SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lockbit (Back to overview)

LockBit

aka: ABCD Ransomware

There is no description at this point.

References
2021-07-27Bleeping ComputerLawrence Abrams
@online{abrams:20210727:lockbit:095b8d6, author = {Lawrence Abrams}, title = {{LockBit ransomware now encrypts Windows domains using group policies}}, date = {2021-07-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/}, language = {English}, urldate = {2021-07-29} } LockBit ransomware now encrypts Windows domains using group policies
Egregor LockBit
2021-07-27Recorded FutureInsikt Group®
@online{group:20210727:blackmatter:db85bfb, author = {Insikt Group®}, title = {{BlackMatter Ransomware Emerges As Successor to DarkSide, REvil}}, date = {2021-07-27}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/}, language = {English}, urldate = {2021-07-29} } BlackMatter Ransomware Emerges As Successor to DarkSide, REvil
DarkSide LockBit REvil
2021-07-22S2W LAB Inc.Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong, Sujin Lim
@online{kim:20210722:w4:c901bea, author = {Denise Dasom Kim and Jungyeon Lim and Yeonghyeon Jeong and Sujin Lim}, title = {{W4 July | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-07-22}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a}, language = {English}, urldate = {2021-07-26} } W4 July | EN | Story of the week: Ransomware on the Darkweb
LockBit SunCrypt
2021-06-18PRODAFT Threat IntelligencePRODAFT
@techreport{prodaft:20210618:lockbit:783c679, author = {PRODAFT}, title = {{LockBit RaaS In-Depth Analysis}}, date = {2021-06-18}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf}, language = {English}, urldate = {2021-06-22} } LockBit RaaS In-Depth Analysis
LockBit
2021-05-13Bleeping ComputerLawrence Abrams
@online{abrams:20210513:popular:62e98c8, author = {Lawrence Abrams}, title = {{Popular Russian hacking forum XSS bans all ransomware topics}}, date = {2021-05-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/}, language = {English}, urldate = {2021-05-17} } Popular Russian hacking forum XSS bans all ransomware topics
DarkSide DarkSide LockBit REvil
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-28Bleeping ComputerLawrence Abrams
@online{abrams:20210428:uk:2cce8c7, author = {Lawrence Abrams}, title = {{UK rail network Merseyrail likely hit by Lockbit ransomware}}, date = {2021-04-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/}, language = {English}, urldate = {2021-05-04} } UK rail network Merseyrail likely hit by Lockbit ransomware
LockBit
2021-04-26CoveWareCoveWare
@online{coveware:20210426:ransomware:12586d5, author = {CoveWare}, title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}}, date = {2021-04-26}, organization = {CoveWare}, url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound}, language = {English}, urldate = {2021-05-13} } Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-07ANALYST1Jon DiMaggio
@online{dimaggio:20210407:ransom:a109d6f, author = {Jon DiMaggio}, title = {{Ransom Mafia - Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, organization = {ANALYST1}, url = {https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel}, language = {English}, urldate = {2021-06-01} } Ransom Mafia - Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER
2021-04-07ANALYST1Jon DiMaggio
@techreport{dimaggio:20210407:ransom:a543eac, author = {Jon DiMaggio}, title = {{Ransom Mafia Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, institution = {ANALYST1}, url = {https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf}, language = {English}, urldate = {2021-04-09} } Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER
2021-03-17The RecordCatalin Cimpanu
@online{cimpanu:20210317:missed:c4716fc, author = {Catalin Cimpanu}, title = {{Missed opportunity: Bug in LockBit ransomware allowed free decryptions}}, date = {2021-03-17}, organization = {The Record}, url = {https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/}, language = {English}, urldate = {2021-03-19} } Missed opportunity: Bug in LockBit ransomware allowed free decryptions
LockBit
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-01-26Medium s2wlabHyunmin Suh
@online{suh:20210126:w4:138a143, author = {Hyunmin Suh}, title = {{W4 Jan | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-01-26}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1}, language = {English}, urldate = {2021-01-27} } W4 Jan | EN | Story of the week: Ransomware on the Darkweb
Avaddon Babuk LockBit
2021-01-04Cisco TalosAzim Khodjibaev, Dmytro Korzhevin, Kendall McKay
