active threat profile
type Ransomware / RaaS
threat_level Critical
status Active
origin Russia
last_updated 2026-03-13

LockBit

also known as: ABCD Ransomware, LockBit Black, LockBit 3.0, LockBit Green, LockBit Neo, Water Selkie

A Russia-based ransomware-as-a-service (RaaS) operation that has been among the world's most prolific ransomware groups since 2019. LockBit has targeted over 2,500 victims across 120+ countries, extracted more than $500 million in ransom payments, and caused billions of dollars in additional losses spanning healthcare, finance, government, and critical infrastructure sectors worldwide.

attributed origin Russia
suspected sponsor Criminal Organization (Russia-harbored)
first observed September 2019
primary motivation Financial / Extortion
primary targets Healthcare, Finance, Manufacturing, Government, Education
confirmed victims 2,500+ across 120+ countries
mitre att&ck software S1202 (LockBit 3.0)
target regions North America, Europe, Asia-Pacific, Latin America
threat level Critical

Overview

LockBit is a cybercriminal group that operates one of the longest-running and most impactful ransomware-as-a-service (RaaS) platforms in the threat landscape. First observed in September 2019 under the name "ABCD ransomware" (named for the file extension it appended to encrypted files), the operation quickly scaled through an affiliate model where core developers maintain the malware, payment infrastructure, and data leak sites while recruited affiliates handle intrusions, lateral movement, and data exfiltration.

Between June 2022 and February 2024 alone, over 7,000 attacks were built using LockBit's services, according to data obtained by law enforcement during Operation Cronos. The FBI's Internet Crime Report for 2023 (published in 2024) listed LockBit as the most-reported ransomware variant affecting U.S. critical infrastructure, and at its peak the group accounted for roughly 16% of all ransomware attacks globally by volume. In 2022, LockBit was the single most deployed ransomware variant worldwide.

The group's administrator, operating under the alias LockBitSupp, was identified in May 2024 by an international law enforcement coalition as Russian national Dmitry Yuryevich Khoroshev. He was subsequently sanctioned by the U.S., U.K., and Australia, and indicted on 26 criminal counts including extortion, wire fraud, and conspiracy. U.S. authorities allege Khoroshev personally extracted over $100 million from victims. A $10 million reward remains active for information leading to his arrest. At least six individuals affiliated with the LockBit conspiracy have been charged, including developer Rostislav Panev, who was extradited to the United States in 2025.

critical

Despite Operation Cronos disrupting LockBit's infrastructure in February 2024, and the May 2025 defacement of its affiliate panels that leaked a backend database of negotiations and affiliate credentials, the group resurfaced with LockBit 5.0 in September 2025. By December 2025, the group claimed 112 victims in a single month, marking a significant operational rebound. LockBit remains an active and evolving threat.

Version History

LockBit has evolved through multiple major iterations, each introducing enhanced capabilities:

  • LockBit 1.0 (2019-2021): Initial variant using ".abcd" file extension. Written in C. Gained traction through Russian-language cybercrime forums.
  • LockBit 2.0 / Red (June 2021): Introduced StealBit, an automated data exfiltration tool. Dramatically increased attack volume following aggressive affiliate recruitment.
  • LockBit Linux-ESXi Locker 1.0 (October 2021): Extended targeting to Linux systems and VMware ESXi virtualization environments.
  • LockBit 3.0 / Black (March 2022): Major overhaul sharing similarities with BlackMatter and ALPHV ransomware. Builder tools were leaked in September 2022, enabling unaffiliated threat actors to deploy LockBit variants independently.
  • LockBit Green (January 2023): Incorporated source code from the defunct Conti ransomware operation.
  • LockBit-NG-Dev (2024): In-development version written in .NET discovered during Operation Cronos, representing a shift toward platform-agnostic design.
  • LockBit 4.0 (February 2025): Announced but failed to gain significant traction among affiliates.
  • LockBit 5.0 / ChuongDong (September 2025): Complete redevelopment with dedicated payloads for Windows, Linux, and VMware ESXi. Features XChaCha20 and Curve25519 encryption, enhanced anti-analysis techniques including ETW patching and extensive obfuscation, and randomized 16-character file extensions.

