Is this host protected from LockBit?

LockBit 2.0 is an affiliate-based Ransomware-as-a-Service (RaaS) that was first observed in June 2021. This chain simulates post-exploitation activity of LockBit, including deleting Volume Shadow Copies, performing a UAC bypass, creating a named pipe, and writing a ransom note to the user's desktop. Endpoint detection should identify LockBit 2.0 ransomware activity and respond before it can cause damage. This chain must be run as Administrator.
This week, we're simulating LockBit 2.0 IOCs in your environment:
  • Is this host protected from LockBit?

Is this host protected from LockBit?

LockBit 2.0 is an affiliate-based Ransomware-as-a-Service (RaaS) that was first observed in June 2021.
LockBit 2.0 ransomware utilizes a variety of techniques including the use of access brokers, insider access, and zero day exploits, to gain initial access to the victim network. LockBit operators have been observed using publicly available tools such as Mimikatz during post-exploitation, as well as custom tools to exfiltrate data.

After encrypting victim data, LockBit operators use double extortion techniques, the threat of leaking or selling exfiltrated data, to pressure victims into paying.

In February 2022, the FBI released a Flash report sharing technical details of LockBit 2.0 ransomware, including associated TTPs and potential mitigations.


Execute Operator’s Is this host protected from LockBit? TTP on each host in your environment.

This chain is configured to delete VSS shadow copies via shell commands extracted from LockBit 2.0 ransomware. It then modifies a registry key used for UAC bypass, enabling LockBit to run with elevated permission. The chain then creates a named pipe used by LockBit 2.0 ransomware. Finally, files are encrypted and appended with the LockBit 2.0 file extension, .lockbit, and a ransom note is placed on the user's desktop.


To protect yourself, it is recommended to follow CISA's Ransomware Guide that includes best practices to help manage risk posed by ransomware, such as enabling MFA on accounts and services, employ network segmentation between business units or departments, and regularly patch software vulnerabilities.

Check out the TTP Is this host protected from LockBit? on the Prelude chains website.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator:
See the latest kill chain and TTP Releases:
See our open-source repositories:

Join our community


Read, watch, and listen

Listen to our Podcast:
Read our blog:
Watch our live streams:
Watch our pre-recorded content:

Follow our team


Read more

Execute this chain

Download Operator (1.7.1)
Learn about Operator


Is this host protected from LockBit?