LockBit 2.0 Ransomware: TTPs Used in Emerging Ransomware Campaigns

Keypoints

  • LockBit 2.0 is a ransomware-as-a-service (RaaS) operation, previously known as the ABCD ransomware group; its affiliate and developer activity has grown over the last six months.
  • The ransomware encrypts victim files and appends the .lockbit extension; on completion it changes the desktop wallpaper and drops a ransom note named Restore-My-Files.txt.
  • The LockBit 2.0 executable is stored encoded to evade static detection and decodes the modules and strings it needs only at runtime.
  • Before encrypting, the malware checks the system's language settings and exits without encrypting on systems configured for certain languages (e.g., Russian, Belarusian, Tajik, Armenian, and others).
  • It inhibits built-in recovery by deleting volume shadow copies, disabling Windows recovery and setting the boot status policy to ignore all failures (so a failed boot does not drop into recovery), and it clears event logs.
  • After encryption, LockBit 2.0 deletes its own executable and related logs to hinder post-incident forensics.
  • The article provides IOCs (MD5, SHA-1 and SHA-256 hashes) to aid identification of known samples.

MITRE Techniques

  • [T1027] Obfuscated Files or Information – The LockBit executable is stored encoded and decodes modules/strings only as needed. Quote: “The LockBit executable is encoded. Ransomware decodes required modules and strings as needed.”
  • [T1078] Valid Accounts – Initial access with legitimate credentials. Quote: “T1078 Valid Accounts”
  • [T1190] Exploit Public-Facing Application – Initial access by exploiting internet-facing applications. Quote: “T1190 Exploit Public-Facing Application”
  • [T1047] Windows Management Instrumentation – Execution via WMI. Quote: “T1047 Windows Management Instrumentation”
  • [T1059.003] Windows Command Shell – Execution through cmd.exe. Quote: “T1059.003 Windows Command Shell”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence through Run keys or the Startup folder. Quote: “T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder”
  • [T1055] Process Injection – Injecting code into other processes for defense evasion or privilege escalation. Quote: “T1055 Process Injection”
  • [T1070.004] Indicator Removal on Host: File Deletion – Cleaning traces by deleting files. Quote: “T1070.004 Indicator Removal on Host: File Deletion”
  • [T1112] Modify Registry – Registry modification for persistence/defense evasion. Quote: “T1112 Modify Registry”
  • [T1497] Virtualization/Sandbox Evasion – Evading analysis environments. Quote: “T1497 Virtualization/Sandbox Evasion”
  • [T1056.004] Credential API Hooking – Credential access via API hooking. Quote: “T1056.004 Credential API Hooking”
  • [T1110] Brute Force – Credential access via brute force. Quote: “T1110 Brute Force”
  • [T1012] Query Registry – Discovery of registry information. Quote: “T1012 Query Registry”
  • [T1018] Remote System Discovery – Discovery of remote systems. Quote: “T1018 Remote System Discovery”
  • [T1057] Process Discovery – Detecting running processes. Quote: “T1057 Process Discovery”
  • [T1021] Remote Services – Lateral movement via remote services. Quote: “T1021 Remote Services”
  • [T1021.001] Remote Services: Remote Desktop Protocol – RDP usage. Quote: “T1021.001 Remote Services: Remote Desktop Protocol”
  • [T1021.002] Remote Services: SMB/Windows Admin Shares – Lateral movement via SMB/Win Admin Shares. Quote: “T1021.002 Remote Services: SMB/Windows Admin Shares”
  • [T1090.003] Proxy: Multi-hop Proxy – Command and control routed through multi-hop proxies. Quote: “T1090.003 Proxy: Multi-hop Proxy”
  • [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Data exfiltration via cloud storage. Quote: “T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage”
  • [T1486] Data Encrypted for Impact – Data encryption for impact. Quote: “T1486 Data Encrypted for Impact”
  • [T1490] Inhibit System Recovery – Preventing recovery. Quote: “T1490 Inhibit System Recovery”
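The recovery-inhibition and trace-removal behaviour in the Keypoints (shadow copies deleted, recovery disabled, boot failures ignored, logs and the dropper removed) maps to the T1490 and T1070.004 entries above and is the most reliable thing to alert on, because it is the same on every affiliate build. The following Python detection is an added example, not code from the Picus article or from LockBit itself. The page does not quote the commands LockBit runs, so the command-line patterns below are assumptions drawn from commonly documented ransomware tradecraft; the process-creation events are constructed in a simple key=value form and are not real telemetry.

```python
"""Added example: process-creation log detection for the T1490 (Inhibit
System Recovery) and T1070 (Indicator Removal) behaviour summarised above.
Not code from the Picus article or from the malware."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines to flag. Assumption: these are the commonly documented ways
# ransomware performs the behaviour the page describes; the page itself does
# not quote LockBit's exact command lines.
RULES = [
    ("T1490", "shadow_copies_deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "shadow_copies_deleted",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("T1490", "boot_failures_ignored",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    # Event-log clearing is T1070.001 in ATT&CK; the page lists only T1070.004.
    ("T1070.001", "event_log_cleared",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+", re.I)),
    # Delayed self-deletion of the dropper from cmd.exe ("ping ... & del /f /q <exe>").
    ("T1070.004", "self_deletion",
     re.compile(r"\bdel\s+/[fq]\s+/[fq]\s+.*\.exe", re.I)),
]

# Constructed sample events (roughly the fields Sysmon Event ID 1 or
# Security 4688 carry). Not real telemetry.
SAMPLE_EVENTS = [
    'ts=2024-03-01T10:00:00 host=WS01 user=CORP\\jdoe pid=4120 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd /c dir C:\\Users"',
    'ts=2024-03-01T10:04:10 host=WS01 user=CORP\\jdoe pid=4188 image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    'ts=2024-03-01T10:04:11 host=WS01 user=CORP\\jdoe pid=4190 image=C:\\Windows\\System32\\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"',
    'ts=2024-03-01T10:04:12 host=WS01 user=CORP\\jdoe pid=4192 image=C:\\Windows\\System32\\bcdedit.exe cmdline="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    'ts=2024-03-01T10:05:00 host=WS01 user=CORP\\jdoe pid=4200 image=C:\\Windows\\System32\\wevtutil.exe cmdline="wevtutil cl Security"',
    'ts=2024-03-01T10:06:00 host=WS01 user=CORP\\jdoe pid=4210 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd /c ping 127.0.0.7 -n 3 > nul & del /f /q C:\\Users\\jdoe\\Downloads\\update.exe"',
    'ts=2024-03-01T11:30:00 host=SRV02 user=CORP\\backupsvc pid=800 image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe list shadows"',
]

EVENT_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Parse one key=value record; quoted values may contain spaces."""
    fields = {}
    for key, raw, quoted in EVENT_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def match_rules(event):
    """Return (technique, rule_name) for every rule the command line hits."""
    cmd = event.get("cmdline", "")
    return [(tech, name) for tech, name, rx in RULES if rx.search(cmd)]


def scan(lines, window=timedelta(minutes=10)):
    """Return per-event hits plus a high-severity alert for any host showing
    two or more distinct T1490 behaviours inside `window`. A lone
    'vssadmin list shadows' from a backup job is not a hit at all, and a
    single vssadmin/bcdedit command is only a hit; the sequence is the alert."""
    hits, t1490_by_host = [], defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for tech, name in match_rules(ev):
            hits.append((ev["host"], tech, name, ev["cmdline"]))
            if tech == "T1490":
                t1490_by_host[ev["host"]].append((ev["ts"], name))
    alerts = []
    for host, seen in t1490_by_host.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            names = {n for t, n in seen[i:] if t - t0 <= window}
            if len(names) >= 2:
                alerts.append((host, sorted(names)))
                break
    return hits, alerts


if __name__ == "__main__":
    hits, alerts = scan(SAMPLE_EVENTS)
    for h in hits:
        print("HIT  ", *h)
    for a in alerts:
        print("ALERT", *a)
```

On the constructed events this yields five individual hits on WS01 and one correlated alert for WS01 (three distinct T1490 behaviours within a minute), while the backup account's `vssadmin list shadows` on SRV02 produces nothing. Tuning the correlation window rather than the individual patterns is what keeps this quiet on hosts where administrators legitimately run bcdedit.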

Indicators of Compromise

  • [MD5] af9ff037caca1f316e7d05db86dbd882, b7f1120bcff47ab77e74e387805feabe, and 2 more hashes
  • [SHA-1] 844e9b219aaecb26de4994a259f822500fb75ae1, a185904a46b0cb87d38057fc591a31e6063cdd95, and 2 more hashes
  • [SHA-256] f3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae, 4de287e0b05e138ab942d71d1d4d2ad5fb7d46a336a446f619091bdace4f2d0a, and 2 more hashes
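To put hash IOCs like the ones above to use, a triage script needs to hash candidate files with all three algorithms in one pass and compare against the set. The Python below is an added example, not code from the Picus article. Its IOC set contains the two hashes per algorithm that are listed on this page plus one constructed entry per algorithm (digests of the bytes `abc` and of an empty file) so that the offline demo produces matches; the directory it scans is constructed in a temporary folder.

```python
"""Added example: hash-based triage against the IOC list above.
Not code from the Picus article; the scanned files are constructed here."""
import hashlib
import io
import tempfile
from pathlib import Path

# IOC set keyed by algorithm, lowercase hex. The first two entries per
# algorithm are the ones listed on this page; the third in each set is a
# constructed entry so the demo below finds something offline.
IOCS = {
    "md5": {
        "af9ff037caca1f316e7d05db86dbd882",
        "b7f1120bcff47ab77e74e387805feabe",
        "900150983cd24fb0d6963f7d28e17f72",  # constructed: md5(b"abc")
    },
    "sha1": {
        "844e9b219aaecb26de4994a259f822500fb75ae1",
        "a185904a46b0cb87d38057fc591a31e6063cdd95",
        "a9993e364706816aba3e25717850c26c9cd0d89d",  # constructed: sha1(b"abc")
    },
    "sha256": {
        "f3e891a2a39dd948cd85e1c8335a83e640d0987dbd48c16001a02f6b7c1733ae",
        "4de287e0b05e138ab942d71d1d4d2ad5fb7d46a336a446f619091bdace4f2d0a",
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # constructed: sha256(b"")
    },
}

ALGORITHMS = ("md5", "sha1", "sha256")


def digest_stream(fh, chunk=1 << 20):
    """Compute all three digests in a single pass so large files are read once."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    for block in iter(lambda: fh.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def digest_bytes(data):
    return digest_stream(io.BytesIO(data))


def digest_file(path):
    with open(path, "rb") as fh:
        return digest_stream(fh)


def match_iocs(digests, iocs=IOCS):
    """Algorithms whose digest of this file appears in the IOC set. Digests
    are compared lowercase, so a pasted uppercase hash still matches."""
    return sorted(alg for alg, value in digests.items()
                  if value.lower() in {h.lower() for h in iocs.get(alg, ())})


def scan_tree(root, iocs=IOCS):
    """Walk `root` and return (relative_posix_path, matched_algorithms) per hit."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            algs = match_iocs(digest_file(path), iocs)
            if algs:
                hits.append((path.relative_to(root).as_posix(), algs))
    return hits


def make_demo_tree(root):
    """Constructed sample tree: a benign file, a file whose MD5 and SHA-1 are in
    the set, and an empty file whose SHA-256 is in the set."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "notes.txt").write_bytes(b"quarterly numbers\n")
    (root / "docs" / "empty.bin").write_bytes(b"")
    (root / "update.exe").write_bytes(b"abc")
    return root


def run_demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(make_demo_tree(tmp))


if __name__ == "__main__":
    for rel, algs in run_demo():
        print(f"IOC match: {rel} ({', '.join(algs)})")
```

Two caveats a practitioner would attach to this: the page shows only two of the four hashes per algorithm, so the real set is larger than what is pasted here, and file hashes are the most brittle indicator for a RaaS family, since every affiliate build differs. Treat a hash match as confirmation and rely on the behavioural detections (shadow copy deletion, bcdedit changes, log clearing) for first alerting.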

Read more: https://www.picussecurity.com/resource/lockbit-2.0-ransomware-ttps-used-in-emerging-ransomware-campaigns