lockbit
Group profile
LockBit is one of the most prolific ransomware groups on record. It operates as a full ransomware-as-a-service (RaaS) platform: the core developers maintain the malware builder, the leak site and the negotiation infrastructure, while affiliates conduct the intrusions and split the ransom. At its peak the group accounted for an estimated 44% of all ransomware incidents worldwide in 2023, with victims in virtually every sector.
MITRE ATT&CK TTPs
Initial Access
T1078 Valid Accounts
Compromised credentials, purchased from initial access brokers or harvested through phishing, are used to authenticate to victim environments over RDP or VPN.
T1190 Exploit Public-Facing Application
LockBit affiliates exploit vulnerabilities in internet-facing applications and perimeter devices, including Citrix NetScaler ADC/Gateway (Citrix Bleed, CVE-2023-4966) and Fortinet FortiOS SSL VPN appliances, to gain initial access.
T1566 Phishing
Spear-phishing emails with malicious attachments or links deliver the initial stagers.
Execution
T1047 Windows Management Instrumentation
WMI is used for remote execution of payloads across compromised hosts.
T1053.005 Scheduled Task/Job: Scheduled Task
Scheduled tasks are created for persistent execution of the LockBit payload and post-compromise tooling.
T1059.001 Command and Scripting Interpreter: PowerShell
PowerShell scripts are used to deploy ransomware payloads and execute post-exploitation modules.
Persistence
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Registry Run keys are modified so that the ransomware payload executes again after a reboot.
Defense Evasion
T1027 Obfuscated Files or Information
LockBit payloads are packed and obfuscated. LockBit 3.0 (LockBit Black) reuses code from BlackMatter ransomware and adds anti-analysis techniques, among them a launch-time password that decrypts the payload in memory, so a sample captured without the affiliate's password cannot be run or unpacked for analysis.
T1070.001 Indicator Removal: Clear Windows Event Logs
Event logs are cleared to remove forensic evidence of the intrusion, before or after ransomware deployment.
T1562.001 Impair Defenses: Disable or Modify Tools
Windows Defender and other AV/EDR tools are disabled via PowerShell commands and Group Policy modifications before the ransomware is deployed.
Credential Access
Discovery
T1046 Network Service Discovery
Network scanning tools (Advanced IP Scanner, nmap) are used to enumerate hosts, open ports and services within the victim environment.
T1482 Domain Trust Discovery
Active Directory is enumerated to map domain trusts and identify targets for lateral movement and domain compromise.
Lateral Movement
T1021.001 Remote Services: Remote Desktop Protocol
RDP with stolen credentials is used extensively for lateral movement across the victim network.
T1021.002 Remote Services: SMB/Windows Admin Shares
PsExec and SMB admin shares (ADMIN$, C$) are used to copy and execute the ransomware payload on remote hosts.
T1210 Exploitation of Remote Services
Unpatched internal services are exploited to move laterally within the network.
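The discovery and lateral-movement techniques above (T1046 scanning, T1021.001 RDP and T1021.002 SMB) share one observable: a single source host reaching many destinations in a short window. The following is an added example, not code from the page or from any LockBit tooling, of a fan-out detector over connection records such as Sysmon Event ID 3 or firewall flow logs. The flow records are constructed, and the thresholds (10 distinct hosts on a lateral port, or 10 hosts across 5 or more ports, within 30 minutes) are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports whose fan-out maps to the lateral-movement techniques above.
LATERAL_PORTS = {445: "T1021.002 (SMB/admin shares)", 3389: "T1021.001 (RDP)"}


def make_flows():
    """Constructed connection records (ts, src, dst, dst_port); not real traffic."""
    base = datetime(2024, 3, 2, 2, 0, 0)
    flows = []
    # Scanner: one host sweeping 30 neighbours across six ports (T1046).
    for i in range(1, 31):
        for j, port in enumerate((22, 80, 135, 139, 445, 3389)):
            flows.append((base + timedelta(seconds=i * 6 + j), "10.0.5.23", f"10.0.5.{i}", port))
    # Lateral mover: RDP to 12 servers over 12 minutes (T1021.001).
    for i in range(1, 13):
        flows.append((base + timedelta(minutes=10 + i), "10.0.5.50", f"10.0.9.{i}", 3389))
    # Administrator: RDP to three jump hosts, expected behaviour.
    for i in range(1, 4):
        flows.append((base + timedelta(minutes=30 + i), "10.0.5.10", f"10.0.9.{i}", 3389))
    return flows


def detect_fanout(flows, window=timedelta(minutes=30), host_threshold=10, port_threshold=5):
    """Return {src: set(reasons)} for sources whose distinct-destination fan-out
    inside any sliding window of `window` length crosses the thresholds."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[1]].append(f)
    alerts = {}
    for src, fl in by_src.items():
        fl.sort()  # tuples sort by timestamp first
        reasons = set()
        start = 0
        for end in range(len(fl)):
            # Advance the window start so fl[start:end+1] spans at most `window`.
            while fl[end][0] - fl[start][0] > window:
                start += 1
            win = fl[start:end + 1]
            hosts_per_port = defaultdict(set)
            for _, _, dst, port in win:
                hosts_per_port[port].add(dst)
            distinct_hosts = {d for _, _, d, _ in win}
            # Many hosts across many ports: service sweep (T1046).
            if len(hosts_per_port) >= port_threshold and len(distinct_hosts) >= host_threshold:
                reasons.add("T1046 (network service scan)")
            # Many hosts on one lateral port: RDP or SMB fan-out.
            for port, label in LATERAL_PORTS.items():
                if len(hosts_per_port[port]) >= host_threshold:
                    reasons.add(label)
        if reasons:
            alerts[src] = reasons
    return alerts


if __name__ == "__main__":
    for src, reasons in detect_fanout(make_flows()).items():
        print(src, sorted(reasons))
```

A scanner trips both the sweep rule and the per-port rules, which is expected; the per-port rules exist for the quieter case of an operator who already knows the targets and only uses RDP or SMB. Exclude known scanners, backup servers and jump hosts from `by_src` before alerting, otherwise these rules are noisy.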
Collection
T1560.001 Archive Collected Data: Archive via Utility
7-Zip and WinRAR are used to compress stolen data before exfiltration as part of double-extortion operations.
Exfiltration
T1048 Exfiltration Over Alternative Protocol
SFTP and FTP are used to transmit stolen data to actor-controlled infrastructure.
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
Rclone and MEGAsync are used to exfiltrate victim data to cloud storage services ahead of encryption as part of the double-extortion model.
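Exfiltration to cloud storage is visible on the proxy or egress firewall long before the ransom note appears. As an added example (not code from the page, from LockBit or from Rclone/MEGAsync), the block below runs two detections over a constructed proxy log: the sync-tool user agents named above, and a sliding-window volume check on uploads to cloud-storage domains. The CSV format, the domain list, the 500 MiB per hour threshold and the user-agent prefixes are assumptions to adjust to the environment.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed list of cloud-storage destinations; tune to what the business actually uses.
CLOUD_STORAGE_SUFFIXES = ("mega.nz", "mega.co.nz", "dropbox.com", "drive.google.com", "amazonaws.com")
# Assumed user-agent prefixes of the sync tools named in the TTP above.
SYNC_TOOL_PREFIXES = {"rclone/": "rclone", "MEGAsync/": "MEGAsync"}

# Constructed proxy log, not captured traffic. bytes_out is the request body size.
SAMPLE_PROXY_LOG = """\
ts,src,dst,bytes_out,user_agent
2024-03-02T01:14:05Z,FS01,g.api.mega.co.nz,734003200,MEGAsync/4.9.5
2024-03-02T01:20:41Z,FS01,gfs270n392.userstorage.mega.co.nz,1073741824,MEGAsync/4.9.5
2024-03-02T01:33:12Z,WS07,s3.us-east-1.amazonaws.com,52428800,rclone/v1.65.2
2024-03-02T09:02:00Z,WS03,drive.google.com,4194304,Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
2024-03-02T09:15:22Z,WS03,mega.nz,2097152,Mozilla/5.0 (Windows NT 10.0) Chrome/122.0
"""


def parse_log(text):
    """Parse the CSV into dicts with a real datetime, sorted by time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": r["src"],
            "dst": r["dst"].lower(),
            "bytes_out": int(r["bytes_out"]),
            "ua": r["user_agent"],
        })
    return sorted(rows, key=lambda r: r["ts"])


def is_cloud_storage(dst):
    """Suffix match so that per-file storage hosts (e.g. *.userstorage.mega.co.nz) count."""
    return any(dst == s or dst.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def detect_exfil(rows, window=timedelta(hours=1), threshold_bytes=500 * 2**20):
    """Return {src: set(reasons)}. Reasons are 'sync_tool:<name>' for a known
    exfiltration client and 'bulk_upload' when bytes sent to cloud storage
    inside any `window` reach `threshold_bytes`."""
    alerts = defaultdict(set)
    recent = defaultdict(deque)  # src -> (ts, bytes) uploads to cloud storage in the window
    for r in rows:
        for prefix, tool in SYNC_TOOL_PREFIXES.items():
            if r["ua"].startswith(prefix):
                alerts[r["src"]].add(f"sync_tool:{tool}")
        if not is_cloud_storage(r["dst"]):
            continue
        q = recent[r["src"]]
        q.append((r["ts"], r["bytes_out"]))
        while q and r["ts"] - q[0][0] > window:
            q.popleft()
        if sum(b for _, b in q) >= threshold_bytes:
            alerts[r["src"]].add("bulk_upload")
    return dict(alerts)


if __name__ == "__main__":
    for src, reasons in detect_exfil(parse_log(SAMPLE_PROXY_LOG)).items():
        print(src, sorted(reasons))
```

In the sample, the file server FS01 is flagged on both volume and tooling, WS07 only on the rclone user agent (50 MiB is under the threshold, but the tool itself has no business reason on a workstation), and WS03's small browser uploads raise nothing. Rclone can be told to send any user agent, so treat the volume rule as the durable signal and the user-agent rule as a cheap bonus.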
Command and Control
Impact
T1486 Data Encrypted for Impact
Earlier LockBit versions encrypt file contents with AES-256 and protect the keys with RSA-2048; LockBit 3.0 (Black) instead encrypts file contents with Salsa20, in line with its BlackMatter lineage. Encrypted files are renamed with a victim-specific extension. Payloads are generated by the affiliate through the RaaS builder, so extension, ransom note and configuration vary per intrusion.
T1489 Service Stop
Database, backup and security services are terminated before encryption so that their files are not locked and encryption coverage is maximised.
T1490 Inhibit System Recovery
Shadow copies and backups are deleted with vssadmin and wmic commands to prevent recovery without paying the ransom.
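The defense-evasion and impact steps above (T1562.001 Defender tampering, T1070.001 log clearing, T1489 service stops, T1490 shadow-copy deletion) all run as ordinary command lines minutes before encryption, so process-creation telemetry (Sysmon Event ID 1, or Security 4688 with command-line auditing) catches them. The block below is an added example, not code from the page or from LockBit, of a small rule set over such events plus a per-host correlation that only escalates when several of these techniques appear on the same machine. The events are constructed; vssadmin and wmic come from the TTP text, while wevtutil, Set-MpPreference and net/sc stop are assumed here as the usual implementations of the other three techniques.

```python
import re
from collections import defaultdict

# (technique, rule name, pattern over the full command line)
RULES = [
    ("T1490", "vssadmin shadow copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "wmic shadow copy deletion",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1562.001", "Defender real-time monitoring disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I)),
    ("T1070.001", "event log cleared with wevtutil",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I)),
    ("T1489", "service stopped with net/sc",
     re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+\S+", re.I)),
]

# Constructed process-creation events (not from a real incident).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic.exe shadowcopy delete /nointeractive"},
    {"host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS01", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop MSSQLSERVER /y"},
    # Benign lookalikes: listing shadows and stopping the print spooler.
    {"host": "WS02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "WS02", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop Spooler"},
]


def detect(events):
    """Return one hit per (event, matching rule)."""
    hits = []
    for ev in events:
        for technique, name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "technique": technique,
                             "rule": name, "cmdline": ev["cmdline"]})
    return hits


def correlate(hits, min_techniques=2):
    """Escalate hosts on which at least `min_techniques` distinct techniques fired.
    A lone service stop is routine administration; several of these steps on one
    host in the same batch is the pre-encryption staging sequence."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].add(h["technique"])
    return {host: techs for host, techs in per_host.items() if len(techs) >= min_techniques}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(h["host"], h["technique"], h["rule"])
    print("staging hosts:", correlate(found))
```

Run as-is it reports five hits on WS01 and one on WS02, and only WS01 survives correlation. In production the correlation window should be bounded in time (the five WS01 commands typically land within minutes), and `vssadmin delete shadows` alone is high-fidelity enough to page on without waiting for a second technique.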
Recent victims
| Date | Website / victim | Sector | Country |
|---|---|---|---|
| 2021-08-23 | Bangkok Airways | Transportation/Logistics | TH |
| 2021-07-30 | Accenture | Technology | |
| 2021-04-01 | Merseyrail (rail network) | Transportation/Logistics | GB |
| 2020-11-30 | Kopter | Manufacturing | CH |
| 2020-10-21 | Press Trust of India (PTI) | Technology | IN |