Overview of the LockBit 3.0 Ransomware Attack

In early July 2023, a Sangfor customer in Italy experienced a ransomware attack carried out by the LockBit ransomware group. The education sector customer was using Sangfor’s endpoint detection and response (EDR) product, Endpoint Secure. The attack resulted in the encryption of over 50 computers by the LockBit 3.0 variant, also known as LockBit Black. The victim received a ransom note demanding payment in exchange for their data, as shown below.

LockBit Ransomware Silently Disables EDR Using TDSSKiller 1

Investigation into the LockBit 3.0 Ransomware Attack

The Sangfor Cyber Guardian Incident Response (IR) team was swiftly deployed to investigate the incident and assist the customer in restoring their operations.

During the investigation, it was discovered that the TDSSKiller tool was loaded onto the compromised machines prior to ransomware infection and encryption. TDSSKiller is a free tool developed by the cybersecurity firm Kaspersky for detecting and removing rootkits. It is also capable of disabling stubborn malicious processes via command prompt execution, as shown below.

LockBit Ransomware Silently Disables EDR Using TDSSKiller 2

Source: https://support.kaspersky.com/common/disinfection/5350#block1

During incident response, the Sangfor Cyber Guardian IR team first identifies the ransomware family to understand its common tactics, techniques, and procedures (TTPs). This allows the IR team to determine the root cause and trace the chain of events that led to the ransomware compromise. 

The article "Dark Web Profile: LockBit 3.0 Ransomware" on SoCRadar outlines the tools and propagation techniques used by LockBit 3.0, including TDSSKiller. However, there are currently no resources available that provide a detailed explanation of how TDSSKiller is specifically abused in LockBit attacks. This information was absent to the general public on ANY.RUN (an interactive malware execution virtual platform), Joe Sandbox, and other websites that typically publish such details as of 14 July 2023. The closest mention of LockBit 3.0 leveraging the TDSSKiller tool was found in the above-mentioned SoCRadar article and on the Cybersecurity and Infrastructure Security Agency (CISA) website.

The lack of published detailed information on its misuse prevents security experts and end users from understanding how TDSSKiller is exploited for malicious purposes. This is significant given that TDSSKiller is a legitimate portable scanner used to detect and remove rootkits released by Kaspersky and available on their website.

However, further exploration by Sangfor revealed that the Kaspersky TDSSKiller tool is capable of terminating antivirus and EDR software through a command line script or batch file. The figure below demonstrates the removal of Microsoft Defender by executing the command "tdsskiller.exe -dcsvc windefend".

LockBit Ransomware Silently Disables EDR Using TDSSKiller 3

The "-dcsvc <service_name>" command deletes the specified service, removing the registry keys and executables associated with the service and software, as shown in the test conducted on Windows Defender Antimalware Client Version: 4.18.23050.5.

LockBit Ransomware Silently Disables EDR Using TDSSKiller 4

After rebooting, Windows Defender was no longer working, as shown below by system alerts and service status.

LockBit Ransomware Silently Disables EDR Using TDSSKiller 5

From our incident response investigation, the following screenshot illustrates that TDSSKiller.exe was loaded onto a compromised machine before the LBB.exe LockBit payload file was executed to start the ransomware infection. System logs confirm that the EDR software on this host was disabled prior to the start of the LockBit 3.0 ransomware infection and encryption. This is evidence that TDSSKiller terminated the endpoint security software, enabling the unobstructed deployment of ransomware.

LockBit Ransomware Silently Disables EDR Using TDSSKiller 6

Figure 1 - tdsskiller.exe tool was loaded onto compromised computer first before LBB.exe was later imported to launch the attack.

LockBit Ransomware Silently Disables EDR Using TDSSKiller 7

Figure 2 - LBB.exe associated to LockBit ransomware execution file

The TDSSKiller tool was also tested against third-party endpoint security software, proving to be effective in successfully disabling it, as shown below. The termination of this security software is not feasible using Process Hacker or a simple "end task" or "end process tree" in the Windows Task Manager, which further demonstrates the capabilities of TDSSKiller.

LockBit Ransomware Silently Disables EDR Using TDSSKiller 8

Figure 3 - Failed to terminate a tested third-party security software process through Task Manager

LockBit Ransomware Silently Disables EDR Using TDSSKiller 9

Figure 4 - Successfully removed the third-party security software with TDSSKiller

With LockBit 3.0 actively in the wild on top of other ransomware families still exploiting the MOVEit vulnerability, it is a matter of time before more APT groups and ransomware families adopt TDSSKiller or similar tools to bypass endpoint security.

Remediation Recommendations

The following recommendations are provided as part of immediate remediation or risk reduction measures:

  1. Ensure your endpoint security can detect, identify, and alert you upon finding these files in your network. The file hashes are shared below.
  2. Set up alert notifications in your endpoint security manager to alert when endpoint security agents go offline and/or computers shut down on a random basis.
  3. Use Sangfor Cyber Guardian MDR service, employing industry threat response best practices, to monitor your critical assets and Endpoint Secure agents around the clock.
  4. Employ other security controls in the network such as network detection response (NDR) tools like Sangfor’s Cyber Command for a defense-in-depth approach to detect and respond quickly upon detection of common ransomware TTPs.
  5. Sangfor Endpoint Secure customers should do the following immediately:
    • Enable alerts within the Endpoint Secure Manager to notify if any agent is disabled or disconnected from the network.
    • Set up a policy to auto restart a terminated agent after a computer reboot.
    • Run daily scans for the detection of the malicious files listed below in item #7.
    • Enable auto update on the virus engine program to immediately receive the latest bugfix.
  6. If the malicious files below were found on your systems, immediately request Incident Response (IR) service from the Sangfor Cyber Guardian team to identify the compromised entry point, patient zero, and steps to fix security gaps observed from the attack.
  7. Below are the IOCs for the TDSSKiller tools and LockBit execution file seen in the attack:

LockBit 3.0 IOCs




T1562.001 - Impair Defenses: Disable or Modify Tools

MD5 Hash


SHA256 Hash





T1562.001 - Impair Defenses: Disable or Modify Tools

MD5 Hash


SHA256 Hash





T1027.002 - Obfuscated Files or Information: Software Packing
T1057 - Process Discovery
T1071.001 - Application Layer Protocol: Web Protocols
T1082 - System Information Discovery
T1489 - Service Stop
T1486 - Data Encrypted for Impact
T1562.001 - Impair Defenses: Disable or Modify Tools
T1543 - Create or Modify System Process

MD5 Hash


SHA256 Hash



Reach out to your local Sangfor office and explore how Sangfor Cyber Guardian can protect you from this and other ransomware or APT threats.


Contact Us for Business Inquiry

Listen To This Post


Get in Touch

Get in Touch with Sangfor Team for Business Inquiry

Related Articles

What is Brain Cipher? The Ransomware that Took Down the Indonesian National Data Center

Date : 01 Jul 2024
Read Now

New TellYouThePass Ransomware Variant Discovered In The Wild

Date : 25 Mar 2024
Read Now

New Mallox Ransomware Variant Discovered In The Wild

Date : 12 Mar 2024
Read Now

See Other Product

Sangfor Access Secure
Sangfor SSL VPN
Best Darktrace Cyber Security Competitors and Alternatives in 2024
Sangfor Omni-Command
Cyber Command - NDR Platform