Ransom:Win32/Lockbit.AK!ibt - Windows Defender Threat Analysis

This is a concrete detection for a variant of the Lockbit ransomware, a highly destructive malware family. The threat is designed to encrypt files on the compromised system and demand a ransom payment for their recovery. The detection is based on specific code signatures, indicating a very low risk of a false positive.

No specific strings found for this threat

rule Ransom_Win32_Lockbit_AK_2147897364_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Ransom:Win32/Lockbit.AK!ibt"
        threat_id = "2147897364"
        type = "Ransom"
        platform = "Win32: Windows 32-bit platform"
        family = "Lockbit"
        severity = "Critical"
        info = "ibt: an internal category used to refer to some threats"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {8d 40 10 64 8b 00 8b 40 0c 8d 48 0c 89 4d f8 8b 48 0c 8b 59 18 33 c0 40 c1 e0 05 8d 40 1d 8b 44 03 ff 8d 04 03 8b 50 78 85 d2}  //weight: 1, accuracy: High
        $x_1_2 = {6a 00 6a 00 6a 00 6a 00 6a 00 68 02 10 04 00 ff d0 8b f0 85 f6 0f 84 7c 01 00 00 8b 40 40 c1 e8 1c}  //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate the affected system from the network to prevent lateral movement. Use your security software to remove the detected threat. Restore any encrypted files from a known-good, offline backup and do not pay the ransom.