Reverse Engineering LockBit Ransomware to Build Protection Method for Post-Compromised Machine
Ahmad Mujahid Malhadi, Ady Wahyudi Paundu
2025
Abstract
Ransomware-as-a-Service (RaaS) has driven a global surge in ransomware attacks, particularly targeting corporations and government institutions. This research introduces a file protection method against ransomware attacks that leverages the extension exclusion patterns and directory path exceptions commonly used by modern ransomware groups such as LockBit and Conti, which operate professionally with affiliate-based business models on the anonymous Tor network. Our approach camouflages critical user files by changing their extensions to ones typically avoided by ransomware (such as .dll, .exe, and .sys) and relocating them to designated "safe" directories, while maintaining access through .LNK shell links that serve as launchers. Testing against nine prominent ransomware variants showed that eight of the nine samples failed to encrypt the protected files, confirming the method's viability. The protection system offers several advantages, including storage efficiency, instant recovery that does not depend on external hardware, and enhanced resistance to data exfiltration attempts. While the method may be limited by future ransomware evolution, the open-source implementation in Rust provides organizations with an accessible tool to enhance cyber-resilience against double extortion techniques and other evolving ransomware threats.
Paper Citation
in Harvard Style
Mujahid Malhadi A. and Wahyudi Paundu A. (2025). Reverse Engineering LockBit Ransomware to Build Protection Method for Post-Compromised Machine. In Proceedings of the 1st International Conference on Research and Innovations in Information and Engineering Technology - Volume 1: RITECH; ISBN 978-989-758-784-9, SciTePress, pages 95-101. DOI: 10.5220/0014265700004928
in Bibtex Style
@conference{ritech25,
author={Ahmad Mujahid Malhadi and Ady Wahyudi Paundu},
title={Reverse Engineering LockBit Ransomware to Build Protection Method for Post-Compromised Machine},
booktitle={Proceedings of the 1st International Conference on Research and Innovations in Information and Engineering Technology - Volume 1: RITECH},
year={2025},
pages={95-101},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0014265700004928},
isbn={978-989-758-784-9},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 1st International Conference on Research and Innovations in Information and Engineering Technology - Volume 1: RITECH
TI - Reverse Engineering LockBit Ransomware to Build Protection Method for Post-Compromised Machine
SN - 978-989-758-784-9
AU - Mujahid Malhadi A.
AU - Wahyudi Paundu A.
PY - 2025
SP - 95
EP - 101
DO - 10.5220/0014265700004928
PB - SciTePress