S1199 LockBit 2.0
LockBit 2.0 is an affiliate-based Ransomware-as-a-Service (RaaS) that has been in use since at least June 2021 as the successor to LockBit Ransomware. LockBit 2.0 has versions capable of infecting Windows and VMware ESXi virtual machines, and has been observed targeting multiple industry verticals globally.[2][1]
| Item | Value |
|---|---|
| ID | S1199 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 24 January 2025 |
| Last Modified | 21 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | LockBit 2.0 can bypass UAC through creating the Registry key `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ICM\Calibration`.[2][1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | LockBit 2.0 can use a Registry Run key to establish persistence at startup.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | LockBit 2.0 can use the PowerShell module `InvokeGPUpdate` to modify Group Policy.[2][1] |
| enterprise | T1059.003 | Windows Command Shell | LockBit 2.0 can use the Windows command shell for multiple post-compromise actions on objective.[2][1][3] |
| enterprise | T1136 | Create Account | LockBit 2.0 has been observed creating accounts for persistence using simple names like "a".[1] |
| enterprise | T1486 | Data Encrypted for Impact | LockBit 2.0 can use standard AES and elliptic-curve cryptography algorithms to encrypt victim data.[1][4] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | LockBit 2.0 can decode scripts and strings in loaded modules.[2][1] |
| enterprise | T1484 | Domain or Tenant Policy Modification | - |
| enterprise | T1484.001 | Group Policy Modification | LockBit 2.0 can modify Group Policy to disable Windows Defender and to automatically infect devices in Windows domains.[2][1] |
| enterprise | T1480 | Execution Guardrails | LockBit 2.0 will not execute on hosts where the system language is set to a language spoken in the Commonwealth of Independent States region.[2][1] |
| enterprise | T1083 | File and Directory Discovery | LockBit 2.0 can exclude files associated with core system functions from encryption.[2] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | LockBit 2.0 can execute command line arguments in a hidden window.[1] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | LockBit 2.0 can disable firewall rules and anti-malware and monitoring software including Windows Defender.[2][1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.001 | Clear Windows Event Logs | LockBit 2.0 can delete log files through the use of `wevtutil`.[2][1][3][4] |
| enterprise | T1070.004 | File Deletion | LockBit 2.0 can delete itself from disk after execution.[2][1][3] |
| enterprise | T1490 | Inhibit System Recovery | LockBit 2.0 has the ability to delete volume shadow copies on targeted hosts.[2][3] |
| enterprise | T1680 | Local Storage Discovery | LockBit 2.0 can enumerate local drive configuration.[2][1] |
| enterprise | T1112 | Modify Registry | LockBit 2.0 can create Registry keys to bypass UAC and for persistence.[2] |
| enterprise | T1135 | Network Share Discovery | LockBit 2.0 can discover remote shares.[2] |
| enterprise | T1120 | Peripheral Device Discovery | LockBit 2.0 has the ability to identify mounted external storage devices.[2] |
| enterprise | T1057 | Process Discovery | LockBit 2.0 can determine if a running process has administrative privileges and terminate processes that interfere with encryption or exfiltration.[2][4] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.002 | SMB/Windows Admin Shares | LockBit 2.0 has the ability to move laterally via SMB.[1][4] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | LockBit 2.0 can be executed via scheduled task.[1] |
| enterprise | T1489 | Service Stop | LockBit 2.0 can automatically terminate processes that may interfere with the encryption or file extraction processes.[4] |
| enterprise | T1082 | System Information Discovery | LockBit 2.0 can enumerate system information including hostname and domain information.[2][1] |
| enterprise | T1614 | System Location Discovery | - |
| enterprise | T1614.001 | System Language Discovery | LockBit 2.0 can check if a targeted machine is using a set of Eastern European languages and exit without infection if so.[2][1] |
| enterprise | T1047 | Windows Management Instrumentation | LockBit 2.0 can use `wmic.exe` to delete volume shadow copies.[3] |
References
- [1] Elsad, A. et al. (2022, June 9). LockBit 2.0: How This RaaS Operates and How to Protect Against It. Retrieved January 24, 2025.
- [2] FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025.
- [3] Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: LockBit 2.0 - All Paths Lead to Ransom. Retrieved January 24, 2025.
- [4] SentinelOne. (n.d.). LockBit 2.0: In-Depth Analysis, Detection, Mitigation, and Removal. Retrieved January 24, 2025.