21 March 2024

LockBit ransomware is becoming a bigger problem in a world where hacking is always changing. LockBit is ransomware-as-a-service (RaaS), which means that its developers give hackers the tools and infrastructure they need to start attacks. It first showed up in September 2019. This affiliate plan has helped LockBit grow. In the first half of 2022 alone, it is thought to have made an amazing $100 million in ransom payments.

LockBit is famous for its cruel strategies and constant changes. LockBit 3.0, which is also called LockBit Black, was released in June 2022 and claims to be the most advanced version yet. It uses features like encrypted executables and self-destructive routines that make it harder for security pros to find and analyze. LockBit 3.0 is also said to give its agents up to 80% of the ransom, which makes attacks even more likely [source needed].

A lot of different types of organizations have been hit by recent LockBit attacks, from businesses and schools of all sizes to healthcare facilities and providers of key infrastructure. In the first half of 2023, the FBI's Internet Crime Complaint Center (IC3) received an amazing 2,084 reports of ransomware. LockBit was one of the most common types of malware [source: FBI IC3]. It's terrible that these hacks happen because they mess up operations, leak data, and cost a lot of money.

The fact that LockBit ransomware is getting smarter and more common shows how important it is for businesses to put strong protection defenses first. This blog post will go into detail about how LockBit works, looking at how it can be attacked and the newest versions. Then, we'll talk about what groups can do to strengthen their defenses and lower their chances of falling victim to this growing threat.

How LockBit Works?

As a Ransomware as a Service (RaaS) company, LockBit is known for encrypting files and asking a ransom to unlock them. This group operates in secret and targets large companies around the world using the RaaS model and complex attack plans. They get into systems through security holes, encrypt files, and demand a ransom in the form of a note, usually in cryptocurrency. They keep up their image of being sneaky and changing all the time across different cybersecurity incidents.

Breakdown of the LockBit ransomware attack (LockBit 3.0)

Gaining Access

The first step in a LockBit hack is to get into the target's computer system. LockBit 3.0 members use a variety of methods to get into networks, including taking advantage of flaws in the Remote Desktop Protocol (RDP), starting drive-by attacks, starting hacking campaigns, abusing real accounts, and taking advantage of flaws in applications that are available to the public. It's also possible that they want to increase their entry rights during the installation stage.

Executing Encryption

Once it gets into a network, LockBit 3.0 either uses pre-set passwords or local accounts that have been hacked to move around and encrypt it. It is sent out using Group Policy Objects and PsExec over the Server Message Block interface. This step encrypts data while protecting important system files, shows a blackmail note, labels the device with LockBit 3.0 images, and sends the encrypted data to a control server. Then, based on its build, LockBit 3.0 might delete itself and undo any Group Policy changes.

Data Exfiltration

Before encrypting data, LockBit 3.0 often gets it out. To do this, it usually uses StealBit, a tool from LockBit 2.0. Additionally, it uses Clone, an open-source cloud storage tool, and other file-sharing programs such as MEGA to get rid of company data files. This pre-encryption capture shows how dangerous LockBit 3.0's attacks are on a wide range of levels.

LockBit Types: A Brief Look

Changes and Effects of LockBit 2.0

LockBit 2.0 is an updated version of the malware-as-a-Service (RaaS) that came out in June 2021. It is built on LockBit and the ABCD malware that was found in September 2019. LockBit 2.0 gained popularity in the third quarter of 2021 by hiring people through groups on the dark web. It stood out with its lightning-fast encryption, and it kept running even after many other RaaS services shut down in 2021.

LockBit 3.0: Targets and Strategies for the Profession

This version, which is also called LockBit Black, came out in March 2022 when its creators said they were going to put the data of people who didn't follow the rules online in a way that made it easy to find. LockBit 3.0 mostly targets important data in the US, UK, and Germany. It does this by taking advantage of weak passwords and the fact that management accounts don't have Multi-Factor Authentication (MFA). The fact that this version comes with a bug bounty program, which pays hackers to find bugs, shows how advanced the technology is.

