SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lockbit (Back to overview)

LockBit

aka: ABCD Ransomware

There is no description at this point.

References
2021-10-05Seguranca InformaticaPedro Tavares
@online{tavares:20211005:malware:b92d5a9, author = {Pedro Tavares}, title = {{Malware analysis: Details on LockBit ransomware}}, date = {2021-10-05}, organization = {Seguranca Informatica}, url = {https://seguranca-informatica.pt/malware-analysis-details-on-lockbit-ransomware/}, language = {English}, urldate = {2021-10-11} } Malware analysis: Details on LockBit ransomware
LockBit
2021-09-24YoroiLuigi Martire, Luca Mella
@online{martire:20210924:hunting:d29a5e6, author = {Luigi Martire and Luca Mella}, title = {{Hunting the LockBit Gang's Exfiltration Infrastructures}}, date = {2021-09-24}, organization = {Yoroi}, url = {https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/}, language = {English}, urldate = {2021-09-24} } Hunting the LockBit Gang's Exfiltration Infrastructures
LockBit StealBit
2021-09-09IBMMegan Roddie
@online{roddie:20210909:lockbit:8b80ed5, author = {Megan Roddie}, title = {{LockBit 2.0: Ransomware Attacks Surge After Successful Affiliate Recruitment}}, date = {2021-09-09}, organization = {IBM}, url = {https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/}, language = {English}, urldate = {2021-09-10} } LockBit 2.0: Ransomware Attacks Surge After Successful Affiliate Recruitment
LockBit
2021-08-26Advanced IntelligenceAnastasia Sentsova
@online{sentsova:20210826:from:29830d8, author = {Anastasia Sentsova}, title = {{From Russia With… LockBit Ransomware: Inside Look & Preventive Solutions}}, date = {2021-08-26}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/from-russia-with-lockbit-ransomware-inside-look-preventive-solutions}, language = {English}, urldate = {2021-08-31} } From Russia With… LockBit Ransomware: Inside Look & Preventive Solutions
LockBit
2021-08-24Palo Alto Networks Unit 42Ruchna Nigam, Doel Santos
@online{nigam:20210824:ransomware:dfd3e4b, author = {Ruchna Nigam and Doel Santos}, title = {{Ransomware Groups to Watch: Emerging Threats}}, date = {2021-08-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emerging-ransomware-groups/}, language = {English}, urldate = {2021-08-24} } Ransomware Groups to Watch: Emerging Threats
HelloKitty AvosLocker HelloKitty hive LockBit
2021-08-17Amged Wagih
@online{wagih:20210817:lockbit:6ee0432, author = {Amged Wagih}, title = {{LockBit Ransomware - Technical Anlysis}}, date = {2021-08-17}, url = {https://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511}, language = {English}, urldate = {2021-08-17} } LockBit Ransomware - Technical Anlysis
LockBit
2021-08-16cybleCyble
@online{cyble:20210816:deepdive:b23c978, author = {Cyble}, title = {{A Deep-dive Analysis of LOCKBIT 2.0}}, date = {2021-08-16}, organization = {cyble}, url = {https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/}, language = {English}, urldate = {2021-09-19} } A Deep-dive Analysis of LOCKBIT 2.0
LockBit
2021-08-16Trend MicroJett Paulo Bernardo, Jayson Chong, Nikki Madayag, Mark Marti, Cris Tomboc, Sean Torre, Byron Gelera
@online{bernardo:20210816:lockbit:d709d4c, author = {Jett Paulo Bernardo and Jayson Chong and Nikki Madayag and Mark Marti and Cris Tomboc and Sean Torre and Byron Gelera}, title = {{LockBit Resurfaces With Version 2.0 Ransomware Detections in Chile, Italy, Taiwan, UK}}, date = {2021-08-16}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html}, language = {English}, urldate = {2021-08-23} } LockBit Resurfaces With Version 2.0 Ransomware Detections in Chile, Italy, Taiwan, UK
LockBit
2021-08-12NetskopeGustavo Palazolo
@online{palazolo:20210812:netskope:b320543, author = {Gustavo Palazolo}, title = {{Netskope Threat Coverage: LockBit}}, date = {2021-08-12}, organization = {Netskope}, url = {https://www.netskope.com/blog/netskope-threat-coverage-lockbit}, language = {English}, urldate = {2021-09-02} } Netskope Threat Coverage: LockBit
LockBit
2021-08-06The RecordCatalin Cimpanu
@online{cimpanu:20210806:australian:8543b09, author = {Catalin Cimpanu}, title = {{Australian cybersecurity agency warns of spike in LockBit ransomware attacks}}, date = {2021-08-06}, organization = {The Record}, url = {https://therecord.media/australian-cybersecurity-agency-warns-of-spike-in-lockbit-ransomware-attacks/}, language = {English}, urldate = {2021-08-09} } Australian cybersecurity agency warns of spike in LockBit ransomware attacks
LockBit
2021-08-04Bleeping ComputerSergiu Gatlan
@online{gatlan:20210804:energy:687b773, author = {Sergiu Gatlan}, title = {{Energy group ERG reports minor disruptions after ransomware attack}}, date = {2021-08-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/}, language = {English}, urldate = {2021-08-06} } Energy group ERG reports minor disruptions after ransomware attack
LockBit
2021-08-04Bleeping ComputerLawrence Abrams
@online{abrams:20210804:lockbit:c6ab8ec, author = {Lawrence Abrams}, title = {{LockBit ransomware recruiting insiders to breach corporate networks}}, date = {2021-08-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/}, language = {English}, urldate = {2021-08-06} } LockBit ransomware recruiting insiders to breach corporate networks
