+30 2106897383 info@tictaclabs.com

Lockbit Ransomware

Who is Lockbit?

LockBit belongs to the “LockerGoga & MegaCortex” malware family. It targets medium and large organisations, even governmental ones. His major goals were in Indies, China, the United States, Ukraine, and Indonesia. It has also affected organisations in European countries, such as France and Britain. In particular, Lockbit does not target victims in Russia and other countries of the Commonwealth of Independent States.

It was originally known as the ABCD cryptovirus. “ABCD” began attacking in September 2019. Essentially, it took the name “ABCD”due to the extension .abcd, during the encryption process.

Moreover, Lockbit administrators have a forum in a well-known underground web board to promote their product. In fact, they presented “LockBit Cryptolocker Affiliate Program” in order to advertise the possibilities of their malware.

How does Lockbit attack the victims?

Its main goal is to infect and encrypt all computer systems in a network. In this manner, the endpoint user does not have access to the systems and has to pay ransom in return. More specifically,  the Lockbit programmers group receive the ransom, while the 3/4 appears to be received by the third party. The average ransom demand according to January 2021 figures is $29.250.

Furthermore, it usually threatens victims either by sudden pause of basic functions, by stealing data, or by publishing sensitive data illegally in the event of non-compliance. Recently, LockBit disables the security options that users may have when an application attempts to function as an administrator. However, Lockbit attackers also form a list of services (files, folders) that are not the target of encryption. They do this so that the company’s operating system is not deactivated and the victim can finally receive and act upon the ransom note.

Further, LockBit operates as ransomware-as-a-service (RaaS). It contains a feature that allows attackers to encrypt hundreds of devices within few hours when breaking down a corporate network. In particular, a subsidiary of LockBit ransomware invaded a corporate network and encrypted 25 servers and 255 jobs in just three hours.

At last, this is a relatively new Ransomware. Lockbit developers usually cowork with third parties. Once they penetrate a network, they redirect the victim to a ransom payment TOR site in order to speed up the process of receiving the decryption tool. Lockbit developers manage TOR site. They often force victims to pay twice or simply ignore them after payment, or even send another virus instead of the decryption tool.

In general, it is evident that Lockbit programmers are constantly improving their malware and have developed an interesting technique to bypass “Windows User Account Control (UAC)”.

How can Lockbit infect an organisation?

Lockbit self-spreads within an organization without requiring human intervention to direct it. Lockbit uses tools such as Windows Powershell and Server Message Block (SMB) in order to  spread automatically. Indeed, after manually contaminating a host, then it uses a script that infects the entire system automatically. This makes it different from attacks by other cryptoviruses, who are entering a process of tracking and tracing the victim several weeks before the attack.

In addition, it uses tools in patterns that are inherent in almost all Windows computer systems. This makes it difficult to see the malicious activities through the organisation’s protection systems.

However, in order to be able to invade and spread itself, it follows some common methods:

  • E-mails accompanied by malicious attachments. These messages are usually filled with MS Office, PDF, RAR or ZIP documents, executable (.exe) and JavaScript files.
  • Trojans causing chain infections. If you download them, you will be infected with other software that will damage your privacy and steal your data.
  • It uses a so-called genuine pop-up software application
  • It manages Integration with third party applications
  • Spam e-mails from unrecognised senders
  • Websites providing free hosting services
  • Pirate peer shots (P2P).

The 3 stages of the LockBit attack

Identification of vulnerabilities:

In the first stage, attackers seek the weaknesses of the organisation’s network in order to exploit them to achieve the initial invasion. Initial infringement can be done e.g. by phishing, or by other methods as mentioned above, in order to mislead the victim and obtain access to credentials. Also, several times the initial attack is on intranet servers and the organisation’s network systems. Then, the preparation step is following for releasing the contaminated load to each device.


In the second phase penetration is deeper and all activities are directed independently. This is the stage that prepares the field for the development of encryption. The attackers therefore try to disable the security systems and anything that could be helpful in retrieving the system, so that the only recovery solution is ransom payment.


In the latter phase, Lockbit develops and spreads the contaminated load wherever it has managed to access. This is the case through a single system unit ordering other network units to download the malicious material.

In addition to encrypting the files of a target device, LockBit also performs ARP requests to find other active hosts in a network and tries to connect to them via the protocol “Server Message Block”  (SMB). If the cryptovirus is successfully able to connect to a computer via SMB, then it issues a remote PowerShell command to download ransomware and run it.

Thus, as LockBit spreads to more computers in a network, these computers are used to accelerate the development of ransomware on other network devices. This is what makes LockBit so dangerous, because unlike other kinds of ransomware, it can spread on its own and at a much higher rate.

All system files will display a lock as proof that they have been encrypted.

Lockbit ransom note

As in other cryptovirus cases, there is a ransom note in each system folder. To attract user attention, malware displays the ransom note on the screen wallpaper. Created wallpaper is stored as “% APPDATA %\Local\Temp\A7D8.tmp.bmp”.