@techreport{khodjibaev:20210104:interview:6735752, author = {Azim Khodjibaev and Dmytro Korzhevin and Kendall McKay}, title = {{Interview with a LockBit ransomware operator}}, date = {2021-01-04}, institution = {Cisco Talos}, url = {https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf}, language = {English}, urldate = {2021-02-17} } Interview with a LockBit ransomware operator
LockBit
2020-12-05ZDNetCatalin Cimpanu
@online{cimpanu:20201205:ransomware:49c8fff, author = {Catalin Cimpanu}, title = {{Ransomware hits helicopter maker Kopter}}, date = {2020-12-05}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/}, language = {English}, urldate = {2020-12-08} } Ransomware hits helicopter maker Kopter
LockBit
2020-11-18KELAVictoria Kivilevich
@online{kivilevich:20201118:zooming:f28a9c1, author = {Victoria Kivilevich}, title = {{Zooming into Darknet Threats Targeting Japanese Organizations}}, date = {2020-11-18}, organization = {KELA}, url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/}, language = {English}, urldate = {2020-11-19} } Zooming into Darknet Threats Targeting Japanese Organizations
Conti DoppelPaymer Egregor LockBit Maze REvil Snake
2020-10-21SophosLabs UncutSean Gallagher
@online{gallagher:20201021:lockbit:13c4faa, author = {Sean Gallagher}, title = {{LockBit uses automated attack tools to identify tasty targets}}, date = {2020-10-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets}, language = {English}, urldate = {2020-10-23} } LockBit uses automated attack tools to identify tasty targets
LockBit
2020-10-02LexfoLexfo
@online{lexfo:20201002:lockbit:3dc988e, author = {Lexfo}, title = {{Lockbit analysis}}, date = {2020-10-02}, organization = {Lexfo}, url = {https://blog.lexfo.fr/lockbit-malware.html}, language = {English}, urldate = {2020-10-23} } Lockbit analysis
LockBit
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
@online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER
2020-09-24CrowdStrikeCrowdStrike Intelligence Team
@online{team:20200924:double:3b3ade6, author = {CrowdStrike Intelligence Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-24}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1}, language = {English}, urldate = {2021-05-31} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER
2020-09-17CRYPSISDrew Schmitt
@online{schmitt:20200917:ransomwares:ca3dcee, author = {Drew Schmitt}, title = {{Ransomware’s New Trend: Exfiltration and Extortion}}, date = {2020-09-17}, organization = {CRYPSIS}, url = {https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion}, language = {English}, urldate = {2020-11-09} } Ransomware’s New Trend: Exfiltration and Extortion
LockBit
2020-09-01Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends in Summer 2020}}, date = {2020-09-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html}, language = {English}, urldate = {2020-09-03} } Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood
2020-04-24Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200424:lockbit:b78dcba, author = {Albert Zsigovits}, title = {{LockBit ransomware IoCs}}, date = {2020-04-24}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md}, language = {English}, urldate = {2020-04-26} } LockBit ransomware IoCs
LockBit
2020-04-24Sophos LabsAlbert Zsigovits
@online{zsigovits:20200424:lockbit:8ebe6f8, author = {Albert Zsigovits}, title = {{LockBit ransomware borrows tricks to keep up with REvil and Maze}}, date = {2020-04-24}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/}, language = {English}, urldate = {2020-05-14} } LockBit ransomware borrows tricks to keep up with REvil and Maze
LockBit
Yara Rules
[TLP:WHITE] win_lockbit_auto (20210616 | Detects win.lockbit.)
rule win_lockbit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.lockbit."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 660fefc1 660fefc2 0f1181a0000000 660f38db8190000000 0f1181b0000000 660f38db8180000000 0f1181c0000000 }
            // n = 7, score = 100
            //   660fefc1             | pxor                xmm0, xmm1
            //   660fefc2             | pxor                xmm0, xmm2
            //   0f1181a0000000       | movups              xmmword ptr [ecx + 0xa0], xmm0
            //   660f38db8190000000     | aesimc    xmm0, xmmword ptr [ecx + 0x90]
            //   0f1181b0000000       | movups              xmmword ptr [ecx + 0xb0], xmm0
            //   660f38db8180000000     | aesimc    xmm0, xmmword ptr [ecx + 0x80]
            //   0f1181c0000000       | movups              xmmword ptr [ecx + 0xc0], xmm0

