LockBit - Protection Guide

Last updated: 2026-04-21

Practical Defense Guide: LockBit Ransomware

Attack Vectors to Block

LockBit primarily infiltrates networks through a combination of automated exploitation and human-operated techniques. Blocking these vectors requires a layered defense.

Initial Access via Exploited Vulnerabilities: LockBit affiliates frequently exploit public-facing applications. Prioritize patching for known vulnerabilities in VPN appliances (like Pulse Secure and Fortinet), Microsoft Exchange Server, and remote desktop services (RDS). Implement a vulnerability management program to identify and remediate external-facing assets with critical-rated flaws. Use an intrusion prevention system (IPS) or next-generation firewall to deploy virtual patches for vulnerabilities where immediate patching is not feasible.

Phishing and Malicious Email Campaigns: LockBit is often delivered via phishing emails containing malicious attachments or links. At the network perimeter, configure your email security gateway to block emails with executable attachments (.exe, .scr, .js, .vbs) and archive files (.zip, .iso) that contain executables. Implement strict policies for Microsoft Office macros, blocking them from the internet zone by default. This vector is detailed further in our guide on Distribution Methods.

Compromised Credentials and Remote Access: Attackers use stolen or brute-forced credentials to access RDP or VPN endpoints. Enforce multi-factor authentication (MFA) on all remote access solutions and internet-facing administrative interfaces. Implement an account lockout policy after a low number of failed login attempts and use dedicated administrative accounts that are not used for email or web browsing.

Malicious Websites and Drive-by Downloads: Block access to known malicious domains and IPs associated with LockBit distribution at the web proxy or firewall level. Use a web filtering solution to restrict access to high-risk categories like free file hosting and newly registered domains.

Email Security Configuration

Configure your organizational email gateway with the following specific rules to intercept LockBit phishing attempts.

Attachment Filtering Policies:

  • Block all incoming emails with the following attachment extensions: .exe, .scr, .pif, .cmd, .bat, .js, .jse, .vbs, .vbe, .wsf, .ps1.
  • Quarantine emails containing .zip, .rar, .7z, or .iso archive files. Implement a sandboxing or dynamic analysis feature to detonate and inspect the contents of these archives before release, checking for embedded executables or scripts.
  • Enable file type verification to prevent extension spoofing (e.g., a file named document.pdf.exe should be treated as an executable).
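As an added example (not code from the original guide), the attachment rules above expressed as a small Python policy function: it applies the extension blocklist, verifies file type by content so a renamed binary or a double extension like document.pdf.exe is still caught, quarantines archives, and blocks a ZIP whose members are executables (a stand-in for the sandbox step; the filenames and bytes are constructed samples).

```python
import io
import zipfile

BLOCKED_EXT = {"exe", "scr", "pif", "cmd", "bat", "js", "jse", "vbs", "vbe", "wsf", "ps1"}
ARCHIVE_EXT = {"zip", "rar", "7z", "iso"}
PE_MAGIC = b"MZ"  # every Windows PE executable starts with this DOS header


def extensions(filename: str) -> list[str]:
    """All dotted suffixes, lowercased: 'document.pdf.exe' -> ['pdf', 'exe']."""
    return [part.lower() for part in filename.split(".")[1:]]


def looks_executable(data: bytes) -> bool:
    """File type verification: judge by content, not by the name the sender chose."""
    return data[:2] == PE_MAGIC


def zip_contains_executable(data: bytes) -> bool:
    """Open a ZIP in memory and look for members blocked by name or by content."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                exts = extensions(member.filename)
                if exts and exts[-1] in BLOCKED_EXT:
                    return True
                with archive.open(member) as handle:
                    if looks_executable(handle.read(2)):
                        return True
    except zipfile.BadZipFile:
        return False  # unreadable archive: leave it to quarantine and the sandbox
    return False


def attachment_verdict(filename: str, data: bytes) -> str:
    """Return 'block', 'quarantine' or 'allow' for a single attachment."""
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    if looks_executable(data) or last in BLOCKED_EXT:
        return "block"  # covers renamed binaries and double extensions alike
    if last in ARCHIVE_EXT:
        if last == "zip" and zip_contains_executable(data):
            return "block"
        return "quarantine"  # hold for detonation before release
    return "allow"


def build_zip(member_name: str, content: bytes) -> bytes:
    """Constructed sample archive used to exercise the policy offline."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr(member_name, content)
    return buffer.getvalue()
```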

URL Defense and Link Rewriting:

  • Enable time-of-click URL protection. All links in emails should be rewritten through your security service’s proxy for real-time reputation checking when a user clicks them.
  • Block URLs that lead to newly registered domains (e.g., domains less than 30 days old) or domains with a poor reputation score.
  • Configure policies to flag or block emails containing URLs with IP addresses instead of domain names, a common tactic in phishing campaigns.

Content and Impersonation Rules:

  • Implement strict DMARC, DKIM, and SPF policies to reject emails that fail domain alignment checks, preventing domain spoofing.
  • Create transport rules that flag external emails with subject lines or body text containing high-pressure keywords often associated with ransomware lures (e.g., “Urgent Invoice,” “Payment Required,” “Security Alert”).

Endpoint Protection Tuning

Configure endpoint detection and response (EDR) and antivirus solutions to detect and block LockBit’s specific behaviors.

Behavioral Detection Rules:

  • Create or enable high-fidelity alerts for processes that attempt to disable or uninstall security software, tamper with Windows Defender, or clear Windows event logs.
  • Detect and block processes that use command-line tools for mass file enumeration and encryption, such as vssadmin.exe delete shadows, bcdedit, wbadmin, and wmic.exe shadowcopy delete.
  • Alert on processes that attempt to modify boot configuration data or modify the Master Boot Record (MBR), indicative of ransomware preparing to encrypt the system.
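An added example, not from the original guide, showing how the command-line rules above can be written as regular expressions and run over process-creation events. The records are constructed samples in the shape of a Sysmon Event ID 1 or Windows 4688 entry, reduced to host, user and command line; the Defender tampering pattern matches the real Set-MpPreference switches that disable protection.

```python
import re
from collections import defaultdict

# Patterns for the recovery-inhibition and defense-evasion commands listed above.
# They run against a normalised (lower-cased, whitespace-collapsed) command line.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b")),
    ("boot_config_tampering", re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled no|bootstatuspolicy ignoreallfailures)\b")),
    ("event_log_clearing", re.compile(r"\bwevtutil(\.exe)?\b (cl|clear-log)\b")),
    ("defender_tampering", re.compile(r"set-mppreference\b.*-disable(realtimemonitoring|behaviormonitoring|ioavprotection)")),
]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-0413", "user": "jdoe", "cmd": "vssadmin.exe  Delete Shadows /All /Quiet"},
    {"host": "WS-0413", "user": "jdoe", "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS-0413", "user": "jdoe", "cmd": "wevtutil cl Security"},
    {"host": "SRV-FS01", "user": "SYSTEM", "cmd": "wmic.exe shadowcopy delete"},
    {"host": "WS-0201", "user": "backup_svc", "cmd": "wbadmin start backup -backupTarget:E:"},
    {"host": "WS-0077", "user": "asmith", "cmd": "powershell.exe -c Get-ChildItem C:\\Users"},
]

def normalise(cmd: str) -> str:
    """Lower-case, strip quotes and collapse whitespace so spacing tricks do not dodge the rules."""
    return re.sub(r"\s+", " ", cmd.replace('"', "")).strip().lower()

def match_rules(cmd: str) -> list[str]:
    """Names of every rule the command line trips, de-duplicated and sorted."""
    text = normalise(cmd)
    return sorted({name for name, pattern in RULES if pattern.search(text)})

def evaluate(events: list[dict]) -> list[dict]:
    """One alert per (event, rule) pair, keeping the raw command line for the analyst."""
    alerts = []
    for event in events:
        for name in match_rules(event["cmd"]):
            alerts.append({"host": event["host"], "user": event["user"], "rule": name, "cmd": event["cmd"]})
    return alerts

def distinct_rules_per_host(alerts: list[dict]) -> dict[str, int]:
    """A host tripping several distinct rules in one session is the strongest pre-encryption signal."""
    seen = defaultdict(set)
    for alert in alerts:
        seen[alert["host"]].add(alert["rule"])
    return {host: len(rules) for host, rules in seen.items()}
```

Legitimate backup jobs (wbadmin start backup) and ordinary PowerShell do not match, which keeps the rule set high-fidelity as the section asks.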

Application Control and Restriction:

  • Implement application allowlisting, if possible, to prevent the execution of unauthorized binaries from user-writable locations like %AppData%, %LocalAppData%, and %Temp%.
  • Use a dedicated endpoint security policy to restrict the execution of scripting engines (wscript.exe, cscript.exe, powershell.exe) from these same user directories. Constrain PowerShell to Constrained Language Mode and enable extensive logging.
  • Configure controlled folder access or anti-ransomware features to block unauthorized processes from making mass changes to files in key directories like Documents, Desktop, and network shares.

Privilege Management:

  • Enforce the principle of least privilege. Standard user accounts should not have local administrator rights. This severely limits LockBit’s ability to disable security tools, spread laterally, and encrypt network drives.

Network-Level Defenses

Disrupt LockBit’s command-and-control (C2) communication and lateral movement at the network layer.

DNS Filtering and Sinkholing:

  • Subscribe to and deploy threat intelligence feeds that provide domains and IPs associated with LockBit C2 servers. Block these indicators at the DNS resolver level.
  • Configure your internal DNS servers to log and alert on queries for known-bad domains or for domains with a high degree of randomness (DGA-like patterns).
  • Consider sinkholing traffic from known compromised internal hosts to prevent actual C2 communication while generating an alert.
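An added example, not from the original guide, of the DNS-layer checks above run over resolver logs: a blocklist lookup for known-bad domains and a DGA-likeness test on the registrable label. The log lines, the client addresses and the blocklist entry (a placeholder on the reserved .invalid TLD) are constructed; a real deployment would load the blocklist from the threat-intelligence feed and use the Public Suffix List rather than the single-label suffix assumed here.

```python
import math
from collections import Counter

# Placeholder blocklist: populate from the threat-intelligence feed described above.
BLOCKLIST = {"known-bad-c2.invalid"}
VOWELS = set("aeiou")

# Constructed resolver log lines ("timestamp client qname"), not real traffic.
SAMPLE_QUERIES = """\
2026-04-21T09:12:01Z 10.1.5.23 login.microsoftonline.com
2026-04-21T09:12:02Z 10.1.5.23 q7xk2pvz9mw4lbdh.net
2026-04-21T09:12:03Z 10.1.5.40 update.windowsupdate.com
2026-04-21T09:12:05Z 10.1.5.23 kqzxvbnmwrtplsdf.xyz
2026-04-21T09:12:09Z 10.1.5.77 known-bad-c2.invalid
"""

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; random-looking labels score near log2(alphabet size)."""
    if not label:
        return 0.0
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def registrable_label(qname: str) -> str:
    """Label left of the suffix ('microsoftonline' for login.microsoftonline.com); assumes a one-label suffix."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_dga_like(qname: str, min_len: int = 10, min_entropy: float = 3.2, max_vowel_ratio: float = 0.25) -> bool:
    """Three independent signals: long label, high entropy and few vowels. Requiring all three
    keeps long but pronounceable brand names (e.g. windowsupdate) out of the alert queue."""
    label = registrable_label(qname)
    vowel_ratio = sum(ch in VOWELS for ch in label) / max(len(label), 1)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio

def classify(qname: str) -> str:
    qname = qname.rstrip(".").lower()
    if qname in BLOCKLIST:
        return "blocklisted"
    return "dga_like" if is_dga_like(qname) else "ok"

def scan(log_text: str) -> list[tuple[str, str, str]]:
    """(client, qname, verdict) for every query that should raise an alert."""
    findings = []
    for _ts, client, qname in (line.split() for line in log_text.splitlines()):
        verdict = classify(qname)
        if verdict != "ok":
            findings.append((client, qname, verdict))
    return findings
```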

Firewall and Proxy Rules:

  • At the network perimeter, implement egress firewall rules to block traffic to known malicious IP addresses and to restrict outbound connections to only necessary ports and services.
  • Use a web proxy to enforce strict outbound traffic policies. Block access to anonymization services like Tor and public VPNs, which ransomware may use for C2.
  • Segment your network. Restrict RDP (TCP/3389) and SMB (TCP/445) traffic between workstations and between user segments and critical servers. These are primary protocols for lateral movement.

Internal Traffic Monitoring:

  • Deploy a network detection and response (NDR) solution or use your SIEM platform to analyze east-west traffic. Look for anomalies such as a single host making high-volume SMB connections to multiple file servers in a short period, a sign of file enumeration prior to encryption. Correlate this with the latest Current IOCs.
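An added example, not from the original guide, of the SMB fan-out anomaly above implemented as a sliding-window detection over flow records: it alerts when one source reaches at least min_targets distinct hosts on TCP/445 inside a window_s-second window. The flow lines and addresses are constructed; the thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records ("timestamp src dst dport"), not real traffic: 10.1.5.23 touches
# six file servers in twelve seconds, 10.1.5.77 touches five spread over eighty minutes.
SAMPLE_FLOWS = """\
2026-04-21T09:00:01Z 10.1.5.23 10.1.10.11 445
2026-04-21T09:00:03Z 10.1.5.23 10.1.10.12 445
2026-04-21T09:00:04Z 10.1.5.23 10.1.10.13 445
2026-04-21T09:00:07Z 10.1.5.23 10.1.10.14 445
2026-04-21T09:00:09Z 10.1.5.23 10.1.10.15 445
2026-04-21T09:00:12Z 10.1.5.23 10.1.10.16 445
2026-04-21T09:00:02Z 10.1.5.40 10.1.10.11 445
2026-04-21T09:00:05Z 10.1.5.40 10.1.10.12 445
2026-04-21T08:00:00Z 10.1.5.77 10.1.10.11 445
2026-04-21T08:20:00Z 10.1.5.77 10.1.10.12 445
2026-04-21T08:40:00Z 10.1.5.77 10.1.10.13 445
2026-04-21T09:00:00Z 10.1.5.77 10.1.10.14 445
2026-04-21T09:20:00Z 10.1.5.77 10.1.10.15 445
"""

def parse_flows(text: str) -> list[tuple[datetime, str, str, int]]:
    """Parse the constructed log format into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)))
    return flows

def smb_fanout(flows, port: int = 445, window_s: int = 60, min_targets: int = 5):
    """(src, window_start, distinct_targets) for each source reaching min_targets hosts on port within window_s."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))
    alerts = []
    for src, conns in by_src.items():
        window, live = deque(), defaultdict(int)  # connections in window, per-destination counts
        for ts, dst in sorted(conns):
            window.append((ts, dst))
            live[dst] += 1
            while ts - window[0][0] > timedelta(seconds=window_s):
                _old_ts, old_dst = window.popleft()  # expire connections older than the window
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
            if len(live) >= min_targets:
                alerts.append((src, window[0][0], len(live)))
                break  # one alert per source is enough to start triage
    return alerts
```

Widening window_s to two hours makes the slow host alert too, which is how you would trade sensitivity against noise from backup and patching jobs.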

User Awareness Training Points

Training should move beyond generic advice to focus on the specific lures and techniques used by LockBit operators.

Recognizing High-Pressure Phishing Lures:

  • Train users to be skeptical of emails with urgent financial themes (invoices, overdue payments, purchase orders) or fake security alerts prompting them to enable content or run an attachment. Emphasize that legitimate organizations will not demand immediate action via unsolicited email attachments.

Handling Attachments and Links:

  • Instruct users never to enable macros in documents received via email, even if prompted. Provide a clear, safe procedure for verifying the legitimacy of such documents through alternative channels (e.g., a phone call).
  • Teach users to hover over links to preview the actual URL before clicking. Warn them about links that use misleading text or lead to non-standard domains.

Reporting Procedures and “Break-Glass” Actions:

  • Make the process for reporting suspicious emails (e.g., a “Report Phish” button) simple, well-known, and positively reinforced. Encourage a culture of reporting without blame.
  • Train users on the immediate action to take if they suspect a ransomware infection: disconnect the device from the network (pull the Ethernet cable or disable Wi-Fi) and contact the IT security team. Acting quickly can contain the outbreak.

Understanding the Bigger Threat:

  • Briefly educate users on the impact of ransomware like LockBit: it encrypts files on their computer, shared drives, and often entire servers, halting business operations. This context helps them understand the critical importance of their vigilant role. For more on the malware’s capabilities, see the LockBit Overview.