Target Profile

LockBit targets organizations of all sizes across a broad range of critical infrastructure sectors. The group has explicitly stated its goal is to attack one million companies. Affiliates have targeted entities in over 120 countries, with the United States, United Kingdom, France, Germany, and China constituting the five hardest-hit nations.

  • Healthcare: Attacks have targeted over 100 hospitals and healthcare organizations, including a December 2022 attack on Toronto's Hospital for Sick Children. The group claimed to penalize the responsible affiliate but law enforcement found that affiliate remained active. In 2024, a Croatian hospital was attacked and reportedly set back to paper-based operations.
  • Financial Services: The November 2023 attack on the U.S. broker-dealer arm of the Industrial and Commercial Bank of China (ICBC) disrupted U.S. Treasury market operations. The banking, financial services, and insurance (BFSI) sector was LockBit's top target category through 2025.
  • Manufacturing & Construction: Consistently among the top targeted industries. The Boeing attack in late 2023 demonstrated the group's willingness to target major aerospace and defense contractors.
  • Government & Education: State, local, tribal, and territorial (SLTT) government entities accounted for 16% of U.S. LockBit incidents in 2022. Schools and universities have been targeted repeatedly.
  • Logistics & Postal: The January 2023 attack on the U.K.'s Royal Mail disrupted international mail and parcel operations for weeks and exposed the dependence of national logistics on a handful of IT systems.
  • Technology & Professional Services: The 2021 Accenture attack, reportedly facilitated by an insider, placed LockBit in the spotlight. Electronics firm Thales was targeted in January 2022.

LockBit has exhibited opportunistic targeting behavior, leveraging data privacy regulations like GDPR as additional extortion leverage against European victims. The group explicitly avoids targeting systems with language settings for CIS nations, consistent with the tacit operating norms for Russia-harbored cybercriminal groups.

Tactics, Techniques & Procedures

LockBit affiliates employ a wide variety of TTPs, making consistent detection challenging. The following table reflects the primary techniques documented across CISA advisories, FBI flash reports, and threat intelligence from observed campaigns.

mitre id | technique | description
T1566 | Phishing | Affiliates use spearphishing emails with malicious attachments or links. Multiple trust-building emails may precede payload delivery.
T1190 | Exploit Public-Facing Application | Exploitation of known vulnerabilities including CVE-2018-13379 (Fortinet SSL VPN), CVE-2021-22986 (F5 iControl REST), CVE-2023-4966 (Citrix Bleed), and the ProxyShell chain in Microsoft Exchange.
T1078 | Valid Accounts | Compromised credentials purchased from initial access brokers or obtained through brute-forcing RDP and VPN passwords.
T1133 | External Remote Services | Affiliates target exposed RDP servers and VPN concentrators for initial access, often using brute-force attacks.
T1059 | Command and Scripting Interpreter | PowerShell scripts, batch files, and PowerShell Empire are used for execution, reconnaissance, credential harvesting, and privilege escalation.
T1021.001 | Remote Desktop Protocol | RDP is used for lateral movement across compromised networks after initial access is obtained.
T1003 | OS Credential Dumping | Mimikatz and other tools are used to extract credentials from LSASS memory and the registry for privilege escalation and lateral movement.
T1562.001 | Disable or Modify Tools | Security products are disabled using tools like GMER and Process Hacker. LockBit 5.0 introduced EDR unhooking by reloading clean copies of hooked Windows libraries.
T1048 | Exfiltration Over Alternative Protocol | Data is exfiltrated using StealBit (custom tool), Rclone, FreeFileSync, MEGA, and FileZilla to cloud storage prior to encryption.
T1486 | Data Encrypted for Impact | Files are encrypted using AES+RSA (earlier versions) or XChaCha20+Curve25519 (LockBit 5.0). Only the first few kilobytes of each file are encrypted for speed. Shadow copies are deleted to prevent recovery.
T1491.001 | Internal Defacement | Desktop wallpaper is replaced with the ransom note. Ransom notes are also printed to connected printers for maximum visibility.
T1070 | Indicator Removal | LockBit deletes itself from disk after execution, clears log files, and patches Event Tracing for Windows (ETW) to hinder forensic analysis.

Known Campaigns

Confirmed or highly attributed operations linked to LockBit and its affiliates.

