Day 5: LockBit Ransomware

Common Attack Vectors

  • RDP
  • Phishing Emails
  • VPN

Vulnerabilities Exploited

  • CVE-2018-13379 – a critical vulnerability that exists in FortiOS SSL VPN
  • Microsoft Exchange Servers
  • Software & Hardware

Industries Targeted Frequently

Manufacturing

Threat actors target manufacturing facilities to disrupt product distribution.

Finance

Threat actors target financial institutions to steal people's names, financial records, social security numbers, and bank account details.

Legal

Threat actors target legal companies and law firms stealing their clients' confidential information.

Wholesale

Threat actors target wholesale stores stealing sensitive data, including customers' credit card information.

Recent Activity

LockBit accessed Irish IT giant Accenture and demanded a $50 million ransom after stealing six terabytes of data, including information on many of the firm's clients.

Within a month of the Accenture attack, LockBit accessed Bangkok Airways, exfiltrating and releasing sensitive information, including names, phone numbers, email and physical addresses, passport information, and some credit card data. A similar attack was alleged to have taken place against Ethiopian Airlines, though no data has been leaked to verify this claim.

Common File Extensions

  • .abcd
  • .LockBit
  • Restore-My-Files.txt (the ransom note file name)
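The extensions and ransom note name above are the simplest file-system indicators to hunt for. The following is an added example, not code from the original post or from SpearTip, that walks a directory tree and reports every file matching those indicators; it also flags files carrying a .png name whose first bytes are not the PNG signature, since the post later notes the encryptor is sometimes disguised with a .PNG extension. The sample directory it builds is constructed demo data.

```python
"""Scan a directory tree for LockBit file-system indicators (added example)."""
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Indicators taken from the extension list in the post.
LOCKBIT_EXTENSIONS = {".abcd", ".lockbit"}
RANSOM_NOTE_NAME = "restore-my-files.txt"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # first eight bytes of every genuine PNG file


def classify(path: Path) -> Optional[str]:
    """Return a short reason if the file matches an indicator, otherwise None."""
    name = path.name.lower()
    suffix = path.suffix.lower()
    if name == RANSOM_NOTE_NAME:
        return "ransom note"
    if suffix in LOCKBIT_EXTENSIONS:
        return f"encrypted-file extension {suffix}"
    if suffix == ".png":
        # A .png name without a PNG header is worth a look: the post notes the
        # encryptor is sometimes disguised with a .PNG extension.
        with path.open("rb") as fh:
            if fh.read(len(PNG_MAGIC)) != PNG_MAGIC:
                return "file named .png without PNG header"
    return None


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk root and return (relative_posix_path, reason) for every hit, sorted."""
    root_path = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root_path):
        for fname in files:
            full = Path(dirpath) / fname
            reason = classify(full)
            if reason:
                hits.append((full.relative_to(root_path).as_posix(), reason))
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed directory mixing benign and suspicious files (demo data only)."""
    root = Path(tempfile.mkdtemp(prefix="lockbit_demo_"))
    docs = root / "docs"
    docs.mkdir()
    (docs / "report.docx").write_bytes(b"plain office document")           # benign
    (docs / "report.docx.lockbit").write_bytes(b"\x00\x11\x22")            # constructed hit
    (docs / "budget.xlsx.abcd").write_bytes(b"\x33\x44")                   # constructed hit
    (docs / "Restore-My-Files.txt").write_text("constructed ransom note")  # constructed hit
    (root / "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 16)             # genuine PNG header
    (root / "update.png").write_bytes(b"MZ\x90\x00")                       # MZ header, not PNG
    return str(root)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel, why in scan_tree(demo_root):
        print(f"{why:40} {rel}")
```

Run it against a real share root instead of the demo directory to get a quick inventory of which hosts and paths were touched; the header check on .png files costs one small read per file and catches the disguise the post describes without relying on the name alone.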

Known Aliases

  • ABCD
  • LockFile

How LockBit Ransomware is Distributed

LockBit typically uses email phishing to gain initial network access, but may also enter through application exploits or unpatched vulnerabilities. Once the threat actor has placed the malware, it self-propagates automatically by design: after one host is infected, the ransomware locates additional connected hosts and spreads the infection to them using its own script.

What makes LockBit difficult to identify is that its encryption file is sometimes disguised with a .PNG extension, and it spreads using tools already present on Windows systems, such as PowerShell and Server Message Block (SMB). LockBit exploits CVE-2018-13379 to obtain valid VPN accounts by appending a path-traversal string to the URL: /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession.

LockBit uses its own data-exfiltration tool, StealBit. The operators are also known for self-propagation and for printing ransom notes on printers reachable from the victim network.
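The CVE-2018-13379 request shown above is easy to spot in web or VPN access logs once the traversal sequences and repeated slashes are normalized. The following detector is an added example, not code from the original post or from SpearTip: it parses a constructed, simplified access-log format (not real FortiOS log syntax), decodes percent-encoding, collapses the path, and raises an alert for any request to the /remote/fgt_lang endpoint whose parameter contains a traversal sequence or resolves to the sslvpn_websession file.

```python
"""Flag requests that look like CVE-2018-13379 path-traversal attempts (added example)."""
import posixpath
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

VULN_ENDPOINT = "/remote/fgt_lang"  # endpoint named in the URL quoted in the post
TARGET_FILE = "sslvpn_websession"   # session file that URL reaches for

# Constructed log lines in a simplified "ip method url status" format (demo data only).
SAMPLE_LOG = """\
203.0.113.7 GET /remote/login?lang=en 200
203.0.113.9 GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession 200
198.51.100.4 GET /remote/fgt_lang?lang=en 200
198.51.100.8 GET /remote/fgt_lang?lang=%2f..%2f..%2f..%2f..%2fdev%2fcmdb%2fsslvpn_websession 404
192.0.2.3 GET /index.html 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def normalize(value: str) -> str:
    """Percent-decode twice (to catch double encoding), then collapse '..' and '//' runs.

    The value is anchored under '/' so that leading '..' components are dropped
    and the result is the path the traversal would actually resolve to.
    """
    decoded = unquote(unquote(value))
    return posixpath.normpath("/" + decoded.lstrip("/"))


def is_traversal_attempt(url: str) -> bool:
    """True if the request targets the vulnerable endpoint with a traversal payload."""
    parts = urlsplit(url)
    if parts.path != VULN_ENDPOINT:
        return False
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for v in values:
            raw = unquote(unquote(v))
            if ".." in raw or normalize(v).endswith(TARGET_FILE):
                return True
    return False


def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one alert dict per matching log line, in log order."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        if is_traversal_attempt(m["url"]):
            alerts.append({"ip": m["ip"], "url": m["url"], "status": m["status"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"ALERT {alert['ip']} status={alert['status']} {alert['url']}")
```

Note that the 404 line is still flagged: a failed attempt against a patched device is as useful a signal as a successful one, since it identifies a source that is scanning for the vulnerability. Adapting the `LINE_RE` pattern to the real log format of the device in front of the VPN is the only change needed to run this over production logs.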

ShadowSpear

SpearTip's ShadowSpear platform defends your environment with unparalleled resources, preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network, and endpoint devices to provide security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the attack cycle completes. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.