IAS Gyan

Daily News Analysis

LockBit ransomware

9th May, 2024 Security



  • U.S. announces $10 million bounty for alleged LockBit ransomware creator.

LockBit Ransomware

  • LockBit is a cybercriminal group offering ransomware as a service (RaaS). Software developed by the group (also called ransomware) enables malicious actors who are willing to pay for it to carry out attacks using two tactics: they not only encrypt the victim's data and demand payment of a ransom but also threaten to leak it publicly if their demands are not met.
  • Formerly known as “ABCD” ransomware, it has since grown into a unique threat within the scope of these extortion tools. LockBit is a subclass of ransomware known as a ‘crypto virus’ due to forming its ransom requests around financial payment in exchange for decryption. It focuses mostly on enterprises and government organizations rather than individuals.
  • According to a joint statement by various government agencies, LockBit was the world's most prolific ransomware in 2022. It was estimated in early 2023 to be responsible for 44% of all ransomware incidents globally.
  • In the United States between January 2020 and May 2023, LockBit was used in approximately 1,700 ransomware attacks, with US$91 million paid in ransom to hackers.


  • Operations disruption with essential functions coming to a sudden halt.
  • Extortion for the hacker’s financial gain.
  • Data theft and illegal publication as blackmail if the victim does not comply.

How does LockBit ransomware work?

Self-spreading within an organization rather than requiring manual direction:

  • Most significant is its ability to self-propagate, meaning it spreads on its own. In its programming, LockBit is directed by pre-designed automated processes. This sets it apart from many other ransomware attacks, in which operators work manually inside the network, sometimes for weeks, to complete reconnaissance and surveillance.

Targeted rather than spread in a scattershot fashion like spam malware:

  • After the attacker has manually infected a single host, LockBit can find other accessible hosts, connect them to infected ones, and share the infection using a script. This is completed and repeated entirely without human intervention.

Using similar tools to spread, like Windows PowerShell and Server Message Block (SMB):

  • It uses tools in patterns that are native to nearly all Windows computer systems, so endpoint security systems have a hard time flagging the activity as malicious. It also hides the executable encrypting file by disguising it as the common .PNG image file format, further deceiving system defenses.

LockBit attacks can be understood in roughly three stages:

  1. Exploit
  2. Infiltrate
  3. Deploy

Stage 1: Exploit weaknesses in a network:

  • The initial breach looks much like other malicious attacks. An organization may be exploited by social engineering tactics like phishing, in which attackers impersonate trusted personnel or authorities to request access credentials. Equally viable is the use of brute force attacks on an organization’s intranet servers and network systems. Without proper network configuration, attack probes may only take a few days to complete.
  • Once LockBit has made it into a network, the ransomware prepares the system to release its encrypting payload across every device it can. However, an attacker may have to ensure a few additional steps are completed before they can make their final move.

Stage 2: Infiltrate deeper to complete the attack setup if needed:

  • From this point forward, the LockBit program directs all activity independently. It is programmed to use what are known as “post-exploitation” tools to escalate privileges and reach an attack-ready level of access. It also roots through access already available via lateral movement to vet for target viability.
  • It is at this stage that LockBit will take any preparative actions before deploying the encryption portion of the ransomware. This includes disabling security programs and any other infrastructure that could permit system recovery.
  • The goal of infiltration is to make unassisted recovery impossible or slow enough that succumbing to the attacker’s ransom is the only practical solution. When the victim is desperate to get operations back to normal, this is when they will pay the ransom fee.

Stage 3: Deploy the encryption payload:

  • Once the network has been prepared for LockBit to be fully mobilized, the ransomware will begin its propagation across any machine it can touch. As stated previously, LockBit doesn’t need much to complete this stage. A single system unit with high access can issue commands to other network units to download LockBit and run it.

Types of LockBit threats

Variant 1 — .abcd extension

  • LockBit’s original version renames files with the “.abcd” extension name. Additionally, it includes a ransom note with demands and instructions for alleged restorations in the “Restore-My-Files.txt” file, which has been inserted into every folder.

Variant 2 — .LockBit extension

  • The second known version of this ransomware adopted the “.LockBit” file extension, giving it the current moniker. However, victims will find that other traits of this version appear mostly identical despite some backend revisions.

Variant 3 — .LockBit version 2

  • The next identifiable version of LockBit no longer requires downloading the Tor browser in its ransom instructions. Instead, it sends victims to an alternate website via traditional internet access.
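A defender-side triage sketch for the file-level indicators this page names: the “.abcd” and “.LockBit” extensions, the “Restore-My-Files.txt” note, and an executable carrying a .PNG name. This is an added example, not code from the original article; the function names, finding labels and sample files are constructed for illustration, and the check goes slightly beyond the text by also flagging any .PNG file that lacks a valid PNG signature.

```python
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"      # signature every real PNG starts with
PE_MAGIC = b"MZ"                       # first bytes of a Windows executable
RENAMED_EXTS = {".abcd", ".lockbit"}   # extensions named on this page
NOTE_NAME = "restore-my-files.txt"     # ransom note name named on this page

def classify(path):
    """Return a finding label for one file, or None if nothing matches."""
    suffix = path.suffix.lower()
    if path.name.lower() == NOTE_NAME:
        return "ransom_note"
    if suffix in RENAMED_EXTS:
        return "renamed_file"
    if suffix == ".png":
        try:
            with path.open("rb") as fh:
                head = fh.read(8)
        except OSError:
            return "unreadable_png"    # locked or denied: worth a manual look
        if head.startswith(PE_MAGIC):
            return "exe_disguised_as_png"
        if head != PNG_MAGIC:
            return "png_bad_signature"
    return None

def scan(root):
    """Walk root; return sorted (label, path relative to root) findings."""
    found = []
    for path in Path(root).rglob("*"):
        label = classify(path) if path.is_file() else None
        if label:
            found.append((label, path.relative_to(root).as_posix()))
    return sorted(found)

def demo():
    """Scan a constructed, harmless sample tree that mimics the indicators."""
    samples = {"docs/report.docx.abcd": b"\x00" * 16,
               "docs/Restore-My-Files.txt": b"constructed note text",
               "img/logo.png": PNG_MAGIC + b"\x00" * 8,
               "img/update.png": PE_MAGIC + b"\x90" * 8,
               "img/budget.xlsx.LockBit": b"\x00" * 16}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan(root)
```

Calling `demo()` returns the findings for the constructed tree; `scan()` can be pointed at a file share or user profile directory during triage.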

How to protect against LockBit ransomware

  • Strong passwords should be implemented.
  • Activate multi-factor authentication.
  • Reassess and simplify user account permissions. Limit permissions to stricter levels to keep potential threats from passing undeterred.
  • Clean out outdated and unused user accounts.
  • Ensure system configurations are following all security procedures. Have system-wide backups and clean local machine images prepared.




Q. "Ransomware attacks have become a significant cybersecurity threat globally, with LockBit being one of the prominent ransomware variants. Discuss the modus operandi of LockBit ransomware, its impact on critical infrastructure, and the challenges it poses to cybersecurity measures." (250 words)