and initiated a threat hunt to make sure the LockBit criminals were no longer in the customers'\r\nnetworks. Once it was confirmed the cybercriminals were gone, TRU began investigating how the LockBit\r\nhackers were able to gain access.\r\nTRU discovered that each organization hit by LockBit was a client of the same MSP. TRU reached out to the MSP\r\nto begin running down possible leads, and the picture started coming together.\r\nSpeculating on Initial Access\r\nThe initial question asked by TRU was how the LockBit ransomware got onto the endpoints of multiple\r\ncustomers. The MSP showed no signs of a break-in; thus, TRU thought the threat actors might have gotten valid\r\ncredentials to the MSP's remote access software. In previous cases, TRU has seen the LockBit ransomware\r\ndeployed into a victim's environment after it was infected with the malware loader SocGholish.\r\nHowever, SocGholish was not discovered during the incident investigation.\r\nTRU identified that the MSP had the login panel for its ConnectWise ScreenConnect™ solution exposed to the\r\nInternet. 
Many providers of remote access solutions will leave this service open to the Internet, to make it easier\r\nfor their customers' IT administrators to access the service for deployment, device enrollments, file sharing and\r\nbrand building.\r\nHowever, if an IT system, like a remote access solution, is open to the Internet, threat actors can use any number\r\nof search services, like Shodan, to find Internet-connected systems and devices and then target those systems for\r\nransomware attacks or other types of attacks.\r\nTo avoid situations like this, it is recommended that all providers of RMM services and remote access software:\r\nEnforce two-factor authentication for all RMM and remote access software services and ensure the use of\r\nstrong and unique passwords for these types of accounts.\r\nImplement Access Control Lists (ACLs) for trusted IPs. However, if an end customer is roaming, they\r\nshould connect to a VPN.\r\nAlternatively, RMM and remote access software providers can implement the use of client SSL certificates\r\nbefore customers can access these solutions.\r\nIf protections like these are not in place, then the chances of threat actors gaining access are significantly higher.\r\nFor example, cybercriminals can brute-force or phish a set of legitimate credentials. Alternatively, plenty of\r\nlegitimate login credentials are for sale on the Underground Marketplaces. In tracking these Dark Web markets,\r\nTRU observed countless posts advertising stolen credentials for some of the most popular RMM and remote\r\naccess software, including AnyDesk, Atera, ConnectWise ScreenConnect™ and Kaseya VSA.\r\nThe price for a set of credentials is a mere $10. 
See Figure 1.\r\nFigure 1: Partial image of posts in an underground Russian Dark Market selling login credentials for\r\npopular RMM services for $10 per set\r\nIf threat actors are able to obtain system administration credentials from a provider of RMM tools or remote\r\naccess software, or if they are able to procure a set of legitimate access credentials from a customer of an RMM or\r\nremote access software provider and can work their way into obtaining system administration credentials, then\r\nchances are good that the threat actors can deploy ransomware or other malware to a service provider’s\r\ndownstream customers. This is why it is so important that remote access providers have two-factor authentication,\r\nstrong password usage, and secure remote access rules in place.\r\nRemote Monitoring and Management tools and remote access software are powerful, productive solutions. They\r\nhelp individual companies manage their computer systems at multiple locations and they help manage their\r\nemployees’ remote access to the corporate network. 
Additionally, many small and medium businesses (SMBs)\r\ndepend heavily on IT Consultants, VARs and MSPs to help them maintain their IT systems, assuring the SMBs\r\nthat their computer environment is always up and running, 24/7, so that they in turn can focus on their core business.\r\nHowever, as this report illustrates, these powerful solutions require the users of these tools, whether it be an\r\nindividual company or a VAR, Consultant or MSP, to implement Access Control Management best practices and\r\ntake extra caution whenever RMM and other Remote Access Technologies are utilized.\r\nLockBit Attack Intercepted\r\nAs previously mentioned, because the hackers used the LockBit ransomware as their final payload against several\r\nof the MSP's customers, the attack was quickly intercepted and shut down. The impacted endpoints were promptly\r\nisolated, the malware identified, the computers wiped clean, and TRU carried out a threat hunt to make sure the\r\nLockBit threat actors were no longer in the customers' networks.\r\nSee technical details of this LockBit incident at the end of the report.\r\nFigure 2: Ransomware wallpaper\r\nLockBit Brings PsExec and AnyDesk in its Attack Against a Home Décor\r\nManufacturer\r\nIn this incident, LockBit affiliates were detected disabling Windows services on the endpoint of a manufacturing\r\ncompany. 
