LockBit - How to Detect

Last updated: 2026-04-21

LockBit Ransomware Detection Guide

Behavioral Indicators

LockBit exhibits several distinct runtime behaviors that can be detected through endpoint monitoring. The malware typically executes with high privileges, often following exploitation or credential theft. A common process chain involves the initial payload spawning cmd.exe or powershell.exe to disable security measures. Look for commands that delete shadow copies (vssadmin delete shadows /all /quiet), stop backup services (wbadmin delete catalog -quiet), and disable Windows Defender (Set-MpPreference -DisableRealtimeMonitoring $true).

The malware makes specific API calls to enumerate and encrypt files. Monitor for FindFirstFileW/FindNextFileW loops targeting document, database, and image extensions while excluding system directories. LockBit calls CryptGenKey to generate its RSA encryption key and uses CryptEncrypt on file contents. It also accesses credential stores via CredEnumerateW to harvest credentials for lateral movement.

Post-encryption, LockBit terminates processes holding file locks using TerminateProcess and renames files with the .lockbit extension (or variant). The malware creates a ransom note (Restore-My-Files.txt) in each directory. Look for unusual file system activity where a single process rapidly modifies thousands of files across multiple drives.
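The behaviours above can be turned into endpoint detection logic. The following Python is an added example, not code from the guide: it runs the command-line patterns from the first paragraph over constructed Sysmon-style process-creation records, applies a sliding-window file-write rate check for the "single process rapidly modifies thousands of files" pattern, and correlates the two. The record layout, the window of 60 seconds and the threshold of 200 writes are assumptions to tune against your own telemetry.

```python
import re
from collections import defaultdict

# Command-line patterns named in the guide: defence impairment before encryption.
DEFENCE_IMPAIRMENT = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "defender_realtime_disable": re.compile(
        r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$?true", re.I),
}

# Constructed Sysmon-style process-creation records (not real telemetry).
PROCESS_EVENTS = [
    {"pid": 4120, "parent_pid": 1234,
     "image": r"C:\Users\alice\AppData\Local\Temp\fg749h.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\fg749h.exe"},
    {"pid": 4188, "parent_pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & wbadmin delete catalog -quiet"},
    {"pid": 4201, "parent_pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"pid": 5300, "parent_pid": 880, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir C:\\"},
]

# Constructed file-write records: (timestamp in seconds, pid, path). The first
# process writes 500 documents across two drives within five seconds; the
# second touches a single file.
FILE_EVENTS = [(100.0 + i * 0.01, 4120, rf"{'C' if i % 2 else 'D'}:\share\doc{i}.docx")
               for i in range(500)] + [(100.0, 5300, r"C:\temp\notes.txt")]


def match_defence_impairment(events):
    """Return (pid, parent pid, rule name) for every command line that hits a rule."""
    hits = []
    for ev in events:
        for name, rx in DEFENCE_IMPAIRMENT.items():
            if rx.search(ev["cmdline"]):
                hits.append((ev["pid"], ev["parent_pid"], name))
    return hits


def detect_file_bursts(file_events, window=60.0, threshold=200):
    """Flag processes whose file-write count reaches `threshold` within any
    `window` seconds (sliding window). Both values are assumed tuning points,
    not figures from the guide. Returns {pid: (peak_count, drive letters)}."""
    per_pid = defaultdict(list)
    for ts, pid, path in file_events:
        per_pid[pid].append((ts, path))
    flagged = {}
    for pid, evs in per_pid.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            drives = sorted({p[:2].upper() for _, p in evs if len(p) > 1 and p[1] == ":"})
            flagged[pid] = (peak, drives)
    return flagged


def correlate(process_events, file_events):
    """A parent that spawns defence-impairment commands and then bursts file
    writes is the process chain the guide describes; return such pids."""
    impairing_parents = {parent for _, parent, _ in match_defence_impairment(process_events)}
    bursts = detect_file_bursts(file_events)
    return sorted(pid for pid in bursts if pid in impairing_parents)


if __name__ == "__main__":
    for hit in match_defence_impairment(PROCESS_EVENTS):
        print("defence impairment:", hit)
    print("file-write bursts:", detect_file_bursts(FILE_EVENTS))
    print("correlated pids:", correlate(PROCESS_EVENTS, FILE_EVENTS))
```

The correlation step is what keeps the file-rate check usable on its own: backup agents and indexers also touch thousands of files quickly, but they do not first spawn shadow-copy deletion from the same parent.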

Network Indicators

LockBit communicates with command-and-control (C2) servers over HTTPS using TLS 1.2/1.3. The malware beacons at randomized intervals of 5 to 15 minutes. Beacon requests are typically GET or POST requests to paths like /gate.php, /panel.php, or /api/v1/ containing base64-encoded system information (hostname, OS version, domain).

DNS queries often resolve to algorithmically generated domains (DGA) or bulletproof hosting providers. Look for queries to domains with high entropy names (e.g., x7b9f2k1d4.example.com). LockBit may also use public cloud storage (AWS S3, Azure Blob) for C2 fallback, generating URLs with random bucket names.

Data exfiltration occurs prior to encryption in some variants. Monitor for large outbound transfers of compressed archives (ZIP, RAR) to unfamiliar external IPs on ports 443 or 8080. The malware may also use SOCKS5 proxies for tunneling traffic. Block traffic to known ransomware affiliate IP ranges and domains hosting ransom notes.
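The network indicators in this section reduce to three checks a proxy or DNS log can answer. The Python below is an added example, not code from the guide: it scores the leftmost DNS label for DGA-like entropy and digit density, flags requests to the beacon paths named above, and flags large outbound transfers on ports 443 and 8080 to hosts outside an allowlist. The key=value log layout, the sample lines, the entropy and size thresholds and the allowlist are all constructed assumptions.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Beacon paths named in the guide.
BEACON_PATHS = ("/gate.php", "/panel.php", "/api/v1/")

# Constructed log lines (not real traffic) in a simple key=value layout.
DNS_LOG = [
    "2026-04-21T10:00:01Z client=10.0.0.5 query=x7b9f2k1d4.example.com type=A",
    "2026-04-21T10:00:02Z client=10.0.0.7 query=www.microsoft.com type=A",
    "2026-04-21T10:00:03Z client=10.0.0.5 query=cdn-assets-eu-west-1.example.net type=A",
]
PROXY_LOG = [
    "2026-04-21T10:05:00Z client=10.0.0.5 method=POST url=https://x7b9f2k1d4.example.com/gate.php bytes_out=612",
    "2026-04-21T10:06:00Z client=10.0.0.7 method=GET url=https://www.microsoft.com/en-us/ bytes_out=300",
    "2026-04-21T10:07:00Z client=10.0.0.5 method=POST url=https://203.0.113.9:8080/upload bytes_out=734003200",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split a key=value log line into a dict (values must not contain spaces)."""
    return dict(KV.findall(line))


def shannon_entropy(s):
    """Bits per character over the characters of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def label_looks_generated(label, min_len=8, min_entropy=3.0, min_digit_ratio=0.3):
    """Heuristic for DGA-style names: a long, high-entropy, digit-heavy leftmost
    label. The thresholds are assumed starting points; baseline them on your DNS."""
    if len(label) < min_len:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and digit_ratio >= min_digit_ratio


def flag_dga_queries(lines):
    flagged = []
    for rec in map(parse, lines):
        name = rec.get("query", "")
        if label_looks_generated(name.split(".")[0]):
            flagged.append((rec["client"], name))
    return flagged


def flag_beacon_urls(lines):
    flagged = []
    for rec in map(parse, lines):
        path = urlsplit(rec.get("url", "")).path
        if any(path.startswith(p) for p in BEACON_PATHS):
            flagged.append((rec["client"], rec["url"]))
    return flagged


def flag_large_uploads(lines, threshold_bytes=100 * 1024 * 1024,
                       ports=(443, 8080), allowlist=("microsoft.com",)):
    """Outbound transfers above a size threshold, on the ports the guide names,
    to hosts outside an allowlist. A proxy sees size, not archive type, so pair
    this with content inspection where it is available."""
    flagged = []
    for rec in map(parse, lines):
        u = urlsplit(rec.get("url", ""))
        host = u.hostname or ""
        port = u.port or (443 if u.scheme == "https" else 80)
        out = int(rec.get("bytes_out", 0))
        trusted = any(host == a or host.endswith("." + a) for a in allowlist)
        if out >= threshold_bytes and port in ports and not trusted:
            flagged.append((rec["client"], host, port, out))
    return flagged


if __name__ == "__main__":
    print("DGA-like queries:", flag_dga_queries(DNS_LOG))
    print("beacon URLs:", flag_beacon_urls(PROXY_LOG))
    print("large uploads:", flag_large_uploads(PROXY_LOG))
```

Entropy alone is a weak signal (ordinary words such as "microsoft" score close to 3 bits), which is why the label check also requires a digit-heavy name; the same client appearing in all three outputs is the combination worth paging on.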

File System Artifacts

LockBit drops several files during execution. The primary payload is often placed in %AppData%, %LocalAppData%, %Temp%, or C:\Windows\System32\ with names mimicking legitimate processes (svchost.exe, dllhost.exe, spoolsv.exe) or random alphanumeric strings (fg749h.exe).

Encrypted files receive the extension .lockbit, though variants use .abcd, .LockBit, or other identifiers. The ransom note is named Restore-My-Files.txt or README.txt and contains instructions, a unique victim ID, and Tor URLs. Look for a configuration file (config.json, config.bin) in the same directory as the payload, containing encryption keys and C2 settings.

Temporary files include a list of enumerated files (filelist.txt) and a log of encryption errors (error.log). LockBit may also drop a batch script (disable_defender.bat) or PowerShell script (bypass.ps1) to weaken defenses. Check for recently created executable files (1-5 MB) with low-prevalence hashes in user-writable locations.
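A disk sweep for the artifacts in this section, as an added example that is not the guide's own tooling. It walks a directory tree and reports encrypted-extension files, ransom notes (Restore-My-Files.txt by name; README.txt only when its content carries the note text quoted later in the guide, since the name alone is everywhere), sidecar files sitting next to an executable, executables in user-writable directories within the 1-5 MB range (hashed so prevalence can be checked against your own baseline), and system process names outside System32. The sample tree it builds in a temporary directory is constructed, and the set of user-writable directory names is an assumption.

```python
import hashlib
import os
import tempfile

ENCRYPTED_EXTS = {".lockbit", ".abcd"}
NOTE_NAMES = {"restore-my-files.txt", "readme.txt"}
PAYLOAD_SIDECARS = {"config.json", "config.bin", "filelist.txt", "error.log",
                    "disable_defender.bat", "bypass.ps1"}
MIMIC_NAMES = {"svchost.exe", "dllhost.exe", "spoolsv.exe"}
SYSTEM_DIRS = {"system32", "syswow64"}
USER_WRITABLE_DIRS = {"appdata", "temp", "tmp", "downloads", "desktop", "documents", "public"}
EXE_SIZE_RANGE = (1 * 1024 * 1024, 5 * 1024 * 1024)


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def path_parts(rel_dir):
    return {p.lower() for p in rel_dir.split(os.sep)}


def is_ransom_note(path, low_name):
    if low_name == "restore-my-files.txt":
        return True
    if low_name == "readme.txt":
        with open(path, "r", errors="ignore") as f:
            return "lockbit" in f.read(4096).lower()
    return False


def sweep(root):
    """Return a list of findings ({kind, path, ...}) for the tree under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        parts = path_parts(os.path.relpath(dirpath, root))
        has_exe = any(f.lower().endswith(".exe") for f in files)
        for name in files:
            low = name.lower()
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(low)[1]
            if ext in ENCRYPTED_EXTS:
                findings.append({"kind": "encrypted_extension", "path": full})
            elif low in NOTE_NAMES and is_ransom_note(full, low):
                findings.append({"kind": "ransom_note", "path": full})
            elif low in PAYLOAD_SIDECARS and has_exe:
                findings.append({"kind": "payload_sidecar", "path": full})
            elif low in MIMIC_NAMES and not (parts & SYSTEM_DIRS):
                findings.append({"kind": "masquerading_name", "path": full})
            elif ext == ".exe" and (parts & USER_WRITABLE_DIRS):
                size = os.path.getsize(full)
                if EXE_SIZE_RANGE[0] <= size <= EXE_SIZE_RANGE[1]:
                    findings.append({"kind": "suspicious_executable", "path": full,
                                     "size": size, "sha256": sha256(full)})
    return findings


def build_sample_tree(root):
    """Constructed layout mimicking the artifacts above; sizes are sparse files."""
    spec = {
        "Users/alice/AppData/Local/Temp/fg749h.exe": 2 * 1024 * 1024,
        "Users/alice/AppData/Local/Temp/config.json": b'{"c2": "placeholder"}',
        "Users/alice/AppData/Local/Temp/small.exe": 10 * 1024,
        "Users/alice/AppData/Roaming/svchost.exe": 100 * 1024,
        "Users/alice/Documents/report.docx.lockbit": 4096,
        "Users/alice/Documents/Restore-My-Files.txt": b"placeholder note",
        "Users/alice/Documents/README.txt": b"All your files are encrypted with LockBit",
        "Program Files/App/app.exe": 2 * 1024 * 1024,
        "Program Files/App/README.txt": b"Installation instructions",
    }
    for rel, content in spec.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            if isinstance(content, int):
                f.truncate(content)
            else:
                f.write(content)


def run_demo():
    """Build the sample tree, sweep it, and return sorted (kind, file name) pairs."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted((f["kind"], os.path.basename(f["path"])) for f in sweep(root))


if __name__ == "__main__":
    for kind, name in run_demo():
        print(f"{kind:24} {name}")
```

Note what the sweep deliberately does not flag: the 2 MB app.exe under Program Files (not user-writable) and the README.txt without note text; the size and location rules are there to keep the executable check from listing every installer in Downloads.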

Registry and Persistence Mechanisms

LockBit establishes persistence through registry run keys, scheduled tasks, and service creation. Common registry entries include:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

The malware may create a Windows service with a random display name (Print Spooler Helper, Network Security Service) pointing to its executable path. Check HKLM\System\CurrentControlSet\Services for new services with image paths in temporary directories.

Scheduled tasks are created via schtasks with triggers at system startup or user logon. Task names often include Update, Maintenance, or Security. LockBit also uses WMI event subscriptions (__EventFilter, __EventConsumer) for persistence. Monitor for WMI creation events in root\subscription.

Some variants inject into legitimate processes (explorer.exe, svchost.exe) and use registry Debugger key hijacking (e.g., HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe). Regularly audit these locations for unauthorized modifications.
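An audit of the persistence locations in this section, written as an added Python example rather than anything from the guide. It consumes constructed records of registry writes, service installs, scheduled-task creation and WMI subscription events (the shape a Sysmon or Windows event forwarder would give you after normalisation) and applies one rule per mechanism: Run-key values and service image paths in user-writable directories, any change to Winlogon\Shell away from explorer.exe, any Debugger value under Image File Execution Options, tasks whose name uses the words the guide lists and whose action lives in a user-writable path, and any filter, consumer or binding created in root\subscription. The record layout and the user-writable directory pattern are assumptions.

```python
import re

# Path fragments treated as user-writable (assumption; extend for your estate).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Tmp|Downloads|Public)\\", re.I)
RUN_VALUE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
WINLOGON_SHELL = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\Shell$", re.I)
IFEO_DEBUGGER = re.compile(r"\\Image File Execution Options\\[^\\]+\\Debugger$", re.I)
TASK_NAME_WORDS = re.compile(r"Update|Maintenance|Security", re.I)
# __FilterToConsumerBinding is the class that links a filter to a consumer.
WMI_CLASSES = {"__EventFilter", "__EventConsumer", "__FilterToConsumerBinding"}

# Constructed event records (not real telemetry).
EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "value": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"type": "registry_set", "key": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": r"explorer.exe, C:\Users\alice\AppData\Local\Temp\fg749h.exe"},
    {"type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "value": r"C:\Users\alice\AppData\Local\Temp\fg749h.exe"},
    {"type": "service_install", "name": "Print Spooler Helper", "image_path": r"C:\Windows\Temp\dllhost.exe"},
    {"type": "service_install", "name": "Windows Update", "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"type": "task_create", "name": "SecurityMaintenance", "action": r"C:\Users\alice\AppData\Local\Temp\bypass.ps1"},
    {"type": "task_create", "name": "Adobe Update", "action": r"C:\Program Files\Adobe\updater.exe"},
    {"type": "wmi_subscription", "namespace": r"root\subscription", "class": "__EventFilter", "name": "BotFilter"},
]


def audit_persistence(events):
    """Return (rule, detail) pairs for records matching a persistence rule."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set":
            key, value = ev["key"], ev["value"]
            if RUN_VALUE.search(key) and USER_WRITABLE.search(value):
                findings.append(("run_key_user_writable", key))
            elif WINLOGON_SHELL.search(key) and value.strip().lower() != "explorer.exe":
                findings.append(("winlogon_shell_modified", key))
            elif IFEO_DEBUGGER.search(key):
                findings.append(("ifeo_debugger_set", key))
        elif kind == "service_install" and USER_WRITABLE.search(ev["image_path"]):
            findings.append(("service_in_temp_path", ev["name"]))
        elif kind == "task_create":
            # Task names alone are far too noisy; require the action path to be suspicious too.
            if TASK_NAME_WORDS.search(ev["name"]) and USER_WRITABLE.search(ev["action"]):
                findings.append(("task_with_user_writable_action", ev["name"]))
        elif kind == "wmi_subscription":
            if ev["namespace"].lower() == r"root\subscription" and ev["class"] in WMI_CLASSES:
                findings.append(("wmi_subscription_created", f'{ev["class"]}:{ev["name"]}'))
    return findings


if __name__ == "__main__":
    for rule, detail in audit_persistence(EVENTS):
        print(f"{rule:32} {detail}")
```

The OneDrive Run value, the svchost service and the Adobe task are there to show the rules staying quiet on ordinary entries; WMI subscriptions are flagged unconditionally because they are rare enough in most environments that each one deserves a look.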

YARA Rule Guidance

When creating YARA rules for LockBit, focus on unique strings and byte patterns. Look for ransom note text such as “All your files are encrypted with LockBit” or “Your data is stolen and encrypted.” The malware often contains configuration strings like “AESKey”, “RSAKey”, and “C2Server” in plaintext or XOR-encoded form.

Target API function names used for evasion: “NtRaiseHardError”, “RtlSetProcessIsCritical”, “NtSuspendProcess”. LockBit samples may include debug strings referencing affiliate IDs (“AffiliateID:”) or version numbers (“LockBit 3.0”). Look for embedded Tor URLs (.onion) and ransom note HTML/RTF templates.

Byte sequences for encryption routines often include the pattern 48 8B C4 48 89 58 08 (x64 prologue) followed by cryptographic constants. This prologue is generic compiler output and should never be matched on its own. The malware’s resource section may contain encrypted payloads or icons. Use condition combinations of these strings with a threshold (e.g., 3 out of 5 matches) to reduce false positives.
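The threshold logic this section recommends, and the plaintext-or-XOR search for configuration strings mentioned above, implemented in Python as an added example (not a YARA rule from the guide). It groups the strings the way a rule would, searches each configuration string under every single-byte XOR key, and applies a condition of the form "3 of the configuration strings, or a ransom-note string together with an evasion API"; the prologue is counted for context only. The two byte buffers are constructed stand-ins for a suspect and a benign file.

```python
# String groups from the YARA guidance above, grouped the way a rule would.
CONFIG_STRINGS = [b"AESKey", b"RSAKey", b"C2Server", b"AffiliateID:", b"LockBit 3.0"]
NOTE_STRINGS = [b"All your files are encrypted with LockBit",
                b"Your data is stolen and encrypted"]
EVASION_APIS = [b"NtRaiseHardError", b"RtlSetProcessIsCritical", b"NtSuspendProcess"]
PROLOGUE = bytes.fromhex("48 8B C4 48 89 58 08")


def xor(data, key):
    return bytes(b ^ key for b in data)


def find_xor_variants(data, needle, keys=range(256)):
    """Offsets and single-byte keys at which `needle` occurs in `data`, either
    plain (key 0) or XOR-encoded. 256 searches is cheap for a sample-sized buffer."""
    hits = []
    for key in keys:
        probe = xor(needle, key)
        off = data.find(probe)
        while off != -1:
            hits.append((off, key))
            off = data.find(probe, off + 1)
    return hits


def scan(data, min_config=3):
    """Count hits per group and apply a threshold condition, mirroring a YARA
    condition such as: 3 of ($cfg*) or (any of ($note*) and any of ($api*))."""
    counts = {
        "config": sum(1 for s in CONFIG_STRINGS if find_xor_variants(data, s)),
        "note": sum(1 for s in NOTE_STRINGS if s in data),
        "api": sum(1 for s in EVASION_APIS if s in data),
        # Ordinary compiler output: reported for context, never a deciding factor.
        "prologue": data.count(PROLOGUE),
    }
    counts["match"] = counts["config"] >= min_config or (counts["note"] > 0 and counts["api"] > 0)
    return counts


# Constructed buffers: one with two XOR-encoded config strings (key 0x5A), one
# plain config string and an evasion API; one that merely looks like a PE.
SUSPECT = (b"\x00" * 64 + b"RSAKey=" + xor(b"AESKey", 0x5A) + b"\x00" * 16
           + xor(b"C2Server", 0x5A) + b"NtSuspendProcess\x00" + PROLOGUE + b"\xff" * 32)
BENIGN = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n"
          + PROLOGUE + b"AESKey" + b"\x00" * 32)


if __name__ == "__main__":
    print("suspect:", scan(SUSPECT))
    print("benign: ", scan(BENIGN))
    print("AESKey found at:", find_xor_variants(SUSPECT, b"AESKey"))
```

The benign buffer carries both the prologue and one configuration string and still does not match, which is the point of the threshold: any one of these indicators appears in legitimate software, the combination does not.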

For current samples and indicators, refer to: