LockBit Ransomware Removal Guide

Signs of Infection

LockBit infection presents several distinct indicators across the file system, running processes, and network activity.

File System Artifacts:

• Presence of ransom notes named Restore-My-Files.txt or similar variants in multiple directories, including root drives (C:) and user desktops.
• Files across the system appended with the .lockbit extension (e.g., document.pdf.lockbit). Earlier variants may use .abcd or other extensions.
• Creation of suspicious executables in temporary directories, often with random names (e.g., C:\Users\[Username]\AppData\Local\Temp\[random].exe).
• System tools like wevtutil.exe may be used to clear Windows Event Logs, leaving traces of such commands in command-line logs.

Process Behaviors:

• Unusual processes consuming high CPU and disk I/O, often masquerading with names like svchost.exe but running from non-standard locations.
• Attempts to stop or disable security services and backup solutions using commands like net stop or sc config.
• Use of legitimate system administration tools for malicious purposes, such as vssadmin.exe to delete Volume Shadow Copies (vssadmin delete shadows /all /quiet).

Network Signs:

• Outbound connections to known command-and-control (C2) IP addresses or domains associated with LockBit affiliates. Traffic often uses HTTPS on non-standard ports.
• Internal network scanning from the infected host using tools like nltest or net.exe to enumerate domain controllers and shared drives.
• Increased SMB traffic as the ransomware attempts to propagate to accessible network shares.

Immediate Containment Steps

Within the first 15 minutes of detection, take these actions to prevent further encryption and spread.

1. Network Isolation:

   • Immediately disconnect the infected host from the network. Physically unplug the Ethernet cable or disable the network adapter via the OS.
   • If the host is part of a VLAN, quarantine it via network access control or firewall policy changes.
   • Block known LockBit C2 domains and IPs (referenced in the Current LockBit IOCs) at the network perimeter firewall.

2. Process Termination:

   • On the isolated host, use a trusted command-line tool or process explorer from a clean USB drive to identify and kill malicious processes. Look for processes with high file system activity or those matching hashes from IOCs.
   • Do not reboot the system yet, as this may trigger a persistence mechanism or cause further data loss.

3. Credential Rotation Priorities:

   • Immediate Rotation: Change passwords for any domain or local administrator accounts that were logged into the infected host. Assume they are compromised.
   • Service Accounts: Rotate credentials for service accounts running on the infected host and any accounts used for privileged access management (PAM).
   • Remote Access: Change credentials for VPN, RDP, and other remote access solutions, especially if the host was an entry point.

Manual Removal Process

This process should be performed on an isolated system, preferably from a clean, bootable USB environment to prevent the malware from interfering.

Step 1: Terminate Malicious Processes Boot into Safe Mode with Command Prompt or a WinPE environment.

1. Use the command tasklist to view running processes.
2. Identify suspicious processes (e.g., random names in Temp folders). Terminate them using taskkill /PID [Process ID] /F.
3. Check for and kill any unusual instances of cmd.exe, powershell.exe, or wscript.exe with suspicious parent processes.

Step 2: Delete Persistence Mechanisms LockBit commonly establishes persistence via the Windows Registry and Scheduled Tasks.

1. Registry: Use the reg command to query and delete malicious entries.
   • Check common run keys:

     reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
     reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

   • Delete any entries pointing to suspicious files in Temp or AppData folders.
2. Scheduled Tasks: Use schtasks to list and remove malicious tasks.
   • schtasks /query /fo LIST
   • Look for tasks with random names or triggers related to system startup. Delete with schtasks /delete /TN "TaskName" /F.

Step 3: Remove Dropped Files Navigate to and delete all files associated with the infection.

1. Delete the primary payload, typically found in:
   • C:\Users\[Username]\AppData\Local\Temp\
   • C:\Users\[Username]\AppData\Roaming\
   • C:\Windows\Temp\
2. Delete ransom notes (Restore-My-Files.txt) from all directories.
3. Crucial: Do NOT delete the encrypted files (.lockbit) if data recovery is desired.

Step 4: Clean Registry Entries Remove any other configuration or execution traces.

1. Search for and delete registry keys created by LockBit, which may be under:
   • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ (used for disabling security tools).
   • HKLM\SOFTWARE\LockBit or similar.
   • Use reg delete to remove identified malicious keys.

Verifying Removal

After the manual process, confirm the system is clean before reconnecting it to the network.

1. System Scans:

   • Perform a full system scan with an updated, offline antivirus or anti-malware scanner.
   • Use a dedicated rootkit detection tool to check for hidden components.
   • Verify the Detection Rate for current scanner efficacy against LockBit.

2. Log Analysis:

   • Review surviving Windows Event Logs (especially Security, System, and PowerShell logs) for any post-removal execution attempts. Look for Event ID 4688 (process creation) or 4104 (PowerShell script block logging).
   • Check Prefetch files (C:\Windows\Prefetch\) for traces of the malicious executable names.

3. Network Traffic Monitoring:

   • Before full network reintegration, place the host in a monitored, isolated VLAN segment.
   • Use a network monitoring tool to watch for any outbound beaconing attempts to known-bad IPs or domains from the IOC list.
   • Monitor for anomalous SMB or RDP traffic originating from the host.

Post-Removal Security Hardening

Implement these measures to prevent reinfection and strengthen defenses against similar ransomware attacks.

1. Configuration Changes:

   • Application Whitelisting: Implement application control policies to allow only authorized, signed executables to run from standard system paths (e.g., Program Files, Windows). Block execution from Temp and AppData directories.
   • Privilege Access Management: Enforce the principle of least privilege. Remove local administrator rights from standard users and use dedicated admin accounts for elevation.
   • Disable Unnecessary Services: Disable or restrict services like RDP and SMBv1 if not critically needed. For required services, enforce strong authentication and network-level access controls.

2. Monitoring Rules:

   • SIEM/SOC Rules: Create alerts for behaviors characteristic of LockBit:
     • Multiple file extension changes to .lockbit within a short timeframe.
     • Use of vssadmin.exe delete shadows or bcdedit commands.
     • Processes spawning from cmd.exe that attempt to stop security services (net stop "AntivirusServiceName").
     • Outbound network connections to IPs in threat intelligence feeds associated with ransomware.
   • Endpoint Monitoring: Configure your EDR solution to flag and block process hollowing, credential dumping from LSASS memory, and lateral movement tools like PsExec.

3. Policy Updates:

   • Backup Policy: Ensure the 3-2-1 backup rule is enforced: three copies, on two different media, with one copy offline or immutable. Regularly test restoration procedures.
   • Patch Management Policy: Prioritize and enforce rapid patching for public-facing services, VPN gateways, and all endpoints. LockBit often exploits known vulnerabilities in these systems.
   • Incident Response Plan: Update your IR plan with the specific containment steps for ransomware. Define clear roles for isolation, communication, and recovery. Conduct regular tabletop exercises.

For more background on this threat, see the LockBit Overview.