In particular, the text file “Restore-My-Files.txt” contains the ransom message, which informs victims that their data has been encrypted and provides guidance on how to recover them. Victims must contact LockBit developers via the e-mail addresses provided. They also send as attachment an encrypted file, that attackers will decrypt as “proof” that recovery is possible. This test file is decrypted free of charge, but cannot be larger than 1 MB. Then, victims are asked to pay the requested ransom in Bitcoin in order to receive the decryption tools.

Finally, the message ends with warnings so that victims do not rename encrypted files or attempt manual decryption with third party software. In his most recent attacks Lockbit appears more threatening. In other words, it threatens to leak customer information, passwords and bank account data if ransom is not paid.

Delete Shadow copies

Once Lockbit encrypt the files and the ransom note is displayed, a CMD command is given in order to delete back-up shadow copies, and the user’s backup directory (using “VSSADMIN” and “WMIC.exe.”). In this way, attackers try to prevent any possibility of recovering the system by the victim. Accordingly, they also deactivate the Windows option for automatic repair.

LockBit Variants

Three variants of Lockbit have been identified, based on file extensions due to Lockbit encryption. Initially, Lockbit renamed files with .abcd extension. It included a ransom note which contained recovery instructions in the “Restore-My-Files.txt” file.

Afterwards, its second version identifies its name with the extension of files, i.e. .lockbit. In fact, no particular differentiation has been observed compared to its original version, apart the different extension of files.

Finally, the third recognizable version of LockBit redirects victims to a payment website via traditional internet access.

Lockbit Short Description

Name LockBit Ransomware
File extensions during encryption process .lockbit, .abcd
Type Ransomware, Crypto Virus, Files locker
Summary Description Encrypts all data of a system and requires the payment of ransom for recovery.
Symptoms of infection Encryption with AES and RSA algorithms and addition of .lockbit extension to files.
Means of distibution Spam Emails, Malicious attachments, Pirate downloads
Ransom Note Restore-My-Files.txt
Possible contact email with attackers goodmen@countermail.com and goodmen@cock.li email addresses, chat in Tor website
Registry Keys


LockBit\PublicThese registry keys are associated with the victim’s identity, file indices and the only TOR URL ID that manufactures LockBit for each system it throws.
Τρόποι ενίσχυσης απόδοσης Lockbit Lockbit efficiency enhancers use advanced tools such as Input/Output Completion Ports (IOCP). ”

Open files with FILE_FLAG_NO_BUFFERING flag

Transfer work with files to Native API

Use asynchronous I/O file

How to deal with Lockbit

As in any cryptovirus’ case, each organisation should take protective measures to ensure that it does not fall victim to ransomware.

In particular:

  • The activation of multiple factor identification prevents such attacks.
  • Passwords and credentials should be strong.
  • Access should be restricted by endpoint users. In other words, access licences should be reassessed and previous unused officials’ accounts should be deactivated or closed.
  • Equally important is that – in remote work – online meeting services and business databases should be secure.
  • The organisation should keep backups off-line, as this will enable the data encrypted to be retrieved.
  • In any case, security policies should be reassessed in order to identify any deficiencies in security arrangements and if they are outdated.
  • In addition, the organization should apply an integrated cyber security solution.
  • All applications and operating systems (OSS) should be up-to-date.
  • Employees should be careful with the links and addresses of websites they visit. The security of websites should be verified and particular attention should be paid to the opening of e-mails and their attached files.
  • The staff of an organisation should keep their personal data secure. The information it submits should be encrypted.
  • Cybersecurity education is particularly important. Every organisation should  train its staff about existing cyber threats, so that they can be identified.

What can I do if I get infected by Lockbit?

  • Immediately the victim should report the ransomware incident to the IT department or security office.
  • It is clear that endpoint user should fully protect the devices, always in line with the Agency’s Security Policies.
  • Perhaps -if it is not disabled- it is possible to restore your system to an earlier operating mode through the relevant Windows option. Similarly you can act with the help of Shadow Explorer or DropBox.
  • However, removing Lockbit does not allow access to files. The key of decryption is therefore essential.
  • It is important to isolate the contaminated system. If possible, all infected and potentially infected computers and devices should be collected and secured at a central location.
  • Backup should be scanned to ensure it is free from malware.
  • All passwords should be changed once ransomware is removed.

It is a fact that even if you pay the ransom nobody can guarantee you will be given the right decryption tool.

Therefore, you can contact Tictac Labs in order to identify the cryptovirus and clarify whether there are automatic decryptors for this threat or other relevant tools. We will fix a call in order to inform you about the alternatives and the cost of your case. You will just need to provide the ransom note and an encrypted file sample.

In any case, we are here driven by our experience to help you negotiate with the attacker and complete the process of retrieving your files.