LockBit is one of the most aggressive ransomware families currently in circulation, responsible for thousands of successful attacks against businesses and individuals worldwide. First appearing in September 2019, LockBit has evolved through multiple versions (LockBit 2.0 and LockBit 3.0) and operates as a Ransomware-as-a-Service (RaaS) platform, meaning cybercriminals can lease the malware to conduct their own attacks. What makes LockBit particularly dangerous is its speed—it can encrypt an entire network in minutes—and its sophisticated evasion techniques that help it bypass many security products.
If you're reading this because you've seen ransom notes on your computer, files with strange extensions, or desktop wallpaper demanding payment, you need to act quickly but carefully. LockBit doesn't just encrypt files; it often steals sensitive data before encryption and threatens to publish it if ransom demands aren't met, a tactic known as "double extortion."
Threat Profile
| Characteristic | Details |
|---|---|
| Threat Name | LockBit (also known as ABCD Ransomware) |
| Threat Type | Ransomware (file-encrypting malware) |
| Platform | Windows (PE executable) |
| First Observed | September 2019 |
| Current Versions | LockBit 1.0, 2.0, 3.0 (aka LockBit Black) |
| Distribution Model | Ransomware-as-a-Service (RaaS) with affiliate program |
| Encryption Method | AES-256 combined with RSA or elliptic curve cryptography |
| File Extensions | .lockbit, .abcd, or custom extensions (varies by version/affiliate) |
| Ransom Note Name | Restore-My-Files.txt or similar (placed in every encrypted folder) |
| Data Exfiltration | Yes—steals sensitive data before encryption for double extortion |
| Self-Propagation | Yes—spreads laterally across networks via SMB and group policies |
| Decryption Available | Limited—no universal decryptor; file recovery depends on backups |
How It Spreads
LockBit doesn't rely on a single infection method. Because it operates as a service with multiple affiliates conducting attacks, distribution techniques vary widely. The most common initial access vectors involve exploiting vulnerabilities in internet-facing systems—particularly Remote Desktop Protocol (RDP) servers with weak passwords or unpatched VPN appliances. Once an attacker gains initial access to one machine, LockBit's built-in spreading mechanisms take over, moving laterally through your network to infect as many systems as possible before triggering the encryption payload.
Many LockBit infections begin with phishing emails containing malicious attachments or links. These emails often impersonate shipping notifications, invoices, or urgent security alerts. The attachments might be Word documents with malicious macros, ZIP files containing executable payloads, or links to credential-harvesting pages. In business environments, attackers also purchase access from initial access brokers—criminals who specialize in compromising networks and selling that access to ransomware operators.
Common distribution methods include:
- RDP brute-force attacks: Scanning the internet for exposed Remote Desktop servers and cracking weak passwords
- Phishing campaigns: Emails with infected attachments or malicious links designed to steal credentials or deliver malware
- Exploiting unpatched vulnerabilities: Targeting known security flaws in VPNs, firewalls, and other network devices
- Software supply chain compromise: Injecting malware into legitimate software updates or installer packages
- Malicious advertisements: Drive-by downloads from compromised or malicious advertising networks
- Trojanized software: Legitimate-looking applications downloaded from unofficial sources that contain LockBit
What It Does On Your Machine
Once LockBit executes on a system, it moves with alarming speed. The malware first performs reconnaissance, mapping network shares, enumerating domain controllers, and identifying high-value targets like database servers and backup systems. Before encryption begins, newer LockBit variants exfiltrate sensitive documents, financial records, customer data, and anything else that could be used for extortion. This data theft happens silently in the background while the malware prepares for its main payload.
LockBit employs multiple techniques to evade detection and prevent recovery. It disables Windows Defender and other security software, clears event logs to hide its tracks, and deletes Volume Shadow Copies (Windows' built-in backup system) to prevent file restoration. The malware modifies Windows registry keys to ensure persistence and maintain access even after potential removal attempts. It also terminates processes associated with databases, email servers, and backup software to ensure those files can be encrypted.
The encryption phase is brutally efficient. LockBit uses multithreading to encrypt files simultaneously across multiple CPU cores, allowing it to lock down an entire system—or an entire network—in just minutes. The malware targets hundreds of file extensions including documents, spreadsheets, databases, images, videos, archives, and source code. After encryption, each folder receives a ransom note with instructions for payment and threats regarding stolen data publication.
Manual Removal — Step by Step
Isolate the Infected System Immediately
Disconnect the computer from all networks—unplug Ethernet cables and disable Wi-Fi. If this is a business environment with multiple computers, isolate the entire network segment if possible. Do not reconnect until you're certain the malware is removed and the infection vector is identified. If other computers on your network are on, shut them down to prevent further spread.
Document Everything Before Making Changes
Take photos of ransom notes, write down any email addresses or website URLs mentioned, and note which files are encrypted and their extensions. This information helps determine the specific LockBit variant and whether any decryption tools might be available. Do NOT delete the ransom notes yet—they contain information needed for potential recovery and law enforcement reporting.
Boot Into Safe Mode With Networking
Restart the computer and repeatedly press F8 (or Shift+F8 on newer systems) during boot to access Advanced Boot Options. Select "Safe Mode with Networking." This loads Windows with minimal drivers and services, which can prevent LockBit from activating while allowing you to download removal tools. On Windows 10/11, you may need to use Settings > Update & Security > Recovery > Advanced Startup instead.
