{
	"id": "72f53a22-741b-415c-a393-d9631f46b10e",
	"created_at": "2026-04-06T00:06:34.836069Z",
	"updated_at": "2026-04-10T13:12:45.67069Z",
	"deleted_at": null,
	"sha1_hash": "e421789f2ec2552132d99a6a5b97844d4ee8ed70",
	"title": "Everything You Need to Know About LockBit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 236126,
	"plain_text": "Everything You Need to Know About LockBit\r\nBy Aaron Sandeen\r\nPublished: 2022-11-02 · Archived: 2026-04-05 17:52:01 UTC\r\nLockBit ransomware is in the minority group of ransomware families that leverage auto-propagating malware and\r\ndouble encryption methods. After its breaches into security behemoth Entrust and the Italian Revenue Agency\r\nearlier this summer, LockBit has continued to gain notoriety while on the lookout for its next victim.\r\nLockBit ransomware began its spree of high-profile attacks as early as September 2019 and has remained one of\r\nthe most prolific groups to date. Motivated by large payouts, the group doesn't fear targeting larger corporations\r\nand enterprises.\r\nThe ransomware group is known for its particular qualities of a triple-extortion method, sophisticated technology,\r\nhigh-severity cyberattacks, and heavy marketing to affiliates. LockBit's presence is felt globally, and industries are\r\nafforded only short moments of respite when the group retreats to develop more devastating upgrades to their\r\ntoolkit. Its attack frequency and strategy make the group a force to beware of in the cybersecurity world,\r\ndemonstrating its determination to cause harm.\r\nLockBit: The Brief\r\nLockBit markets itself as ransomware-as-a-service (RaaS). It works in conjunction with other bad actors\r\nwho perform attacks for hire and then split the funds between the LockBit developer team and other\r\naccomplices.\r\nThe LockBit family targets both CVE-2021-22986 and CVE-2018-13379.\r\nThe Russian threat actor group TA505 (also known as Hive0065) has been observed using the LockBit\r\nransomware payload in its attacks.\r\nNew Variants\r\nLockBit's origins began as an ABCD cryptovirus in 2019. Its main targets were government organizations in\r\nNorth America, Europe, and APAC regions and included private companies as well, with crypto as their form of\r\nransom payment.\r\nEarly targets of LockBit in 2019 and 2020 included Windows systems within financial and healthcare institutions.\r\nThe ransomware group then took a hiatus to improve its malware kit and operation strategy. To date, two LockBit\r\nversions in addition to the initial version have been released, with each subsequent release possessing increased\r\nattack capabilities.\r\nLockBit 2.0\r\nhttps://www.darkreading.com/vulnerabilities-threats/everything-you-need-to-know-about-lockbit\r\nPage 1 of 3\r\nLockBit 2.0 was introduced in June 2021 and was documented in attacks in Taiwan, Chile, and the UK. In the 2.0\r\nversion, LockBit added the double-extortion technique and auto-encryption of hardware across Windows domains\r\nfor which it became known. Later in the fall of 2021, the group began branching out into Linux servers, too,\r\nspecifically attacking ESXi servers.\r\nLockBit 3.0, Also Known as LockBit Black\r\nAfter another brief hiatus, LockBit returned in June 2022 with the release of another improved version of the\r\nransomware, including a bug bounty program that financially incentivizes researchers to share bug reports. In\r\naddition to the program, version 3.0 includes Zcash payments and developed new extortion tactics. Building on\r\ntop of architecture found in BlackMatter and DarkSide, LockBit has now refined its evasion practices and\r\npasswordless execution, and implemented command-line features.\r\nThe updated LockBit ransomware was used to attack and steal data from the Italian Revenue Agency and a county\r\noffice in Ontario, Canada. On top of encryption and the threat of data leaks, the ransomware group has included\r\ndenial-of-service attacks to increase the pressure on victims.\r\nIn a surprising turn of events, an alleged LockBit developer leaked the group's builder used to design the 3.0\r\nversion on Twitter, citing frustration with the group's leadership as their motivation for the leak. This was a blow to the\r\ngroup but also a potential risk to the cybersecurity field, as the leaked information can equip new individuals with the\r\nnecessary tools to start their own ransomware kit. Within a week of the leak, a new ransomware group\r\nwas observed using the builder to target companies.\r\nHow Dangerous Is LockBit?\r\nLockBit has a diverse arsenal of technologies and techniques to go after the largest organizations, regardless of\r\nindustry. Here is a snapshot of the tools, tactics, and methods that make LockBit so dangerous:\r\nStealBit, a malware tool first found in the 2.0 version, was designed for encryption and is believed to be the\r\nmost efficient and quickest encryption tool.\r\nStealBit automatically spreads to other connected devices along a network by taking advantage of\r\nWindows PowerShell and Server Message Block.\r\nLockBit's malware can now infect both Windows and Linux systems, whereas initially it could only target\r\nWindows systems.\r\nThe creation of the bug bounty program is the group's attempt at establishing itself as a professional group\r\nof hackers while simultaneously improving its defenses.\r\nLockBit 3.0 introduced Zcash payment options for ransom collection and to avoid interference from law\r\nenforcement agencies.\r\nHow to Prevent a LockBit Attack\r\nCurb unnecessary permissions: Applying more restrictions on permissions is a good habit to get into,\r\nas more levels of authentication make it difficult for remote hackers to escalate permissions and\r\ngain greater access. Pay close attention to users with IT and admin-level permissions.\r\nMonitor your attack surface: Incorporate a solution that scans your entire attack surface for potential entry\r\npoints for attackers. Routinely monitor existing and newly added assets on your organization's network.\r\nSecurity leadership can keep attackers away by cultivating a culture of vigilance with structured vulnerability\r\nmanagement processes that prioritize threats based on severity and risk. Despite LockBit's capabilities,\r\norganizations do have options when it comes to protecting themselves and their partners.\r\nAbout the Author\r\nCEO \u0026 Co-Founder, Securin\r\nAaron Sandeen is the CEO and co-founder of Securin (formerly Cyber Security Works), a Department of\r\nHomeland Security-sponsored company focused on helping leaders proactively increase their resilience against\r\never-evolving security threats on-premises and in the cloud. Aaron leads Securin in providing intelligent and\r\nactionable security insights at every layer of company operations.\r\nSource: https://www.darkreading.com/vulnerabilities-threats/everything-you-need-to-know-about-lockbit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.darkreading.com/vulnerabilities-threats/everything-you-need-to-know-about-lockbit"
	],
	"report_names": [
		"everything-you-need-to-know-about-lockbit"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433994,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e421789f2ec2552132d99a6a5b97844d4ee8ed70.pdf",
		"text": "https://archive.orkl.eu/e421789f2ec2552132d99a6a5b97844d4ee8ed70.txt",
		"img": "https://archive.orkl.eu/e421789f2ec2552132d99a6a5b97844d4ee8ed70.jpg"
	}
}