        $sequence_1 = { 50 6802020000 ff15???????? 85c0 755e 6a08 ff15???????? }
            // n = 7, score = 100
            //   50                   | push                eax
            //   6802020000           | push                0x202
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   755e                 | jne                 0x60
            //   6a08                 | push                8
            //   ff15????????         |                     

        $sequence_2 = { e8???????? 83c408 85c0 7408 0580bfffff 5e 5d }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   7408                 | je                  0xa
            //   0580bfffff           | add                 eax, 0xffffbf80
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp

        $sequence_3 = { c704240000c841 53 8b1d???????? ffd3 8945b0 85c0 744a }
            // n = 7, score = 100
            //   c704240000c841       | mov                 dword ptr [esp], 0x41c80000
            //   53                   | push                ebx
            //   8b1d????????         |                     
            //   ffd3                 | call                ebx
            //   8945b0               | mov                 dword ptr [ebp - 0x50], eax
            //   85c0                 | test                eax, eax
            //   744a                 | je                  0x4c

        $sequence_4 = { e8???????? 888424ce000000 33ff c68424cf00000000 6690 57 8d8c24cd000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   888424ce000000       | mov                 byte ptr [esp + 0xce], al
            //   33ff                 | xor                 edi, edi
            //   c68424cf00000000     | mov                 byte ptr [esp + 0xcf], 0
            //   6690                 | nop                 
            //   57                   | push                edi
            //   8d8c24cd000000       | lea                 ecx, dword ptr [esp + 0xcd]

        $sequence_5 = { 6a0a 8d8c24ff010000 e8???????? 8d8c24fb010000 c60000 }
            // n = 5, score = 100
            //   6a0a                 | push                0xa
            //   8d8c24ff010000       | lea                 ecx, dword ptr [esp + 0x1ff]
            //   e8????????           |                     
            //   8d8c24fb010000       | lea                 ecx, dword ptr [esp + 0x1fb]
            //   c60000               | mov                 byte ptr [eax], 0

        $sequence_6 = { ff05???????? 8b75f4 47 81ffff000000 0f8c62ffffff 8b75fc }
            // n = 6, score = 100
            //   ff05????????         |                     
            //   8b75f4               | mov                 esi, dword ptr [ebp - 0xc]
            //   47                   | inc                 edi
            //   81ffff000000         | cmp                 edi, 0xff
            //   0f8c62ffffff         | jl                  0xffffff68
            //   8b75fc               | mov                 esi, dword ptr [ebp - 4]

        $sequence_7 = { 8d8424b40f0000 50 c78424bc0f000000000000 c78424c00f000000000000 c78424d00f000000000000 c78424d40f000000000000 c78424d80f000000000000 }
            // n = 7, score = 100
            //   8d8424b40f0000       | lea                 eax, dword ptr [esp + 0xfb4]
            //   50                   | push                eax
            //   c78424bc0f000000000000     | mov    dword ptr [esp + 0xfbc], 0
            //   c78424c00f000000000000     | mov    dword ptr [esp + 0xfc0], 0
            //   c78424d00f000000000000     | mov    dword ptr [esp + 0xfd0], 0
            //   c78424d40f000000000000     | mov    dword ptr [esp + 0xfd4], 0
            //   c78424d80f000000000000     | mov    dword ptr [esp + 0xfd8], 0

        $sequence_8 = { c68424e102000000 90 57 8d8c24d5020000 e8???????? 57 8d8c24d5020000 }
            // n = 7, score = 100
            //   c68424e102000000     | mov                 byte ptr [esp + 0x2e1], 0
            //   90                   | nop                 
            //   57                   | push                edi
            //   8d8c24d5020000       | lea                 ecx, dword ptr [esp + 0x2d5]
            //   e8????????           |                     
            //   57                   | push                edi
            //   8d8c24d5020000       | lea                 ecx, dword ptr [esp + 0x2d5]

        $sequence_9 = { 334df4 03f9 8b4dec 03b844284200 03bc05ccfeffff 037df8 03cf }
            // n = 7, score = 100
            //   334df4               | xor                 ecx, dword ptr [ebp - 0xc]
            //   03f9                 | add                 edi, ecx
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   03b844284200         | add                 edi, dword ptr [eax + 0x422844]
            //   03bc05ccfeffff       | add                 edi, dword ptr [ebp + eax - 0x134]
            //   037df8               | add                 edi, dword ptr [ebp - 8]
            //   03cf                 | add                 ecx, edi

    condition:
        7 of them and filesize < 337568
}
Download all Yara Rules