# LockBit


Based on open-source intelligence, the MITRE ATT&CK® Evaluations team created the LockBit scenario leveraging techniques seen in operations in the wild. The scenario was designed based on tools, resources, and intelligence available at the time.

# Adversary Overview

First launched as “ABCD” ransomware in 2019, LockBit is a notorious ransomware variant known for its use of sophisticated tools, extortion methods, and high-severity attacks. LockBit operates a Ransomware-as-a-Service (RaaS) model, enabling affiliates to launch attacks using its tools. This decentralized approach democratizes access to ransomware tooling and produces a wide variety of affiliate behaviors, which makes detection and response more complex and unpredictable. Law enforcement agencies deemed LockBit the “most deployed ransomware variant across the world” in 2022, and nearly 30% of all ransomware attacks between 2022 and 2023 were conducted by LockBit affiliates. LockBit adapted continuously: it launched bug bounty programs with LockBit 3.0 to improve its tools, targeted both Windows and Linux systems with evolving evasion tactics, and incorporated elements from the now-defunct Conti ransomware into LockBit Green, reflecting the trend of code and tactic recycling in the ransomware ecosystem. To gain access to target systems, LockBit attackers have used legitimate resources (e.g., the penetration testing tools Metasploit and Cobalt Strike, remote desktop protocol (RDP) access, and native utilities such as PowerShell and batch scripts) as well as the exploitation of well-known vulnerabilities (e.g., CVE-2018-13379, CVE-2019-0708, and CVE-2020-1472). LockBit remained pervasive until its global impact prompted a multinational law enforcement operation to disrupt LockBit-affiliated platforms in February 2024. Despite the operation, LockBit continued to be the most prevalent strain until May 2024. Ongoing efforts under Operation Cronos led to the arrest and sanctioning of LockBit operators in October 2024.

# Resources

The Resources folder contains the source code of the emulated software.

All pre-built executables have been removed. To rebuild the binaries, follow the documentation for the respective binary.

# Emulation Key Software 💻

# Scenario Walkthrough

# Acknowledgements

We would like to formally thank the people that contributed to the content, review, and format of this document. This includes the MITRE ATT&CK and MITRE ATT&CK Evaluations teams, the organizations and people that provided public intelligence and resources, as well as the following organizations that participated in the community cyber threat intelligence contribution process:

  • CrowdStrike
  • Microsoft
  • Sophos

# Connect with us 🗨️

We 💖 feedback! Let us know how using ATT&CK Evaluation results has helped you and what we can do better.

# Liability / Responsible Usage

This content is only to be used with appropriate prior, explicit authorization for the purposes of assessing security posture and/or research.

# Notice

© 2024 MITRE Engenuity. Approved for Public Release. Document number CT0005.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

This project makes use of ATT&CK®.

ATT&CK Terms of Use