Because the activity showed the signs of a hands-on intrusion, the incident was escalated for active response by TRU.\r\nDuring the investigation, it was discovered that a PsExec service had been initiated and was being leveraged by\r\nthe threat actors to delete files they brought into the manufacturer's environment, making it harder for security\r\ndefenders to retrace the threat actors' steps and gather forensics.\r\nThe computers were immediately isolated from the network, and PsExec usage was traced back to an unmanaged,\r\nunprotected machine. The threat actors were also attempting to establish persistence via AnyDesk, an RMM tool\r\nalso known to be popular in LockBit intrusions. Further attempts to spread to other computers were detected\r\nfrom the unmanaged endpoint. At this time, TRU suspected the LockBit affiliates had administrator privileges on\r\nthat specific computer. The threat actors attempted to delete shadow volume copies of the manufacturer's files, a\r\nmethod that can certainly inhibit recovery from a ransomware attack. However, the LockBit affiliates were\r\nunsuccessful. Working with the client, eSentire disabled the source machine. The ransomware affiliates were\r\nsuppressed through host isolation and infrastructure blocking, and the threat was shut down.\r\nLockBit Targets a Storage Materials Manufacturer and Uses Multiple RMM Tools\r\nTrying to Spread Ransomware Across the Victim’s Network\r\nIn late May 2023, eSentire's 24/7 SOC alerted TRU that suspicious activity had been spotted on a corporate\r\ndesktop belonging to a manufacturer of storage materials. 
Upon investigation, TRU found that a threat actor had\r\ngained an initial foothold into the organization's network and had uploaded a Microsoft Installer (MSI) file onto one of the\r\ncompany's computers. They then installed the remote access software, ConnectWise ScreenConnect™, and used it\r\nto push ransomware onto a different corporate computer. Interestingly, the manufacturer also had the ConnectWise\r\nScreenConnect™ software implemented as part of their IT environment.\r\neSentire's endpoint solution immediately detected the malicious software and blocked the execution of the\r\nransomware binary. The computer was taken off the network, and the ransomware code was wiped from the\r\nsystem. TRU conducted further investigations to assess lateral movement and persistence in the environment,\r\nfinding that an additional RMM tool, TSD Service, had been written to disk. No additional persistence\r\nmechanisms were found.\r\nWhy would the LockBit hackers bring their own copy of ConnectWise ScreenConnect™, when the target already\r\nhad the software installed in their corporate environment? TRU surmises that the threat actors may not have had\r\ncredentials for the company's ConnectWise ScreenConnect™ software and decided it would be quieter and less\r\nintrusive if they brought their own copy into the target's environment. 
Because the manufacturer already had the\r\nsoftware running in their network, the presence of additional copies would not immediately raise a red flag with\r\nsystem administrators and security defenders.\r\nHow Organizations Can Prevent Cybercriminals from Hijacking their RMM Tools\r\nand Remote Access Software and Infecting their Employees and End Customers\r\nwith Ransomware\r\nThe LockBit attack against the MSP and the two manufacturers highlights the importance of securing RMM tools\r\nand remote access software. Below are security tips for defending against LockBit and other cyberthreats that utilize\r\nan organization's legitimate IT tools to spread malware and hide in plain sight.\r\n1. Enforce two-factor authentication for all RMM and remote access solutions, VPNs and other key software\r\nsystems. Ensure strong and unique passwords are used for remote access accounts and other key system\r\naccounts.\r\n2. Implement Access Control Lists (ACLs) for trusted IPs. However, if an end customer is roaming, they\r\nshould connect to a VPN.\r\n3. Alternatively, MSPs could implement the use of client SSL certificates before customers can access the\r\nRMM system or remote access solution.\r\n4. Don't be too explicit about your software stack in job offerings. Because job offers are necessarily public\r\nfacing, threat actors can use these to understand what software is employed in your company and –\r\ntherefore – craft personalized phishing lures that employees are less likely to question.\r\n5. Phishing awareness: Any employees with access to RMM or remote access software should receive\r\nadditional instruction to scrutinize communications that appear to come from a provider of these services.\r\n6. Ensure your organization's IT environment, including your network, endpoints and logs (both on-premises\r\nand in the cloud), is protected by a 24/7 Managed Detection and Response solution.\r\n7. 
