SentinelOne Vs. “LockBit 2.0” Ransomware – Mitigation and Rollback

See how SentinelOne mitigates and rolls back LockBit 2.0 ransomware. LockBit 2.0 ransomware is the latest affiliate program operated by the “LockBit Gang”, operating since early 2020. The group touts strong and ‘unbeatable’ crypto, stating, “During two years none has managed to decrypt it.”

Modern variants of LockBit (2.0) can encrypt files regardless of online status (encryption works offline). Affiliates have complete control over their campaigns via an administrative panel hosted via TOR (.onion domain).

LockBit shares many features with other modern and successful ransomware families. These include:

– Network detection and spreading via DFS/SMB/WebDav (aka whatever is available)
– Automatic termination of processes that may interfere with the encryption or extraction processed (backup software, security agents/scanners)
– Blocking the launch of processes that may lead to termination of the encryption
– Removal of Shadow Copies
– Clearing of logs, self-cleaning
– Options for hidden or visible runtime modes
– Spread to hosts w/ Wake-On-Lan
– Interaction with networked Printers
– Support for “all” versions of Windows