LockBit 2.0

LockBit 2.0 is an affiliate-based Ransomware-as-a-Service (RaaS) that has been in use since at least June 2021 as the successor to LockBit Ransomware. LockBit 2.0 has versions capable of infecting Windows and VMware ESXi virtual machines, and has been observed targeting multiple industry verticals globally.[1][2]

ID: S1199
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 24 January 2025
Last Modified: 06 February 2025

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

LockBit 2.0 can bypass UAC by creating the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ICM\Calibration, a key read by an auto-elevating Windows display calibration binary, so that the malware's own binary is launched with elevated privileges without a UAC prompt.[1][2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

LockBit 2.0 can use a Registry Run key to establish persistence at startup.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

LockBit 2.0 can use the PowerShell cmdlet Invoke-GPUpdate (from the GroupPolicy module) to force domain-joined hosts to apply its modified Group Policy immediately.[1][2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

LockBit 2.0 can use the Windows command shell for multiple post-compromise actions on objective.[1][2][3]

Enterprise T1136 Create Account

LockBit 2.0 has been observed creating accounts for persistence using simple names like "a".[2]

Enterprise T1486 Data Encrypted for Impact

LockBit 2.0 can use standard AES and elliptic-curve cryptography algorithms to encrypt victim data.[2][4]

Enterprise T1140 Deobfuscate/Decode Files or Information

LockBit 2.0 can decode scripts and strings in loaded modules.[1][2]

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

LockBit 2.0 can modify Group Policy to disable Windows Defender and to automatically infect devices in Windows domains.[1][2]

Enterprise T1480 Execution Guardrails

LockBit 2.0 will not execute on hosts where the system language is set to a language spoken in the Commonwealth of Independent States region.[1][2]

Enterprise T1083 File and Directory Discovery

LockBit 2.0 can exclude files associated with core system functions from encryption.[1]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

LockBit 2.0 can execute command line arguments in a hidden window.[2]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

LockBit 2.0 can disable firewall rules and anti-malware and monitoring software including Windows Defender.[1][2]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

LockBit 2.0 can clear Windows event logs through the use of wevtutil.[1][2][3][4]

Enterprise T1070 .004 Indicator Removal: File Deletion

LockBit 2.0 can delete itself from disk after execution.[1][2][3]

Enterprise T1490 Inhibit System Recovery

LockBit 2.0 has the ability to delete volume shadow copies on targeted hosts.[1][3]

Enterprise T1112 Modify Registry

LockBit 2.0 can create Registry keys to bypass UAC and for persistence.[1]

Enterprise T1135 Network Share Discovery

LockBit 2.0 can discover remote shares.[1]

Enterprise T1120 Peripheral Device Discovery

LockBit 2.0 has the ability to identify mounted external storage devices.[1]

Enterprise T1057 Process Discovery

LockBit 2.0 can determine if a running process has administrative privileges and terminate processes that interfere with encryption or exfiltration.[1][4]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

LockBit 2.0 has the ability to move laterally via SMB.[2][4]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

LockBit 2.0 can be executed via scheduled task.[2]

Enterprise T1489 Service Stop

LockBit 2.0 can automatically terminate processes that may interfere with the encryption or file extraction processes.[4]

Enterprise T1082 System Information Discovery

LockBit 2.0 can enumerate system information including hostname, domain information, and local drive configuration.[1][2]

Enterprise T1614 .001 System Location Discovery: System Language Discovery

LockBit 2.0 can check whether a targeted machine's system language is one of a set of languages used in Eastern Europe and the CIS region, and exit without infecting the host if so.[1][2]

Enterprise T1047 Windows Management Instrumentation

LockBit 2.0 can use wmic.exe to delete volume shadow copies.[3]
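Several of the behaviours above (the ICM\Calibration UAC bypass key under T1548.002, Run-key persistence under T1547.001, account creation under T1136, the wevtutil log clearing under T1070.001, shadow-copy deletion via vssadmin or wmic under T1490 and T1047, scheduled-task execution under T1053.005, and the Invoke-GPUpdate push under T1484.001) leave command-line and registry artifacts that are cheap to hunt for. The following is an added example of that hunt, written for this page; it is not LockBit code and not taken from the ATT&CK entry or its references. The events, field names (modelled on Sysmon event ID 1 process-creation and event ID 13 registry-value-set records), file paths, account names and the value name under ICM\Calibration are all constructed for the sample.

```python
"""Hunt for LockBit 2.0-style command lines and registry writes in endpoint telemetry.

Added example for this page; the events below are constructed, not captured.
Field names follow Sysmon conventions (assumption): event_id 1 = process creation
with command_line, event_id 13 = registry value set with target_object.
"""
import re

# Constructed sample telemetry. Paths, names and the DisplayCalibrator value name
# are placeholders for illustration, not indicators from a real incident.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c wevtutil cl security & wevtutil cl system & wevtutil cl application'},
    {"event_id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic shadowcopy delete'},
    {"event_id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": r'vssadmin delete shadows /all /quiet'},
    {"event_id": 1, "image": r"C:\Windows\System32\net1.exe",
     "command_line": r'net1 user a Passw0rd! /add'},
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell Get-ADComputer -filter * | foreach{ Invoke-GPUpdate -computer $_.name -force }'},
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn lb /tr "C:\Users\Public\lb.exe" /sc onstart /ru system'},
    {"event_id": 13, "image": r"C:\Users\Public\lb.exe",
     "target_object": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ICM\Calibration\DisplayCalibrator",
     "details": r"C:\Users\Public\lb.exe"},
    {"event_id": 13, "image": r"C:\Users\Public\lb.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lb",
     "details": r"C:\Users\Public\lb.exe"},
    # Benign control: an administrator listing, not deleting, shadow copies.
    {"event_id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": r'vssadmin list shadows'},
]

# (technique, description, regex over the normalised command line)
COMMAND_LINE_RULES = [
    ("T1070.001", "Windows event log cleared with wevtutil",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b")),
    ("T1490", "volume shadow copies deleted (vssadmin or wmic)",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b")),
    ("T1136", "local account created with net user /add",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add\b")),
    ("T1484.001", "forced Group Policy refresh via Invoke-GPUpdate",
     re.compile(r"invoke-gpupdate\b")),
    ("T1053.005", "scheduled task created from the command line",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b")),
]

# (technique, description, regex over the normalised registry path)
REGISTRY_RULES = [
    ("T1548.002", "write under the ICM\\Calibration key used for UAC bypass",
     re.compile(r"\\icm\\calibration(\\|$)")),
    ("T1547.001", "Run/RunOnce key written (noisy on its own; correlate with the rest)",
     re.compile(r"\\currentversion\\run(once)?\\")),
]


def _normalise(text):
    """Lower-case, strip quotes and collapse whitespace so rules need one spelling."""
    return re.sub(r"\s+", " ", text.replace('"', "")).strip().lower()


def classify(event):
    """Return the (technique, description) pairs an event matches; [] if none."""
    hits = []
    if event.get("event_id") == 1:
        command = _normalise(event.get("command_line", ""))
        hits = [(t, d) for t, d, rx in COMMAND_LINE_RULES if rx.search(command)]
    elif event.get("event_id") == 13:
        target = _normalise(event.get("target_object", ""))
        hits = [(t, d) for t, d, rx in REGISTRY_RULES if rx.search(target)]
    return hits


def hunt(events):
    """Flatten all matches across a list of events into finding records."""
    findings = []
    for index, event in enumerate(events):
        for technique, description in classify(event):
            findings.append({"index": index, "technique": technique,
                             "description": description, "image": event.get("image")})
    return findings


def techniques_seen(events):
    """Sorted set of distinct ATT&CK techniques observed in the events."""
    return sorted({f["technique"] for f in hunt(events)})


def impact_chain(events):
    """High-confidence signal: shadow copies deleted AND event logs cleared on the
    same host. Either alone is routine admin noise; together they precede encryption."""
    seen = set(techniques_seen(events))
    return {"T1490", "T1070.001"} <= seen


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding['technique']}] {finding['description']}  <- {finding['image']}")
    print("ransomware pre-encryption chain:", impact_chain(SAMPLE_EVENTS))
```

The single-command rules are deliberately broad (an administrator legitimately runs vssadmin and schtasks), which is why impact_chain only fires on the combination of shadow-copy deletion and log clearing; in production the same correlation would be keyed on host and a short time window rather than on a whole event list.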

References