
LockBit Ransomware: 11-Day Timeline from Initial Compromise to Deployment


A well-coordinated cyber intrusion, spanning 11 days, culminated in the deployment of LockBit ransomware across a corporate environment.

The attack began with the execution of a malicious file posing as the Windows Media Configuration Utility. It followed a sophisticated playbook that combined Cobalt Strike, advanced persistence mechanisms, lateral movement, data exfiltration tools, and finally a ransomware payload.

Cobalt Strike Deployment

The attack commenced in January 2024 with a targeted phishing lure.

The victim downloaded and executed a malicious file (setup_wm.exe) mimicking the Windows Media Configuration Utility.

Initial Access

This file acted as a loader for a Cobalt Strike beacon, a post-exploitation tool prominent among threat actors, and established the initial Command and Control (C2) connection.

Within 30 minutes, the attackers expanded their foothold, running discovery commands to identify domain controllers and leveraging the elevated privileges of the compromised user.

The attackers installed two proxy tools, SystemBC and GhostSOCKS, on the domain controller ...


Copyright of this story solely belongs to gbhackers.