惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Hacker News
The Hacker News
F
Full Disclosure
Cloudbric
Cloudbric
Blog — PlanetScale
Blog — PlanetScale
W
WeLiveSecurity
N
News and Events Feed by Topic
T
Troy Hunt's Blog
V2EX - 技术
V2EX - 技术
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
B
Blog
GbyAI
GbyAI
C
Check Point Blog
B
Blog RSS Feed
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Recorded Future
Recorded Future
The Last Watchdog
The Last Watchdog
N
News and Events Feed by Topic
T
The Blog of Author Tim Ferriss
O
OpenAI News
V
V2EX
人人都是产品经理
人人都是产品经理
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
IT之家
IT之家
WordPress大学
WordPress大学
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Security @ Cisco Blogs
C
Cisco Blogs
Security Latest
Security Latest
S
Security Affairs
V
Visual Studio Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Hacker News - Newest:
Hacker News - Newest: "LLM"
博客园 - 司徒正美
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Microsoft Azure Blog
Microsoft Azure Blog
Last Week in AI
Last Week in AI
AWS News Blog
AWS News Blog
雷峰网
雷峰网
Apple Machine Learning Research
Apple Machine Learning Research
PCI Perspectives
PCI Perspectives
博客园_首页
U
Unit 42
Google DeepMind News
Google DeepMind News
Hugging Face - Blog
Hugging Face - Blog
Project Zero
Project Zero
Cisco Talos Blog
Cisco Talos Blog
The Register - Security
The Register - Security
N
Netflix TechBlog - Medium
L
LINUX DO - 热门话题
H
Hacker News: Front Page

Vectra AI Blog

Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Why You Need an NDR to Protect Your Modern Network Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI named in Gartner hype cycle for security operations 2025 Vectra AI Vectra AI Vectra AI How Sanofi Detected and Stopped a Cyberattack How MITRE ATLAS Helps Detect LLM Attacks in Cloud AI Detecting Iranian APT identity attacks across hybrid environments Vectra AI Vectra AI Vectra AI Breaking down the axios supply chain incident Vectra AI Vectra AI Who’s Doing What on Your Network? FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access Detecting Compromise After the Axios Supply Chain Attack. Vectra AI Vectra AI Vectra AI AI Is Now the Attack Surface: Why Your Security Stack Must Adapt Fast Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How attackers use Brute Ratel (BRC4) Vectra AI Vectra AI Vectra AI The Cutting Edge: AI’s Inevitable Rise in Offensive Security Vectra AI Is AI the Right Tool to Defend Against Modern Cyberattacks? Vectra AI Vectra AI Vectra AI Turns Out Network Security Is Cool Again – and It’s Called NDR Vectra AI Vectra AI Vectra AI Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Vectra AI Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR) Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Challenges in Microsoft Log Monitoring: Insights for Your SOC Vectra AI Platform Visualizes Multi-domain Modern Attacks with Attack Graphs Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Gartner Security and Risk Conference – Chaos meets Opportunity Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) Presenting the 2025 Vectra AI Scholars Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) - Why Vectra AI Stands Tall Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How Black Basta Turned Public Data into a Breach Playbook Play’s New Tactics Bypass Traditional Defenses. Are You Ready? Charting a New Era of Network Security: Vectra AI at the Forefront Unlocking Operational Efficiency: How Vectra AI Drives 40% Gains in SOC Performance and 391% ROI Identity-Centric Attacks: The New Reality for UK Retail CISA Flags Fast Flux as a National Threat: Are You Covered? AI Agents: What Do They Mean in Cybersecurity?
Vectra AI
Zoey Chu · 2026-02-25 · via Vectra AI Blog

LockBit is a prolific ransomware-as-a-service (RaaS) operation that has evolved through multiple versions since its debut in 2019. Despite a major law enforcement takedown (Operation Cronos in early 2024) that seized servers and leaked decryption keys, the group has re-emerged with LockBit 5.0. This latest version is positioned as a “comeback” for the gang, boasting faster encryption, stronger evasion, and a revamped affiliate program. This blog provides a comprehensive breakdown of LockBit 5.0’s technical features and actionable insights for SOC teams to strengthen defenses against its affiliate-driven campaigns.

