Analytics Story: LockBit Ransomware

Description

Leverage searches that allow you to detect and investigate unusual activity that might relate to the LockBit ransomware, including file writes (file encryption and ransom notes), service deletion, process termination, registry key modification, and more.

Why it matters

LockBit ransomware was first seen in 2019. It has been used by cybercriminals against multiple sectors and organizations. LockBit is one of the ransomware families offered as Ransomware-as-a-Service (RaaS), and its affiliates are also known to use 'double extortion' techniques: uploading stolen, sensitive victim information to their dark web site and then threatening to sell or release it publicly if their demands are not met. LockBit ransomware advertised opportunities for threat actors who could provide credential access via RDP and VPN. Aside from this, it also uses threat emulation tools like Cobalt Strike and Metasploit to gain a foothold on the targeted host and persist if needed.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Modification Of Wallpaper | Defacement | TTP |
| Windows Suspicious C2 Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | TTP |
| Executables Or Script Creation In Temp Path | Masquerading | Anomaly |
| Ransomware Notes bulk creation | Data Encrypted for Impact | Anomaly |
| Wbemprox COM Object Execution | CMSTP | TTP |
| Windows Suspicious Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Windows Suspicious Process File Path | Match Legitimate Resource Name or Location, Create or Modify System Process | TTP |
| Recon Using WMI Class | PowerShell, Gather Victim Host Information | Anomaly |
| Common Ransomware Notes | Data Destruction | Hunting |
| Windows Remote Image Load | Command and Scripting Interpreter, Exploitation for Privilege Escalation, Shared Modules, Exploitation for Client Execution | Anomaly |
| Deleting Shadow Copies | Inhibit System Recovery | TTP |
| Common Ransomware Extensions | Data Destruction | TTP |
| UAC Bypass With Colorui COM Object | CMSTP | TTP |
| CMLUA Or CMSTPLUA UAC Bypass | CMSTP | TTP |
| Windows New Custom Security Descriptor Set On EventLog Channel | Disable or Modify Windows Event Log | Anomaly |
| Fsutil Zeroing File | Indicator Removal | TTP |
| Windows Security And Backup Services Stop | Inhibit System Recovery | TTP |
| Windows Modify Registry Default Icon Setting | Modify Registry | Anomaly |
| High Process Termination Frequency | Data Encrypted for Impact | Anomaly |
| Windows New EventLog ChannelAccess Registry Value Set | Disable or Modify Windows Event Log | Anomaly |

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Windows Event Log System 7036 | Windows | XmlWinEventLog | XmlWinEventLog:System |
| Sysmon EventID 5 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |

Source: GitHub | Version: 2