Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware – The DFIR Report

A LockBit ransomware attack began with the download and execution of a Cobalt Strike beacon disguised as a legitimate Windows utility. The threat actor used various techniques, including scheduled tasks, proxy tools, and process injection, to establish persistence and move laterally within the network. After nearly 10 days of reconnaissance and data exfiltration, the ransomware was deployed across all Windows hosts, for a Time to Ransomware (TTR) of just under 239 hours.
