:: Deepquest ::

Lockbit version 3.0 ransomware looks for and executes DLLs in its current directory. Therefore, we can hijack a DLL, in this case “RstrtMgr.dll”, execute our own code, and terminate the malware pre-encryption. The exploit DLL checks if the current directory is “C:WindowsSystem32” and if not we grab our process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.