LockBit is a Ransomware-as-a-Service (RaaS) operation active since 2019. Core developers maintain the malware while affiliates carry out intrusions and share profits.
1. Threat Model Overview
Operating Model
LockBit operates a mature Ransomware-as-a-Service (RaaS) framework with:
- Core developers (malware, infrastructure, branding)
- Affiliate operators (initial access + execution)
- Revenue split (typically 70–80% affiliate)
- Continuous version churn, which serves:
  - Evasion of signature-based detection
  - Psychological pressure on victims
  - Law-enforcement confusion
“LockBit 5” should be treated as an evolutionary campaign label, not a cryptographically distinct family.
2. Initial Access (TA0001)
Primary Vectors
| Vector | Technical Details |
|---|---|
| Phishing | HTML smuggling, ISO/IMG delivery, OneNote abuse |
| VPN Exploits | FortiGate, Pulse Secure, Citrix ADC |
| RDP | Credential stuffing + brute force |
| Stolen Creds | InfoStealer logs (RedLine, Vidar) |
| Web Apps | Unpatched edge services |
Indicators
- User execution from user-writable paths:
  - %AppData%
  - %Temp%
  - Downloads\
- LNK → PowerShell → DLL sideload chains
3. Execution & Payload Deployment (TA0002)
Loader Characteristics
- PE packed with:
  - UPX-like custom packers
  - Manual API resolution
- Drops payload under benign names:
  - svchost.exe
  - winlogon.exe
  - taskhost.exe
- The name alone is not the indicator: the genuine binaries live in C:\Windows\System32, so the same name under %AppData%, %Temp% or a user profile is what to alert on.
Execution Methods
powershell.exe -nop -w hidden -EncodedCommand <base64>
rundll32.exe payload.dll,Start
Note that -EncodedCommand takes base64 of UTF-16LE text; decode it as UTF-16LE before inspecting, since a plain UTF-8 decode yields interleaved null bytes.
Evasion
- Delayed execution (Sleep loops)
- Sandbox detection:
  - Low RAM / CPU-count checks
  - VM registry artifacts
- API hashing to avoid static detection
4. Privilege Escalation (TA0004)
Techniques
- Token impersonation
- Exploitation of:
  - Print Spooler (historical)
  - Unpatched local privilege escalation CVEs
- Abuse of legitimate admin tools
Artifact
- Sudden privilege jump followed by SeDebugPrivilege being enabled on the process token (the privilege needed to open LSASS for the dump described under Credential Access)
5. Persistence (TA0003)
Registry
HKCU\Software\LockBit
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Scheduled Tasks
schtasks /create /sc onlogon /tn <random> /tr <payload>
Services
- Unsigned service masquerading as Windows component
6. Discovery & Lateral Movement (TA0007 / TA0008)
Network Recon
net view
arp -a
nltest /dclist:<domain>
Credential Access
- LSASS memory scraping
- Dump via:
procdump.exe -ma lsass.exe
Lateral Tools
- PsExec
- SMB
- WMI
- RDP pivoting
Key Signal
- Same binary hash executed across multiple hosts in minutes
7. Defense Evasion (TA0005)
Security Kill Chain
taskkill /IM MsMpEng.exe /F
sc stop WinDefend
With tamper protection on, both commands normally fail (MsMpEng.exe runs as a protected process and the service refuses the stop), so the attempt itself, not its success, is the detection signal.
Backup Destruction
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
Boot Modification
bcdedit /set {default} recoveryenabled no
bcdedit /set {default} bootstatuspolicy ignoreallfailures
Logging Suppression
- Clearing Windows Event Logs
- Tampering with EDR agents
8. Data Exfiltration (TA0010)
Tools
- Rclone
- Custom HTTP(S) POST clients
- TOR-wrapped exfiltration
Targets
- File servers
- SQL databases
- Email PST/OST
- VM disk images
Network Pattern
- Sustained outbound traffic
- Small encrypted POST payloads (<1KB control, larger chunk uploads)
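The network pattern above as an added example, not code from the original page: a sliding-window detector over NetFlow-style records that flags a host/destination pair whose outbound volume is large and heavily asymmetric, and separates the control-sized flows from the chunk uploads. Hosts, IPs, byte counts and thresholds are constructed assumptions to be tuned per environment.

```python
"""
Exfiltration detection over outbound flow records (added example, constructed data).

Takes NetFlow-style dicts and reports, per (src_host, dst_ip) pair, the busiest
sliding window whose outbound bytes exceed a floor and whose out:in ratio is
lopsided. Flows to RFC 1918 space are skipped (internal copies are lateral
movement, handled elsewhere). Thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
CONTROL_MAX_BYTES = 1024  # page: <1 KB control messages, larger chunk uploads


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_exfil(flows, window=timedelta(hours=1), min_out_bytes=500 * 1024 * 1024, min_ratio=10.0):
    """One alert per (src_host, dst_ip) whose best window exceeds both thresholds."""
    by_pair = defaultdict(list)
    for f in flows:
        if not is_internal(f["dst_ip"]):
            by_pair[(f["src_host"], f["dst_ip"])].append(f)
    alerts = []
    for (src, dst), fl in by_pair.items():
        fl.sort(key=lambda f: f["ts"])           # ISO timestamps sort lexically
        times = [datetime.fromisoformat(f["ts"]) for f in fl]
        j = out_sum = in_sum = 0
        best = None
        for i, f in enumerate(fl):
            out_sum += f["bytes_out"]
            in_sum += f["bytes_in"]
            while times[i] - times[j] > window:  # slide the window start forward
                out_sum -= fl[j]["bytes_out"]
                in_sum -= fl[j]["bytes_in"]
                j += 1
            ratio = out_sum / max(in_sum, 1)
            if out_sum >= min_out_bytes and ratio >= min_ratio and (best is None or out_sum > best["bytes_out"]):
                control = sum(1 for g in fl[j:i + 1] if g["bytes_out"] < CONTROL_MAX_BYTES)
                best = {"src": src, "dst": dst, "start": fl[j]["ts"], "end": f["ts"],
                        "bytes_out": out_sum, "ratio": round(ratio, 1),
                        "control_flows": control, "chunk_flows": i - j + 1 - control}
        if best:
            alerts.append(best)
    return alerts


# ---- constructed sample flows ----
def flow(ts, src, dst, port, out, inb):
    return {"ts": ts, "src_host": src, "dst_ip": dst, "dst_port": port, "bytes_out": out, "bytes_in": inb}


def build_sample_flows():
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    flows = []
    for k in range(20):  # WS01: a control POST then a 50 MiB chunk every two minutes
        t = t0 + timedelta(minutes=2 * k)
        flows.append(flow(t.isoformat(), "WS01", "203.0.113.10", 443, 600, 300))
        flows.append(flow((t + timedelta(seconds=30)).isoformat(), "WS01", "203.0.113.10", 443, 50 * 1024 * 1024, 300))
    for k in range(5):   # WS02: ordinary downloads, traffic is inbound-heavy
        flows.append(flow((t0 + timedelta(minutes=k)).isoformat(), "WS02", "198.51.100.5", 443, 2048, 100 * 1024 * 1024))
    flows.append(flow(t0.isoformat(), "WS03", "10.20.0.5", 445, 2 * 1024 ** 3, 4096))  # internal copy, skipped
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_FLOWS):
        print(alert)
```

The ratio test is what keeps ordinary heavy users (software updates, video) out of the alert: their volume is inbound. The control/chunk split is reported, not required, because affiliates vary how they batch uploads.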
9. Encryption Phase (TA0040 – Impact)
Encryption Design
- Hybrid crypto:
  - Symmetric key per file (AES-256 in the builds this page describes; the exact primitives vary between builds)
  - Asymmetric key per victim (RSA-2048/4096) wrapping the per-file keys, so nothing recoverable from disk decrypts without the operator's private key
- Partial encryption for large files (fast mode)
- Multithreaded I/O (LockBit hallmark)
File Impact
filename.ext.lockbit
filename.ext.lockbit-black
Later builds use a per-build random extension instead, so extension matching alone misses them.
Ransom Notes
Restore-My-Files.txt
README_LOCKBIT.txt
Execution Logic
- Kill processes (DBs, mail servers)
- Encrypt local drives
- Enumerate network shares
- Encrypt accessible shares
- Drop ransom note
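Why fast mode defeats whole-file entropy checks and why the extension is irrelevant, as an added example that is not from the original page and does not reproduce LockBit's cipher: the partial-encryption layout (first 4 KiB of each 64 KiB chunk) and the SHAKE256 keystream that simulates it are stand-in assumptions; the detection logic is the windowed entropy scan.

```python
"""
Windowed-entropy check for partially ("fast mode") encrypted files (added example).

fast_mode_encrypt is a model, not LockBit's code: it XORs a SHAKE256 keystream
over the first ENCRYPTED_PREFIX bytes of every CHUNK (assumed layout). Whole-file
entropy barely moves after that, while a 4 KiB windowed scan still finds every
encrypted region, whatever extension the file was renamed to.
"""
from collections import Counter
import hashlib
import math

CHUNK = 64 * 1024
ENCRYPTED_PREFIX = 4 * 1024   # assumed fast-mode layout, see docstring
WINDOW = 4 * 1024
HIGH_ENTROPY = 7.5            # bits/byte; random data scores ~7.95 over 4 KiB


def shannon_entropy(data):
    """Bits per byte over the given bytes (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def keystream(key, chunk_index, length):
    """Per-chunk keystream; a stand-in for a real stream cipher, NOT LockBit's."""
    return hashlib.shake_256(key + chunk_index.to_bytes(8, "big")).digest(length)


def fast_mode_encrypt(plaintext, key):
    """XOR the first ENCRYPTED_PREFIX bytes of each CHUNK; leave the rest intact."""
    out = bytearray(plaintext)
    for idx, off in enumerate(range(0, len(out), CHUNK)):
        end = min(off + ENCRYPTED_PREFIX, len(out))
        ks = keystream(key, idx, end - off)
        for i in range(off, end):
            out[i] ^= ks[i - off]
    return bytes(out)


def windowed_entropy(data, window=WINDOW):
    """(offset, entropy) for each non-overlapping window; the tail window is included."""
    return [(off, shannon_entropy(data[off:off + window])) for off in range(0, len(data), window)]


def classify(data, threshold=HIGH_ENTROPY):
    """Whole-file entropy next to the windowed maximum; flag if any window is hot."""
    windows = windowed_entropy(data)
    hot = [off for off, e in windows if e >= threshold]
    return {"whole_file": round(shannon_entropy(data), 2),
            "max_window": round(max(e for _, e in windows), 2),
            "hot_windows": hot, "flag": bool(hot)}


def build_sample_plaintext(size=1024 * 1024):
    """Constructed low-entropy 'document': repetitive log-style text."""
    lines = [f"2024-05-01 10:{i % 60:02d}:00 INFO payroll record id={i:06d} "
             f"amount={i * 7 % 1000}.{i % 100:02d}\n".encode()
             for i in range(size // 60 + 1)]
    return b"".join(lines)[:size]


if __name__ == "__main__":
    pt = build_sample_plaintext()
    ct = fast_mode_encrypt(pt, b"\x11" * 32)  # per-file key would be random in practice
    print("plaintext:", classify(pt))
    print("fast-mode:", classify(ct))
```

On the sample the whole-file figure rises by well under a bit, nowhere near a random-data threshold, while sixteen 4 KiB windows score above 7.9. A scanner that samples only the file header, or only whole-file entropy, is therefore the wrong tool for this phase; the rename burst and shadow-copy deletion in section 13 remain the cheaper signal.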
10. Command & Control (TA0011)
Infrastructure
- TOR hidden services
- Rotating .onion domains (illustrative prefixes; live v3 addresses are 56 characters):
  - lockbitxyz.onion
  - lockbitapt.onion
Traffic Characteristics
- Encrypted HTTP POST
- Legitimate User-Agent strings
- No DNS resolution on clear-net
11. Leak Site & Extortion
Extortion Model
- Double extortion (data + encryption)
- Triple extortion:
- Public leak
- DDoS threats
- Regulatory pressure
Timeline
| Day | Action |
|---|---|
| 0 | Initial encryption |
| 1–3 | Negotiation |
| 7 | Leak warning |
| 14 | Partial data dump |
| 30 | Full publication |
12. IOCs
Hashes
5b40f04166f0c952db2163c9d41fda47e74a51f6d78acc75efcbdcec0c61b401
19f7d53c4a9ba784fd4c64a06fc6a88caf5a4d9913341a625582d51b1c095ba0
Commands
vssadmin delete shadows /all /quiet
bcdedit /set {default} recoveryenabled no
13. Detection Strategy (What Actually Works)
Ineffective
- Static hashes
- File extension alerts
- Single IOC blocking
Effective
- Behavioral correlation
- Kill-chain based detection
- Time-bounded anomaly detection
High-Signal Alerts
- Shadow copy deletion + mass file rename
- TOR traffic from endpoints
- Unsigned binary spawning
vssadmin - Scheduled task creation post-credential access
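The correlation rules above, together with the command lines and indicators from sections 3, 6 and 7, as an added example that is not part of the original write-up: three of the high-signal alerts implemented over constructed Sysmon-style process-creation records. Field names, hosts, hashes, events and thresholds are all assumptions for the example; the hashes are placeholders, not IOCs.

```python
"""
Kill-chain correlation over Windows process-creation events (added example).

Models Sysmon Event ID 1 / Security 4688 fields as dicts and implements three
of the page's high-signal rules: shadow-copy deletion followed by a rename
burst, one hash spreading across hosts within minutes, and a scheduled task
created soon after an LSASS dump. All sample data are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

BACKUP_DESTRUCTION = (
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
)
LSASS_DUMP = re.compile(r"\bprocdump(64)?(\.exe)?\s+-ma\s+lsass", re.I)
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)
# Assumption: production would use a known-good hash allowlist; this path
# heuristic only keeps signed OS binaries out of the hash-spread rule.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_ts(s):
    return datetime.fromisoformat(s)


def rule_shadow_then_rename(events, renames, window=timedelta(minutes=10), threshold=200):
    """Backup destruction followed by >= threshold file renames on the same host."""
    alerts = []
    for e in events:
        if not any(p.search(e["cmdline"]) for p in BACKUP_DESTRUCTION):
            continue
        t0 = parse_ts(e["ts"])
        n = sum(1 for r in renames
                if r["host"] == e["host"] and t0 <= parse_ts(r["ts"]) <= t0 + window)
        if n >= threshold:
            alerts.append((e["host"], "backup_destruction+mass_rename", n))
    return alerts


def rule_hash_spread(events, window=timedelta(minutes=5), min_hosts=3):
    """One hash (outside trusted OS dirs) running on >= min_hosts hosts within window."""
    by_hash = defaultdict(list)
    for e in events:
        if not e["image"].lower().startswith(TRUSTED_DIRS):
            by_hash[e["sha256"]].append((parse_ts(e["ts"]), e["host"]))
    alerts = []
    for h, seen in by_hash.items():
        seen.sort()
        for i, (t, _) in enumerate(seen):
            hosts = {host for tt, host in seen[i:] if tt <= t + window}
            if len(hosts) >= min_hosts:
                alerts.append((h, "same_hash_multi_host", len(hosts)))
                break
    return alerts


def rule_task_after_lsass(events, window=timedelta(hours=1)):
    """schtasks /create within window after an LSASS dump on the same host."""
    dumps = defaultdict(list)
    for e in events:
        if LSASS_DUMP.search(e["cmdline"]):
            dumps[e["host"]].append(parse_ts(e["ts"]))
    alerts = []
    for e in events:
        t = parse_ts(e["ts"])
        if SCHTASKS_CREATE.search(e["cmdline"]) and any(
                timedelta(0) <= t - t0 <= window for t0 in dumps[e["host"]]):
            alerts.append((e["host"], "schtask_after_lsass_dump", e["cmdline"]))
    return alerts


def run_all(events, renames):
    return (rule_shadow_then_rename(events, renames) + rule_hash_spread(events)
            + rule_task_after_lsass(events))


# ---- constructed sample telemetry (placeholder hashes) ----
def ev(ts, host, image, cmdline, sha256):
    return {"ts": ts, "host": host, "image": image, "cmdline": cmdline, "sha256": sha256}


def rename_burst(host, start, count):
    t0 = parse_ts(start)
    return [{"ts": (t0 + timedelta(seconds=i)).isoformat(), "host": host} for i in range(count)]


PAYLOAD_HASH = "f" * 64
SAMPLE_EVENTS = [
    ev("2024-05-01T09:00:00", "WS01", r"C:\Users\bob\AppData\Local\Temp\procdump.exe",
       "procdump.exe -ma lsass.exe lsass.dmp", "1" * 64),
    ev("2024-05-01T09:20:00", "WS01", r"C:\Windows\System32\schtasks.exe",
       r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\bob\AppData\Roaming\svchost.exe", "2" * 64),
    ev("2024-05-01T09:40:00", "WS01", r"C:\Windows\System32\vssadmin.exe",
       "vssadmin delete shadows /all /quiet", "3" * 64),
    # benign: nightly maintenance clears shadow copies on a backup server, a few renames follow
    ev("2024-05-01T02:00:00", "SRV01", r"C:\Windows\System32\vssadmin.exe",
       "vssadmin delete shadows /all /quiet", "3" * 64),
] + [ev(ts, host, r"C:\Windows\Temp\svchost.exe", "svchost.exe", PAYLOAD_HASH)  # PsExec fan-out
     for ts, host in (("2024-05-01T09:41:00", "WS01"), ("2024-05-01T09:42:00", "WS02"),
                      ("2024-05-01T09:43:30", "WS03"), ("2024-05-01T09:44:00", "FS01"))]
SAMPLE_RENAMES = (rename_burst("WS01", "2024-05-01T09:41:00", 300)
                  + rename_burst("SRV01", "2024-05-01T02:01:00", 3))

if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS, SAMPLE_RENAMES):
        print(alert)
```

Each rule is time-bounded and host-scoped on purpose: the same commands appear in legitimate maintenance (the SRV01 events above stay silent), and it is the sequence within minutes, not any single line, that identifies an encryption run about to start.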
14. Incident Response Timeline (Best Practice)
| Phase | Time | Action |
|---|---|---|
| Detection | Minutes | Isolate endpoints |
| Containment | <1 hr | Block lateral SMB/RDP, revoke and reset exposed credentials |
| Eradication | 1–3 days | Reimage, reset identity |
| Recovery | Days–Weeks | Restore offline backups |
| Lessons | Post-IR | Close access gaps |
15. Strategic Conclusion
There is no meaningful defensive value in tracking “LockBit 5” as a version.
LockBit is a methodology, not a binary.
If your detection stack can stop:
- Credential theft
- Lateral movement
- Backup destruction
Then any LockBit iteration fails, regardless of branding.