Know what level of response/remediation and incident handling is provided as part of your 24/7 Managed\r\nDetection and Response offering.\r\n8. Proactive threat intel operationalized – sweeps/proactive hunts to uncover malicious actors across customer\r\norganizations, after initial discovery.\r\n9. Ensure that your organization is doing regular and timely patching and updating of its software\r\napplications, operating systems and all third-party tools.\r\n10. Educate your clients about the importance of cybersecurity and work with them to establish security\r\npolicies and guidelines for their employees.\r\nThe CISA LockBit security advisory also details more of the threat group's techniques, tactics and procedures\r\n(TTPs). See here.\r\nTechnical Details of the LockBit Attack Against the MSP\r\nDuring LockBit's attack against the MSP, the ransomware binaries were dropped on multiple endpoints within five\r\nminutes. Downstream customer organizations in which the LockBit affiliates attempted to deploy ransomware\r\nincluded manufacturing organizations and companies in business services, transportation and hospitality.\r\nTRU believes the threat actor(s) likely generated a new ransomware build for three of the customers, based on the\r\nhashes, to circumvent hash blocking. The threat actors dropped 32-bit and 64-bit versions of LockBit ransomware\r\nbinaries on Windows servers, and the PowerShell loader for the DLL version of the ransomware on one of the\r\nhosts. TRU saw that the LockBit Green version was dropped onto the hosts, along with other LockBit versions. LockBit\r\nGreen was released at the beginning of 2023 and was first reported by vx-underground.\r\nTRU was able to recover the PowerShell script dropped by the threat group on one of the servers. 
The script is\r\nnamed \"LBB_PS1_obfuscated\". The first layer of the obfuscated script consists mostly of the code lines\r\nresponsible for concatenating and reversing the order of the characters.\r\nFigure 3: First layer of obfuscated PowerShell script\r\nBefore executing the decoded data, the script attempts to disable the Anti-Malware Scan Interface (AMSI) by\r\nsetting amsiInitFailed (a field of the System.Management.Automation.AmsiUtils class) to \"True\", which disables the scan\r\nfor the current process. AMSI is a feature in Windows that can be used by antivirus and other security products to\r\nscan PowerShell commands for malicious content.\r\nThe function \"fnD\" takes an array of 64-bit integers within the $data array, decodes them using bitwise AND\r\n(-band) operations, and returns the decoded string as ASCII; $scb is then populated with the decoded strings.\r\nFigure 4: Second layer of obfuscated PowerShell script\r\nThe third deobfuscated layer reveals the PowerShell loader that contains the LockBit ransomware binary. The\r\ndeobfuscated script is responsible for reflectively loading the DLL, which is base64-encoded and GZIP-compressed,\r\ninto the current process in memory, resulting in the ransomware execution.\r\nFigure 5: Decoded ransomware binary\r\nLockBit uses the ROR13 hashing algorithm for API hashing. API hashing is used in malware to evade detection. 
The\r\nprocess involves creating a unique hash value for the API function, which can help the malware bypass signature-based detection techniques used by security tools.\r\nFigure 6: API hashing algorithm\r\nMost of the API hashes are further obfuscated with XOR. The XOR key 0x11039FFE is hardcoded in the binary.\r\nTRU was able to resolve the hashes using the HashDB plugin, developed by OALabs.\r\nFigure 7: Blob of the API hashes that are resolved with the HashDB plugin\r\nLockBit implements trampolines including rotate and XOR operations (with the key mentioned above) to call out\r\nto specific API functions.\r\nFigure 8: Example of trampolines implemented by LockBit\r\nThe ransomware binary contains multiple anti-debugging functions. When a debugger is detected, the\r\nForceFlags field is set to the HEAP_TAIL_CHECKING_ENABLED flag, and the sequence 0xABABABAB is\r\nappended at the end of the allocated heap block.\r\nFigure 9: Anti-debug technique (1)\r\nAnother anti-debugging technique the ransomware implements uses ZwSetInformationThread with\r\nThreadInformationClass set to 0x11 (ThreadHideFromDebugger) to hide the threads from the debugger. 
