| Category | Details | References |
|---|---|---|
| Actors | | |
| First Observed | mid-to-late 2021 | 1 |
| Threat Actors | UNC2165 (Evil Corp) | 2 |
| Environment | | |
| Platforms | Windows and Linux (ESXi) | 3 |
| Artifacts | | |
| Extensions | .lockbit | 4 |
| Ransomware Notes | Desktop wallpaper; pop-up window (from .hta file); Restore-My-Files.txt | 5 |
| Services It Disables | Several MS SQL services; also changes registry entries for AV/EDR solutions | 6 |
| Other Observables | Deletes System, Application, and Security event logs and the ransomware executable; adds itself to the Run key in case the encryption process is interrupted; deletes backups and kills processes, services, etc. | 6, 7 |
| Automation | | |
| Automatically Gains Access | No | 6 |
| Automatically Escalates Privileges | Yes | 6 |
| Requires Human Interaction | No | |
| Automatic Exfiltration | No. Often uses StealBit, a separate executable | 2 |
| Automatic Propagation | Yes. Uses GPO and Scheduled Tasks when run on a domain controller. | 6, 8 |
Please note: this page was last updated at 2023-03-14 20:21.
1. https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
2. https://minerva-labs.com/blog/lockbit-2.0-ransomware-surges-in-2022/
3. https://www.pcrisk.com/removal-guides/21605-lockbit-2-0-ransomware
4. https://www.picussecurity.com/resource/lockbit-2.0-ransomware-ttps-used-in-emerging-ransomware-campaigns
5. https://chuongdong.com/reverse%20engineering/2022/03/19/LockbitRansomware/
6. https://www.packetlabs.net/posts/lockbit-automated-ransomware/
7. https://usa.kaspersky.com/blog/ransomware-group-policies/25107/