Lockbit

LockBit traces its origins back to September 2019, when the first known activity of the “ABCD” ransomware—widely regarded as LockBit’s predecessor—was observed. By January 2020, LockBit had begun appearing under its current name on Russian-language cybercrime forums. From that initial foothold, it has rapidly become one of the most prominent ransomware families on the cybercriminal landscape, adopting a Ransomware-as-a-Service (RaaS) model that includes a dedicated leak site (DLS) and a ransom negotiation portal. Affiliates sign on to use LockBit’s ransomware builders, manage new victims via the DLS, and may also employ “StealBit,” an information-stealing tool built into later LockBit versions.

A significant milestone arrived in June 2021 with the debut of LockBit 2.0 (often referred to as LockBit Red). While LockBit’s popularity and impact were already growing, this release dramatically expanded the group’s visibility. In October 2021, LockBit Linux-ESXi Locker version 1.0 appeared, broadening LockBit’s targeting capabilities to Linux and VMware ESXi systems. The ransomware operators continued evolving their product in March 2022 with the emergence of LockBit 3.0, also called LockBit Black—a new variant sharing code similarities with BlackMatter and Alphv (BlackCat) ransomware. Although its first appearance was reported in March 2022, many point to June 2022 as a significant launch date when LockBit 3.0 became widely adopted. LockBit Red (the rebranded LockBit 2.0) remained the default builder for most affiliates, while LockBit Black was reserved for affiliates who had demanded over USD $2.5 million in ransoms. This version also introduced advanced functionality, such as killing specific processes or defining file and device allowlists, and included a bug bounty program offering rewards of up to USD $10 million.

In September 2022, a leak of the LockBit 3.0 builder enabled non-LockBit affiliates to generate LockBit payloads, accelerating its spread. The ransomware’s next iteration, LockBit Green, was unveiled in January 2023, reportedly incorporating leaked Conti version 3 source code. Unlike LockBit Black, LockBit Green required no proof of large ransom demands, making it a more inclusive offering for a broader array of cybercriminal operators. Four months later, in April 2023, a new LockBit macOS variant surfaced on open-source malware repositories, largely mirroring the functionality of LockBit’s Linux/ESXi version and underscoring the group’s continued push to infect as many platforms as possible.

Law enforcement pressure against LockBit intensified in February 2024 when “Operation Cronos”—a coordinated multinational effort—resulted in the temporary seizure of its DLS and affiliate portal. Although LockBit services were restored five days later, further action in May 2024 led to indictments and sanctions targeting several of the group’s key members, including a Russian national identified as a principal developer and administrator. In December 2024, LockBit countered these setbacks by releasing LockBit 4.0, which notably removed the option to generate LockBit Red payloads. Despite ongoing disruptions, LockBit has maintained its position as a formidable ransomware force by regularly updating its offerings and continuing to attract affiliates through its RaaS framework.

Sources: CISA & Crowdstrike

‍