After encrypting victim data, LockBit operators use double extortion, threatening to leak or sell the exfiltrated data, to pressure victims into paying.
In February 2022, the FBI released a Flash report sharing technical details of LockBit 2.0 ransomware, including associated TTPs and potential mitigations.
Execute Operator’s "Is this host protected from LockBit?" TTP on each host in your environment.
This chain is configured to delete VSS shadow copies via shell commands extracted from LockBit 2.0 ransomware. It then modifies a registry key used for UAC bypass, enabling LockBit to run with elevated permissions. The chain then creates a named pipe used by LockBit 2.0 ransomware. Finally, files are encrypted and appended with the LockBit 2.0 file extension, .lockbit, and a ransom note is placed on the user's desktop.
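As an added example (not part of the original post or of Prelude's chain), the following Python sketches host-side detection for the observable stages of the chain above: shadow-copy deletion, files gaining the .lockbit extension, and a note dropped on the desktop. The event format, the sample events and the note filename are constructed placeholders; the shadow-copy commands are generic Windows tooling, not commands taken from the page; the registry-key and named-pipe stages are omitted because the post does not name them.

```python
import re

# Constructed sample events (not real telemetry). Each is "type|detail":
#   proc -> a process command line, file -> a created or renamed file path.
SAMPLE_EVENTS = [
    "proc|cmd.exe /c vssadmin delete shadows /all /quiet",
    "proc|wmic.exe shadowcopy delete",
    "proc|notepad.exe C:\\Users\\alice\\notes.txt",
    "file|C:\\Users\\alice\\Documents\\budget.xlsx.lockbit",
    "file|C:\\Users\\alice\\Documents\\report.docx",
    "file|C:\\Users\\alice\\Desktop\\RANSOM-NOTE-PLACEHOLDER.txt",  # placeholder name
]

# Shadow-copy deletion via standard Windows tooling; widely documented
# ransomware behaviour, not commands quoted from the page.
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b",
    re.IGNORECASE,
)
LOCKBIT_EXT = ".lockbit"  # extension named on the page
# Any new .txt directly on a Desktop folder; the real note name is not on the page.
DESKTOP_NOTE = re.compile(r"\\Desktop\\[^\\]+\.txt$", re.IGNORECASE)


def analyze_events(events):
    """Bucket events by the stage of the chain they indicate."""
    findings = {"shadow_delete": [], "lockbit_files": [], "desktop_notes": []}
    for event in events:
        kind, _, detail = event.partition("|")
        if kind == "proc" and SHADOW_DELETE.search(detail):
            findings["shadow_delete"].append(detail)
        elif kind == "file":
            if detail.lower().endswith(LOCKBIT_EXT):
                findings["lockbit_files"].append(detail)
            elif DESKTOP_NOTE.search(detail):
                findings["desktop_notes"].append(detail)
    return findings


def verdict(findings):
    """'ransomware-likely' when encryption and a note co-occur,
    'defense-evasion' for shadow-copy deletion alone, otherwise 'none'."""
    if findings["lockbit_files"] and findings["desktop_notes"]:
        return "ransomware-likely"
    if findings["shadow_delete"]:
        return "defense-evasion"
    return "none"


if __name__ == "__main__":
    found = analyze_events(SAMPLE_EVENTS)
    print(verdict(found), found)
```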
To protect yourself, it is recommended to follow CISA's Ransomware Guide, which includes best practices to help manage the risk posed by ransomware, such as enabling MFA on accounts and services, employing network segmentation between business units or departments, and regularly patching software vulnerabilities.
Check out the TTP "Is this host protected from LockBit?" on the Prelude chains website.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec