Try in Splunk Security Cloud


Leverage searches that allow you to detect and investigate unusual activities that might relate to the LockBit ransomware, including looking for file writes (file encryption and ransomware notes), deleting services, terminating processes, registry key modification and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2023-01-16
  • Author: Teoderick Contreras, Splunk
  • ID: 67e5b98d-16d6-46a6-8d00-070a3d1a5cfc


LockBit ransomware was first seen in 2019. This ransomware was used by cybercriminal in targeting multiple sectors and organizations. Lockbit is one of the ransomware being offered as a Ransomware-as-a-Service(RaaS) and also known to affiliates to implement the ‘double extortion’ techniques by uploading the stolen and sensitive victim information to their dark website and then threatening to sell/release it in public if their demands are not met. LockBit Ransomware advertised opportunities for threat actors that could provide credential access via RDP and VPN. Aside from this it is also uses threat emulation like Cobalt Strike and Metasploit to gain foot hold to the targeted host and persist if needed.


Name Technique Type
CMLUA Or CMSTPLUA UAC Bypass System Binary Proxy Execution, CMSTP TTP
Cobalt Strike Named Pipes Process Injection TTP
Common Ransomware Extensions Data Destruction Hunting
Common Ransomware Notes Data Destruction Hunting
Deleting Shadow Copies Inhibit System Recovery TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Fsutil Zeroing File Indicator Removal TTP
High Process Termination Frequency Data Encrypted for Impact Anomaly
Known Services Killed by Ransomware Inhibit System Recovery TTP
Modification Of Wallpaper Defacement TTP
Ransomware Notes bulk creation Data Encrypted for Impact Anomaly
Recon Using WMI Class Gather Victim Host Information, PowerShell Anomaly
Suspicious Process File Path Create or Modify System Process TTP
UAC Bypass With Colorui COM Object System Binary Proxy Execution, CMSTP TTP
Wbemprox COM Object Execution System Binary Proxy Execution, CMSTP TTP
Windows Modify Registry Default Icon Setting Modify Registry Anomaly


source | version: 1