181222 hacker 2
LockBit is the cyber criminal gang behind the LockBit 2.0 fast-spreading 'ransomware'. Image Credit: File / Gulf News


  • ‘Self-piloted’ attacks by LockBit allows it to automatically block access to victim computer systems — until a sum of money is paid. 
  • Hacker gangs behind “ransomware” attacks threaten to spill valuable data from networks they hacked into.
  • If a victims does not pay up, then they also sell that same data to the “dark web” market for hackers.

There’s a new variant of cyber attacks. It is known as LockBit. It’s gaining notoriety for its stealth abilities. It’s no ordinary “ransomware”.

It belongs the latest crop of “self-piloted” malicious software, automatically blocking access to computer networks — until a sum of money is paid.

What we know so far:

What is it?

In the cyber-security community, it is known as LockBit 2.0.

Who’s behind it?

LockBit is the cyber criminal gang behind this malware, and are known to for close relations with a “family" of malware, including LockerGoga and MegaCortex, according to cyber security company Kaspersky.

It shares common tactics, techniques, and procedures (TTPs) with these malicious attacks.

What does the FBI say about it?

In a “flash report” the US Federal Bureau of Investigation (FBI) published February 4, 2022, the agency explains: “LockBit 2.0 is best described as a heavily-obfuscated ransomware application leveraging bitwise operations to decode strings and load required modules to evade detection.”

What does that mean?

LockBit is inherently designed to evade detection. It has the ability to target specific victims, instead of random networks or users. This capability to propagate automatically to new targets allows it to be used in targeted attacks — instead of simply “spamming” or attacking random users or organisations.

Lockbit 2.0
A screenshot indicating a victim network or user has been attacked by LockBit 2.0 ransomware. Image Credit: 'Flash Report' / FBI

What is the underlying tool behind it? Does it affect Mac networks too?

It mostly attacks Windows-based system — by using tools and protocols that are native to the Window environment.

Some of the known underlying tools it relies on — such as Windows PowerShell and Server Message Block (SMB) — allows it to lock (encrypt) target networks.

Ransomware as a Service (RaaS) is a "business" model between ransomware operators and affiliates in which affiliates pay to launch ransomware attacks developed by operators. It’s a variant of software as a service (SaaS) business model, but with nefarious intent.

Why is it dangerous?

One reason is that LockBit 2.0 has become the malware of choice for many “Dark Web” type of attack groups in recent months. It has increased in popularity, due to its nature as a “service”, a new way for the hacker community to make money.

How it works is a bit like this: when a host is compromised, LockBit then “scans” the network — and finds and infects other accessible devices. This makes it more difficult for a set security tools known as “endpoint security” to detect or identify the activity as malicious.


How it works is a bit like this: when a host is compromised, LockBit then “scans” the network — and finds and infects other accessible devices. This makes it more difficult for a set security tools known as “endpoint security” to detect or identify the activity as malicious.

What do cyber security companies say about it?

According to Kaspersky, the gang behind LockBit 2.0 follow the “Ransomware-as-a-Service” (RaaS) “business model”, which lets other groups use the “tool” to encrypt and attack target company networks as they wish.

How many are the known victims of LockBit?


Known victims of LockBit 2.0 as of October 2021

As of October 2021, the malware had at least 203 known victims, as per a list on its data-leak site. In terms of the number of claimed victims, the ransomware Conti is the second-highest, with 71 listed victims, according to cybernews.com, which tracks the cyber security community.

What happens when a network is hit by LockBit 2.0?

LockBit 2.0 is similar to DarkSide, BlackMatter and REvil. The outcome of an attack is similar. As such, LockBit it is programmed to search and analyse valuable targets, spread the infection, and encrypt all accessible computer systems on a network (user/data owner is deprived of access).

What does a “self-piloted” cyberattack mean?

As a “self-piloted cyberattack”, LockBit attackers have distinguished themselves by threatening businesses and organisation — anywhere in the world — with some of the following threats:

  • > Disruption of operations, with key business processes coming to a sudden halt.
  • > Extortion, with the aim of financial benefit for the hacker.
  • > Blackmail through illegal publication of sensitive information and data theft.

In a blog, Tom Bradley of Cybereason, states that LockBit “continues to adapt and evolve”, sort of like a virus that is programmed by its developers to “mutate” or develop variants, for use in targeted attacks.

Are more LockBit attacks to be expected?

In its “flash report” publicshed on the government-owned ic3.gov site, the FBI detailed “indicators of compromise” (IOCs) associated with attacks using LockBit 2.0. The agency says the malware “employs a wide variety of tactics, techniques, and procedures, creating significant challenges for defence and mitigation.”

Does it have other 'variants'?

Yes. More recent “variants” of LockBit have adopted the “double extortion” model— locating and “exfiltrating” valuable data before encrypting systems.

This way, the stolen data provides additional incentive for victims with a stake in the stolen data, forcing them pay the ransom.

When owners of victim network that is able to restore data from backups refuses to pay — it could lead to sensitive corporate data being published publicly or sold to competitors or other interested in the “Dark Web”, the hidden collective of internet sites only accessible by a specialised web browser utilised for maintaining anonymity on the internet.

What about steps to curb risk of ransomware attack?

There are key steps FBI recommended to curb exposure to ransomware attacks. Some specific steps organisations can take to minimise their vulnerability to an attack by the ransomware, including the usual key defences:

  • Employing multi-factor and strong authentication
  • Updating software
  • Using network segmentation
  • Restricting user privileges to admin accounts
  • Running a host-based firewall that limits connects to admin shares
  • Ensuring offline data backups
  • Other "best practices”.

Top 10 most well-known ransomware strains

  • Bad Rabbit
  • Cryptolocker
  • GoldenEye
  • Jigsaw
  • Locky
  • Maze
  • NotPetya
  • Petya
  • Ryuk
  • Wannacry