The\r\ndebugger won't be able to receive any events while the threads are running.\r\nFigure 10: Anti-debug technique (2)\r\nThe third anti-debugging technique is implemented by encrypting the call to DbgUiRemoteBreakin.\r\nDbgUiRemoteBreakin is used by debuggers to remotely break into a running process and interrupt its execution.\r\nWhen a debugger needs to debug a process, it can call the DbgUiRemoteBreakin function to cause the process to\r\nbreak into the debugger, which allows the debugger to take control and examine the process' state. Thirty-two\r\nbytes are encrypted by the SystemFunction040 (RtlEncryptMemory) function after modifying the memory protection\r\nof DbgUiRemoteBreakin to PAGE_EXECUTE_READWRITE. This will cause the DbgUiRemoteBreakin call to\r\nbe corrupted.\r\nFigure 11: Anti-debug technique (3)\r\nLockBit determines the version of the Windows operating system currently running on the system from the PEB\r\n(Process Environment Block) data structure.\r\nFigure 12: Retrieving OS version\r\nThe ransomware creates a mutex to prevent another instance of the ransomware running. The mutex is the MD4\r\nhash of the infected machine's GUID (globally unique identifier), for example,\r\n\"Global\\\\a91a66d6abc26041b701bf8da3de4d0f\". 
If another instance is already running, the ransomware terminates its execution, and the PowerShell ransomware loader file is removed by running \"cmd.exe /c del /f /q\" on it, which deletes the file without prompting for confirmation.\r\nFigure 13: Mutex creation\r\nLockBit also implements a UAC bypass via the COM Elevation Moniker \"Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\". The moniker syntax \"Elevation:Administrator!new:{CLSID}\" asks COM to create a new instance of the class with the given CLSID in an elevated (administrator) context; because the target class is registered to elevate without prompting, no UAC dialog is shown, and the process can then run code with administrator privileges through that object.\r\nFigure 14: UAC bypass\r\nThe ransomware decrypts its strings using bitwise XOR operations, as shown below. TRU wrote an IDAPython script (linked in the references) that decrypts the strings within the ransomware binary.\r\nFigure 15: String decryption\r\nLockBit leverages TrustedInstaller to stop services such as Microsoft Defender Antivirus: it queries for the TrustedInstaller service, starts it, and duplicates the token of the TrustedInstaller.exe process. It is worth mentioning that a similar technique was observed in the Hive ransomware.\r\nFigure 16: Starting TrustedInstaller service\r\nThe ransomware avoids encrypting files with the following extensions:\r\n386, adv, ani, bat, bin, cab, cmd, com, cpl, cur, deskthemepack, diagcab, diagcfg, diagpkg, dll, drv, exe, hlp, icl, icns, ico, ics, idx, ldf, lnk, mod, mpa, msc, msp, msstyles, ns5, nls, nomedia, ocx, prf, ps1, rom, rtp, tc2, th3, spl, sys, theme, themepack, wpx, lock, key, hta, msi, pdb\r\nThe following files are also skipped from encryption:\r\nautorun.inf, boot.ini, bootfont.bin, bootsect.bak, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db\r\nList of services to be killed by the ransomware:\r\nvss, sql, svc$, memtas, mepocs, msexchange, sophos, veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr\r\nList of processes to be killed:\r\nsql, oracle, ocssd, dbsnmp, synctime, agntsvc, isqlplussvc, xfssvccon, mydesktopservice, ocautoupds, encsvc, firefox, tbirdconfig, mydesktopqos, ocomm, dbeng50, sqbcoreservice, excel, infopath, msaccess, mspub, onenote, outlook, powerpnt, steam, thebat, thunderbird, visio, winword, wordpad, notepad\r\nLockBit can also send the configuration of the infected machine to the C2 server in the following format:\r\n{\r\n\"host_hostname\": \"%s\",\r\n\"host_user\": 
