
S1199: LockBit 2.0

LockBit 2.0 is an affiliate-based Ransomware-as-a-Service (RaaS) that has been in use since at least June 2021 as the successor to LockBit Ransomware. LockBit 2.0 has versions capable of infecting Windows and VMware ESXi virtual machines, and has been observed targeting multiple industry verticals globally.[1][2]

Enterprise · S1199 · Malware · Object v1.1 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

LockBit 2.0 is documented by ATT&CK as an affiliate-based ransomware-as-a-service successor to LockBit Ransomware, in use since at least June 2021, with Windows listed as the platform and the official description noting versions capable of infecting VMware ESXi. The business significance is not just malware execution: the mapped behaviors cover discovery, lateral movement over SMB/admin shares, use of WMI (wmic.exe) to delete volume shadow copies, persistence through scheduled tasks, new accounts, and Registry Run keys, defense impairment through Group Policy and Registry changes, and impact through encryption, service stopping, and recovery inhibition. For leaders, this is a readiness test for whether identity controls, backup resilience, Windows administration monitoring, and incident response decision paths can withstand a fast-moving ransomware event.

Executive priority

Prioritize this as an operational resilience and recovery-risk scenario. The ATT&CK relationships point to behaviors that can turn normal administration pathways into ransomware deployment and recovery disruption paths: SMB/Windows admin shares, WMI, scheduled tasks, Group Policy changes, account creation, service stopping, data encryption, and inhibition of recovery. Executives should ask whether privileged access, backup restoration, domain administration, and SOC escalation evidence are tested together—not as separate control areas. This object also supports audit and compliance discussions around evidence of logging, privileged change control, recovery testing, and ransomware response readiness.

Technical view

ATT&CK provides no official detection text for S1199, so SOC and IR validation should be behavior-driven from the mapped techniques. Focus on Windows telemetry for remote administration and execution patterns: SMB/admin share access, WMI execution, PowerShell and cmd activity, scheduled task creation, registry modification, new account creation, GPO modification, service stop events, file deletion, discovery commands, and high-volume file changes consistent with encryption impact. Where VMware ESXi is in scope, validate that hypervisor and storage-related recovery telemetry are included, because the official description notes ESXi-capable versions even though the platform field lists Windows.

Likely telemetry

  • Endpoint process creation and command-line telemetry for PowerShell, Windows Command Shell, discovery utilities, service control, registry tools, and task scheduling
  • Windows Event Logs and EDR telemetry for WMI activity, scheduled task creation, registry modification, UAC-related elevation behavior, hidden-window execution, and file deletion
  • SMB, file share, and Windows admin share access logs for lateral movement and network share discovery
  • Active Directory telemetry for account creation, privileged account use, authentication, and Group Policy Object changes
  • File system telemetry for local storage discovery, directory enumeration, rapid file modification, and encryption-like write patterns

Detection direction

  • Build detections around chains of behavior rather than a single indicator: discovery activity followed by remote administration, persistence or policy change, recovery impairment, and encryption-impact activity is more meaningful than any one event alone.
  • Tune for administrative false positives. WMI, SMB admin shares, scheduled tasks, PowerShell, cmd, registry changes, and GPO edits are legitimate in many environments; detections should compare against approved admin hosts, expected service accounts, maintenance windows, and change tickets.
  • Validate visibility into identity-driven lateral movement. The SMB/Windows Admin Shares relationship depends on valid account use, so authentication logs, privileged session context, and endpoint telemetry should be correlated.
  • Alert on unusual GPO modification, new account creation, task creation, registry run key changes, and service stops, especially when performed by accounts or hosts that do not normally administer broad system groups.
  • Monitor for recovery impairment and encryption-impact precursors, including deletion or disabling of recovery features, service stops, and rapid file modifications across local or shared storage.

Mitigation priorities

  • Start with recovery resilience: maintain protected backups, restrict backup administration, monitor backup access, and regularly test restoration because the mapped impact includes data encryption and inhibition of recovery.
  • Reduce privileged lateral movement exposure by limiting administrative shares, constraining remote administration paths such as WMI to approved administrators and management hosts, and segmenting critical systems.
  • Strengthen identity controls around privileged and service accounts, including least privilege, monitoring for new account creation, and review of accounts able to modify GPOs, scheduled tasks, registry settings, or services.
  • Harden and govern Windows administration mechanisms: PowerShell, cmd, scheduled tasks, registry modifications, and GPO changes should be logged, change-controlled, and reviewed for abnormal use.
  • Ensure incident response playbooks include rapid decisions for isolating systems, preserving evidence, disabling compromised accounts, protecting backups, and validating whether recovery mechanisms were impaired.

Analyst notes and limits

This take is based on the supplied ATT&CK software object, its official description, external references, and stated relationships. The object is classified as malware/software S1199 and describes LockBit 2.0 as affiliate-based RaaS observed across multiple industry verticals globally. ATT&CK did not provide official detection guidance, and tactics are not specified on the object itself; technique-level tactics come from the supplied relationship context.

No official detection text, aliases, labels, or tactic list were supplied for the object. The assessment does not include indicators of compromise, exploit details, victim claims, attribution beyond the malware name, or any assertion of current activity. Local environment evidence is required to determine exposure, control effectiveness, and detection coverage.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure (26 rows)

Enterprise | T1564.003 | Hidden Window (sub-technique)
  LockBit 2.0 can execute command line arguments in a hidden window. [Palo Alto Lockbit 2.0 JUN 2022]

Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique)
  LockBit 2.0 can use a Registry Run key to establish persistence at startup. [FBI Lockbit 2.0 FEB 2022]

Enterprise | T1053.005 | Scheduled Task (sub-technique)
  LockBit 2.0 can be executed via scheduled task. [Palo Alto Lockbit 2.0 JUN 2022]

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
  LockBit 2.0 can use the Windows command shell for multiple post-compromise actions on objective. [FBI Lockbit 2.0 FEB 2022; Palo Alto Lockbit 2.0 JUN 2022; Cybereason Lockbit 2.0]

Enterprise | T1685 | Disable or Modify Tools
  LockBit 2.0 can disable firewall rules and anti-malware and monitoring software including Windows Defender. [FBI Lockbit 2.0 FEB 2022; Palo Alto Lockbit 2.0 JUN 2022]

Enterprise | T1489 | Service Stop
  LockBit 2.0 can automatically terminate processes that may interfere with the encryption or file extraction processes. [SentinelOne LockBit 2.0]

Enterprise | T1548.002 | Bypass User Account Control (sub-technique)
  LockBit 2.0 can bypass UAC through creating the Registry key `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ICM\Calibration`. [FBI Lockbit 2.0 FEB 2022; Palo Alto Lockbit 2.0 JUN 2022]

Enterprise | T1136 | Create Account
  LockBit 2.0 has been observed creating accounts for persistence using simple names like "a". [Palo Alto Lockbit 2.0 JUN 2022]

Enterprise | T1112 | Modify Registry
  LockBit 2.0 can create Registry keys to bypass UAC and for persistence. [FBI Lockbit 2.0 FEB 2022]

Enterprise | T1082 | System Information Discovery
  LockBit 2.0 can enumerate system information including hostname and domain information. [FBI Lockbit 2.0 FEB 2022; Palo Alto Lockbit 2.0 JUN 2022]

Enterprise | T1140 | Deobfuscate/Decode Files or Information
  LockBit 2.0 can decode scripts and strings in loaded modules. [FBI Lockbit 2.0 FEB 2022; Palo Alto Lockbit 2.0 JUN 2022]

Enterprise | T1057 | Process Discovery
  LockBit 2.0 can determine if a running process has administrative privileges and terminate processes that interfere with encryption or exfiltration. [FBI Lockbit 2.0 FEB 2022; SentinelOne LockBit 2.0]

Enterprise | T1083 | File and Directory Discovery
  LockBit 2.0 can exclude files associated with core system functions from encryption. [FBI Lockbit 2.0 FEB 2022]

Enterprise | T1484.001 | Group Policy Modification (sub-technique)
  LockBit 2.0 can modify Group Policy to disable Windows Defender and to automatically infect devices in Windows domains. [FBI Lockbit 2.0 FEB 2022; Palo Alto Lockbit 2.0 JUN 2022]

Enterprise | T1120 | Peripheral Device Discovery
  LockBit 2.0 has the ability to identify mounted external storage devices. [FBI Lockbit 2.0 FEB 2022]

Enterprise | T1135 | Network Share Discovery
  LockBit 2.0 can discover remote shares. [FBI Lockbit 2.0 FEB 2022]

Enterprise | T1680 | Local Storage Discovery
  LockBit 2.0 can enumerate local drive configuration. [FBI Lockbit 2.0 FEB 2022; Palo Alto Lockbit 2.0 JUN 2022]

Enterprise | T1685.005 | Clear Windows Event Logs (sub-technique)
  LockBit 2.0 can delete log files through the use of wevtutil. [FBI Lockbit 2.0 FEB 2022; Palo Alto Lockbit 2.0 JUN 2022; Cybereason Lockbit 2.0; SentinelOne LockBit 2.0]

Enterprise | T1047 | Windows Management Instrumentation
  LockBit 2.0 can use wmic.exe to delete volume shadow copies. [Cybereason Lockbit 2.0]

Enterprise | T1480 | Execution Guardrails
  LockBit 2.0 will not execute on hosts where the system language is set to a language spoken in the Commonwealth of Independent States region. [FBI Lockbit 2.0 FEB 2022; Palo Alto Lockbit 2.0 JUN 2022]

Enterprise | T1614.001 | System Language Discovery (sub-technique)
  LockBit 2.0 can check if a targeted machine is using a set of Eastern European languages and exit without infection if so. [FBI Lockbit 2.0 FEB 2022; Palo Alto Lockbit 2.0 JUN 2022]

Enterprise | T1070.004 | File Deletion (sub-technique)
  LockBit 2.0 can delete itself from disk after execution. [FBI Lockbit 2.0 FEB 2022; Palo Alto Lockbit 2.0 JUN 2022; Cybereason Lockbit 2.0]

Enterprise | T1021.002 | SMB/Windows Admin Shares (sub-technique)
  LockBit 2.0 has the ability to move laterally via SMB. [Palo Alto Lockbit 2.0 JUN 2022; SentinelOne LockBit 2.0]

Enterprise | T1486 | Data Encrypted for Impact
  LockBit 2.0 can use standard AES and elliptic-curve cryptography algorithms to encrypt victim data. [Palo Alto Lockbit 2.0 JUN 2022; SentinelOne LockBit 2.0]

Enterprise | T1059.001 | PowerShell (sub-technique)
  LockBit 2.0 can use the PowerShell module `InvokeGPUpdate` to modify Group Policy. [FBI Lockbit 2.0 FEB 2022; Palo Alto Lockbit 2.0 JUN 2022]

Enterprise | T1490 | Inhibit System Recovery
  LockBit 2.0 has the ability to delete volume shadow copies on targeted hosts. [FBI Lockbit 2.0 FEB 2022; Cybereason Lockbit 2.0]
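As an added example (not code from the ATT&CK object, MITRE, or Glexia), the Python below tags constructed Windows telemetry with the procedures listed in the table above and then correlates the hits per host into the behaviour chain described under "Detection direction", including the approved-admin-host tuning that section recommends. The event schema, the regexes, the host and account names (WS-014, MGMT-01, WS-030, CORP\jdoe, CORP\svc-gpo) and the allowlist are assumptions; the Registry key matched for T1548.002 is the one the table quotes, while the command lines are plausible renderings of the other procedures, not observed indicators.

```python
"""Added example: tag Windows telemetry with the LockBit 2.0 procedures listed
on this page, then correlate per host into a behaviour chain. Sample events,
host names and regexes are constructed assumptions, not observed indicators."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage names follow the page's "Detection direction" wording.
DISC, REMOTE, PERSIST, RECOVERY, IMPACT, EVASION = (
    "discovery", "remote_admin", "persistence_or_policy",
    "recovery_impairment", "encryption_impact", "defense_evasion")

# (technique, stage, event kind, regex over cmdline / registry target / account).
# The T1548.002 key is the one quoted in the table; the rest are assumed renderings
# of the table's procedure text (e.g. "delete volume shadow copies" via wmic/vssadmin).
RULES = [
    ("T1082",     DISC,     "process",  r"\b(hostname|systeminfo|whoami)(\.exe)?\b"),
    ("T1135",     DISC,     "process",  r"\bnet1?(\.exe)?\s+(view|share)\b"),
    ("T1021.002", REMOTE,   "process",  r"\\\\[\w.-]+\\(admin|c)\$"),
    ("T1047",     REMOTE,   "process",  r"\bwmic(\.exe)?\b"),
    ("T1490",     RECOVERY, "process",  r"shadowcopy\s+delete|vssadmin.*delete\s+shadows"),
    ("T1489",     IMPACT,   "process",  r"\b(net1?(\.exe)?\s+stop|taskkill)\b"),
    ("T1053.005", PERSIST,  "process",  r"\bschtasks(\.exe)?\s+/create\b"),
    ("T1059.001", PERSIST,  "process",  r"invoke-?gpupdate"),
    ("T1685.005", EVASION,  "process",  r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b"),
    ("T1548.002", EVASION,  "registry",
     r"wow6432node\\microsoft\\windows nt\\currentversion\\icm\\calibration"),
    ("T1547.001", PERSIST,  "registry", r"\\currentversion\\run\\"),
    ("T1136",     PERSIST,  "account",  r"^[a-z0-9]{1,3}$"),  # "simple names like a"
]
COMPILED = [(t, s, k, re.compile(rx, re.I)) for t, s, k, rx in RULES]
TEXT_FIELD = {"process": "cmdline", "registry": "target", "account": "account"}


def classify(event):
    """Return the set of (technique, stage) pairs one event matches."""
    text = event.get(TEXT_FIELD.get(event["kind"], ""), "")
    return {(t, s) for t, s, k, rx in COMPILED if k == event["kind"] and rx.search(text)}


APPROVED_ADMIN_HOSTS = {"MGMT-01"}  # hypothetical management host (tuning input)


def correlate(events, approved_hosts=APPROVED_ADMIN_HOSTS, window=timedelta(hours=2)):
    """Emit at most one alert per host whose hits span >= 3 stages inside `window`.
    Approved admin hosts are suppressed unless recovery impairment or impact is
    present, because those two stages have no routine administrative use."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        hits = classify(e)
        if hits:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e["user"], hits))
    alerts = []
    for host, hits in by_host.items():
        # Pick the window start that covers the most distinct stages for this host.
        best = max(([h for h in hits if t0 <= h[0] <= t0 + window] for t0, _, _ in hits),
                   key=lambda chain: len({s for _, _, hs in chain for _, s in hs}))
        stages = {s for _, _, hs in best for _, s in hs}
        high_risk = bool(stages & {RECOVERY, IMPACT})
        if len(stages) >= 3 and (host not in approved_hosts or high_risk):
            alerts.append({"host": host,
                           "users": sorted({u for _, u, _ in best}),
                           "stages": sorted(stages),
                           "techniques": sorted({t for _, _, hs in best for t, _ in hs}),
                           "severity": "high" if high_risk else "medium"})
    return alerts


def ev(ts, host, user, kind, **fields):
    return {"ts": ts, "host": host, "user": user, "kind": kind, **fields}


# Constructed sample telemetry (no real incident data): WS-014 carries a
# ransomware-style chain, MGMT-01 routine admin work, WS-030 a lone discovery command.
SAMPLE_EVENTS = [
    ev("2024-05-01T02:00:05", "WS-014", r"CORP\jdoe", "process", cmdline=r"cmd.exe /c net view /all"),
    ev("2024-05-01T02:00:09", "WS-014", r"CORP\jdoe", "process", cmdline=r"hostname"),
    ev("2024-05-01T02:05:30", "WS-014", r"CORP\jdoe", "registry",
       target=r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ICM\Calibration"),
    ev("2024-05-01T02:07:00", "WS-014", r"CORP\jdoe", "process", cmdline=r"wmic.exe shadowcopy delete"),
    ev("2024-05-01T02:07:40", "WS-014", r"CORP\jdoe", "process", cmdline=r"wevtutil.exe cl Security"),
    ev("2024-05-01T02:08:00", "WS-014", r"CORP\jdoe", "account", account="a"),
    ev("2024-05-01T02:08:10", "WS-014", r"CORP\jdoe", "process",
       cmdline=r"cmd.exe /c copy C:\Users\Public\update.exe \\WS-015\ADMIN$\update.exe"),
    ev("2024-05-01T02:08:30", "WS-014", r"CORP\jdoe", "process", cmdline=r"taskkill /F /IM sqlservr.exe"),
    ev("2024-05-01T09:00:00", "MGMT-01", r"CORP\svc-gpo", "process",
       cmdline=r"powershell.exe -Command Invoke-GPUpdate -Computer WS-020 -Force"),
    ev("2024-05-01T09:01:00", "MGMT-01", r"CORP\svc-gpo", "process",
       cmdline=r"schtasks.exe /create /tn PatchRun /tr C:\Tools\patch.cmd /sc once /st 09:30"),
    ev("2024-05-01T09:02:00", "MGMT-01", r"CORP\svc-gpo", "process", cmdline=r"net view \\FS-01"),
    ev("2024-05-01T09:03:00", "MGMT-01", r"CORP\svc-gpo", "process",
       cmdline=r"wmic.exe /node:WS-020 process call create C:\Tools\patch.cmd"),
    ev("2024-05-01T11:00:00", "WS-030", r"CORP\asmith", "process", cmdline=r"whoami"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running the file prints one high-severity alert for WS-014 (six stages, nine techniques) and nothing for MGMT-01, whose discovery, remote-admin and persistence hits are exactly the administrative false positives the guidance warns about; calling `correlate(SAMPLE_EVENTS, approved_hosts=set())` shows the same host surfacing as a medium alert once the allowlist is dropped. Shadow-copy deletion or process termination overrides the allowlist on purpose, since no maintenance window justifies them.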


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: b35f98b61c22205a...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | b35f98b61c22…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records. The relationship text above also cites "Cybereason Lockbit 2.0" and "SentinelOne LockBit 2.0", which are not carried in this mirrored reference list.

  1. [1] FBI Lockbit 2.0 FEB 2022. FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025.
  2. [2] Palo Alto Lockbit 2.0 JUN 2022. Elsad, A. et al. (2022, June 9). LockBit 2.0: How This RaaS Operates and How to Protect Against It. Retrieved January 24, 2025.
  3. [3] mitre-attack S1199. The S1199 software entry on attack.mitre.org.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.