LockBit Reborn: Inside the Group’s Post-Takedown Evolution
Summary
LockBit is a long-running ransomware-as-a-service (RaaS) operation active since 2019 that relies on double extortion tactics. Following a large-scale law-enforcement takedown in February 2024, the group re-emerged with new strains, including LockBit-NG-Dev and LockBit 5.0. These latest variants introduce cross-platform support, stronger anti-analysis defenses, and more destructive post-encryption behavior. The operation continues to go after high-value organizations across multiple sectors worldwide.
Investigation
The report traces LockBit’s progression from version 3.0 (LockBit Black), through the experimental LockBit-NG-Dev build, to the current 5.0 iteration. It details technical aspects such as custom cryptographic routines, DLL reflection, .NET CoreRT usage, MPRESS packing, and heavy reliance on hashed service names for stopping processes and services. Documented behavioral shifts include “invisible” execution modes, ETW tampering, and automatic log wiping. The analysis also covers infrastructure disruption carried out under Operation Cronos.
Mitigation
Defenders should maintain offline, immutable backups and routinely verify their restore procedures. Deploy endpoint detection that looks for hallmark ransomware behaviors, including suspicious PowerShell activity, use of VSS administration commands, and abnormal mutex creation. Limit privileged account usage, constrain token duplication techniques, and block known LockBit C2 domains while monitoring for anomalous TLS traffic patterns.
Response
When LockBit activity is detected, immediately isolate the compromised system, capture volatile memory, and gather all pertinent log data. Identify and block the C2 host, terminate the ransomware process, and retain the mutex value for later forensic work. Begin restoration from trusted backups and escalate to internal or external incident response teams. Share indicators of compromise with relevant threat-intelligence and information-sharing communities.
Attack Flow
We are still updating this part.
Detections
- LockBit 5.0 EvtClearLog API Usage Detection [Windows Sysmon]
- Detection of ETW Patching by LockBit 5.0 [Windows System]
- LockBit 3.0 Anti-Debugging and Privilege Escalation Techniques [Windows Process Creation]
- Detect LockBit-NG-Dev Self-Deletion via Fsutil Zero Data [Windows File Event]
- LockBit-NG-Dev Ransomware Detection via Shadow and Backup Deletion [Windows PowerShell]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
The attacker has already placed the ransomware binary on the victim host. To cover its tracks, the ransomware invokes fsutil.exe to overwrite its own file with null bytes, effectively erasing its executable from disk. This is performed after the payload has completed its encryption phase. The steps are:
- Determine the path of the running ransomware executable ($MyPath).
- Call fsutil.exe file setZeroData on $MyPath starting at offset 0 to zero out the entire file.
- Optionally, delete the now-empty file to remove the filesystem entry.
This sequence produces a process-creation event where Image=*\fsutil.exe* and CommandLine=*file setZeroData <path>*, matching the Sigma rule.
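As an added example (not code from the original report or its detection rules), the selection logic described above written as a small Sigma-style matcher and run over constructed Sysmon process-creation records; the field names Image and CommandLine follow the Sigma Windows process_creation log source, and the sample events are made up for illustration.

```python
import json

# Sigma-style selection mirroring the rule described in the narrative:
# Image ends with \fsutil.exe AND CommandLine contains "file setZeroData".
# Sigma string matching is case-insensitive by default, so "setzerodata" also matches.
RULE = {
    "Image|endswith": "\\fsutil.exe",
    "CommandLine|contains": "file setZeroData",
}

def _match_field(value: str, modifier: str, pattern: str) -> bool:
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported modifier: {modifier}")

def matches_rule(event: dict, rule: dict = RULE) -> bool:
    """True only when every field of the selection matches (AND semantics)."""
    for key, pattern in rule.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not _match_field(str(value), modifier, pattern):
            return False
    return True

# Constructed Sysmon EventID 1 style records (not real telemetry).
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\fsutil.exe",
                "CommandLine": "fsutil.exe file setZeroData offset=0 length=256 C:\\Users\\Public\\payload.exe"}),
    # Benign fsutil use: same Image, different subcommand, must not alert.
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\fsutil.exe",
                "CommandLine": "fsutil fsinfo drives"}),
    # fsutil launched inline from PowerShell: Image is powershell.exe, so this
    # record is not matched; the fsutil.exe child process yields its own event.
    json.dumps({"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": "powershell.exe -c \"fsutil file setZeroData offset=0 length=10 x.bin\""}),
]

def scan(lines):
    """Parse JSON event lines and return the CommandLine of every matching event."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if matches_rule(ev):
            hits.append(ev["CommandLine"])
    return hits
```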
Regression Test Script:
# Simulate LockBit-NG-Dev self-deletion via fsutil
# Run from an elevated Windows PowerShell 5.1 prompt: fsutil requires administrator
# rights, and -Encoding Byte is not available in PowerShell 7 (use -AsByteStream there).
# 1. Create a dummy "malicious" executable (simulates the ransomware binary)
$maliciousPath = "$env:TEMP\malicious.exe"
Set-Content -Path $maliciousPath -Value ([byte[]](0..255)) -Encoding Byte -Force
# 2. Verify the file exists and record its size (needed for the length= argument)
$size = (Get-Item $maliciousPath).Length
Write-Host "Created dummy ransomware at $maliciousPath (Size: $size bytes)"
# 3. Overwrite the file with zero bytes using fsutil
#    fsutil syntax: file setZeroData offset=<bytes> length=<bytes> <file>
Write-Host "Overwriting the file with zeros using fsutil..."
fsutil.exe file setZeroData offset=0 length=$size $maliciousPath
# 4. Optional: delete the now-empty file to fully remove traces
Write-Host "Deleting the zeroed file..."
Remove-Item -Path $maliciousPath -Force
Write-Host "Simulation complete. Verify detection in SIEM."
Cleanup Commands:
# Ensure any leftover artifacts are removed
$maliciousPath = "$env:TEMP\malicious.exe"
if (Test-Path $maliciousPath) {
    Remove-Item -Path $maliciousPath -Force
    Write-Host "Removed leftover file $maliciousPath"
} else {
    Write-Host "No leftover artifacts found."
}