LockBit
2021-08-03Bleeping ComputerLawrence Abrams
@online{abrams:20210803:ransomware:d1b938f, author = {Lawrence Abrams}, title = {{Ransomware attack hits Italy's Lazio region, affects COVID-19 site}}, date = {2021-08-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/}, language = {English}, urldate = {2021-08-06} } Ransomware attack hits Italy's Lazio region, affects COVID-19 site
LockBit RansomEXX
2021-08-02The RecordDmitry Smilyanets
@online{smilyanets:20210802:interview:b42389c, author = {Dmitry Smilyanets}, title = {{An interview with BlackMatter: A new ransomware group that’s learning from the mistakes of DarkSide and REvil}}, date = {2021-08-02}, organization = {The Record}, url = {https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/}, language = {English}, urldate = {2021-08-03} } An interview with BlackMatter: A new ransomware group that’s learning from the mistakes of DarkSide and REvil
DarkSide LockBit REvil
2021-07-27Bleeping ComputerLawrence Abrams
@online{abrams:20210727:lockbit:095b8d6, author = {Lawrence Abrams}, title = {{LockBit ransomware now encrypts Windows domains using group policies}}, date = {2021-07-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/}, language = {English}, urldate = {2021-07-29} } LockBit ransomware now encrypts Windows domains using group policies
Egregor LockBit
2021-07-27Recorded FutureInsikt Group®
@online{group:20210727:blackmatter:db85bfb, author = {Insikt Group®}, title = {{BlackMatter Ransomware Emerges As Successor to DarkSide, REvil}}, date = {2021-07-27}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/}, language = {English}, urldate = {2021-07-29} } BlackMatter Ransomware Emerges As Successor to DarkSide, REvil
DarkSide LockBit REvil
2021-07-22S2W LAB Inc.Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong, Sujin Lim
@online{kim:20210722:w4:c901bea, author = {Denise Dasom Kim and Jungyeon Lim and Yeonghyeon Jeong and Sujin Lim}, title = {{W4 July | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-07-22}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a}, language = {English}, urldate = {2021-07-26} } W4 July | EN | Story of the week: Ransomware on the Darkweb
LockBit SunCrypt
2021-06-18PRODAFT Threat IntelligencePRODAFT
@techreport{prodaft:20210618:lockbit:783c679, author = {PRODAFT}, title = {{LockBit RaaS In-Depth Analysis}}, date = {2021-06-18}, institution = {PRODAFT Threat Intelligence}, url = {https://www.prodaft.com/m/reports/LockBit_Case_Report___TLPWHITE.pdf}, language = {English}, urldate = {2021-06-22} } LockBit RaaS In-Depth Analysis
LockBit
2021-05-13Bleeping ComputerLawrence Abrams
@online{abrams:20210513:popular:62e98c8, author = {Lawrence Abrams}, title = {{Popular Russian hacking forum XSS bans all ransomware topics}}, date = {2021-05-13}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/}, language = {English}, urldate = {2021-05-17} } Popular Russian hacking forum XSS bans all ransomware topics
DarkSide DarkSide LockBit REvil
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-28Bleeping ComputerLawrence Abrams
@online{abrams:20210428:uk:2cce8c7, author = {Lawrence Abrams}, title = {{UK rail network Merseyrail likely hit by Lockbit ransomware}}, date = {2021-04-28}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/}, language = {English}, urldate = {2021-05-04} } UK rail network Merseyrail likely hit by Lockbit ransomware
LockBit
2021-04-26CoveWareCoveWare
@online{coveware:20210426:ransomware:12586d5, author = {CoveWare}, title = {{Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound}}, date = {2021-04-26}, organization = {CoveWare}, url = {https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound}, language = {English}, urldate = {2021-05-13} } Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-07ANALYST1Jon DiMaggio
@online{dimaggio:20210407:ransom:a109d6f, author = {Jon DiMaggio}, title = {{Ransom Mafia - Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, organization = {ANALYST1}, url = {https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel}, language = {English}, urldate = {2021-06-01} } Ransom Mafia - Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER
2021-04-07ANALYST1Jon DiMaggio
@techreport{dimaggio:20210407:ransom:a543eac, author = {Jon DiMaggio}, title = {{Ransom Mafia Analysis of the World's First Ransomware Cartel}}, date = {2021-04-07}, institution = {ANALYST1}, url = {https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf}, language = {English}, urldate = {2021-04-09} } Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER
2021-03-17The RecordCatalin Cimpanu
@online{cimpanu:20210317:missed:c4716fc, author = {Catalin Cimpanu}, title = {{Missed opportunity: Bug in LockBit ransomware allowed free decryptions}}, date = {2021-03-17}, organization = {The Record}, url = {https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/}, language = {English}, urldate = {2021-03-19} } Missed opportunity: Bug in LockBit ransomware allowed free decryptions
