{
	"id": "ff58563b-6d15-4280-bda1-81ceec6ab6ac",
	"created_at": "2026-04-06T15:54:02.157489Z",
	"updated_at": "2026-04-10T03:20:59.371463Z",
	"deleted_at": null,
	"sha1_hash": "f7e981421907295b91b9f0c6b276e0f3a1d6e03b",
	"title": "Ransomware: LockBit 2.0 Borrows Ryuk and Egregor's Tricks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 420514,
	"plain_text": "Ransomware: LockBit 2.0 Borrows Ryuk and Egregor's Tricks\r\nBy Mathew J. Schwartz\r\nArchived: 2026-04-06 15:16:41 UTC\r\nCybercrime , Fraud Management \u0026 Cybercrime , Malware as-a-Service\r\nRival Newcomer Hive's Ransomware-as-a-Service Operation Continues to Swarm Victims (euroinfosec) • August\r\n20, 2021    \r\nDesktop wallpaper deployed by LockBit 2.0 on a system it's infected (Source: Trend Micro)\r\nAs ransomware-as-a-service operations continue to compete for affiliates, the operators behind LockBit have\r\nunveiled a new version of their crypto-locking malware boasting fresh features, some borrowed from rivals.\r\nSeparately, a relatively unsophisticated newcomer called Hive has debuted.\r\nRegardless of their sophistication, however, attackers wielding both types of ransomware continue to take down\r\nfresh victims.\r\nhttps://www.bankinfosecurity.com/ransomware-lockbit-20-borrows-ryuk-egregors-tricks-a-17335\r\nPage 1 of 7\n\nBanner for the Hive ransomware-as-a-service operation's dedicated data leak site\r\nHive, for example, after less than two months of operation already lists on its data leak site more than two dozen\r\nvictims who have so far refused to pay a ransom.\r\nIn the case of LockBit, the long list of victims has lately included the consultancy giant Accenture, which recently\r\nconfirmed that it had suffered an attack and said it was restoring affected systems from backups, refusing to pay a\r\nransom. 
LockBit then dumped allegedly stolen data via its dedicated data leak site, although Accenture has\r\ndownplayed the value of what was stolen or leaked.\r\nAs with Hive, LockBit is run as a ransomware-as-a-service operation, meaning that operators maintain the\r\nmalware and offer it as a service to affiliates, who use it to infect victims.\r\n\"The LockBit group provides a set of services - usually collecting the ransom, providing the infrastructure\r\nnecessary to distribute and encrypt and apply the decryption tools and chat communications between the 'client'\r\nand the 'business,'\" Matt Olney, director of threat intelligence at Cisco Talos, has told Information Security Media\r\nGroup. \"A cut of that final ransom ... goes to the affiliate and a cut is retained by the LockBit ransomware\r\noperators.\"\r\nSecurity firm Emsisoft says LockBit and its affiliates have been extremely active in recent months.\r\nCompetition for Affiliates\r\nRansomware operators compete for affiliates, who may work with multiple operations at once. In June, LockBit's\r\noperators debuted LockBit 2.0. Experts and affiliates say that it continues to be one of the best-designed lockers\r\non the market, with a focus on speed of encryption as well as functionality. For example, LockBit 2.0 enables\r\naffiliates to use valid remote desktop protocol credentials - which remain easy to procure - to automatically access\r\nvictims' networks, and also provides them with a Trojan called StealBit designed to automatically steal data from\r\nvictims' networks, researchers at security firm Trend Micro say in a new report.\r\nTrend Micro says it's been seeing a large number of LockBit 2.0 attacks against victims in Chile as well as Italy,\r\nTaiwan and the U.K. Those results are based on the firm's own telemetry. 
Such a perspective varies by security\r\nfirm, because it's based on the firm's own honeypots as well as any malware encountered by customers running its\r\nendpoint and server security software.\r\nLockBit is one of a number of operations that continue to exfiltrate data as part of a double extortion tactic\r\ndesigned to increase the pressure on victims to pay. Many attackers now claim to have stolen data - although\r\nthieves do have a propensity to lie - and use dedicated data leak sites to first try to name and shame victims who\r\nwon't pay, followed by leaking extracts of stolen data. For victims who still refuse to pay, many groups will\r\ntypically dump all stolen data online as an example to any future victims who likewise decline to pay.\r\nLockBit 2.0 Infection Chain\r\nOnce attackers gain access to a system and deploy LockBit 2.0, the malware \"uses a network scanner to identify\r\nthe network structure and to find the target domain controller,\" Trend Micro says. \"It also uses multiple batch files\r\nthat can be used to terminate processes, services and security tools. There are also batch files for enabling RDP\r\nconnections on the infected machine.\"\r\nLockBit 2.0's infection chain (Source: Trend Micro)\r\nRansomware attackers' main target is typically Active Directory's domain controller, because it enables them to\r\noperate as an administrator and push malware onto any endpoint - and Trend Micro says LockBit 2.0 is no\r\ndifferent. \"Once in the domain controller, the ransomware creates new group policies and sends them to every\r\ndevice on the network,\" it says. 
\"These policies disable Windows Defender, and distribute and execute the\r\nransomware binary to each Windows machine.\"\r\nRansom note - filename: Restore-My-Files.txt - dropped by LockBit into directories of files it has encrypted\r\n(Source: Trend Micro)\r\nIf LockBit 2.0 successfully crypto-locks a system, then, like many other types of ransomware, it will drop ransom\r\nnotes into encrypted directories as well as change the desktop wallpaper, Trend Micro says. The wallpaper not\r\nonly includes instructions for how victims can pay a ransom, but also advertises the group to potential affiliates,\r\ntelling would-be recruits they can \"earn millions of dollars\" without ever sharing their real identity with the\r\noperation.\r\nLearning From Maze, Ryuk and Egregor\r\nInterpol says LockBit first partnered with the now-defunct Maze ransomware group in May 2020 before\r\nbeginning to launch its own attacks several months later. Experts say LockBit appeared to recruit a number of\r\nformer Maze affiliates by offering them a better cut of every ransom paid.\r\nLockBit has continued to significantly refine its malware, and with LockBit 2.0 in particular, it has added cutting-edge features previously seen in Ryuk and Egregor ransomware, Trend Micro says. 
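The Ryuk-style wake-on-LAN trick that the next sentences describe relies on a fixed-format datagram, the magic packet, which makes it one of the few LockBit 2.0 behaviours a defender can recognise on the wire. The Python below is an added example written for this page, not code from the article, Trend Micro, Ryuk or LockBit: it builds a magic packet, pulls one out of an arbitrary UDP payload, and then runs that parser over a handful of constructed UDP records to flag senders that are not on an allow-list of management hosts. The host addresses, MAC addresses, timestamps and the allow-list are all made up for the example.

```python
# Added example, not from the article, Trend Micro, Ryuk or LockBit: building and
# recognising wake-on-LAN magic packets, the mechanism the article says LockBit 2.0
# borrowed from Ryuk to power on dormant hosts before encrypting them.
# Every address, timestamp and record below is constructed for the example.

SYNC = bytes([0xFF] * 6)  # six 0xFF bytes open every magic packet (the sync stream)


def mac_to_bytes(mac):
    '''Accept aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF and return the six raw octets.'''
    parts = mac.replace('-', ':').split(':')
    if len(parts) != 6:
        raise ValueError('MAC address must have six octets: %r' % mac)
    return bytes(int(p, 16) for p in parts)


def build_magic_packet(mac, secure_on=b''):
    '''Magic packet layout: sync stream, then the target MAC repeated 16 times
    (102 bytes). An optional 4 or 6 byte SecureOn password may be appended.'''
    if secure_on and len(secure_on) not in (4, 6):
        raise ValueError('SecureOn password must be 4 or 6 bytes')
    return SYNC + mac_to_bytes(mac) * 16 + secure_on


def parse_magic_packet(payload):
    '''Return the woken MAC (lower case, colon separated) if the payload carries a
    magic packet, otherwise None. The sync stream may sit anywhere in the datagram:
    NICs scan the frame for it rather than expecting a fixed offset, so senders
    are free to pad, and a detector has to scan the same way.'''
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6:start + 6 + 96]
        mac = body[:6]
        if len(body) == 96 and body == mac * 16 and mac != SYNC:
            return ':'.join('%02x' % octet for octet in mac)
        start = payload.find(SYNC, start + 1)  # longer runs of 0xFF: slide along
    return None


# Constructed UDP records: (timestamp, src_ip, dst_ip, dst_port, payload).
# Hosts allowed to send WoL on this fictional network, e.g. a deployment server;
# anything else emitting magic packets deserves a look.
MANAGEMENT_HOSTS = {'10.0.0.5'}

SAMPLE_UDP = [
    ('2021-08-19T02:10:01', '10.0.0.5', '10.0.255.255', 9,
     build_magic_packet('00:1a:2b:3c:4d:5e')),
    ('2021-08-19T02:14:27', '10.0.3.17', '10.0.255.255', 9,
     build_magic_packet('00:1a:2b:3c:4d:5f')),
    ('2021-08-19T02:14:28', '10.0.3.17', '10.0.255.255', 7,
     bytes(20) + build_magic_packet('00-1A-2B-3C-4D-60', b'abcd')),  # padded, with SecureOn
    ('2021-08-19T02:15:00', '10.0.3.17', '10.0.0.53', 53,
     bytes.fromhex('abcd01000001000000000000')),  # ordinary DNS-like payload, not WoL
]


def find_wol_senders(records, allowed=MANAGEMENT_HOSTS):
    '''Group magic packets by sender and flag senders outside the allow-list.
    The pattern to hunt for is a workstation, rather than the deployment server,
    waking many peers in a short window, which is what 10.0.3.17 does above.'''
    by_sender = {}
    for _ts, src, _dst, _port, payload in records:
        target = parse_magic_packet(payload)
        if target is not None:
            by_sender.setdefault(src, []).append(target)
    return {src: {'targets': targets, 'suspicious': src not in allowed}
            for src, targets in by_sender.items()}


if __name__ == '__main__':
    for src, info in find_wol_senders(SAMPLE_UDP).items():
        flag = 'SUSPICIOUS' if info['suspicious'] else 'expected'
        print('%s woke %d host(s): %s [%s]' % (src, len(info['targets']),
                                               ', '.join(info['targets']), flag))
```

The check keys on the payload rather than on UDP port 7 or 9, because the port is only a convention: the NIC matches the sync stream and the repeated MAC in the frame regardless of port, so an attacker can send the packet anywhere. What matters for hunting is who is doing the waking; a single workstation waking several peers within seconds, as in the constructed records, is the signal to chase, especially shortly before a wave of encryption.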
Like Ryuk, LockBit 2.0 can\r\nnow send a \"magic packet\" - a wake-on-LAN command - that wakes offline devices so they can be\r\nencrypted too. Like Egregor, it can also enumerate printers and do a print-bombing run via the WritePrinter API,\r\nwhich lets the ransomware print ransom notes on printers across a victim's organization.\r\nHive Ransomware Swarms Victims\r\nWhile LockBit operates at the more sophisticated end of the ransomware spectrum, new Hive ransomware is\r\nrelatively unsophisticated, and yet it's still amassing victims, experts warn.\r\nThe emergence of Hive was first reported on June 26 by the self-described South Korea-based \"ransomware\r\nhunter\" behind the @fbgwls245 Twitter account, who spotted the malicious executable after it was uploaded to the\r\nVirusTotal malware-scanning service the prior day.\r\n.hive #Ransomware\r\nC3ACEB1E2EB3A6A3EC54E32EE620721E pic.twitter.com/HAJGyklnKu— dnwls0719\r\n(@fbgwls245) June 26, 2021\r\nSecurity firm McAfee says that based on its telemetry, the regions so far most hit by Hive affiliates are Belgium\r\nand Italy, followed by India, Spain and the United States.\r\nLocation of Hive victims in recent days (Source: McAfee)\r\nOne apparent victim of Hive is the Memorial Health System in Ohio, Bleeping Computer reported earlier this\r\nweek, based on \"evidence\" it's seen.\r\nSo far, however, Memorial Health System doesn't appear to have been added to the operation's dedicated data leak\r\nsite, \"Hive Leaks.\"\r\nAs of Friday, the leak site listed 28 victims, including a Florida-based industrial equipment manufacturer; a\r\nFlorida-based, privately owned vendor of health information technology - including integrated electronic health\r\nrecord systems; a Chinese motor manufacturer; a Pennsylvania school district; and an Ohio-based turkey farm,\r\namong many others. 
The quantity of victims marked a sharp rise from July 22, when the research and intelligence\r\nteam at BlackBerry counted seven victims being listed.\r\nHive ransom note (Source: BlackBerry)\r\nBased on samples of Hive seen in the wild, the ransomware code appears to be \"still under development,\"\r\nBlackBerry says.\r\nAll versions of the Hive executable seen so far have been written in the Go language. They've been seen targeting\r\nboth 32-bit and 64-bit versions of Windows. \"After compiling the samples, a packer - UPX - is used to obscure the\r\ncode and make generic detection based on strings more difficult,\" McAfee says. \"File sizes for Go language\r\nbinaries can be very large; using UPX will make the file-size smaller.\"\r\nHive's \"customer service\" portal (Source: BlackBerry)\r\nWhoever developed Hive doesn't appear to be bringing advanced coding skills to bear.\r\n\"Hive uses an idiotic and amateurish cryptographic scheme in which 100 RSA keys of varying bit size are used to\r\nencrypt files,\" Brett Callow, a threat analyst at security firm Emsisoft, tells Information Security Media Group.\r\nThe result for any organization that pays to obtain a decryptor will be extremely slow recovery efforts,\r\ncompounded by all of the other \"usual bugs and annoyances that are pretty much standard in threat actors' tools,\"\r\nhe says. 
\"Combined, these factors make for a very slow recovery process in cases where the demand needs to be\r\npaid.\"\r\nSource: https://www.bankinfosecurity.com/ransomware-lockbit-20-borrows-ryuk-egregors-tricks-a-17335",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bankinfosecurity.com/ransomware-lockbit-20-borrows-ryuk-egregors-tricks-a-17335"
	],
	"report_names": [
		"ransomware-lockbit-20-borrows-ryuk-egregors-tricks-a-17335"
	],
	"threat_actors": [],
	"ts_created_at": 1775490842,
	"ts_updated_at": 1775791259,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7e981421907295b91b9f0c6b276e0f3a1d6e03b.pdf",
		"text": "https://archive.orkl.eu/f7e981421907295b91b9f0c6b276e0f3a1d6e03b.txt",
		"img": "https://archive.orkl.eu/f7e981421907295b91b9f0c6b276e0f3a1d6e03b.jpg"
	}
}