Update: LockBit Ransomware | Intel 471

Update: LockBit Ransomware

Mar 17, 2025

Threat Overview - LockBit Ransomware

UPDATE 03/13/2025: LockBit 4.0, the most recent iteration of the notorious ransomware family at this time, continues to pose a significant threat to organizations worldwide. Researchers have observed that this version has enhanced its stealth and adaptability, adding evasion techniques such as disabling security features and using obfuscation to hinder detection. The attack begins with a modified PowerShell script that executes a secondary script, which extracts and deploys a malicious DLL payload. After file encryption, it appends the ".lockbit" extension and drops a ransom note in .txt format, mirroring previous iterations of the family. With new research uncovering the techniques most recently built into LockBit 4.0, threat hunters at Intel 471 have updated the collection with the applicable Hunt Packages.

LockBit Ransomware Emerging Threat Hunt Collection

Get your FREE Community Account today on the HUNTER Platform and get access to behavioral threat hunting content for your SIEM, EDR, NDR, and XDR platforms!

Related Hunt Packages

 

Autorun or ASEP Registry Key Modification

A common method by which adversaries and malicious software alike achieve persistence is adding a program to the startup folder or referencing it from a Registry run key. An entry in the Registry "run keys" or the startup folder causes the referenced program to execute when a user logs in. These locations are often used for legitimate purposes; when used maliciously, however, the key name or value is often obviously suspicious, such as a random name or an object loaded from a temp or public folder.

ACCESS HUNT PACKAGE

 

Possible Delayed Execution in CommandLine Argument Using Ping.exe and Loopback Address

This content is designed to detect when ping.exe is run with a high count in its -n flag against a loopback address. This technique is sometimes used as a sleep substitute, delaying the remainder of a chained command from executing.

ACCESS HUNT PACKAGE

 

Windows Management Instrumentation (WMI) Call to delete ShadowCopy via WMIC Command

The intent of this Hunt Package is to identify when the wmic command is used to delete shadow copies. The provided logic uses the command line to identify matching activity, covering the wmic command both when executed standalone via wmic.exe and when launched by other applications such as Windows Command Prompt or PowerShell. The wmic command uses Windows Management Instrumentation (WMI) to delete the ShadowCopy objects. This activity is commonly performed to disrupt restoration and recovery capabilities.

ACCESS HUNT PACKAGE

 

RansomWare Desktop Wallpaper Notifications

This package identifies activity typically associated with common ransomware notices being created and displayed as the desktop wallpaper.

ACCESS HUNT PACKAGE

 

Potential Exfiltration - Common Rclone Arguments

This package identifies processes executed with common arguments associated with rclone activity used for data exfiltration.

ACCESS HUNT PACKAGE

 

UAC Bypass Attempt via Elevated COM Abuse

This content is designed to detect User Account Control Bypass attempts abusing common COM interfaces within the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList. These COM Objects are designed to start at a higher integrity level and can be manipulated to open another process at the same higher level.

ACCESS HUNT PACKAGE

 

UAC Bypass Method - Cmstplua COM (Process Execution)

This content is designed to detect when the UAC Bypass method is executed via DllHost.exe or CMSTP.exe.

ACCESS HUNT PACKAGE

 

Display Calibrator Registry Key Modification - Potential UAC Bypass Attempt

This package has been designed to capture activity when the "CurrentVersion\ICM\Calibration" registry key has been modified. This activity was recently seen during a LockBit attack.

ACCESS HUNT PACKAGE

 

Remote Desktop Protocol Configuration File Created

This Threat Hunt package identifies the creation or modification of Remote Desktop Protocol (RDP) configuration files (.rdp files) on an endpoint. RDP files can be leveraged by attackers to configure connections with potentially sensitive settings, such as alternate shells or mapped drives, to facilitate unauthorized access or data exfiltration. By looking for the appearance of new or altered .rdp files, this hunt package aims to identify suspicious activity that may indicate a phishing attempt, unauthorized access setup, or lateral movement preparation.

ACCESS HUNT PACKAGE

 

Active Directory Discovery and Reconnaissance - ADFind.exe Execution

The provided logic is designed to identify when ADFind.exe is executed with common flags and designations related to Active Directory enumeration and reconnaissance. Examples include using AdFind to enumerate users on a domain or enumerate administrators on a domain in an attempt to identify potential targets within the organization.

ACCESS HUNT PACKAGE

 

Force Group Policy Update across entire Domain - Powershell

This Hunt Package is designed to identify PowerShell commands consistent with malware attempting to force a Group Policy update and deploy a GPO. Malware operators abuse GPO to distribute their malware easily across all systems on the domain once the malware has compromised a DC in the target environment and reached sufficient privileges.

ACCESS HUNT PACKAGE

 

Methods for Downloading Files with PowerShell

This threat hunt package identifies instances where PowerShell is being used to download files from external sources, a common technique used in malware delivery and lateral movement. The hunt examines various methods by which PowerShell can be leveraged for file downloads, including the use of cmdlets such as Invoke-WebRequest (iwr), Invoke-RestMethod (irm), and Start-BitsTransfer (sbt), as well as direct utilization of .NET classes like System.Net.WebClient and HttpClient. The package also checks for potentially suspicious use of aliases (curl, wget) and other common executables that invoke PowerShell scripts to download malicious payloads.

ACCESS HUNT PACKAGE

 

Wevtutil Cleared Log

This use case is designed to detect when "wevtutil" is used to clear logs, potentially to obscure malicious events that occurred prior to the cleanup.

ACCESS HUNT PACKAGE

 

Potential UAC Bypass via Display Calibrator Registry Key - Powershell Script Block Logging

This package has been designed to capture activity when PowerShell cmdlets are executed to modify the "Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration" registry key, changing the "DisplayCalibrator" value. This technique has been observed during LockBit attacks to elevate privileges on the target system.

ACCESS HUNT PACKAGE

 

Suspicious Executable or Scripts Launched in Common Configuration or System Related Folders

This Hunt Package is intended to identify when suspicious executables or scripts are launched in common configuration or system function related folders. This behavior can be indicative of an adversary attempting to hide their payload as a "legitimate" file or script. A common technique used by various threat actors, including APT groups, to evade detection and maintain persistence on a compromised system is to create such files within the common system folders.

ACCESS HUNT PACKAGE

 

User Added to Default Privileged Windows Security Groups

This package is designed to capture the activity surrounding the execution of command line arguments that add a user to default privileged Windows Security Groups (local and domain).

ACCESS HUNT PACKAGE

 

Mimikatz Driver Installed

This package is meant to identify when the driver named "mimidrv" is installed on a machine. When Mimikatz is downloaded and its associated driver is installed with the command "!+", it includes a signed driver called Mimidrv, which can be used in conjunction with the Mimikatz executable by adding an exclamation point before certain commands. Mimidrv is not widely known or documented, but it enables users to perform actions with a high level of system access, known as "ring 0" privilege.

ACCESS HUNT PACKAGE

 

Display Calibrator Registry Key Modification - Command Line Arguments

The provided logic is designed to capture activity when command line arguments are executed to modify the "CurrentVersion\\ICM\\Calibration" registry key. This activity was recently seen during a LockBit attack.

ACCESS HUNT PACKAGE

 

Zeroing Out a File with 'fsutil.exe'

This content looks for instances where 'fsutil.exe' is used to zero out a file by writing '0000's to the location on disk where the file is stored.

ACCESS HUNT PACKAGE

 

Suspicious bcdedit Activity - Potential Ransomware

BCDEdit is a command-line tool for managing Boot Configuration Data (BCD). Ransomware is known to utilize bcdedit to modify the boot configuration to prevent recovery. The intent of this package is to identify when bcdedit is being utilized with several common malicious commands, such as delete and safeboot.

ACCESS HUNT PACKAGE

 

Mshta Executing Embedded or Appended Code

This package identifies when mshta.exe executes a file that is not a HyperText Application (HTA), VBScript, or JavaScript file. This indicates that the file passed as an argument may contain embedded or appended code that mshta.exe can execute.

ACCESS HUNT PACKAGE

 

Local Data Staging - ADFind.exe

This content has been designed to identify when ADFind.exe is staging data, possibly for exfil, on a local resource. 

ACCESS HUNT PACKAGE

 

Excessive Windows Discovery CommandLine Arguments - Potential Malware Installation

This content is designed to detect when the same discovery tool (ifconfig.exe, netstat.exe, ping.exe) is executed in quick succession with differing arguments and strings.

ACCESS HUNT PACKAGE

 

Microsoft Defender Antivirus Disabled via Registry Key Manipulation

This content is designed to identify when Microsoft Defender Antivirus is disabled through manipulation of the DisableAntiSpyware registry key, or when its threat response behavior is altered by changing its configuration through registry keys.

ACCESS HUNT PACKAGE

 

Shadow Copies Deletion Using Operating Systems Utilities

Ransomware is known to delete Windows shadow copies before it begins encrypting the data on the victim host. This tactic is typically carried out with powershell, vssadmin or wmic. This package identifies activity by powershell, wmic, vssadmin or vssvc with command line arguments containing delete and variations of shadow.

ACCESS HUNT PACKAGE
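The ping.exe loopback delay, wmic/bcdedit and shadow copy deletion packages above all key on process command lines. The following is an added example, not Intel 471's hunt package logic, that implements those three checks in Python over a handful of constructed process-creation events; the minimum ping count of 10 is an assumed threshold.

```python
import re

# Constructed process-creation events (image path + command line); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping -n 60 127.0.0.1 > nul & del "C:\Users\Public\stage.exe"'},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {default} safeboot minimal"},
    {"image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping -n 4 10.0.0.5"},       # benign
    {"image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},  # benign
]

PING_TOKEN = re.compile(r"\bping(?:\.exe)?\b", re.I)
PING_COUNT = re.compile(r"(?:^|\s)-n\s+(\d+)", re.I)
LOOPBACK = re.compile(r"(?:^|\s)(?:127(?:\.\d{1,3}){3}|::1|localhost)(?=\s|$)", re.I)
SHADOW = re.compile(r"shadow(?:copy|copies|s|storage)?", re.I)
SHADOW_TOOLS = ("powershell", "wmic", "vssadmin", "vssvc")  # utilities the hunt package names

def image_name(image):
    """Lower-case file name without the .exe suffix, e.g. 'wmic'."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def ping_delay(image, cmdline, min_count=10):
    """ping -n <high count> against a loopback address: a sleep substitute (threshold assumed)."""
    count = PING_COUNT.search(cmdline)
    return bool(PING_TOKEN.search(cmdline) and count and int(count.group(1)) >= min_count
                and LOOPBACK.search(cmdline))

def shadow_copy_deletion(image, cmdline):
    """powershell/wmic/vssadmin/vssvc with 'delete' plus any variation of 'shadow'."""
    low = cmdline.lower()
    return image_name(image) in SHADOW_TOOLS and "delete" in low and bool(SHADOW.search(low))

def bcdedit_tamper(image, cmdline):
    """bcdedit invoked with the delete or safeboot keywords the hunt package calls out."""
    low = cmdline.lower()
    return image_name(image) == "bcdedit" and ("delete" in low or "safeboot" in low)

RULES = (("ping_loopback_delay", ping_delay),
         ("shadow_copy_deletion", shadow_copy_deletion),
         ("bcdedit_tamper", bcdedit_tamper))

def hunt(events):
    """Apply every rule to each event; return (rule, cmdline) pairs in event order."""
    return [(name, ev["cmdline"]) for ev in events
            for name, rule in RULES if rule(ev["image"], ev["cmdline"])]
```

Running hunt(SAMPLE_EVENTS) flags the first four events and leaves the routine ping and the read-only vssadmin listing alone.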

 

Mega CMD activity potential data exfiltration

MegaCMD is a command-line tool used to manage (and potentially exfiltrate) files on cloud storage. A growing number of ransomware cases have been uncovered in which MegaCMD was used to exfiltrate files from victim machines.

ACCESS HUNT PACKAGE
