LockBit Defensive Triage Notes
Ransomware notes for educational and defensive malware triage.
Executive Summary
LockBit is ransomware deployed at the end of hands-on intrusions, typically by operators who have already obtained credentials and moved laterally, and usually paired with data theft for extortion. Defensive triage therefore looks in four places: the pre-encryption staging (discovery, credential access, lateral movement), the encryption itself (renamed files, ransom notes), attempts to inhibit recovery (shadow copy and backup deletion), and the remote access path the operators used to get in.
Malware Type
Ransomware
Common Behavior
- Attempts to inhibit recovery by deleting Volume Shadow Copies, disabling Windows boot recovery, or deleting backups and backup catalogs.
- Encrypts files, appends a new extension to encrypted files, and drops ransom notes in affected directories.
- Appears late in an intrusion, after credential access, discovery, and lateral movement; the encryptor is often pushed to many hosts at once, so one host's triage findings usually apply fleet-wide.
MITRE ATT&CK Mapping
- T1486 Data Encrypted for Impact
- T1490 Inhibit System Recovery
- T1083 File and Directory Discovery
IOCs Placeholder
IOCs vary by campaign and should be validated before use. Add confirmed hashes, domains, URLs, IPs, registry paths, file paths, or mutexes from authorized investigations only.
Detection Opportunities
- Monitor for shadow copy deletion and recovery-disruption commands (vssadmin delete shadows, wmic shadowcopy delete, bcdedit changes to recovery settings, wbadmin catalog deletion) and for a single process renaming or writing many files with a new extension in a short window.
- Hunt for archive creation, network and directory discovery, and remote execution (service creation on remote hosts, WMI, remote PowerShell) in the days before encryption; the encryptor is the last step of the intrusion, not the first.
- Review EDR process trees for scripting engines (PowerShell, cmd, wscript, cscript) launching recovery-disruption utilities; an interactive administrator rarely deletes all shadow copies from a script.
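The following is an added example (not code from the original notes) showing two of the detection opportunities above as working logic run over constructed sample telemetry: a command-line matcher for recovery-disruption utilities (T1490) with a parent-process check for scripting engines, and a sliding-window detector for a burst of renames to one new extension by a single process (T1486). The event field names, the parent-process list, the thresholds and all sample events are assumptions made for the example; map them onto your own EDR schema before use.

```python
"""Added example (not from the original notes): a small detector for two of the
triage signals listed above, run over constructed sample telemetry.

Signal 1: recovery-inhibition commands (T1490), such as shadow-copy deletion,
          boot-recovery disablement and backup-catalog deletion, with a check
          for scripting engines as the parent process.
Signal 2: a burst of file renames to one new extension by a single process in a
          short window, the rename/write pattern of bulk encryption (T1486).

Field names, parent-process list, thresholds and the sample events below are
assumptions made for this example; map them onto your EDR schema before use.
"""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Recovery-disruption command patterns (T1490), matched case-insensitively
# against the full command line. Listing shadows ("vssadmin list shadows")
# deliberately does not match: the signal is deletion or resizing, not inspection.
RECOVERY_INHIBIT_PATTERNS = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_recovery_disable",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

# Scripting engines and shells whose children deserve a closer look (assumed list).
SCRIPTING_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                     "wscript.exe", "cscript.exe", "mshta.exe"}


def check_process_event(event):
    """Return finding labels for one process-creation event ([] when nothing matches).

    event: {"cmdline": str, "parent_image": str}
    """
    findings = []
    parent = event.get("parent_image", "").lower()
    for label, pattern in RECOVERY_INHIBIT_PATTERNS:
        if pattern.search(event.get("cmdline", "")):
            finding = "T1490:" + label
            if parent in SCRIPTING_PARENTS:
                finding += " (parent is scripting engine %s)" % parent
            findings.append(finding)
    return findings


def detect_rename_bursts(file_events, window_seconds=10, threshold=50):
    """Flag (pid, new extension) pairs with >= threshold renames inside any
    window_seconds-long sliding window. file_events: dicts with "ts" (datetime),
    "pid", "op" and "new_path". Returns a list of alert dicts."""
    groups = defaultdict(list)
    for ev in file_events:
        if ev["op"] != "rename":
            continue
        ext = os.path.splitext(ev["new_path"])[1].lower()
        groups[(ev["pid"], ext)].append(ev["ts"])
    alerts = []
    for (pid, ext), stamps in groups.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most window_seconds.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"pid": pid, "extension": ext, "peak_renames": peak})
    return alerts


# Constructed sample telemetry (not real captures). ".zzz" is a placeholder
# extension; the burst detector does not depend on any specific extension.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_PROCESS_EVENTS = [
    {"cmdline": "vssadmin.exe delete shadows /all /quiet", "parent_image": "powershell.exe"},
    {"cmdline": "vssadmin list shadows", "parent_image": "cmd.exe"},
    {"cmdline": "bcdedit /set {default} recoveryenabled no", "parent_image": "explorer.exe"},
]
SAMPLE_FILE_EVENTS = (
    [{"ts": T0 + timedelta(milliseconds=50 * i), "pid": 4321, "op": "rename",
      "new_path": r"C:\Users\alice\Documents\file%d.docx.zzz" % i} for i in range(60)]
    + [{"ts": T0 + timedelta(seconds=15 * i), "pid": 777, "op": "rename",
        "new_path": r"C:\Backups\report%d.bak" % i} for i in range(5)]
)


def run_sample():
    """Run both detectors over the constructed events and return the findings."""
    process_findings = [check_process_event(e) for e in SAMPLE_PROCESS_EVENTS]
    return {"process": process_findings,
            "rename_bursts": detect_rename_bursts(SAMPLE_FILE_EVENTS)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2))
```

The rename-burst threshold (50 renames in 10 seconds) is a starting point, not a tuned value: legitimate bulk operations (backup agents, build systems, mass file migrations) will trip it, so pair the alert with the process image and parent, and treat a burst that follows a T1490 hit on the same host as high confidence rather than alerting on either signal alone.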
Defensive Recommendations
- Isolate affected hosts from the network without powering them off, preserve forensic evidence (memory, EDR telemetry, event logs, the ransom note and a sample of encrypted files), and verify that backups are intact and were not reachable by the intruder before restoring from them.
- Rotate credentials that may have been exposed during the intrusion, including domain administrator and service accounts and any credentials cached on hosts the operators touched.
- Review remote access paths (VPN, exposed RDP, remote management tools) and lateral movement telemetry to find the initial foothold and close it before bringing systems back online.
Disclaimer
Educational and defensive use only. These notes support authorized analysis and detection engineering. They are not attribution claims and should not be treated as a complete malware verdict by themselves.