LockBit 5.0 Login Page (Source: SOCRadar)

Quick Recap of LockBit Evolution

LockBit first appeared in 2019 under the name ABCD ransomware, a reference to the “.abcd” extension it added to encrypted files. This early version was relatively basic, focusing purely on fast encryption of local files without the advanced tactics we see today.

In 2021, LockBit 2.0 (Red) marked the first major leap. It introduced StealBit, a purpose-built data exfiltration tool that enabled attackers to steal sensitive data at scale. This version also added automated propagation through SMB and PsExec, giving affiliates the ability to spread rapidly across corporate networks. Around the same time, the group expanded to Linux and VMware ESXi targets, signaling the start of its big-game hunting focus.

LockBit 3.0 (Black), launched in 2022, pushed innovation even further. It was the first ransomware group to run a bug bounty program, openly inviting hackers to help improve its malware. It also deployed intermittent encryption to accelerate attacks, encrypting only chunks of large files while still rendering them useless. This version cemented LockBit as the most active ransomware group globally, responsible for more than 40% of reported incidents that year. A leaked builder kit in late 2022 also gave researchers—and rival criminals—a rare inside look at how customizable LockBit had become.

By late 2024, LockBit responded to law enforcement pressure with LockBit 4.0 (Green). This release was nearly a full rewrite, developed in .NET Core with a modular architecture and enhanced stealth. Gone were noisy features like printer spam, replaced by API unhooking, obfuscation, and stealthier execution. Encryption speed reached new highs, capable of crippling large networks in minutes. Affiliates gained more flexibility with customizable ransom notes and support for Linux and ESXi environments.

Now, with LockBit 5.0, the group is attempting a full comeback after global takedowns and internal leaks. This version continues the modular approach, introduces stronger evasion against modern EDR, and offers revamped affiliate incentives to rebuild its network. The result is a ransomware strain designed to be faster, more resilient, and more adaptable than any of its predecessors.

Version Timeframe Key Features & Changes
LockBit 1.0
“ABCD”
2019 to 2020 Initial family release, files appended with .abcd, basic but fast encryptor. Limited data theft capabilities at this stage. Early C or C++ implementation, no mature affiliate tooling yet.
LockBit 2.0
“Red”
2021 Introduction of StealBit for rapid exfiltration. Better automation for discovery and lateral movement using SMB, PsExec, WMI. Significant speed improvements. Added Linux and VMware ESXi lockers to hit virtual infrastructure. Formalized RaaS program with revenue split and panel access for affiliates.
LockBit 3.0
“Black”
2022 Added intermittent encryption to accelerate impact while keeping files unusable. Continued AES plus RSA hybrid crypto. Launched a public bug bounty for malware improvements. Mature point and click builder for affiliates. Double and triple extortion tactics increased. Builder later leaked which enabled copycats and signature coverage on older builds.
LockBit 4.0
“Green”
Late 2024 to early 2025 Major rework with .NET Core codebase and stealth-first design. Complex API hashing and user land unhooking to bypass EDR. Removed noisy self propagation and printer abuse to cut detections. Faster multi threaded encryption, customizable ransom notes for affiliates, decentralized Tor infrastructure for resiliency. Expanded Linux and ESXi targeting for data center impact.
LockBit 5.0 Mid to late 2025 Modular architecture so affiliates toggle components per campaign. Further speed optimizations and stronger anti analysis. Flexible comms during negotiation, Tor portals plus Tox where needed. Revamped affiliate incentives to rebuild the network, influx of new affiliates. Signals of cooperation with peer groups, potential cartel style coordination. Goal is faster time to impact with lower detection surface.

Evolution of LockBit RaaS, 2019 to 2025

LockBit 5.0 Features in Action: TTPs and What’s Changed

LockBit 5.0 introduces modularity, faster encryption, and stronger evasion—but the real impact is how these features play out during an intrusion. Below, we map the new capabilities to each stage of the attack lifecycle so SOC teams can see exactly where to focus detection and response.

Initial Access

  • What’s new: The affiliate program’s lowered barriers (auto-registration, wider recruitment) mean more varied intrusion techniques across campaigns.
  • Observed techniques: Phishing, brute-force and credential stuffing of RDP/VPN, exploitation of unpatched services like Exchange or Fortinet.
  • SOC focus: Monitor for abnormal login activity, repeated authentication failures, and unpatched public-facing infrastructure.

