LockBit

LockBit, ABCD Ransomware, LockBit Black
(Type: Ransomware, Big Game Hunting, Reconnaissance, Remote command)

(Kaspersky) LockBit ransomware is malicious software designed to block user access to computer systems in exchange for a ransom payment. LockBit will automatically vet for valuable targets, spread the infection, and encrypt all accessible computer systems on a network. This ransomware is used for highly targeted attacks against enterprises and other organizations. As a self-piloted cyberattack, LockBit attackers have made a mark by threatening organizations globally with some of the following threats:
• Operations disruption with essential functions coming to a sudden halt.
• Extortion for the hacker’s financial gain.
• Data theft and illegal publication as blackmail if the victim does not comply.

[News Analysis] Trends:

Total: 138 news articles

Trend Per Year
  2020: 12
  2021: 42
  2022: 67
  2023: 17 (Jan to Oct)

Trend Per Month (months with no articles omitted)
  2020: Apr 3, Jul 1, Sep 4, Oct 2, Nov 1, Dec 1
  2021: Jan 2, Feb 1, Mar 1, Apr 4, May 3, Jun 1, Jul 3, Aug 15, Sep 2, Oct 4, Nov 5, Dec 1
  2022: Jan 4, Feb 8, Mar 9, Apr 9, May 8, Jun 6, Jul 10, Aug 5, Sep 3, Oct 3, Nov 2
  2023: Jan 1, Feb 3, Mar 1, Apr 4, May 2, Jun 3, Jul 1, Sep 1, Oct 1



[News Analysis] News Mention Another Threat Name:

(count - name)
160 - LockBit; 110 - Conti; 10 - BianLian; 76 - Clop; 31 - Royal Ransom; 5 - 8Base; 5 - Money Message; 46 - Babuk; 2 - Silence; 60 - Hive; 8 - WhiteRabbit; 38 - Black Basta; 67 - BlackCat; 73 - MedusaLocker; 15 - PLAY; 19 - QUIETEXIT; 19 - AppleJeus; 19 - CaddyWiper; 96 - Cobalt Strike; 71 - Dharma;
19 - HermeticWiper; 19 - INDUSTROYER2; 19 - Ladon; 19 - Meterpreter; 23 - PartyTicket; 93 - PlugX; 97 - QakBot; 135 - REvil; 47 - SystemBC; 19 - WhisperGate; 90 - RagnarLocker; 33 - Cuba; 85 - Emotet; 62 - Mount Locker; 58 - Zloader; 56 - Amadey; 59 - Gandcrab; 30 - MimiKatz; 13 - Avoslocker; 68 - BlackMatter;
101 - DarkSide; 41 - HelloKitty; 13 - Luna; 67 - RansomEXX; 13 - RedAlert Ransomware; 40 - FAKEUPDATES; 8 - BlackByte; 63 - Mespinoza; 77 - Ragnarok; 1 - BITWISE SPIDER; 40 - Blister; 75 - DoppelPaymer; 69 - Dridex; 37 - FriedEx; 44 - Hades; 11 - Macaw; 40 - Phoenix Locker; 99 - WastedLocker; 6 - DEADBOLT; 6 - DoubleZero;
6 - StealBit; 34 - AnchorDNS; 34 - Griffon; 53 - ATOMSILO; 81 - BazarBackdoor; 45 - FiveHands; 34 - Gozi; 82 - IcedID; 61 - ISFB; 34 - JSSLoader; 53 - LockFile; 123 - Maze; 34 - NightSky; 34 - Pandora; 65 - Phobos; 37 - PhotoLoader; 34 - Rook; 98 - Ryuk; 112 - TrickBot; 34 - BRONZE STARLIGHT;
44 - STOP; 63 - SunCrypt; 9 - Buer; 99 - Mailto; 80 - Avaddon; 30 - AvosLocker; 28 - BlackKingdom Ransomware; 28 - Cring; 28 - dearcry; 81 - Egregor; 28 - Entropy; 28 - Epsilon Red; 28 - Karma; 43 - Nefilim; 36 - RobinHood; 37 - SamSam; 33 - Snatch; 54 - WannaCryptor; 13 - Kronos; 13 - Nanocore RAT;
42 - NjRAT; 13 - PrivateLoader; 62 - Quasar RAT; 13 - RedLine Stealer; 15 - Remcos; 62 - SmokeLoader; 13 - Tofsee; 13 - Vidar; 3 - Babadeda; 3 - BitRAT; 4 - Andromeda; 4 - Squirrelwaffle; 25 - BADHATCH; 25 - MegaCortex; 84 - Nemty; 58 - Pay2Key; 59 - PwndLocker; 58 - Sekhmet; 27 - ThunderX; 59 - VIKING SPIDER;
17 - TA2101; 53 - Anchor; 53 - Cutwail; 78 - DanaBot; 53 - Hakbit; 53 - JSOutProx; 53 - KerrDown; 53 - NedDnLoader; 53 - Pushdo; 53 - PyXie; 53 - ShadowPad; 53 - Snake; 53 - SUNBURST; 53 - TEARDROP; 53 - Winnti; 53 - KNOCKOUT SPIDER; 56 - OUTLAW SPIDER; 53 - RIDDLE SPIDER; 53 - SOLAR SPIDER; 13 - MIMIC SPIDER;
13 - PIZZO SPIDER; 8 - OVERLORD SPIDER; 32 - DEFENSOR ID; 32 - HiddenAd; 32 - Bundlore; 32 - Pirrit; 32 - Agent.BTZ; 32 - Cerber; 32 - ClipBanker; 32 - CROSSWALK; 32 - Cryptowall; 32 - CTB Locker; 32 - Formbook; 32 - Grandoreiro; 32 - Houdini; 32 - Locky; 32 - Microcin; 32 - Pony; 32 - Socelars; 32 - Tinba; 7 - Paradise


[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

Tactic columns (no techniques are recorded on this page):
TA0043 Reconnaissance
TA0042 Resource Development
TA0001 Initial Access
TA0002 Execution
TA0003 Persistence
TA0004 Privilege Escalation
TA0005 Defense Evasion
TA0006 Credential Access
TA0007 Discovery
TA0008 Lateral Movement
TA0009 Collection
TA0011 Command and Control
TA0010 Exfiltration
TA0040 Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port               Timestamp
82.102.20.219:80      2022-08-18
51.15.18.180:80       2022-08-18
52.237.96.13:80       2022-08-18
62.76.112.121:80      2022-08-18
167.172.239.68:80     2022-08-18
82.202.247.81:80      2022-08-18
185.202.2.121:80      2022-08-18
51.89.134.150:80      2022-08-18
104.237.255.254:80    2022-08-18
54.38.212.197:80      2022-08-18

Domain                        Timestamp
tinneatonenessnabobical.com   2022-10-04

URL                   Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

Lighting the Exfiltration Infrastructure of a LockBit Affiliate (and more)

2023-10-03 by Luca Mella from

PTI-257 (ex-Wizard Spider) - IOCs

2023-09-07 by PRODAFT from PRODAFT

Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical

2023-07-26 by Nicole Hoffman from Talos

LockBit Green and phishing that targets organizations

2023-06-22 by GReAT from Kaspersky Labs

ransomware-descendants

2023-06-17 by EmissarySpider from Github (EmissarySpider)

Understanding Ransomware Threat Actors: Lockbit

2023-06-14 by FBI from CISA

Taming the Storm: Understanding and Mitigating the Consequences of CVE-2023-27350

2023-05-23 by Saharsh Agrawal from loginsoft

Russian Hacker “Wazawaka” Indicted for Ransomware

2023-05-16 by Brian Krebs from KrebsOnSecurity

March 2023 broke ransomware attack records with 459 incidents

2023-04-19 by Bill Toulas from Bleeping Computer

M-Trends 2023

2023-04-18 by Mandiant from Mandiant

Tweet on MacOS Lockbit sample

2023-04-16 by MalwareHunterTeam from Twitter (@malwrhunterteam)

Lockbit changes color

2023-04-14 by GLIMPS from GLIMPS

Cracked Cobalt Strike (1:23-cv-02447)

2023-03-30 by Microsoft from United States District Court (Eastern District of New York)

Can You See It Now? An Emerging LockBit Campaign

2023-02-28 by Eliran Voronovitch from Fortinet

Uncovering LockBit Black’s Attack Chain and Anti-forensic activity

2023-02-01 by Sathwik Ram Prakki from Seqrite

New LockBit Green ransomware variant borrows code from Conti ransomware

2023-02-01 by Pierluigi Paganini from Security Affairs

Unlocking Lockbit: A Ransomware Story

2023-01-16 by Jon DiMaggio from ANALYST1

LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling

2022-11-30 by Andrew Brandt from Sophos

LockBit 3.0 Being Distributed via Amadey Bot

2022-11-08 by ASEC from AhnLab

Hunting Lockbit Variation

2022-10-18 by Anish Bogati from Logpoint

LockBit 3.0 Ransomware Unlocked

2022-10-15 by Dana Behling from vmware

From Exchange Server vulnerability to ransomware infection in just 7 days

2022-10-11 by ASEC Analysis Team from AhnLab

ESXi-Targeting Ransomware: The Threats That Are After Your Virtual Machines (Part 1)

2022-09-28 by Giovanni Vigna from vmware

Quick Overview of Leaked LockBit 3.0 (Black) builder program

2022-09-22 by Yang HuiSeong from Medium s2wlab

A Technical Analysis Of The Leaked LOCKBIT 3.0 Builder

2022-09-22 by Vlad Pasca from Cyber Geeks

LockBit ransomware gang gets aggressive with triple-extortion tactic

2022-08-28 by Ionut Ilascu from BleepingComputer

Back in Black: Unlocking a LockBit 3.0 Ransomware Attack

2022-08-19 by Ross Inman from nccgroup

The Increase in Ransomware Attacks on Local Governments

2022-08-11 by Robert Ames from SecurityScorecard

Indian Power Sector targeted with latest LockBit 3.0 variant

2022-08-10 by Sathwik Ram Prakki from Quick Heal

LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool

2022-08-04 by Arda Büyükkaya from YouTube (Arda Büyükkaya)

Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool

2022-07-28 by Júlio Dantas from SentinelOne

LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities

2022-07-25 by Ivan Nicole Chavez from Trend Micro

LockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques

2022-07-21 by Jim Walter from Sentinel LABS

LockBit: Ransomware Puts Servers in the Crosshairs

2022-07-20 by Vishal Kamble from Symantec

Ransomware Roundup: Protecting Against New Variants

2022-07-18 by FortiGuard Labs from Fortinet

Lockbit 3.0

2022-07-13 by GLIMPS from GLIMPS

Lockbit 3.0 AKA Lockbit Black is here, with a new icon, new ransom note, new wallpaper, but less evasiveness?

2022-07-10 by Natalie Zargarov from Minerva Labs

THREAT ANALYSIS REPORT: LockBit 2.0 - All Paths Lead to Ransom

2022-07-07 by Cybereason Global SOC Team from Cybereason

LockBit 3.0: “Making The Ransomware Great Again”

2022-07-06 by Cluster25 from Cluster25

Lockbit 3.0 – Ransomware Group Launches New Version

2022-07-05 by Cyble Research Labs from cyble

LockBit Ransomware Disguised as Copyright Claim E-mail Being Distributed

2022-06-24 by ASEC from AhnLab

The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)

2022-06-23 by Nikita Nazarov from Kaspersky

The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs

2022-06-23 by Nikita Nazarov from Kaspersky

LockBit 2.0: How This RaaS Operates and How to Protect Against It

2022-06-09 by Amer Elsad from Palo Alto Networks Unit 42

A SecPro Super Issue: Understanding LockBit

2022-06-02 by packtsecurity from Packt

To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions

2022-06-02 by Mandiant Intelligence from Mandiant

LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022 (PDF)

2022-05-23 by Trend Micro Research from Trend Micro

LockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1 2022

2022-05-23 by Matsugaya Shingo from Trend Micro

New ransomware trends in 2022

2022-05-11 by GReAT from Kaspersky

Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself

2022-05-09 by Microsoft 365 Defender Threat Intelligence Team from Microsoft

Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself

2022-05-09 by Microsoft Threat Intelligence Center from Microsoft Security

Twitter Thread on initial infection by SocGholish/FAKEUPDATES campaigns leading to BLISTER Loader, CobaltStrike, Lockbit and followed by hands-on-keyboard activity

2022-05-06 by Microsoft Security Intelligence from Twitter (@MsftSecIntel)

Ransomware: LockBit 3.0 Starts Being Used in Cyberattacks

2022-05-06 by Valéry Rieß-Marchive from LeMagIT

Cybercrime loves company: Conti cooperated with other ransomware gangs

2022-05-05 by Intel 471 from Intel 471

LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility

2022-04-27 by James Haughom from Sentinel LABS

Attackers linger on government agency computers before deploying Lockbit ransomware

2022-04-12 by Andrew Brandt from Sophos

Threat Profile: LockBit

2022-04-12 by ConnectWise CRU from ConnectWise

Lockbit 3.0: Another Upgrade to World’s Most Active Ransomware

2022-04-06 by SOCRadar from SOCRadar

Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload (IoCs)

2022-04-05 by Earle Maui Earnshaw from Trend Micro

Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload

2022-04-05 by Earle Maui Earnshaw from Trend Micro

Thwarting Loaders: From SocGholish to BLISTER’s LockBit Payload

2022-04-05 by Earle Earnshaw from Trend Micro

The Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'

2022-04-01 by Lawrence Abrams from Bleeping Computer

Conti Leaks: Examining the Panama Papers of Ransomware

2022-03-31 by John Fokker from Trellix

LockBit victim estimates cost of ransomware attack to be $42 million

2022-03-31 by Bill Toulas from Bleeping Computer

Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed

2022-03-23 by Shannon Davis from splunk

VPN Appliance Forensics

2022-03-21 by Benjamin Bruppacher from COMPASS SECURITY

LockBit Ransomware v2.0

2022-03-19 by Chuong Dong from Chuongdong blog

The Ransomware Threat Intelligence Center

2022-03-17 by Tilly Travers from Sophos

Part 2: LockBit 2.0 ransomware bugs and database recovery attempts

2022-03-11 by Microsoft Detection and Response Team (DART) from Microsoft

LockBit ransomware gang claims attack on Bridgestone Americas

2022-03-11 by Ionut Ilascu from Bleeping Computer

Part 1: LockBit 2.0 ransomware bugs and database recovery attempts

2022-03-11 by Microsoft Detection and Response Team (DART) from Microsoft

Conti ransomware gang chats leaked by pro-Ukraine member

2022-02-27 by Catalin Cimpanu from The Record

An Empirically Comparative Analysis of Ransomware Binaries

2022-02-23 by Shannon Davis from splunk

A Detailed Analysis of The LockBit Ransomware

2022-02-14 by Vlad Pasca from LIFARS

Came close to shutting down thousands of wind turbines: Now Vestas talks about the cyberattack

2022-02-14 by Allan Nisgaard from DR.DK

Dragos ICS/OT Ransomware Analysis: Q4 2021

2022-02-09 by Anna Skelton from Dragos

PrivateLoader: The first step in many malware schemes

2022-02-08 by Intel 471 from Intel 471

Ransomware Spotlight: LockBit

2022-02-08 by Trend Micro Research from Trend Micro

CU-000162-MW: Indicators of Compromise Associated with LockBit 2.0 Ransomware

2022-02-07 by FBI from FBI

Ransomware as a Service Innovation Curve

2022-01-27 by CoveWare from

ALPHV ransomware gang analysis

2022-01-26 by Intrinsec from Intrinsec

Analysis and Impact of LockBit Ransomware’s First Linux and VMware ESXi Variant

2022-01-24 by Junestherry Dela Cruz from Trend Micro

Better Together: The Power of Managed Cybersecurity Services in the Face of Pressing Global Security Challenges

2022-01-21 by Falcon OverWatch Team from CrowdStrike

Inside the LockBit Arsenal - The StealBit Exfiltration Tool

2021-12-16 by Aleksandar Milenkoski from Cybereason

Babadeda Crypter targeting crypto, NFT, and DeFi communities

2021-11-23 by Hido Cohen from Morphisec

BlackMatter, LockBit, and THOR

2021-11-18 by Josh Pyorre from Cisco

Intelligence Insights: November 2021

2021-11-18 by The Red Canary Team from Red Canary

Ransomware (R)evolution Plagues Organizations, But CrowdStrike Protection Never Wavers

2021-11-17 by Thomas Moses from CrowdStrike

BlackMatter ransomware moves victims to LockBit after shutdown

2021-11-03 by Lawrence Abrams from Bleeping Computer

Unravelling the internal structure of the "LockBit2.0" ransomware

2021-10-27 by MBSD from MBSD

Recovering registry hives encrypted by LockBit 2.0

2021-10-15 by skyblue team from skyblue.team blog

ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity

2021-10-12 by CrowdStrike Intelligence Team from CrowdStrike

Malware analysis: Details on LockBit ransomware

2021-10-05 by Pedro Tavares from Seguranca Informatica

Hunting the LockBit Gang's Exfiltration Infrastructures

2021-09-24 by Luigi Martire from Yoroi

LockBit 2.0: Ransomware Attacks Surge After Successful Affiliate Recruitment

2021-09-09 by Megan Roddie from IBM

From Russia With… LockBit Ransomware: Inside Look & Preventive Solutions

2021-08-26 by Anastasia Sentsova from Advanced Intelligence

Ransomware Groups to Watch: Emerging Threats

2021-08-24 by Ruchna Nigam from Palo Alto Networks Unit 42

LockBit 2.0 Interview with Russian OSINT

2021-08-24 by KELA Cyber Intelligence Center from KELA

LockBit Ransomware Analysis Notes

2021-08-17 by Amged Wageh from Medium amgedwageh

LockBit Ransomware - Technical Analysis

2021-08-17 by Amged Wagih from

LockBit Resurfaces With Version 2.0 Ransomware Detections in Chile, Italy, Taiwan, UK

2021-08-16 by Jett Paulo Bernardo from Trend Micro

A Deep-dive Analysis of LOCKBIT 2.0

2021-08-16 by Cyble from cyble

The Ransomware Threat

2021-08-15 by Threat Hunter Team from Symantec

Netskope Threat Coverage: LockBit

2021-08-12 by Gustavo Palazolo from Netskope

The Rising Threat from LockBit Ransomware

2021-08-11 by Tony Bradley from Cybereason

Australian cybersecurity agency warns of spike in LockBit ransomware attacks

2021-08-06 by Catalin Cimpanu from The Record

LockBit ransomware recruiting insiders to breach corporate networks

2021-08-04 by Lawrence Abrams from Bleeping Computer

Energy group ERG reports minor disruptions after ransomware attack

2021-08-04 by Sergiu Gatlan from Bleeping Computer

Ransomware attack hits Italy's Lazio region, affects COVID-19 site

2021-08-03 by Lawrence Abrams from Bleeping Computer

An interview with BlackMatter: A new ransomware group that’s learning from the mistakes of DarkSide and REvil

2021-08-02 by Dmitry Smilyanets from The Record

BlackMatter Ransomware Emerges As Successor to DarkSide, REvil

2021-07-27 by Insikt Group® from Recorded Future

LockBit ransomware now encrypts Windows domains using group policies

2021-07-27 by Lawrence Abrams from Bleeping Computer

W4 July | EN | Story of the week: Ransomware on the Darkweb

2021-07-22 by Denise Dasom Kim from S2W LAB Inc.

LockBit RaaS In-Depth Analysis

2021-06-18 by PRODAFT from PRODAFT Threat Intelligence

Popular Russian hacking forum XSS bans all ransomware topics

2021-05-13 by Lawrence Abrams from Bleeping Computer

Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb

2021-05-10 by DarkTracer from DarkTracer

Ransomware: Hunting for Inhibiting System Backup or Recovery

2021-05-06 by Brandon Denker from Cyborg Security

UK rail network Merseyrail likely hit by Lockbit ransomware

2021-04-28 by Lawrence Abrams from Bleeping Computer

Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound

2021-04-26 by CoveWare from CoveWare

Ransom Mafia - Analysis of the World's First Ransomware Cartel

2021-04-07 by Jon DiMaggio from ANALYST1

Ransom Mafia Analysis of the World's First Ransomware Cartel

2021-04-07 by Jon DiMaggio from ANALYST1

Missed opportunity: Bug in LockBit ransomware allowed free decryptions

2021-03-17 by Catalin Cimpanu from The Record

2021 Global Threat Report

2021-02-23 by CrowdStrike from CrowdStrike

W4 Jan | EN | Story of the week: Ransomware on the Darkweb

2021-01-26 by Hyunmin Suh from Medium s2wlab

Interview with a LockBit ransomware operator

2021-01-04 by Azim Khodjibaev from Cisco Talos

Ransomware hits helicopter maker Kopter

2020-12-05 by Catalin Cimpanu from ZDNet

Zooming into Darknet Threats Targeting Japanese Organizations

2020-11-18 by Victoria Kivilevich from KELA

LockBit uses automated attack tools to identify tasty targets

2020-10-21 by Sean Gallagher from SophosLabs Uncut

Lockbit analysis

2020-10-02 by Lexfo from Lexfo

Double Trouble: Ransomware with Data Leak Extortion, Part 1

2020-09-25 by The Crowdstrike Intel Team from CrowdStrike

Double Trouble: Ransomware with Data Leak Extortion, Part 1

2020-09-24 by CrowdStrike Intelligence Team from CrowdStrike

Ransomware’s New Trend: Exfiltration and Extortion

2020-09-17 by Drew Schmitt from CRYPSIS

Quarterly Report: Incident Response trends in Summer 2020

2020-09-01 by David Liebenberg from Cisco Talos

THREAT REPORT Q2 2020

2020-07-29 by welivesecurity from ESET Research

Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk

2020-04-28 by Microsoft Threat Protection Intelligence Team from Microsoft

LockBit ransomware IoCs

2020-04-24 by Albert Zsigovits from Github (albertzsigovits)

LockBit ransomware borrows tricks to keep up with REvil and Maze

2020-04-24 by Albert Zsigovits from Sophos Labs

Basic Information (Credit @etda.or.th)

Tool: LockBit

Names: LockBit, ABCD Ransomware, LockBit Black

Category: Malware

Type: Ransomware, Big Game Hunting, Reconnaissance, Remote command

Information: https://www.kaspersky.com/resource-center/threats/lockbit-ransomware

Information: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/

Information: https://arstechnica.com/information-technology/2020/05/lockbit-the-new-ransomware-for-hire-a-sad-and-cautionary-tale/

Information: https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/

Information: https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets/

Information: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-moves-quietly-on-the-network-strikes-fast/

Information: https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf

Information: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/

Information: https://www.cybereason.com/blog/lockbit-ransomware-wants-to-hire-your-employees

Information: https://www.bankinfosecurity.com/ransomware-lockbit-20-borrows-ryuk-egregors-tricks-a-17335

Information: https://www.cybereason.com/blog/cybereason-vs.-lockbit2.0-ransomware

Information: https://www.deepinstinct.com/blog/lockbit-2-0-ransomware-becomes-lockfile-ransomware-with-a-never-before-seen-encryption-method

Information: https://www.cybereason.com/blog/threat-analysis-report-inside-the-lockbit-arsenal-the-stealbit-exfiltration-tool

Information: https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html

Information: https://www.ic3.gov/Media/News/2022/220204.pdf

Information: https://www.trendmicro.com/en_us/research/22/d/Thwarting-Loaders-From-SocGholish-to-BLISTERs-LockBit-Payload.html

Information: https://www.malvuln.com/advisory/96de05212b30ec85d4cf03386c1b84af.txt

Information: https://unit42.paloaltonetworks.com/lockbit-2-ransomware/

Information: https://www.trendmicro.com/en_us/research/22/f/conti-vs-lockbit-a-comparative-analysis-of-ransomware-groups.html

Information: https://www.csoonline.com/article/3665871/lockbit-explained-how-it-has-become-the-most-popular-ransomware.html

Information: https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom

Information: https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/

Information: https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html

Information: https://www.darkreading.com/vulnerabilities-threats/everything-you-need-to-know-about-lockbit

Information: https://asec.ahnlab.com/en/41450/

Information: https://www.tripwire.com/state-of-security/lockbit-ransomware-what-you-need-know

Information: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-goes-green-uses-new-conti-based-encryptor/

Information: https://asec.ahnlab.com/en/47739/

Information: https://www.fortinet.com/blog/threat-research/emerging-lockbit-campaign

Information: https://thehackernews.com/2023/03/the-prolificacy-of-lockbit-ransomware.html

Information: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a

Information: https://securelist.com/crimeware-report-lockbit-switchsymb/110068/

Information: https://www.fortinet.com/blog/threat-research/lockbit-most-prevalent-ransomware

Information: https://www.cybereason.com/blog/threat-analysis-assemble-lockbit-3

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit

Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:lockbit

Playbook: https://pan-unit42.github.io/playbook_viewer/?pb=lockbit20-ransomware

Last-card-change: 2023-09-06

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

Indicators of Compromise (Credit @ThreatFox)

MD5_HASH
  • 2831b37cf521848142e8a5d69515b065
  • 5e7b650a6e0070bceed648681bff20fe
  • 03cea7c49abe78863ae2644ac77c8efb
  • f64b643de2bc7c368b0a13d12c584a09
  • 0f7c10dfa562adf15f1f6078ecaee788
  • fe5101b50e92a923d74cc6f0f4225539
  • 008520e6248952bd3ac9e16f144b6243
SHA256_HASH
  • 2daa5fa152b627f5ae23d2e8fa4e3e399d4899729ad32f184e32d59fd4dd20ef
  • 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845
  • 442f78f823663cea5da451a9710ece34dbbb29d61985381e6393f6ea1219466b
  • a2db758f099d8a6dec5fd500d033ce2fcd89b58b53d938fdb9d9cba2d91dba01
  • 67b05e96f47db0447da53beddbf9aff265cd02562c12428d787fdab0278ded2e
  • c6cf5fd8f71abaf5645b8423f404183b3dea180b69080f53b9678500bab6f0de
DOMAIN
  • tinneatonenessnabobical.com
IP:PORT
  • 82.102.20.219:80
  • 51.15.18.180:80
  • 52.237.96.13:80
  • 62.76.112.121:80
  • 167.172.239.68:80
  • 82.202.247.81:80
  • 185.202.2.121:80
  • 51.89.134.150:80
  • 104.237.255.254:80
  • 54.38.212.197:80
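The indicators above are only useful once they are run against telemetry. As an added example (not code from this page, ThreatFox, or any vendor cited here), the Python below parses the ThreatFox-style block exactly as it is laid out above, then scans a handful of constructed log lines (proxy, DNS and EDR events in an invented key=value format; none are real incident data) and reports which indicator matched and at what confidence. Hashes and domains match exactly (subdomains of a listed domain count), an IP:port pair matches only when both agree, and a listed address seen on a different port is reported as a medium-confidence lead rather than a hit, because the port-80 entries are a 2022 snapshot and hosting addresses get reused.

```python
import re
from dataclasses import dataclass

# Indicator block copied from the ThreatFox list on this page, in the same
# layout (type header, then one "•" bullet per indicator).
IOC_BLOCK = """
MD5_HASH
  • 2831b37cf521848142e8a5d69515b065
  • 5e7b650a6e0070bceed648681bff20fe
  • 03cea7c49abe78863ae2644ac77c8efb
  • f64b643de2bc7c368b0a13d12c584a09
  • 0f7c10dfa562adf15f1f6078ecaee788
  • fe5101b50e92a923d74cc6f0f4225539
  • 008520e6248952bd3ac9e16f144b6243
SHA256_HASH
  • 2daa5fa152b627f5ae23d2e8fa4e3e399d4899729ad32f184e32d59fd4dd20ef
  • 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845
  • 442f78f823663cea5da451a9710ece34dbbb29d61985381e6393f6ea1219466b
  • a2db758f099d8a6dec5fd500d033ce2fcd89b58b53d938fdb9d9cba2d91dba01
  • 67b05e96f47db0447da53beddbf9aff265cd02562c12428d787fdab0278ded2e
  • c6cf5fd8f71abaf5645b8423f404183b3dea180b69080f53b9678500bab6f0de
DOMAIN
  • tinneatonenessnabobical.com
IP:PORT
  • 82.102.20.219:80
  • 51.15.18.180:80
  • 52.237.96.13:80
  • 62.76.112.121:80
  • 167.172.239.68:80
  • 82.202.247.81:80
  • 185.202.2.121:80
  • 51.89.134.150:80
  • 104.237.255.254:80
  • 54.38.212.197:80
"""

# Constructed sample events (proxy, DNS, EDR); invented for this example.
SAMPLE_LOGS = [
    "2022-08-18T10:01:02Z proxy src=10.0.0.12 dst=82.102.20.219:80 host=82.102.20.219 method=POST uri=/",
    "2022-10-04T08:30:00Z dns client=10.0.0.40 query=update.tinneatonenessnabobical.com type=A",
    "2022-08-19T11:00:00Z edr host=WS-07 event=file_create path=C:\\Users\\Public\\lb3.exe "
    "sha256=2DAA5FA152B627F5AE23D2E8FA4E3E399D4899729AD32F184E32D59FD4DD20EF",
    "2022-08-19T11:02:00Z proxy src=10.0.0.12 dst=82.102.20.219:8443 host=- method=CONNECT uri=-",
]

IOC_TYPES = ("MD5_HASH", "SHA256_HASH", "DOMAIN", "IP:PORT")
IPV4 = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?![\w.])")
HEXHASH = re.compile(r"\b([0-9a-fA-F]{64}|[0-9a-fA-F]{32})\b")
HOSTNAME = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def parse_iocs(block: str) -> dict[str, set[str]]:
    """Parse the page's IOC layout into {type: {indicator, ...}}, lower-cased."""
    iocs, current = {t: set() for t in IOC_TYPES}, None
    for line in (l.strip() for l in block.splitlines() if l.strip()):
        if line in IOC_TYPES:
            current = line
        elif line.startswith("•") and current:
            iocs[current].add(line.lstrip("• ").lower())
        else:
            raise ValueError(f"unexpected line in IOC block: {line!r}")
    return iocs


@dataclass(frozen=True)
class Hit:
    line_no: int     # 1-based index into the scanned list
    kind: str        # IOC type; "IP" marks a listed address seen on another port
    indicator: str
    confidence: str  # "high" for exact matches, "medium" for IP-only


def scan_logs(iocs: dict[str, set[str]], lines: list[str]) -> list[Hit]:
    """Return every IOC match in the lines, in line order; IP:PORT is high
    confidence only when address and port both agree."""
    ioc_ips = {v.split(":")[0] for v in iocs["IP:PORT"]}
    hits: list[Hit] = []
    for n, line in enumerate(lines, start=1):
        exact, ip_only = set(), set()
        for ip, port in IPV4.findall(line):
            if port and f"{ip}:{port}" in iocs["IP:PORT"]:
                exact.add(f"{ip}:{port}")
            elif ip in ioc_ips:
                ip_only.add(ip)
        hits += [Hit(n, "IP:PORT", v, "high") for v in sorted(exact)]
        exact_ips = {v.split(":")[0] for v in exact}
        hits += [Hit(n, "IP", ip, "medium") for ip in sorted(ip_only - exact_ips)]
        for h in HEXHASH.findall(line):
            h = h.lower()  # normalise case before comparing with the IOC set
            kind = "SHA256_HASH" if len(h) == 64 else "MD5_HASH"
            if h in iocs[kind]:
                hits.append(Hit(n, kind, h, "high"))
        for host in HOSTNAME.findall(line):
            host = host.lower()
            for d in iocs["DOMAIN"]:
                if host == d or host.endswith("." + d):
                    hits.append(Hit(n, "DOMAIN", d, "high"))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(parse_iocs(IOC_BLOCK), SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.indicator} ({hit.confidence})")
```

On the four sample lines this yields an IP:PORT hit, a DOMAIN hit (via the subdomain), a SHA256 hit despite the upper-case hash in the event, and a medium-confidence IP lead for the same address on port 8443. For a real deployment the hash and domain matches are the ones worth paging on; the address-only leads should be enriched (passive DNS, hosting provider, date of last sighting) before anyone acts on a two-year-old port-80 IP.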
