Goldberg's technical analysis of a real, high-impact threat. Atomic indicators vary per affiliate and build — see references; pull current IOCs before hunting.
Overview
LockBit ran one of the most industrialised RaaS operations in the ecosystem: core developers maintain the encryptor and infrastructure, while affiliates do the intrusions and split the proceeds. That division of labour, plus relentless engineering for speed, made LockBit a dominant ransomware brand for years.
Encryption & evasion
- Intermittent encryption (from 3.0): encrypting only chunks of each file dramatically speeds the attack and weakens detection that watches for full-file rewrites.
- Speed: later versions lock large estates in minutes — compressing the defender's response window.
- Obfuscation: dynamic API resolution via hashing; in recent builds, payloads loaded by DLL reflection to stay off disk.
- Disables/deletes shadow copies and tampers with recovery and security tooling pre-encryption.
Operation Cronos (Feb 2024)
An NCA-led, ten-country operation seized 34 servers, took the leak sites and payment portals, froze 200+ wallets, and — significantly — recovered source code, internal comms, and decryption keys. It badly damaged LockBit's brand and trust among affiliates. Yet the LockBit operation persisted, with LockBit 5.0 surfacing afterward — underscoring how hard it is to permanently kill a mature RaaS.
Detection & hardening
- Watch for mass file-modification with partial-write patterns (intermittent encryption) and shadow-copy deletion (vssadmin/wmic).
- Detect the precursors — the intrusion, not just the encryptor: stolen creds, RMM abuse, lateral movement.
- Offline, immutable backups; tested recovery; least-privilege and MFA to deny the affiliate the foothold.
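As an added illustration of the two detections in the first bullet (not code from the analysis or from any vendor tool), the following Python runs a shadow-copy-deletion command-line rule and a partial-write-burst rule over constructed sample telemetry. The event format, regexes, window and file-count thresholds are assumptions and would need tuning against real baselines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for the shadow-copy deletion the page names (vssadmin / wmic).
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
]

# Constructed sample telemetry (not real data). Each event is
# (iso timestamp, pid, kind, detail); a file_write detail is (path, file size, bytes written).
EVENTS = [
    ("2024-02-20T10:00:00", 4120, "process", "cmd.exe /c vssadmin.exe delete shadows /all /quiet"),
    ("2024-02-20T10:00:01", 4120, "process", "wmic shadowcopy delete"),
    ("2024-02-20T10:00:02", 4120, "process", "cmd.exe /c ipconfig /all"),  # benign
] + [
    ("2024-02-20T10:00:%02d" % (3 + i), 5500, "file_write",
     (r"C:\share\doc%d.xlsx" % i, 1_048_576, 4096)) for i in range(8)  # 4 KiB of a 1 MiB file
] + [
    ("2024-02-20T10:05:00", 7001, "file_write", (r"C:\users\a\notes.txt", 2048, 2048)),  # full rewrite
]

def flag_shadow_deletion(events):
    """Return (ts, pid, cmdline) for process events whose command line deletes shadow copies."""
    return [(ts, pid, d) for ts, pid, kind, d in events
            if kind == "process" and any(p.search(d) for p in SHADOW_DELETE)]

def flag_partial_write_bursts(events, min_files=5, window=timedelta(seconds=10)):
    """Return {pid: distinct files} for processes that partially rewrote (bytes written
    < file size) at least min_files distinct files inside one sliding time window:
    the intermittent-encryption signature that a full-file-rewrite rule would miss."""
    per_pid = defaultdict(list)
    for ts, pid, kind, detail in events:
        if kind == "file_write" and detail[2] < detail[1]:
            per_pid[pid].append((datetime.fromisoformat(ts), detail[0]))
    flagged = {}
    for pid, writes in per_pid.items():
        writes.sort()
        for i, (t0, _) in enumerate(writes):
            files = {path for t, path in writes[i:] if t - t0 <= window}
            if len(files) >= min_files:
                flagged[pid] = len(files)
                break
    return flagged

if __name__ == "__main__":
    for hit in flag_shadow_deletion(EVENTS):
        print("shadow-copy deletion:", hit)
    print("partial-write bursts:", flag_partial_write_bursts(EVENTS))
```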