As part of the LockBit plan, application flaws are used to try brute-force Remote Desktop Protocol (RDP) password attacks, and phishing techniques are used. After these hacks, the attackers use PowerShell Empire to run the ransomware, delete logs, and encrypt data on local and networked devices.

LockBit Green: The Most Recent Version

LockBit Green, the newest variant, was first seen on January 27, 2023, when the vx-underground study team shared screenshots of it on social media. This version keeps up the trend of ransomware attacks that target Windows systems.

LockBit for Mac: A New Start

In April 2023, LockBit added encryption tools for macOS systems, which was a big step toward reaching more people. The MalwareHunterTeam brought this to our attention when they found a ZIP file on VirusTotal containing a brand-new set of LockBit encryption tools made for macOS.

The Royal Mail Attack is an important LockBit event.

The Guardian wrote in February 2023 about how Royal Mail refused to pay a $80 million ransom demand after the LockBit gang was blamed for a cyberattack in January 2023. The attack secured important files and made it very hard to send mail internationally. Even though the attacks put pressure on Royal Mail, they refused to give in to their growing demands.

SIEM solutions can find LockBit and help you deal with it.

To use ManageEngine Log360 to find LockBit, you need to take a comprehensive approach:

  • Behavioral Anomalies: Looking for strange patterns in how files are accessed, how the system works, or how network data flows could mean LockBit is active.
  • User Anomalies: Using UEBA to find unusual user actions like trying to get more access to data or increasing their privileges.
  • Keep an eye on endpoints for any strange processes or file changes that might be connected to LockBit.
  • Network data Analysis: Looking at network data to find proof that LockBit has spread across the network.
  • Alignment of the MITRE ATT&CK® Framework: focusing on methods related to LockBit for detection and response plans.
  • File Integrity Monitoring: Using checks to see if changes to files were made without permission, which could be a sign of a LockBit attack.

Important Safety Measures

  • Back up important info regularly, and keep the copies offline or in a safe, separate place.
  • Set up full antivirus, antimalware, and SIEM systems to stop ransomware before it starts spreading.
  • Use email screening tools to stop and delete emails that look fishy.
  • Set up endpoint protection to keep an eye on and control devices that are linked to a network and protect them from bad behavior.
  • Separate the network into segments to stop the spread of ransomware by cutting off important systems.
  • Use multifactor authentication (MFA) on sensitive data and platforms to protect them from being hacked.
  • Share threat data to get new information about LockBit and other types of ransomware.
  • Follow the rules for data safety and cybersecurity that apply.


The LockBit virus is a very dangerous piece of software that needs to be carefully studied and protected against. By looking closely at how it works and what effects it has, organizations can learn how to find and deal with this widespread threat. To protect against LockBit's disruptions, you need to create a multi-layered defense plan that focuses on preventative measures, early detection, and quick response. Along with advanced security technologies, education, and knowledge are the most important parts of good protection. As cyber threats change, so must our defenses. We need to be cautious and resilient in our fight against LockBit ransomware. Keeping our digital spaces safe from people who shouldn't be there is essential. Making sure that important data is always available and in good shape is crucial. You can seek expert assistance and advice while getting in touch with the experts of SafeAeon.

Why Do You Need Our Services

SafeAeon's 24×7 SOC operates ceaselessly to watch over, identify, and counter cyber attacks, ensuring your business remains resilient and unharmed

Watchguard It Infrastructure

24/7 Eyes On Screen

Rest easy with SafeAeon's continuous vigilance for your IT infrastructure. Our dedicated security analysts ensure prompt threat detection and containment.

Cybersecurity Price

Unbeatable Prices

Access cutting-edge cybersecurity products through SafeAeon's unbeatable deals. Premium solutions at competitive prices for top-tier security.

Threat Intelligence

Threat Intelligence

Stay ahead with SafeAeon's researched Threat Intelligence Data. Clients enjoy free access for informed and proactive cybersecurity strategies.

IT Team

Extended IT Team

Seamlessly integrate SafeAeon with your IT team. Strengthen controls against risks and threats with expert recommendations for unified security.

Ready to take control of your Security?

We are here to help

Reach out to schedule a demo with our team and learn how SafeAeon SOC-as-a-Service can benefit your organization