View All R&D Articles

LockBit Ransomware: Is Data Recovery Possible?

November 9, 2022

LockBit was first identified in September 2019. At the time, it was known as ABCD ransomware due to its method of attack: The ransomware would encrypt files and change their file extensions to .abcd. Newer versions of LockBit change the file extension to .lockbit.

Unlike other ransomware, LockBit self-executes — it doesn’t have a long dormant phase. Many other malware executables stay dormant for weeks, which allows attackers to perform reconnaissance. By studying their target’s security controls and backup/archive strategies, attackers can overcome those defenses, raising the chances of a successful ransom.

LockBit doesn’t use this tactic. Instead, it executes quickly, spreading through connected systems to maximize the impact of the attack. It often hides its executable as a common file format (such as a PNG), evading detection while encryption occurs. 

Below, we’ll discuss some of the unique characteristics of LockBit and explain why the ransomware is gaining traction among bad actors. If your organization has suffered a LockBit infection, we’re here to help. To discuss recovery options, call us at 1-800-237-4200 or click here to submit a case online.

Why is LockBit a serious threat for businesses?

The creators of LockBit established an affiliate system (also known as Ransomware-as-a-Service, or RaaS). Operators use LockBit to infect high-value targets, which are forced to pay a ransom to decrypt their files. 

Earlier versions of LockBit led victims to a ransom message using a tor browser, while newer variants use standard web browsers. The ransom payment is split between the operators and the original LockBit group.

The LockBit group also offers payment to security researchers who find vulnerabilities in the ransomware’s code via a “bug bounty” program. Contributors can earn up to $1 million (aiding ransomware creators is, of course, quite illegal). 

Since LockBit works quickly, it’s become a popular tool for bad actors in the RaaS community. The original LockBit group has also updated their “service” several times, strengthening its encryption and infiltration tactics to discourage data recovery.

In September 2022, LockBit suffered a security breach. The LockBit builder was released via Twitter, which will enable other ransomware groups to modify the ransomware (and avoid paying a portion of the ransom to the original group). This will likely lead to new ransomware variants that utilize LockBit’s approach.

What types of systems does LockBit ransomware infect?

Lockbit can infect Windows and Linux systems, and the operators are clearly working at expanding its capabilities.

While the ransomware itself is self-executing, attackers try to target systems that are more likely to result in a successful ransom. Targets have included: 

  • Healthcare providers
  • Educational institutions
  • Manufacturers and logistics providers 
  • Financial firms
  • Information technology (IT) businesses
  • Oil, gas, and other supply chain organizations
  • Retail businesses

The LockBit group maintains that it has a “code of ethics,” which prevents bad actors from attacking charities, educational institutions, and healthcare providers. In reality, however, attackers will target any institution with a vulnerability — and healthcare providers have been particularly common targets.

How can I avoid a LockBit ransomware attack?

The best tactics for preventing LockBit infection are consistent with the best practices of IT security:
Educate your team. Have strong password protocols and communicate the importance of strong security controls.

  • Assign user account permissions appropriately.
  • Use multi-factor authentication wherever possible.
  • Establish a backup and archival strategy that would allow for effective disaster recovery. Test your strategy regularly.
  • Engage in system penetration testing (PEN testing) and work with third-party security analysts to monitor potential threats.

Remember, many ransomware variants have a dormant phase. While a comprehensive backup strategy is a necessary component of a robust cyber security solution, it’s no substitute for strong security controls.

Is data recovery possible after a LockBit infection?

Generally speaking, yes. While LockBit encrypts files to prevent access, our engineers have discovered several vulnerabilities that allow for data recovery in many scenarios. 

The chances of a successful recovery depend on several factors:

  • The timespan of the infection 
  • The number of volumes infected
  • The version of LockBit (ABCD, LockBit 2.0, or LockBit 3.0) used
  • The size and complexity of the infected files

In most cases, infected databases are recoverable — which is crucial, given that LockBit seeks out these high-value files as targets. has developed methods for resolving LockBit infections on MySQL, Postgre SQL, Microsoft SQL Server, MongoDB, and other common formats.

If ransomware recovery is not possible, our team can help your organization create a disaster recovery strategy and protect against future attacks. To learn more, call 1-800-237-4200 and ask to speak with a ransomware recovery expert.