Ransom:Win32/Lockbit.RPA!MTB - Windows Defender Threat Analysis

Ransom:Win32/Lockbit.RPA!MTB is a detection for a variant of the Lockbit ransomware, a sophisticated threat that encrypts files and demands a ransom for their recovery. The "!MTB" suffix signifies that it was identified by a machine learning model based on its malicious behavior, rather than a traditional signature.

No specific strings found for this threat

rule Ransom_Win32_Lockbit_RPA_2147849412_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Ransom:Win32/Lockbit.RPA!MTB"
        threat_id = "2147849412"
        type = "Ransom"
        platform = "Win32: Windows 32-bit platform"
        family = "Lockbit"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "1"
        strings_accuracy = "High"
    strings:
        $x_1_1 = {8a 54 0d 00 02 d3 8a 5c 15 00 8a 54 1d 00 8a 54 15 00 fe c2 8a 44 15 00 30 07 8a 54 1d 00 86 54 0d 00 88 54 1d 00 fe c1 47 4e 85 f6 75 d2}  //weight: 1, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate the affected machine from the network to prevent lateral movement. Do not pay the ransom; restore encrypted files from a known-good, offline backup. Re-image the system after ensuring backups are clean and investigate the initial point of compromise.