LockBit
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-01-26Medium s2wlabHyunmin Suh
@online{suh:20210126:w4:138a143, author = {Hyunmin Suh}, title = {{W4 Jan | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-01-26}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1}, language = {English}, urldate = {2021-01-27} } W4 Jan | EN | Story of the week: Ransomware on the Darkweb
Avaddon Babuk LockBit
2021-01-04Cisco TalosAzim Khodjibaev, Dmytro Korzhevin, Kendall McKay
@techreport{khodjibaev:20210104:interview:6735752, author = {Azim Khodjibaev and Dmytro Korzhevin and Kendall McKay}, title = {{Interview with a LockBit ransomware operator}}, date = {2021-01-04}, institution = {Cisco Talos}, url = {https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf}, language = {English}, urldate = {2021-02-17} } Interview with a LockBit ransomware operator
LockBit
2020-12-05ZDNetCatalin Cimpanu
@online{cimpanu:20201205:ransomware:49c8fff, author = {Catalin Cimpanu}, title = {{Ransomware hits helicopter maker Kopter}}, date = {2020-12-05}, organization = {ZDNet}, url = {https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/}, language = {English}, urldate = {2020-12-08} } Ransomware hits helicopter maker Kopter
LockBit
2020-11-18KELAVictoria Kivilevich
@online{kivilevich:20201118:zooming:f28a9c1, author = {Victoria Kivilevich}, title = {{Zooming into Darknet Threats Targeting Japanese Organizations}}, date = {2020-11-18}, organization = {KELA}, url = {https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/}, language = {English}, urldate = {2020-11-19} } Zooming into Darknet Threats Targeting Japanese Organizations
Conti DoppelPaymer Egregor LockBit Maze REvil Snake
2020-10-21SophosLabs UncutSean Gallagher
@online{gallagher:20201021:lockbit:13c4faa, author = {Sean Gallagher}, title = {{LockBit uses automated attack tools to identify tasty targets}}, date = {2020-10-21}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets}, language = {English}, urldate = {2020-10-23} } LockBit uses automated attack tools to identify tasty targets
LockBit
2020-10-02LexfoLexfo
@online{lexfo:20201002:lockbit:3dc988e, author = {Lexfo}, title = {{Lockbit analysis}}, date = {2020-10-02}, organization = {Lexfo}, url = {https://blog.lexfo.fr/lockbit-malware.html}, language = {English}, urldate = {2020-10-23} } Lockbit analysis
LockBit
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
@online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER
2020-09-24CrowdStrikeCrowdStrike Intelligence Team
@online{team:20200924:double:3b3ade6, author = {CrowdStrike Intelligence Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-24}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1}, language = {English}, urldate = {2021-05-31} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER
2020-09-17CRYPSISDrew Schmitt
@online{schmitt:20200917:ransomwares:ca3dcee, author = {Drew Schmitt}, title = {{Ransomware’s New Trend: Exfiltration and Extortion}}, date = {2020-09-17}, organization = {CRYPSIS}, url = {https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion}, language = {English}, urldate = {2020-11-09} } Ransomware’s New Trend: Exfiltration and Extortion
LockBit
2020-09-01Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends in Summer 2020}}, date = {2020-09-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html}, language = {English}, urldate = {2020-09-03} } Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood
2020-04-24Github (albertzsigovits)Albert Zsigovits
@online{zsigovits:20200424:lockbit:b78dcba, author = {Albert Zsigovits}, title = {{LockBit ransomware IoCs}}, date = {2020-04-24}, organization = {Github (albertzsigovits)}, url = {https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md}, language = {English}, urldate = {2020-04-26} } LockBit ransomware IoCs
LockBit
2020-04-24Sophos LabsAlbert Zsigovits
@online{zsigovits:20200424:lockbit:8ebe6f8, author = {Albert Zsigovits}, title = {{LockBit ransomware borrows tricks to keep up with REvil and Maze}}, date = {2020-04-24}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/}, language = {English}, urldate = {2020-05-14} } LockBit ransomware borrows tricks to keep up with REvil and Maze
LockBit
Yara Rules
[TLP:WHITE] win_lockbit_auto (20211008 | Detects win.lockbit.)
rule win_lockbit_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.lockbit."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a06 8d8c24d5000000 e8???????? 8d8c24d1000000 c60000 e8???????? 6a47 }
            // n = 7, score = 100
            //   6a06                 | push                6
            //   8d8c24d5000000       | lea                 ecx, dword ptr [esp + 0xd5]
            //   e8????????           |                     
            //   8d8c24d1000000       | lea                 ecx, dword ptr [esp + 0xd1]
            //   c60000               | mov                 byte ptr [eax], 0
            //   e8????????           |                     
            //   6a47                 | push                0x47