Run Comprehensive Malware Scans
Download and run multiple reputable security tools: Malwarebytes, Kaspersky TDSS Killer, and ESET Online Scanner are good choices. Run full system scans with each—LockBit often leaves behind components that can re-infect the system or provide backdoor access for future attacks. Be patient; thorough scans take hours but are essential. Keep the computer disconnected from your network during this process.
Check and Clean Registry Entries
Open Registry Editor (regedit.exe) and navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for suspicious entries—especially those pointing to random folders in ProgramData, AppData, or Temp directories. Delete any entries you don't recognize. Also check HKLM\SOFTWARE\Policies\Microsoft\Windows Defender for the DisableAntiSpyware value and delete it if present. Make a registry backup before making changes.
Manually Remove Malware Files
Search for and delete suspicious executables, particularly in C:\ProgramData\, C:\Users\[Username]\AppData\Local\Temp\, and C:\Windows\Temp\. Look for recently created files with random names or files matching paths identified in your security scans. Show hidden files and system files through Folder Options to see everything. LockBit often hides components with system and hidden attributes.
Re-enable Security Features
LockBit disables Windows Defender and other security measures. Open Windows Security and ensure Real-time protection is enabled. Check that Windows Update is functioning and install all pending updates, especially security patches. Verify that your firewall is active. If these features won't enable, remaining malware components are likely still present—return to step 4.
Assess File Recovery Options
Unfortunately, LockBit encryption is currently unbreakable without the decryption key. Check NoMoreRansom.org for any available decryptors, though none exist for recent LockBit variants. Your realistic options are: restore from clean backups created before infection, attempt file recovery software to find unencrypted copies (low success rate), or accept data loss. Do NOT pay the ransom—payment doesn't guarantee decryption and finances continued criminal activity.
Change All Passwords From a Clean Device
LockBit often steals credentials during infection. From a different, uninfected computer, change passwords for all accounts—email, banking, work systems, and especially any administrator or domain credentials if this occurred in a business environment. Enable multi-factor authentication wherever possible. Assume any password stored on the infected machine was compromised.
Monitor for Re-infection and Consider Clean Installation
Even after removal, LockBit may have created backdoors or secondary access mechanisms. The most secure approach is backing up unencrypted personal files (documents, photos—not programs or system files) and performing a complete Windows reinstallation from verified media. If you choose to continue using the cleaned system, monitor closely for unusual behavior and run periodic security scans for at least 30 days.
Prevention
- Maintain offline, disconnected backups: Follow the 3-2-1 rule—three copies of important data, on two different media types, with one copy stored offline and disconnected from your network. Test backup restoration regularly. LockBit specifically targets network-attached and cloud-connected backup drives.
- Secure Remote Desktop Protocol: If you must use RDP, never expose it directly to the internet. Use a VPN for remote access, enforce strong passwords (minimum 16 characters with complexity), enable Network Level Authentication, and implement account lockout policies after failed login attempts. Consider changing RDP to a non-standard port.
- Keep everything patched and updated: Enable automatic updates for Windows, all applications, and firmware on network devices. LockBit frequently exploits known vulnerabilities in VPNs, remote access tools, and network equipment. Security patches exist for these flaws—applying them eliminates entire attack vectors.
- Implement email security and user training: Deploy email filtering to block malicious attachments and links. Train everyone who uses computers in your home or business to recognize phishing attempts, verify unexpected emails by contacting senders through known contact information, and never enable macros in documents from unknown sources.
- Use endpoint protection and network segmentation: Install reputable antivirus software on all devices and keep it updated. In business environments, segment networks so workstations, servers, and backups exist on separate network zones with restricted communication between them. This limits how far ransomware can spread.
- Disable unnecessary services and protocols: Turn off SMBv1 (an outdated file-sharing protocol LockBit exploits), disable PowerShell for users who don't need it, and restrict Windows Script Host. Apply the principle of least privilege—users should only have access to systems and data they actually need.
- Monitor network traffic and maintain logs: Implement monitoring for unusual outbound connections, large data transfers, and lateral movement within your network. Maintain security logs in a protected location so you can investigate how an attack occurred. Many LockBit infections could be stopped early if unusual activity were detected.
- Create an incident response plan: Document what to do if ransomware strikes—who to contact, which systems to isolate first, where offline backups are stored, and how to restore operations. Having a plan reduces chaos and mistakes during an actual incident when every minute counts.
Bring It In
LockBit removal requires specialized expertise, and file recovery is complex with no guaranteed outcomes. While the steps above outline the technical process, most home users and small businesses benefit from professional assistance—especially given the risk of data loss, the possibility of incomplete removal, and the need to identify how the infection occurred to prevent recurrence. Computer Repair Roswell has dealt with hundreds of ransomware cases and maintains relationships with data recovery specialists for situations where encrypted files hold critical information.
Our shop is located in Roswell, Georgia, and we're available by phone at (770) 615-3992 for immediate consultation. If you can bring the infected computer to us, we'll assess the damage, determine the infection scope, remove all malware components, and advise on realistic recovery options. We work with both individual homeowners and local businesses, and we understand the urgency ransomware creates. Don't let the stress of an infection push you toward paying criminals—call us first and let's explore every legitimate option available.