LockBit - How to Remove

Last updated: 2026-04-21

LockBit Ransomware Incident Response Guide

Incident Triage Steps

Within the first 30 minutes, your priority is to confirm the incident, assess its scope, and determine potential data exfiltration. LockBit typically leaves a ransom note (Restore-My-Files.txt or similar) on the desktop and in affected directories. Immediately check for this hallmark.

  1. Isolate the Initial Detection Point: Identify the first system where the ransom note or encrypted files (appended with a .lockbit extension or variant) were reported. Do not power it off. Check its running processes for known LockBit process names like LockBit.exe, LB3.exe, or suspicious, randomly named executables in C:\Windows\Temp\ or C:\Users\Public\.
  2. Determine Scope: Use your EDR console or a trusted administrative tool to search for the ransom note filename across the network. Scan for files with the .lockbit extension. Check central logs for a spike in file system activity or volume shadow copy deletion events (Event ID 524 in Windows Event Logs) from multiple hosts, which indicates spreading.
  3. Check for Exfiltration: LockBit operators often exfiltrate data before encryption. Review outbound network traffic logs from the last 72 hours from the initially affected system and any servers. Look for:
    • Large, sustained transfers to unfamiliar external IP addresses or domains.
    • Connections to known LockBit C2 infrastructure (check your threat intelligence feeds for recent IOCs).
    • Traffic on non-standard ports (e.g., 4444, 8080) from systems not expected to generate it.
     Examine firewall, proxy, and SIEM logs for these patterns. The presence of exfiltration significantly changes the incident severity.
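A remote scope sweep for the indicators in steps 1 and 2 above (ransom note, .lockbit files, surviving shadow copies), added here as an example and not tooling from the guide. It assumes PowerShell remoting (WinRM) reaches every host and the caller is a local administrator there; the $Hosts, $NoteNames and $Roots values are constructed samples.

```powershell
# Added example, not from the original guide: sweep hosts for LockBit scope
# indicators and rank them by earliest encryption time. Assumes WinRM is
# reachable and the caller is a local admin on each host; the three
# variables below are constructed samples, replace them with your inventory.
$Hosts     = @('WS-FIN-01', 'WS-FIN-02', 'FS-01')
$NoteNames = @('Restore-My-Files.txt')       # add the note variant seen in your incident
$Roots     = @('C:\Users', 'C:\ProgramData', 'D:\Shares')

$Sweep = {
    param($NoteNames, $Roots)
    $files = foreach ($r in $Roots) {
        if (Test-Path $r) { Get-ChildItem $r -Recurse -File -Force -ErrorAction SilentlyContinue }
    }
    $notes = @($files | Where-Object { $NoteNames -contains $_.Name })
    $enc   = @($files | Where-Object { $_.Extension -eq '.lockbit' })
    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        NoteCount   = $notes.Count
        FirstNote   = ($notes | Sort-Object CreationTime | Select-Object -First 1).FullName
        EncCount    = $enc.Count
        EarliestEnc = ($enc | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
        # LockBit deletes shadow copies before encrypting; zero on a host that
        # normally keeps them is a strong sign it was touched even if no note is found
        Shadows     = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
    }
}

$results = Invoke-Command -ComputerName $Hosts -ScriptBlock $Sweep `
                          -ArgumentList $NoteNames, $Roots -ErrorAction Continue

# Hosts with hits, earliest encryption first: the top row is the patient-zero candidate
$results | Where-Object { $_.NoteCount -gt 0 -or $_.EncCount -gt 0 } |
    Sort-Object EarliestEnc |
    Format-Table Host, NoteCount, EncCount, EarliestEnc, Shadows, FirstNote -AutoSize
$results | Export-Csv ".\lockbit-scope-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation
```

Hosts that are unreachable over WinRM are reported as errors rather than silently omitted; treat those as unknown, not clean.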

Evidence Collection

Before taking any containment or remediation action, preserve volatile and persistent evidence for later forensic analysis.

  1. Memory Acquisition: Use a trusted, standalone memory forensic tool to capture a RAM dump from at least one actively infected, running system. This may contain encryption keys, C2 addresses, and the malware binary.
  2. Process and System State:
    • From an isolated, trusted host, run command-line tools (like pslist or built-in admin tools) against compromised systems to capture a detailed process list with hashes.
    • Collect a list of all network connections (netstat -anob) from affected hosts.
    • Export the registry hives (SAM, SYSTEM, SOFTWARE, and each user's NTUSER.DAT) using a tool like reg save.
  3. File System Artifacts: Collect, without executing, the following LockBit-specific items:
    • The ransom note file.
    • Any executable found in C:\Windows\Temp\, C:\Users\Public\, or user AppData\Local\Temp\ with a recent timestamp.
    • Pre-encryption log files sometimes left in C:\ProgramData\ or C:\Intel\.
    • Scheduled tasks or services created by LockBit (look for tasks with random GUID-like names).
  4. Log Aggregation: Ensure all relevant logs from the past 14 days are secured and exported from your SIEM, including Windows Event Logs (especially Security and System), firewall, DNS, and endpoint logs. Focus on events leading up to the first detection.
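A host-level collection script covering steps 2 and 3 above (process list with hashes, network connections, registry hives, persistence, and file artifacts copied without execution), added here as an example rather than the guide's own tooling. It assumes it is run as a local administrator from a trusted PowerShell on the affected host, that $Out points at removable media or an evidence share (assumed path), and that memory acquisition has already been done with a dedicated tool.

```powershell
# Added example, not part of the original guide: collect the host-level evidence
# listed above from one affected Windows system and hash everything collected.
# Run as local admin from a trusted PowerShell (interactively or via Invoke-Command)
# with $Out on removable media or a write-only evidence share (assumed path).
# Memory acquisition is done separately with a dedicated tool before this runs.
$Out = "E:\evidence\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss)"
New-Item -ItemType Directory -Path $Out, "$Out\files" -Force | Out-Null

# 1. Processes with parent, command line and SHA-256 of the on-disk image
Get-CimInstance Win32_Process | ForEach-Object {
    $hash = if ($_.ExecutablePath -and (Test-Path -LiteralPath $_.ExecutablePath)) {
        (Get-FileHash -LiteralPath $_.ExecutablePath -Algorithm SHA256).Hash } else { '' }
    [pscustomobject]@{ PID = $_.ProcessId; PPID = $_.ParentProcessId; Name = $_.Name
        Path = $_.ExecutablePath; CommandLine = $_.CommandLine; SHA256 = $hash
        Started = $_.CreationDate }
} | Export-Csv "$Out\processes.csv" -NoTypeInformation

# 2. Network connections with owning process (-b needs admin)
netstat -anob | Out-File "$Out\netstat.txt"

# 3. Registry hives: SAM/SYSTEM/SOFTWARE plus every loaded user hive (NTUSER.DAT)
foreach ($h in 'SAM', 'SYSTEM', 'SOFTWARE') { reg.exe save "HKLM\$h" "$Out\$h.hiv" /y | Out-Null }
Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -match '^S-1-5-21(-\d+){4}$' } |
    ForEach-Object { reg.exe save "HKU\$($_.PSChildName)" "$Out\NTUSER_$($_.PSChildName).hiv" /y | Out-Null }

# 4. Persistence: all scheduled tasks (flagging GUID-like names) and all services
Get-ScheduledTask | ForEach-Object {
    [pscustomobject]@{ Task = $_.TaskName; Path = $_.TaskPath; State = $_.State
        GuidLike = ($_.TaskName -match '^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$')
        Action = (($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | ') }
} | Export-Csv "$Out\tasks.csv" -NoTypeInformation
Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, StartName, PathName |
    Export-Csv "$Out\services.csv" -NoTypeInformation

# 5. File artifacts, copied without executing: ransom notes, recent binaries in the
#    drop locations named above, and stray pre-encryption logs
$Drop = 'C:\Windows\Temp', 'C:\Users\Public', 'C:\Users\*\AppData\Local\Temp'
$Art  = @(Get-ChildItem 'C:\Users' -Recurse -Force -Filter 'Restore-My-Files.txt' -ErrorAction SilentlyContinue |
          Select-Object -First 3)
$Art += Get-ChildItem $Drop -Recurse -Force -Include '*.exe', '*.dll', '*.bat', '*.ps1' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
$Art += Get-ChildItem 'C:\ProgramData', 'C:\Intel' -Force -Filter '*.log' -ErrorAction SilentlyContinue
$Art | Where-Object { $_ } | ForEach-Object { Copy-Item -LiteralPath $_.FullName "$Out\files\$($_.Directory.Name)_$($_.Name)" -Force }

# 6. Manifest: SHA-256 of everything collected, so later analysis can prove integrity
$collected = Get-ChildItem $Out -Recurse -File
$collected | Get-FileHash -Algorithm SHA256 | Select-Object Path, Hash |
    Export-Csv "$Out\manifest.csv" -NoTypeInformation
```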

Containment Procedures

Contain the outbreak while preserving evidence for eradication.

  1. Network Segmentation: Immediately segment the network. Disable switch ports for confirmed compromised hosts. Isolate entire VLANs or subnets showing signs of infection. If possible, create a quarantined network segment for affected systems to facilitate evidence collection without risking further spread.
  2. Credential Reset: LockBit often harvests credentials. Reset passwords for:
    • All local administrator accounts on affected systems.
    • Any domain service accounts that were logged into those systems.
    • Domain administrator accounts as a precaution if any compromised host had high privileges. Perform this reset from a known-clean, isolated workstation.
  3. C2 and Traffic Blocking: Update firewall and proxy rules to block communications to known LockBit C2 servers and kill-switch domains identified from your threat intel and log review. Block outbound SMB (ports 139, 445) and RDP (port 3389) from all workstations to limit lateral movement, allowing it only for essential servers.
  4. Disable Maintenance Tools: Temporarily disable or heavily restrict tools commonly abused by LockBit for lateral movement, such as PsExec, WMI, and PowerShell remoting, across the enterprise.

Eradication and Recovery

Eradication must be thorough to prevent re-encryption.

  1. Complete Removal: Follow the detailed, step-by-step instructions in the LockBit Removal Guide for each affected system. This includes killing malicious processes, deleting persistent artifacts like scheduled tasks and registry run keys, and removing all malware binaries.
  2. Restore from Backups: After confirming eradication, restore encrypted data from known-clean, offline backups. Do not restore from backups taken after the initial compromise date, as they may contain the malware. Before bringing systems online, ensure the restoration environment is fully patched and the initial attack vector has been closed.
  3. Verify Clean State: Before returning a system to production:
    • Re-scan it with updated antivirus and EDR tools.
    • Validate that no remnant LockBit files, processes, or scheduled tasks exist.
    • Check that system restore and volume shadow copy services are functional again.
    • Monitor the system closely for 24-48 hours in a test network for any anomalous activity.

Lessons Learned Checklist

After containment, conduct a formal review to improve resilience.

  • Initial Access: How did LockBit gain entry? Was it via an unpatched vulnerability (e.g., in public-facing services), a successful phishing email, or compromised remote desktop credentials?
  • Control Failures: Which security controls failed or were absent?
    • Was multi-factor authentication (MFA) not enabled for remote access or administrative accounts?
    • Were endpoint detection and response (EDR) alerts ignored or not configured for relevant TTPs?
    • Were network segmentation and least-privilege access principles properly enforced?
  • Detection Gaps: How long was the threat actor in the environment before detonation? Review logs for the following missed LockBit precursor activities:
    • Use of admin and post-exploitation tooling (PsExec, Cobalt Strike) for lateral movement.
    • Disabling of security software via registry edits or taskkill.
    • Commands to delete volume shadow copies (vssadmin delete shadows).
  • Improvement Plan: Based on findings, define actionable steps:
    • Implement or strengthen application allow-listing.
    • Enforce MFA universally, especially for all external and privileged access.
    • Improve and test offline backup procedures and recovery playbooks.
    • Update monitoring rules in your SIEM to detect the specific TTPs used in this attack.

For proactive measures, refer to the LockBit Detection Guide. For more background on this threat, see the LockBit Overview.