        $sequence_1 = { 8a442413 32e9 32c1 889424bf060000 888424c4060000 b643 32f1 }
            // n = 7, score = 100
            //   8a442413             | mov                 al, byte ptr [esp + 0x13]
            //   32e9                 | xor                 ch, cl
            //   32c1                 | xor                 al, cl
            //   889424bf060000       | mov                 byte ptr [esp + 0x6bf], dl
            //   888424c4060000       | mov                 byte ptr [esp + 0x6c4], al
            //   b643                 | mov                 dh, 0x43
            //   32f1                 | xor                 dh, cl

        $sequence_2 = { 72f2 8d44247f c68424a200000000 50 e8???????? 83c404 }
            // n = 6, score = 100
            //   72f2                 | jb                  0xfffffff4
            //   8d44247f             | lea                 eax, dword ptr [esp + 0x7f]
            //   c68424a200000000     | mov                 byte ptr [esp + 0xa2], 0
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_3 = { 03d9 895de0 8bce c1c10f 8b9c059cfeffff 8bd3 c1c20e }
            // n = 7, score = 100
            //   03d9                 | add                 ebx, ecx
            //   895de0               | mov                 dword ptr [ebp - 0x20], ebx
            //   8bce                 | mov                 ecx, esi
            //   c1c10f               | rol                 ecx, 0xf
            //   8b9c059cfeffff       | mov                 ebx, dword ptr [ebp + eax - 0x164]
            //   8bd3                 | mov                 edx, ebx
            //   c1c20e               | rol                 edx, 0xe

        $sequence_4 = { 03f1 8b4dec 0375dc 8bd1 0175f4 8bc1 c1c00a }
            // n = 7, score = 100
            //   03f1                 | add                 esi, ecx
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   0375dc               | add                 esi, dword ptr [ebp - 0x24]
            //   8bd1                 | mov                 edx, ecx
            //   0175f4               | add                 dword ptr [ebp - 0xc], esi
            //   8bc1                 | mov                 eax, ecx
            //   c1c00a               | rol                 eax, 0xa

        $sequence_5 = { 85c0 7448 8d462c 6a00 50 e8???????? 83c408 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   7448                 | je                  0x4a
            //   8d462c               | lea                 eax, dword ptr [esi + 0x2c]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_6 = { e8???????? 57 8d4c2476 8a00 89442410 e8???????? ff74240c }
            // n = 7, score = 100
            //   e8????????           |                     
            //   57                   | push                edi
            //   8d4c2476             | lea                 ecx, dword ptr [esp + 0x76]
            //   8a00                 | mov                 al, byte ptr [eax]
            //   89442410             | mov                 dword ptr [esp + 0x10], eax
            //   e8????????           |                     
            //   ff74240c             | push                dword ptr [esp + 0xc]

        $sequence_7 = { 88842492050000 e8???????? 6a73 8d8c2470050000 88842493050000 e8???????? 6a70 }
            // n = 7, score = 100
            //   88842492050000       | mov                 byte ptr [esp + 0x592], al
            //   e8????????           |                     
            //   6a73                 | push                0x73
            //   8d8c2470050000       | lea                 ecx, dword ptr [esp + 0x570]
            //   88842493050000       | mov                 byte ptr [esp + 0x593], al
            //   e8????????           |                     
            //   6a70                 | push                0x70

        $sequence_8 = { 8b0cb0 e8???????? 46 3b75f8 7cbd 8b35???????? 6a0a }
            // n = 7, score = 100
            //   8b0cb0               | mov                 ecx, dword ptr [eax + esi*4]
            //   e8????????           |                     
            //   46                   | inc                 esi
            //   3b75f8               | cmp                 esi, dword ptr [ebp - 8]
            //   7cbd                 | jl                  0xffffffbf
            //   8b35????????         |                     
            //   6a0a                 | push                0xa

        $sequence_9 = { 6a63 8d8c243e020000 88842447020000 e8???????? 6a65 8d8c243e020000 88842448020000 }
            // n = 7, score = 100
            //   6a63                 | push                0x63
            //   8d8c243e020000       | lea                 ecx, dword ptr [esp + 0x23e]
            //   88842447020000       | mov                 byte ptr [esp + 0x247], al
            //   e8????????           |                     
            //   6a65                 | push                0x65
            //   8d8c243e020000       | lea                 ecx, dword ptr [esp + 0x23e]
            //   88842448020000       | mov                 byte ptr [esp + 0x248], al

    condition:
        7 of them and filesize < 337568
}
Download all Yara Rules