LockBit Ransomware: A Comprehensive Guide to the Most Prolific Cyber Threat

LockBit ransomware has emerged as one of the most dangerous and prolific cyber threats in recent years. Using a Ransomware-as-a-Service (RaaS) model, LockBit has targeted thousands of organizations worldwide, causing billions of dollars in damages and extorting, according to the Department of Justice, over $120 million in ransom payments.

First appearing in September 2019, LockBit quickly evolved into a sophisticated and highly adaptable malware strain. Its success can be attributed to several factors:

  1. A user-friendly interface that allows even less technically skilled affiliates to deploy attacks
  2. Innovative payment structures that incentivize affiliates to join the operation
  3. Constant development and improvement of the ransomware code
  4. Aggressive marketing tactics in cybercriminal forums

In June 2024, the FBI announced that it had obtained over 7,000 LockBit ransomware decryption keys. Victims are urged to contact the FBI’s Internet Crime Complaint Center (IC3) for assistance in recovering encrypted data. In December 2024, authorities arrested a LockBit developer in Israel: Rostislav Panev, 51, has been involved with the ransomware operation since its beginning in 2019 and is facing extradition to the US.

LockBit variants

The LockBit operation has released several variants over time, each with improved capabilities:

  1. ABCD ransomware (September 2019) – The predecessor to LockBit
  2. LockBit 2.0 / LockBit Red (June 2021) – Introduced StealBit, a built-in information-stealing tool
  3. LockBit Linux-ESXi Locker (October 2021) – Expanded capabilities to target Linux and VMware ESXi systems
  4. LockBit 3.0 / LockBit Black (March 2022) – Shared similarities with BlackMatter and Alphv ransomware
  5. LockBit Green (January 2023) – Incorporated source code from Conti ransomware
  6. LockBit macOS (April 2023) – Encryptors targeting macOS systems

LockBit main attacks

Since its inception, LockBit has been responsible for numerous high-profile attacks across various sectors. Some notable incidents include:

  1. Lurie Children’s Hospital in Chicago (February 2024) – The attack forced the hospital to take its IT systems offline, disrupting normal operations and delaying patient care.
  2. Saint Anthony Hospital in Chicago (December 2023) – LockBit demanded a ransom of nearly $900,000 and posted the hospital’s information on its leak site.

Global impact

The FBI reports that LockBit has attacked approximately 1,700 organizations in the United States since 2020, with victims paying around $91 million in ransom. Globally, LockBit has claimed over 2,000 victims and received more than $120 million in ransom payments.

LockBit ransomware methods of infection and execution

LockBit attacks typically unfold in three stages: gaining initial access, post-exploitation activity inside the network, and extortion.

Initial access

LockBit affiliates employ a variety of sophisticated tactics to gain initial access to victim networks. One of the most common methods is phishing emails containing malicious attachments or links that, when opened or clicked, deploy the ransomware onto the target system. Another frequently used approach is the exploitation of unpatched software vulnerabilities, taking advantage of organizations that have not kept their systems up to date with the latest security patches. Brute force attacks on Remote Desktop Protocol (RDP) connections are also prevalent, where attackers use automated tools to guess weak or commonly used passwords. Additionally, some affiliates purchase stolen access credentials from other cybercriminals on dark web forums, which provides them with a direct entry point into already compromised networks.
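Of the initial-access methods above, RDP password guessing is the one a defender can spot most directly in Windows Security logs: a burst of Event ID 4625 (failed logon) records with LogonType 10 (RemoteInteractive) from a single source address, and, worse, a 4624 success from the same source shortly afterwards. The detector below is an added example written for this guide, not code from the original article; the event records it consumes are constructed for the demo and only mirror the shape of the real Windows fields.

```python
"""
Added example (not from the original article): flag RDP password guessing
from simplified Windows Security log records.

Each record is (timestamp, EventID, LogonType, TargetUserName, IpAddress).
4625 = failed logon, 4624 = successful logon, LogonType "10" = RDP.
The records below are CONSTRUCTED sample data for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # failed RDP logons per source before alerting
WINDOW = timedelta(minutes=2)    # sliding window the failures must fall inside
RDP_LOGON_TYPE = "10"            # RemoteInteractive logon type

SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "4625", "10", "administrator", "203.0.113.7"),
    ("2024-05-01T09:00:04", "4625", "10", "admin",         "203.0.113.7"),
    ("2024-05-01T09:00:07", "4625", "10", "backup",        "203.0.113.7"),
    ("2024-05-01T09:00:09", "4625", "10", "administrator", "203.0.113.7"),
    ("2024-05-01T09:00:12", "4625", "10", "sqlsvc",        "203.0.113.7"),
    ("2024-05-01T09:00:15", "4625", "10", "administrator", "203.0.113.7"),
    ("2024-05-01T09:00:20", "4625", "10", "jdoe",          "198.51.100.9"),  # one typo, not an attack
    ("2024-05-01T09:00:25", "4624", "10", "jdoe",          "198.51.100.9"),  # legitimate retry succeeds
    ("2024-05-01T09:00:30", "4624", "10", "administrator", "203.0.113.7"),  # guessing source gets in
    ("2024-05-01T09:03:00", "4625", "3",  "svc",           "192.0.2.44"),    # network logon, not RDP
]


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: alert} for every source exceeding `threshold` RDP failures
    inside `window`; the alert records whether the source later logged in."""
    per_ip = defaultdict(deque)   # ip -> timestamps of recent RDP failures
    alerts = {}
    for ts_str, event_id, logon_type, user, ip in events:
        if logon_type != RDP_LOGON_TYPE:
            continue
        ts = datetime.fromisoformat(ts_str)
        if event_id == "4624":
            # A success from a source that already tripped the threshold is the
            # strongest signal: the guessed credential probably worked.
            if ip in alerts:
                alerts[ip]["succeeded_as"] = user
            continue
        if event_id != "4625":
            continue
        q = per_ip[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {
                "first_seen": q[0].isoformat(),
                "failures": len(q),
                "succeeded_as": None,
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, alert)
```

The same sliding-window logic applies to a SIEM query over real 4625 events; the threshold and window are starting points to tune against your own baseline, and a source that later appears in a 4624 should be treated as a probable compromise rather than a noisy scanner.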

Post-exploitation activities

Once LockBit affiliates have successfully infiltrated a network, they follow a systematic approach to maximize the impact of their attack. The first step typically involves privilege escalation, where the attackers seek to gain higher-level access rights within the system, often targeting administrator accounts. This is followed by network reconnaissance, during which they map out the network architecture and identify valuable targets, such as critical servers or databases containing sensitive information. The attackers then engage in lateral movement, spreading across the network to infect multiple systems and expand their control. Before initiating the encryption process, LockBit operators often exfiltrate sensitive data, which serves as leverage for their extortion demands. The next phase involves encrypting files and systems using robust encryption algorithms, effectively locking the victim out of their data. Finally, the attackers deliver a ransom note containing payment instructions and threats, initiating extortion.

Double extortion tactics

LockBit has refined its approach by employing a double extortion strategy, significantly increasing the pressure on victims to pay the ransom. The primary extortion involves demanding a ransom to decrypt the locked files, which is the traditional ransomware model. However, LockBit takes this a step further with secondary extortion: the attackers threaten to publish the stolen data on their leak site if the ransom is not paid. This additional layer of extortion exploits the victim’s fear of data exposure, reputational damage, and potential legal consequences. By leveraging both the inaccessibility of crucial data and the threat of its public release, LockBit significantly increases the likelihood of ransom payment, making its operations more lucrative and more devastating for victims.

LockBit Ransomware Indicators of Compromise (IOCs)

Indicators of Compromise (IOCs) are artifacts observed on a network or in an operating system that indicate a computer intrusion with high confidence. IOCs can be used to detect future attack attempts early using intrusion detection systems and antivirus software.

To identify a LockBit infection, organizations should look for the following indicators:

File Extensions

  • .abcd (early versions)
  • .LockBit (later versions)

Ransom Note

  • “Restore-My-Files.txt” – Typically left in each encrypted folder

File Hashes

Some example file hashes associated with LockBit ransomware. Note that the values listed here are 32 hexadecimal characters long, which is the length of an MD5 digest rather than a SHA-256 digest (64 characters), so compute MD5 when comparing them against files:

  • 74d9a91c4e6d2c15f3b6f8e7679e624f
  • a3f2e7cb7315c1e48801cb8c6a86d2d2
  • b8eac9e84b458976f3944bb56b18031d

Behavioral Indicators

  • Sudden inability to access files or systems.
  • Unusual network activity or data transfers.
  • Appearance of ransom notes on infected systems.
  • Unexpected system shutdowns or restarts.
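The file-based indicators above (the .abcd and .LockBit extensions, the Restore-My-Files.txt ransom note, and the published hashes) can be swept for on a suspect host or share with a short script. The scanner below is an added example for this guide, not code from the original article or from any vendor tool. It builds a constructed directory tree to run against, and it picks the digest algorithm from the length of each IOC hash so that MD5-length values such as the ones listed above are not mistakenly compared against SHA-256 digests.

```python
"""
Added example (not from the original article): sweep a directory tree for
the LockBit file-level indicators described in the guide.

Findings are grouped into three categories:
  extension   - files ending in .abcd or .lockbit
  ransom_note - copies of Restore-My-Files.txt
  hash        - files whose digest matches a supplied IOC list
The fixture created by make_fixture() is CONSTRUCTED for the demo; the
"dropper" it writes is a harmless text string, not real malware.
"""
import hashlib
import tempfile
from pathlib import Path

SUSPICIOUS_EXTENSIONS = {".abcd", ".lockbit"}   # compared case-insensitively
RANSOM_NOTE = "restore-my-files.txt"
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}   # hex length -> algorithm


def hash_file(path, algo):
    """Stream a file through hashlib so large files do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, ioc_hashes):
    """Walk `root` and return {category: sorted findings}; paths are relative."""
    root = Path(root)
    by_algo = {}
    for h in ioc_hashes:
        algo = ALGO_BY_LEN.get(len(h))
        if algo is None:
            raise ValueError(f"unrecognised hash length for IOC {h!r}")
        by_algo.setdefault(algo, set()).add(h.lower())

    findings = {"extension": [], "ransom_note": [], "hash": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in SUSPICIOUS_EXTENSIONS:
            findings["extension"].append(rel)
        if path.name.lower() == RANSOM_NOTE:
            findings["ransom_note"].append(rel)
        for algo, wanted in by_algo.items():
            if hash_file(path, algo) in wanted:
                findings["hash"].append((rel, algo))
    for category in findings:
        findings[category].sort()
    return findings


def make_fixture():
    """Create a constructed tree resembling an encrypted share.
    Returns (root, md5_of_fake_dropper)."""
    root = Path(tempfile.mkdtemp(prefix="lockbit-demo-"))
    (root / "finance").mkdir()
    (root / "finance" / "q1-report.xlsx.lockbit").write_bytes(b"\x00" * 64)
    (root / "finance" / "Restore-My-Files.txt").write_text("constructed note text\n")
    (root / "old-share").mkdir()
    (root / "old-share" / "notes.docx.abcd").write_bytes(b"\x01" * 64)
    (root / "old-share" / "readme.txt").write_text("benign file\n")
    dropper = root / "tmp-dropper.bin"
    dropper.write_bytes(b"constructed sample payload, not real malware")
    return root, hash_file(dropper, "md5")


def demo():
    root, dropper_md5 = make_fixture()
    # In practice the IOC list comes from a threat-intel feed; here it is the
    # fixture's own digest so the hash match fires offline.
    return scan_tree(root, [dropper_md5])


if __name__ == "__main__":
    for category, hits in demo().items():
        print(category, hits)
```

Run it against a mounted copy of the affected share rather than the live disk where possible, so the sweep itself does not alter timestamps on evidence that forensic staff may later need.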

How to handle a LockBit ransomware attack

The initial step in addressing a LockBit ransomware attack is to isolate the infected device by disconnecting it from the internet and detaching any connected peripherals. Following this, it is crucial to notify local authorities. This includes the FBI and the Internet Crime Complaint Center (IC3) for individuals and businesses in the United States.

To report a malware incident, compile all pertinent information, including:

  • Screenshots of the ransom note
  • Any communications with the attackers (if available)
  • A sample of an encrypted file

If you prefer professional assistance, leave all infected devices untouched and seek an emergency ransomware removal service. Experts in this field can efficiently mitigate damage, gather evidence, reverse the encryption, and restore your system.

Rebooting or shutting down the infected device may jeopardize recovery efforts. Capturing the RAM of a live system can help obtain the encryption key, while identifying a dropper file—responsible for executing the malicious payload—may allow for reverse engineering, leading to data decryption or insights into the malware’s operation.

Do not delete the ransomware; retain all evidence of the attack. This is vital for digital forensics specialists to trace and identify the hacker group. The data on your compromised system is essential for authorities to investigate the incident. Like other criminal inquiries, cyber attack investigations require evidence to identify perpetrators.

1. Contact your Incident Response provider

Cyber Incident Response encompasses the strategies for managing and responding to cybersecurity incidents. An Incident Response Retainer is a service agreement with a cybersecurity firm that enables organizations to receive external assistance during such incidents. This arrangement provides structured expertise and support from a security partner, facilitating a swift and effective response during a cyber crisis.

Having an incident response retainer reassures organizations, ensuring expert support before and after a cybersecurity incident. The specifics of an incident response retainer can vary based on the provider and the organization’s needs. An effective retainer should be robust and adaptable, delivering proven services to bolster an organization’s long-term security posture.

Upon contacting your Incident Response service provider, they can immediately take charge and guide you through the ransomware recovery process. However, if you manage the malware removal and file recovery internally with your IT team, you can proceed with the following steps.

2. Use a backup to restore the data

The significance of backups in data recovery cannot be overstated, particularly concerning various risks and threats to data integrity.

Backups are a vital element of a comprehensive data protection strategy. They enable recovery from numerous threats, ensure operational continuity, and safeguard valuable information. In a ransomware attack, where malicious software encrypts your data and demands payment for its release, a backup allows you to restore your information without yielding to the attackers’ demands.

Regularly test and update your backup procedures to enhance their effectiveness against potential data loss scenarios. Choose the right backup medium and ensure at least one copy of your data is stored offsite and offline.

3. Contact a malware recovery service

Contact a data recovery service if you lack a backup or require assistance in malware removal and vulnerability elimination. Paying the ransom does not guarantee data recovery. The only assured method to restore all files is through a backup. If a backup is unavailable, ransomware data recovery services can assist in decrypting and recovering your files.

Prevent the LockBit ransomware attack

Preventing ransomware is the best solution for data security. It is easier and cheaper than recovering from it. LockBit ransomware can cost your business its future and even force it to close its doors.

Here are several tips to help you avoid malware attacks:

  • Keep your operating system and software updated with the latest security patches and updates to prevent vulnerabilities that attackers can exploit.
  • To reduce the risk of unauthorized access, use strong, unique passwords for all accounts and enable two-factor authentication whenever feasible.
  • Exercise caution with suspicious emails, links, and attachments. Avoid opening emails or clicking on links from unknown or dubious sources.
  • Utilize reputable antivirus and anti-malware software, regularly updating it to detect and eliminate malware before it can inflict damage.
  • Implement a firewall to block unauthorized access to your network and systems.
  • Employ network segmentation to divide a more extensive network into smaller sub-networks with limited interconnectivity, restricting lateral movement by attackers and preventing unauthorized access to sensitive data.
  • Limit user privileges to minimize the risk of attackers accessing sensitive data and systems.
  • Train employees to recognize and avoid phishing emails and other social engineering tactics.
Heloise Montini

Heloise Montini is a content writer whose background in journalism makes her an asset when researching and writing tech content. Also, her personal aspirations in creative writing and PC gaming make her articles on data storage and data recovery accessible to a wide audience.
