LockBit v2.0 Ransomware (.lockbit / LockBit_Ransomware.hta + Restore-My-Files.txt / Version Mail)

  • Distribution Method : Mail attachment file
  • MD5 : af26ad535688c65ec72e70d0acf39606
  • Major Detection Name : Ransom.LockBit.Generic (Malwarebytes), Trojan:Win32/Mamson.A!ac (Microsoft)
  • Encrypted File Pattern : .lockbit
  • Malicious File Creation Location :
     - C:\Users\%UserName%\Desktop\LockBit_Ransomware.hta
     - C:\Windows\SysWOW64\AE4161.ico
     - <Drive Letter>:\AE41615B.lock
  • Payment Instruction File : LockBit_Ransomware.hta / Restore-My-Files.txt
  • Major Characteristics :
     - Offline Encryption
     - Blocks execution of processes (Culture.exe, Defwatch.exe, httpd.exe, QBW32.exe, supervise.exe, winword.exe etc.)
     - Stops multiple services (Acronis, DefWatch, QBIDPService, sophos, sqlagent, veeam etc.)
     - Disables system restore (vssadmin delete shadows /all /quiet, wmic shadowcopy delete, bcdedit /set {default} bootstatuspolicy ignoreallfailures, bcdedit /set {default} recoveryenabled no, wmic SHADOWCOPY /nointeractive)
     - Deletes volume shadow copies (Volume Shadow Copy Service)
     - Clears event logs (wevtutil cl application, wevtutil cl security, wevtutil cl system)
     - Changes the icon of encrypted files (.lockbit) and displays the ransom note (%UserProfile%\Desktop\LockBit_Ransomware.hta) when the user opens one.
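The shadow-copy deletion, boot-recovery tampering and event-log clearing listed above happen before encryption and are visible in process-creation telemetry. The Python below is an added example, not AppCheck's code: it matches the exact command lines and file names from this list against a constructed, simplified process-creation log (timestamp|pid|ppid|image|command line, not a real Sysmon or 4688 export) and reports any parent process whose children trip two or more categories.

```python
import re
from typing import Dict, List

# Patterns built from the command lines and artifacts listed in the
# characteristics above. Matching is case-insensitive.
SHADOW_AND_RECOVERY_CMDS = [
    r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
    r"wmic(\.exe)?\s+shadowcopy\s+/nointeractive",
    r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures",
    r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no",
]
LOG_CLEAR_CMDS = [r"wevtutil(\.exe)?\s+cl\s+(application|security|system)"]
RANSOM_ARTIFACTS = [r"LockBit_Ransomware\.hta", r"Restore-My-Files\.txt", r"\.lockbit\b"]

RULES = {
    "shadow_or_recovery_tamper": SHADOW_AND_RECOVERY_CMDS,
    "event_log_clear": LOG_CLEAR_CMDS,
    "lockbit_artifact": RANSOM_ARTIFACTS,
}

def classify_command_line(cmdline: str) -> List[str]:
    """Return the name of every rule category that matches the command line."""
    return [name for name, patterns in RULES.items()
            if any(re.search(p, cmdline, re.IGNORECASE) for p in patterns)]

def detect_pre_encryption_activity(log_text: str, min_categories: int = 2) -> Dict[int, List[str]]:
    """Group events by parent PID; report parents whose children hit at least
    `min_categories` distinct rule categories (e.g. shadow tamper + log clear)."""
    per_parent: Dict[int, set] = {}
    for line in log_text.strip().splitlines():
        _ts, _pid, ppid, _image, cmdline = line.split("|", 4)
        for rule in classify_command_line(cmdline):
            per_parent.setdefault(int(ppid), set()).add(rule)
    return {ppid: sorted(rules) for ppid, rules in per_parent.items()
            if len(rules) >= min_categories}

# Constructed sample log: parent 3377 runs the LockBit-style sequence,
# parents 2200/2201 are benign noise (a shadow listing and a backup agent).
SAMPLE_LOG = r"""
2021-07-01T10:00:01|4021|3377|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet
2021-07-01T10:00:02|4022|3377|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2021-07-01T10:00:02|4023|3377|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no
2021-07-01T10:00:03|4024|3377|C:\Windows\System32\wevtutil.exe|wevtutil cl security
2021-07-01T10:05:00|5100|2200|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2021-07-01T10:06:00|5101|2201|C:\Program Files\Backup\agent.exe|agent.exe --verify
"""

if __name__ == "__main__":
    for ppid, hits in detect_pre_encryption_activity(SAMPLE_LOG).items():
        print(f"parent pid {ppid}: {', '.join(hits)}")
```

A single shadow-copy listing or one bcdedit call is common admin noise; requiring two categories under one parent keeps the alert focused on the chained behaviour this sample shows.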