Surviving LockBit: How to Protect Your Organization

LockBit ransomware attacks are on the rise and pose a major threat to organizations of all sizes. In 2022 alone, LockBit is estimated to have been responsible for 44% of all known incidents. This ransomware’s primary goal is to quickly gain full control of an environment to demand money from businesses.

LockBit attackers often compromise Active Directory (AD), the core of many IT environments. By seizing control of AD, they gain widespread power to encrypt files, disrupt critical systems, and steal sensitive data. The LockBit ransomware group, known for its efficiency and aggressiveness, has evolved into one of the most powerful ransomware operators in the world.

This guide will equip you with the knowledge to fight back. We’ll dive into LockBit’s tactics, then arm you with practical prevention strategies, detection methods, and a rock-solid response plan to keep your data safe.

What is LockBit Ransomware?

LockBit is ransomware designed to disrupt victims’ networks by encrypting crucial files and servers and demanding payment for decryption. Initially emerging in September 2019 as “.abcd ransomware,” LockBit has rapidly become a major threat worldwide, with notable attacks targeting organizations across the globe. It seeks out large, well-funded companies that are highly likely to pay significant amounts of money to regain access to critical files and systems. It’s operated by the LockBit ransomware group, which provides the ransomware tools and infrastructure to affiliates on a ransomware-as-a-service (RaaS) model. LockBit often prioritizes getting access to one critical target: Active Directory (AD). By compromising AD, the attackers gain widespread control, enabling them to encrypt your most valuable data, lock you out of essential systems, and cripple your entire business operation.

Understanding the LockBit Ransomware Attack

To effectively protect your company against the threat of LockBit, it’s crucial to take a deeper look at its typical attack methods and the following key steps:

Step 1: Initial Foothold

LockBit attackers frequently scan for systems with exposed Remote Desktop Protocol (RDP) ports and attempt to gain access through brute-force attacks or by exploiting known vulnerabilities. Weak passwords and a lack of multi-factor authentication make RDP a prime target. Additionally, phishing emails designed to trick users into clicking malicious links or opening infected attachments remain a common delivery mechanism for LockBit. These emails often impersonate trusted entities or use urgent language to manipulate users into enabling malware installation. Finally, LockBit operators aggressively target unpatched vulnerabilities in internet-facing software like VPNs, firewalls, or servers, often attacking before companies have a chance to fix them.

Step 2: Lateral Movement

Once inside the network, attackers aggressively seek out privileged accounts and valuable credentials. This includes password dumping, keylogging, and exploiting vulnerabilities. They hunt for domain administrator accounts that grant them control of the entire network. To blend in with normal activity, they’ll often use legitimate tools like Cobalt Strike, PsExec, and PowerShell. This makes it harder to spot their tracks in a busy network environment.

Step 3: Data Theft, Encryption, and Demanding Payments

LockBit attackers don’t just encrypt your files – they steal your most valuable data first. They’ll aggressively hunt down file shares, databases, and even your backups, compressing the data and exfiltrating it to their own servers. This isn’t only about locking you out; it’s about squeezing you for maximum profit. They now have two ways to cripple your business: holding your operations hostage with encryption and threatening to sell or leak your sensitive information on the dark web, destroying your reputation.

With your data safely in their hands, LockBit unleashes their infamous high-speed ransomware. They’re not aiming for every file on your network – they’ll go straight for the jugular, hitting essential servers, databases, and the critical applications that keep your business running. Their strategy is ruthless efficiency, causing the most disruption in the least amount of time. Victims then find ransom notes with personalized payment demands, often escalating with tight deadlines and threats to increase pressure.

Key Strategies to Protect Your Organization From LockBit

The threat of LockBit underscores the critical importance of a comprehensive cybersecurity plan. To safeguard your organization against this ransomware, you need a strategy built on three pillars: prevention, detection, and response.

Prevent LockBit and Other Ransomware Attacks

The most effective way to defend against LockBit is to prevent it from infiltrating your network in the first place. This requires a multi-layered approach:

Patching and Vulnerability Management

Implement a strict patching schedule – establish a patching policy that requires regular updates to operating systems, applications, and firmware across all devices. Prioritize critical systems and those directly exposed to the internet. To minimize potential disruption to production systems, develop a process for testing patches before deployment within a staging environment.

Additionally, stay aware of newly discovered zero-day vulnerabilities that might not have patches immediately available. Proactively monitor security resources such as CISA alerts, vendor announcements, and security blogs to track these threats. Where possible, implement temporary workarounds or mitigating controls (such as disabling vulnerable services or temporarily isolating affected systems) while awaiting official patches.

Strong Password Policies and MFA

  • Enforce strict password complexity requirements. Mandate minimum password lengths (ideally 12+ characters), a mix of uppercase, lowercase, numbers, and symbols, and forbid the use of dictionary words. Prevent password reuse across different accounts and consider using a password manager to help users generate and store strong, unique passwords. To reduce the risk of compromised credentials, implement regular password changes (e.g., every 60-90 days).
  • Deploy MFA across all sensitive systems and remote access points. Use authenticator apps, hardware tokens, or biometric authentication for an additional layer of security. Where available, explore passwordless authentication options, as they enhance security while reducing friction for users.
  • Limit the number of administrator-level accounts to minimize your attack surface.
  • Apply the principle of least privilege, granting users only the permissions necessary for their job functions. Regularly audit privileged accounts to ensure they are still required, and access levels are appropriate. This can be a complex task, especially in large Active Directory environments. Solutions like Cayosoft Administrator streamline this process, helping you clean up permissions, put controls around privileged groups, and enforce a true least-privilege model – even eliminating the need for native AD privileges.

Network Segmentation

Divide your network into smaller zones based on function, sensitivity, or criticality. Implement firewalls or access control lists (ACLs) to restrict traffic flow between these zones. This limits the potential spread of LockBit ransomware should an attacker gain a foothold.

Isolate your most critical systems and data, such as domain controllers, backups, and sensitive data repositories, on separate network segments with additional layers of security.

Tools like Cayosoft Guardian offer granular visibility into Active Directory, making it easier to identify and implement effective segmentation strategies.

User Education

  • Conduct regular phishing simulations to educate users on identifying malicious emails, attachments, and links, and reinforce the importance of reporting suspicious activity. Provide ongoing cybersecurity training in various formats (like videos and interactive modules) to keep users engaged.
  • Educate employees on the dangers of visiting untrusted websites, downloading unauthorized software, and clicking on links or attachments from unknown sources.
  • Consider implementing web filtering tools to help block access to known malicious websites.

Clearly communicate reporting procedures for potential security incidents, emphasizing the importance of timely reporting. Make reporting easy and accessible, and provide clear escalation paths for urgent situations.

Detect LockBit and Other Cyber Threats

Detecting LockBit before it cripples your systems is one of your key weapons. Implement these strategies to spot an attack in progress and fight back:

Anomaly Detection

Establish a normal network traffic profile, including typical bandwidth usage, protocols employed, and expected communication patterns. Implement network monitoring tools to detect anomalies such as unexpected traffic spikes, unusual source/destination addresses, or communication on unusual ports.

Monitor Active Directory for unusual activity, such as unexpected login attempts (especially outside of normal business hours or from unusual locations), multiple failed logins, creation of new user accounts, changes to privileged groups, or modification of critical system files. Use User and Entity Behavior Analytics (UEBA) tools to help establish baselines and detect deviations. Specialized Active Directory monitoring tools like Cayosoft Guardian aid in establishing baselines and flagging unusual behavior that could signal a LockBit attack.
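The Active Directory signals listed above (failed-logon bursts, off-hours logons, new accounts, privileged-group changes) can be turned into simple rules. The following is an added example, not code from this article or from Cayosoft; it runs over a constructed, simplified set of Windows Security event records using the standard event IDs 4625, 4624, 4720 and 4728/4732/4756, and the thresholds and business-hours window are assumptions you would tune to your own baseline.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (not from a real environment). Each record is a
# simplified tuple: (timestamp, event_id, account, source_ip, group_name).
# Real events carry these fields in their XML; this shape is an assumption.
SAMPLE_EVENTS = [
    ("2024-03-04T02:13:05", 4625, "svc_backup", "10.0.5.23", ""),
    ("2024-03-04T02:13:07", 4625, "svc_backup", "10.0.5.23", ""),
    ("2024-03-04T02:13:09", 4625, "svc_backup", "10.0.5.23", ""),
    ("2024-03-04T02:13:11", 4625, "svc_backup", "10.0.5.23", ""),
    ("2024-03-04T02:13:13", 4625, "svc_backup", "10.0.5.23", ""),
    ("2024-03-04T02:14:40", 4624, "svc_backup", "10.0.5.23", ""),   # logon at 02:14
    ("2024-03-04T02:16:02", 4720, "helpdesk2", "10.0.5.23", ""),    # account created
    ("2024-03-04T02:16:30", 4728, "helpdesk2", "10.0.5.23", "Domain Admins"),
    ("2024-03-04T09:30:00", 4624, "jsmith", "10.0.12.8", ""),       # normal hours
    ("2024-03-04T09:45:00", 4728, "jdoe", "10.0.12.8", "Sales-Users"),
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_IDS = {4728, 4732, 4756}   # member added to global / local / universal group
FAILED_LOGON_THRESHOLD = 5           # assumed tuning value
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 treated as normal (assumed)


def detect_ad_anomalies(events, failed_threshold=FAILED_LOGON_THRESHOLD):
    """Return (rule, account, detail) alerts in the order they are triggered."""
    alerts = []
    failed = Counter()
    for ts, event_id, account, source, group in events:
        hour = datetime.fromisoformat(ts).hour
        if event_id == 4625:
            failed[(account, source)] += 1
            # Fire once, when the burst reaches the threshold, to avoid alert spam.
            if failed[(account, source)] == failed_threshold:
                alerts.append(("failed_logon_burst", account, source))
        elif event_id == 4624 and hour not in BUSINESS_HOURS:
            # Service accounts will be noisy here; scope this rule to interactive logons in practice.
            alerts.append(("off_hours_logon", account, ts))
        elif event_id == 4720:
            alerts.append(("account_created", account, source))
        elif event_id in GROUP_ADD_IDS and group in PRIVILEGED_GROUPS:
            alerts.append(("privileged_group_change", account, group))
    return alerts
```

The constructed sample yields four alerts, culminating in a freshly created account being added to Domain Admins from the same source that just brute-forced a service account, which is the sequence Step 2 above describes.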

Endpoint Detection and Response (EDR)

EDR solutions track endpoints (laptops, servers, etc.) for signs of malicious activity, such as suspicious file modifications, unusual process starts, or attempts to connect to known malicious domains. They can often detect malicious behavior that traditional antivirus might miss. EDR tools enable proactive hunting for IOCs (Indicators of Compromise) associated with LockBit ransomware. Analyze EDR data for patterns that match known LockBit techniques, allowing you to identify the early stages of an attack.

Monitor for Data Exfiltration Attempts

Pay close attention to unusually large data transfers, especially outbound transfers to unknown destinations. Implement data loss prevention (DLP) tools to identify and potentially block unauthorized data transfer. Analyze network traffic for patterns associated with data exfiltration, such as file transfers to cloud storage or uploads to suspicious file-sharing platforms.
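A first-pass check for the large outbound transfers described above compares each internal host’s outbound volume to its own baseline, so a host that legitimately moves a lot of data is not flagged while a workstation that suddenly pushes far more than usual is. This is an added example, not code from this article or from any vendor; the flow records, internal ranges, baselines and thresholds are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_sent). Not real traffic.
SAMPLE_FLOWS = [
    ("10.0.12.8", "10.0.1.5", 445, 2_000_000),        # internal share traffic, ignored
    ("10.0.12.8", "203.0.113.10", 443, 40_000_000),   # workstation uploading a lot
    ("10.0.12.8", "203.0.113.10", 443, 35_000_000),
    ("10.0.7.21", "198.51.100.7", 443, 1_500_000),    # ordinary browsing volume
    ("10.0.7.21", "198.51.100.7", 443, 2_000_000),
    ("10.0.3.4", "203.0.113.50", 22, 90_000_000),     # known bulk-transfer server
]

# Constructed per-host baseline of typical daily outbound bytes (from a training window).
BASELINE_BYTES = {"10.0.12.8": 5_000_000, "10.0.7.21": 4_000_000, "10.0.3.4": 80_000_000}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_totals(flows):
    """Sum bytes sent from internal hosts to external destinations, per host."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_exfil(flows, baseline, ratio=5.0, min_bytes=10_000_000):
    """Flag hosts whose outbound volume is both large and far above their baseline.

    A host with no baseline is flagged on the absolute threshold alone.
    """
    alerts = []
    for host, total in outbound_totals(flows).items():
        base = baseline.get(host, 0)
        if total >= min_bytes and (base == 0 or total >= ratio * base):
            alerts.append((host, total, base))
    return sorted(alerts)
```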

Additional Detection Measures

Conduct regular testing of detection mechanisms to validate their effectiveness and identify areas for improvement. Update threat intelligence feeds and detection signatures to stay ahead of evolving LockBit tactics. Additionally, fine-tune your detection systems to reduce false positives, which can lead to alert fatigue and missed critical red flags.

Respond to LockBit and Other Cyber Incidents

A successful response to a LockBit attack requires careful planning, coordination and quick action to contain the threat and restore operations. Here’s a more detailed look:

Incident Response Plan

  • Define clear triggers for activating the incident response plan, including thresholds for anomaly detection or suspected ransomware activity. Identify the incident response team members (IT security, management, legal, PR, etc.) and pre-assign roles and responsibilities.
  • Establish communication channels (both internal and external), reporting structures, and pre-defined templates for notifications. Consider creating different lists for stakeholders who need detailed updates and those requiring high-level summaries.
  • Outline precise steps for isolating infected systems: severing network connections, disabling compromised accounts, and preventing the spread of the ransomware using available firewall and segmentation controls. Plan out quarantine procedures and safe containment methods.
  • Identify procedures for collecting evidence: network logs, system logs, firewall logs, images of compromised systems, memory dumps, and copies of the ransomware files themselves. Emphasize preserving the chain of custody and the secure handling of potential evidence.

Immutable, Offline Backups

  • Determine the optimal frequency of backups based on criticality and rate of data change. Ensure backups cover all essential systems, applications, and data. Designate a specific schedule to test backup integrity and perform full restoration drills, practicing rapid recovery processes in a test environment.
  • Store primary backups offline (e.g., tapes, external hard drives) in a physically separate location. Explore using air-gapped backups for an additional layer of isolation.
  • Use object lock or other technologies to create backups that cannot be modified or deleted, even by privileged accounts, to protect them from encryption or tampering.

Active Directory-Specific Recovery

Traditional backups won’t always be enough when LockBit compromises your core AD infrastructure. Solutions like Cayosoft Guardian Forest Recovery specialize in AD protection. Its patented technology enables rapid forest recovery within minutes, minimizing downtime and ensuring data integrity. It also automates backups, deployment to clone environments, and threat scanning, streamlining the recovery process.

Cayosoft’s patent-pending instant forest recovery process automates backups, deployment to a clone environment, threat scanning, and testing every day!

Ransom Payment Considerations

Perform a detailed risk assessment considering factors like the time and cost of recovery from backups vs. the potential impact of prolonged downtime. Recognize that payment does not guarantee recovery, depends entirely on the attackers keeping their word, and can incentivize future attacks.

Additional Response Measures

  • Consider using solutions like Cayosoft Guardian that offer specialized capabilities for Active Directory visibility, enhancing your ability to detect an attack quickly and recover compromised data. Explore how Cayosoft’s features can augment your response plan.
  • Understand your organization’s legal obligations to report the incident to law enforcement or regulatory agencies (consider industry-specific regulations). Cooperate with them, as your case may help track criminal groups and potentially disrupt LockBit operations.
  • Conduct a thorough post-mortem analysis to identify root causes, vulnerabilities that led to the attack, and any gaps in your response process. Implement changes to strengthen your defenses based on lessons learned to prevent future incidents.

The threat of LockBit ransomware is real and persistent. Organizations must prioritize a proactive, multi-layered approach to cybersecurity that encompasses prevention, detection, and response readiness. By understanding LockBit’s attack techniques, implementing the strategies outlined in this article, and leveraging the right tools, you can significantly reduce the risk of an attack.


LockBit employs various tactics to gain a foothold in a network. Common entry points include phishing emails with malicious attachments, exploiting vulnerabilities in exposed RDP services, or leveraging unpatched software. It’s important to be vigilant against social engineering tactics, patch systems rigorously, and enforce strong security measures to prevent LockBit infiltration.

LockBit ransomware’s rapid encryption speed and the LockBit ransomware group’s ruthlessness in extorting victims make it a highly dangerous threat. It can cripple critical systems and cause significant financial and reputational damage to organizations.

With single extortion, the focus of ransomware attacks was solely on encrypting files and demanding payment for their decryption. LockBit escalated this threat by adopting double extortion – first stealing sensitive data and then encrypting files. This maximizes pressure on the victim, as their confidential information is threatened with release or sale on the dark web if the ransom is not paid.

Protecting your organization against LockBit demands a multi-layered approach. This involves implementing strong password policies with MFA, patching systems consistently, segmenting your network, educating users on cyber threats, and deploying tools for anomaly detection and endpoint protection.

Time is of the essence if you suspect a LockBit ransomware attack. Activate your incident response plan immediately. Focus on isolating infected systems and containing the spread of the ransomware. If the attackers succeeded, conduct a post-incident analysis and deploy tools that will help prevent a recurrence.

Want to See Cayosoft in Action?

Request a demo to learn more about how Cayosoft can help you protect against LockBit and other ransomware threats.