Execution & Privilege Escalation

  • What’s new: Payloads are often launched filelessly via PowerShell or LOLBins, and builds can include validity periods that expire, hindering analysis.
  • Observed techniques: In-memory loaders, mshta.exe execution, credential dumping from LSASS, registry hive exfiltration.
  • SOC focus: Detect suspicious script activity, especially PowerShell spawning child processes, and registry access outside normal baselines.

Lateral Movement

  • What’s new: Affiliates can toggle propagation modules, making LockBit less predictable and stealthier than earlier worm-like versions.
  • Observed techniques: PsExec, WMI jobs, Group Policy Object (GPO) abuse to spread ransomware across hosts.
  • SOC focus: Hunt for new service creations, unusual remote WMI commands, or lateral RDP connections outside business hours.

Defense Evasion

  • What’s new: Expanded process-kill lists, advanced API unhooking, and obfuscation built into the modular architecture.
  • Observed techniques: Termination of AV/backup agents, shadow copy deletion (vssadmin delete), log clearing, sandbox/VM checks.
  • SOC focus: Correlate mass process/service stoppages with registry edits or administrative command executions.

Impact & Extortion

  • What’s new: Encryption speed is faster through optimized intermittent encryption. Ransom notes may include tiered payment deadlines and Tox IDs instead of only Tor portals.
  • Observed techniques: Large-scale file renaming with randomized extensions, {random}.README.txt ransom notes in directories, wallpaper changes, exfiltration via StealBit/Rclone.
  • SOC focus: Detect bulk file renames, unexpected wallpaper changes, and abnormal outbound transfers to cloud storage or unknown servers.

Post on X containing screenshots of the LockBit 5.0 platform

Why Prevention Alone Isn’t Enough Against LockBit 5.0

LockBit 5.0 highlights the uncomfortable truth: even well-tuned prevention controls cannot stop every attack. Affiliates exploit weak credentials, unpatched systems, or phishing to get in—and once inside, they use tools and techniques that blend in with legitimate activity. By the time ransomware is detonated, the damage is already done.

Here’s where traditional prevention layers fall short:

  • Perimeter defenses like firewalls, VPNs, and MFA block many attempts but cannot recognize valid stolen credentials. If an attacker logs in as a trusted user, they walk straight through.
  • Endpoint agents can be killed or bypassed. LockBit 5.0 aggressively terminates AV and EDR processes, executes filelessly in memory, and unhooks APIs, leaving few traces.
  • Log-centric tools (SIEM, DLP) depend on visibility attackers can remove. LockBit clears event logs and deletes shadow copies, blinding defenders just before encryption begins.
  • Backups are directly targeted. Process kill lists include backup and recovery services, leaving organizations without their last line of defense.

For SOC teams, this means focusing only on prevention is not enough. A post-compromise detection and response strategy is critical—one that hunts for the behaviors attackers cannot hide:

  • Credential misuse and privilege escalation.
  • Unusual lateral movement via PsExec, WMI, or GPO.
  • Mass process termination and shadow copy deletion.
  • Abnormal outbound data transfers to cloud services or Tor/Tox channels.

Detect LockBit Related Activities With Vectra AI

The Vectra AI Platform is built to close this detection gap. Instead of relying solely on logs or signatures, it continuously analyzes behaviors across network, identity, cloud, and SaaS environments, surfacing real attacker activity in real time. By combining prevention with post-compromise detection and AI-driven response, SOC teams can stop LockBit 5.0 before encryption cripples business operations.

Explore our self-guided demo to see how Vectra AI closes the gap and ensures that when prevention fails, detection and response are ready.

---

Sources: The information in this blog is drawn from a variety of threat intelligence analyses, including industry research blogs and official advisories. Key references include the SOCRadar threat intel blog on LockBit 5.0’s features, the joint advisory (May 2025) detailing LockBit 3.0/4.0 TTP, Trend Micro’s report in collaboration with the UK NCA on LockBit’s new developments, and the Trellix research on LockBit’s leaked admin panel data.

FAQs