LockBit v2.0
LockBit v2.0 is referenced in the reporting as one of the leaked ransomware codebases used in the construction of Bablock/Rorschach, a ransomware family first seen in 2023. Check Point estimated that Bablock/Rorschach was built from components of leaked Babuk, LockBit v2.0, and DarkSide source code. In the cited incident reporting around the February 2026 cyberattack on Sapienza University of Rome, Bablock/Rorschach was described as a ransomware strain with fast encryption speeds and extensive customization options, and media reporting linked it to a purported pro-Russian actor tracked as Femwar02. The reporting also stated that the malware typically avoids encrypting devices configured for Russian or other post-Soviet languages. In that incident, the attack reportedly caused widespread disruption, data encryption, and reliance on backups for restoration. No direct indicators of compromise specific to LockBit v2.0 itself were provided in the content.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced as a ransomware codebase that Bablock/Rorschach is reported to borrow from.
Referenced as a source-code lineage component contributing to Bablock/Rorschach, via leaked source material.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.