- Distribution Method: Mail attachment file
- MD5: af26ad535688c65ec72e70d0acf39606
- Major Detection Name: Ransom.LockBit.Generic (Malwarebytes), Trojan:Win32/Mamson.A!ac (Microsoft)
- Encrypted File Pattern: .lockbit
- Malicious File Creation Location:
  - C:\Users\%UserName%\Desktop\LockBit_Ransomware.hta
  - C:\Windows\SysWOW64\AE4161.ico
  - <Drive Letter>:\AE41615B.lock
- Payment Instruction File: LockBit_Ransomware.hta / Restore-My-Files.txt
- Major Characteristics:
  - Offline encryption
  - Blocks execution of processes (Culture.exe, Defwatch.exe, httpd.exe, QBW32.exe, supervise.exe, winword.exe, etc.)
  - Stops multiple services (Acronis, DefWatch, QBIDPService, sophos, sqlagent, veeam, etc.)
  - Disables system restore (vssadmin delete shadows /all /quiet, wmic shadowcopy delete, bcdedit /set {default} bootstatuspolicy ignoreallfailures, bcdedit /set {default} recoveryenabled no, wmic SHADOWCOPY /nointeractive)
  - Deletes Volume Shadow Copy Service (Volume Shadow Copy)
  - Clears event logs (wevtutil cl application, wevtutil cl security, wevtutil cl system)
  - Changes the icon of encrypted (.lockbit) files and displays the ransom note (%UserProfile%\Desktop\LockBit_Ransomware.hta) when the user opens one.
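The system-restore and event-log commands listed above are the parts of this sample's behaviour that show up in ordinary process-creation telemetry, which makes them a practical detection point. The following Python detection logic is an added example and is not part of the original post: it scans process-creation events for the exact `vssadmin`, `wmic`, `bcdedit` and `wevtutil` command lines given under Major Characteristics. The `Image=...;CommandLine=...` event format and the sample events are constructed for illustration and do not come from a real host.

```python
"""Flag shadow-copy deletion, recovery disabling and event-log clearing
commands in process-creation events (added example; log format and
sample events are constructed, not captured from a real system)."""
import re
from dataclasses import dataclass

# Each rule: (name, regex on the process image, regex on the command line).
# Matching is case-insensitive because Windows accepts any casing of these
# utilities and their arguments, and the sample's own command lines mix case
# (e.g. "wmic SHADOWCOPY /nointeractive").
RULES = [
    ("shadow_copy_delete_vssadmin", r"vssadmin(\.exe)?$", r"delete\s+shadows"),
    ("shadow_copy_delete_wmic", r"wmic(\.exe)?$",
     r"shadowcopy\s+(delete|/nointeractive)"),
    ("recovery_disabled_bcdedit", r"bcdedit(\.exe)?$",
     r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures"),
    ("event_log_cleared_wevtutil", r"wevtutil(\.exe)?$",
     r"\bcl\s+(application|security|system)\b"),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    command_line: str


def parse_event(line):
    """Parse one constructed 'Key=Value;Key=Value' process-creation event."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def match_rules(image, command_line):
    """Return the names of all rules whose image and command-line patterns both match."""
    hits = []
    for name, image_re, cmd_re in RULES:
        if (re.search(image_re, image, re.IGNORECASE)
                and re.search(cmd_re, command_line, re.IGNORECASE)):
            hits.append(name)
    return hits


def scan_events(lines):
    """Run every rule over every event and collect the findings in event order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        image = event.get("Image", "")
        cmd = event.get("CommandLine", "")
        for rule in match_rules(image, cmd):
            findings.append(Finding(rule, image, cmd))
    return findings


# Constructed sample: four events mirroring the commands listed on this page,
# plus two benign events (a read-only vssadmin query and a text editor).
SAMPLE_EVENTS = """\
Image=C:\\Windows\\System32\\vssadmin.exe;CommandLine=vssadmin delete shadows /all /quiet
Image=C:\\Windows\\System32\\wbem\\WMIC.exe;CommandLine=wmic shadowcopy delete
Image=C:\\Windows\\System32\\bcdedit.exe;CommandLine=bcdedit /set {default} recoveryenabled no
Image=C:\\Windows\\System32\\wevtutil.exe;CommandLine=wevtutil cl security
Image=C:\\Windows\\System32\\vssadmin.exe;CommandLine=vssadmin list shadows
Image=C:\\Windows\\System32\\notepad.exe;CommandLine=notepad.exe Restore-My-Files.txt
""".splitlines()

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"{finding.rule:30} {finding.command_line}")
```

Each rule requires both the process image and the command line to match, so a read-only `vssadmin list shadows` or a script that merely mentions the word "shadowcopy" is not flagged. On a real host these commands also appear during legitimate administration, so the signal is strongest when several of them fire within a short window from the same parent process, which is the pattern this sample produces.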