\"%s\",\r\n\"host_os\": \"%s\",\r\n\"host_domain\": \"%s\"\r\n\"host_arch\": \"%s\",\r\n\"host_lang\": \"%s\",\r\n\"disks_info\":[\r\n{\r\n\"disk_name\": \"%s\",\r\n\"disk_size\": \"%u\",\r\n\"free_size\": \"%u\"\r\n}]\r\n}\r\nThe request uses the following user agents:\r\nMozilla/5.0\r\nAppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/91.0.4472.77\r\nSafari/537.36\r\nEdge/91.0.864.37\r\nFirefox/89.0\r\nGecko/20100101\r\nFigure 17: Ransomware note\r\nIf you’re not currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. Want to learn more? Connect with an eSentire Security Specialist.\r\nIndicators of Compromise\r\nName Indicator (SHA-256)\r\nLBG64.exe 38c813d99d54de6639a80148ff1cfc6acec08066b0912c49576604ed67e9cfaf\r\nLBG32.exe 8793537b1422beb7d314c65761135b38c63fbdefac6092e93c80191a2e22de91\r\nLBG32.exe 6a686c39a6d0e11f217ca6fce2ebc45039f2ab34daa69afb548d847ee09561c5\r\nLBB_PS1_obfuscated.ps1 6ac1084e747153b3958df7af09eb71fdeb883385f508a0bec8b983b9a87d729a\r\nLockBit DLL binary (32-bit) 5e947d728f25449601414e025ce298c69df1c6c852e3994aa1a2b23c8e8c4db4\r\nReferences:\r\nhttps://twitter.com/vxunderground/status/1618885718839001091?s=20\r\nhttps://github.com/OALabs/hashdb\r\nhttps://anti-debug.checkpoint.com/techniques/debug-flags.html\r\nhttps://github.com/RussianPanda95/IDAPython/blob/main/LockBit/lockbit_string_decrypt.py\r\nhttps://www.microsoft.com/en-us/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/\r\nhttps://research.openanalysis.net/lockbit/lockbit3/yara/triage/ransomware/2022/07/07/lockbit3.html\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.\r\nABOUT THE AUTHOR\r\nElizabeth Clarke, Director, Public Relations\r\nElizabeth creates and oversees eSentire’s global press campaigns and manages its North American and UK PR agencies. Before joining eSentire, Elizabeth served as Director of Media Relations for Dell’s security division, Secureworks, and as Director of Media and Analyst Relations for Armor Cloud Security. While in these roles, Elizabeth generated millions of dollars of media coverage for the companies’ security research. That coverage has been featured in the Wall Street Journal, the New York Times, “60 Minutes,” Forbes, Wired, CNN, CSO, CBC, Businessweek, “NBC Nightly News,” the BBC, and the London Financial Times, among others. Elizabeth has also worked with top writers: Hunter S. Thompson, William F. Buckley Jr., Jimmy Breslin, Joyce Carol Oates and Harry Crews. She received a B.A. in public relations from WKU.\r\nSource: https://www.esentire.com/blog/russia-linked-lockbit-ransomware-gang-attacks-an-msp-and-two-manufacturers-using-the-targets-rmm-tools-to-infect-downstream-customers-and-employees-with-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.esentire.com/blog/russia-linked-lockbit-ransomware-gang-attacks-an-msp-and-two-manufacturers-using-the-targets-rmm-tools-to-infect-downstream-customers-and-employees-with-ransomware"
	],
	"report_names": [
		"russia-linked-lockbit-ransomware-gang-attacks-an-msp-and-two-manufacturers-using-the-targets-rmm-tools-to-infect-downstream-customers-and-employees-with-ransomware"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434521,
	"ts_updated_at": 1775791607,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc2f245558ad8f6e711ed6c1d40788abb0c7550a.pdf",
		"text": "https://archive.orkl.eu/dc2f245558ad8f6e711ed6c1d40788abb0c7550a.txt",
		"img": "https://archive.orkl.eu/dc2f245558ad8f6e711ed6c1d40788abb0c7550a.jpg"
	}
}