ICBC U.S. Broker-Dealer Attack NOV 2023

LockBit affiliates compromised the U.S. arm of the Industrial and Commercial Bank of China, disrupting U.S. Treasury market operations and forcing the bank to settle trades via USB drives. One of the highest-profile ransomware incidents to date.

Royal Mail Attack JAN 2023

The United Kingdom's national postal service was targeted by LockBit, severely disrupting international mail and parcel operations for weeks. LockBit demanded roughly $80 million in ransom, which Royal Mail refused. The incident exposed the vulnerability of national logistics infrastructure to ransomware.

Boeing Data Breach OCT 2023

LockBit claimed to have stolen 43GB of data from Boeing's parts and distribution services. After Boeing did not meet ransom demands, the group published the stolen data on its leak site.

Accenture Breach AUG 2021

LockBit 2.0 used to target the global consulting firm, reportedly facilitated by insider access. The group published a portion of the stolen data after ransom negotiations.

Evolve Bank & Trust Breach JUN 2024

LockBit claimed a major breach of Evolve Bank & Trust, a partner bank for fintech companies including Stripe, Mercury, Affirm, and Airwallex. The group initially threatened to leak U.S. Federal Reserve data but the leaked files came from Evolve.

LockBit 5.0 Resurgence SEP 2025 – PRESENT

After months of near-silence following Operation Cronos and a May 2025 infrastructure breach, LockBit launched version 5.0 targeting organizations across Europe, the Americas, and Asia. By December 2025, the group claimed 112 victims in a single month, with manufacturing, technology, and construction as primary targets.

Tools & Malware

Known custom and commodity tools associated with LockBit and its affiliates.

  • StealBit: Custom data exfiltration tool introduced with LockBit 2.0. Automates the transfer of targeted files to attacker-controlled infrastructure prior to encryption.
  • LockBit Ransomware (v1-5.0): The core ransomware payload. Earlier versions written in C/C++, with the in-development NG-Dev version shifting to .NET. LockBit 5.0 uses XChaCha20 and Curve25519 encryption with dedicated payloads for Windows, Linux, and ESXi.
  • Cobalt Strike: Commercial adversary simulation framework commonly used by affiliates for post-exploitation, lateral movement, and command and control.
  • Mimikatz: Open-source credential dumping tool used to extract plaintext passwords, hashes, and Kerberos tickets from LSASS memory.
  • GMER / Process Hacker: Anti-rootkit and system monitoring tools repurposed to identify and disable endpoint security products.
  • Rclone / MEGA / FreeFileSync: Legitimate cloud synchronization and file transfer tools abused for large-scale data exfiltration to attacker-controlled cloud storage.
  • Advanced Port Scanner: Network reconnaissance tool used to enumerate network connections and identify high-value targets such as domain controllers.
  • PowerShell Empire: Post-exploitation framework used for execution of payloads, privilege escalation, and credential harvesting via PowerShell.

Indicators of Compromise

Publicly available IOCs from CISA and FBI advisories. Verify currency before operational use.

warning

IOCs for LockBit change frequently due to the affiliate model and the LockBit 3.0 builder leak (September 2022). Many legacy IOCs are shared across unrelated threat actors who independently use leaked LockBit tooling. Cross-reference with live threat intel feeds and the latest CISA advisories before blocking.

known cves exploited
CVE-2018-13379 — Fortinet FortiOS SSL VPN Path Traversal
CVE-2021-22986 — F5 BIG-IP iControl REST Unauthenticated RCE
CVE-2023-4966 — Citrix NetScaler ADC/Gateway Sensitive Information Disclosure (Citrix Bleed; leaks session tokens that let affiliates bypass MFA)
CVE-2021-34473 — Microsoft Exchange Server RCE (ProxyShell)
CVE-2021-34523 — Microsoft Exchange Server Privilege Escalation (ProxyShell)
CVE-2021-31207 — Microsoft Exchange Server Security Feature Bypass (ProxyShell)

file indicators
extension: .lockbit / .abcd / .Lock / randomized 9-char extensions (v3.0) / randomized 16-char extensions (v5.0)
ransom note: Restore-My-Files.txt (v1-2.0) / [random_id].README.txt (v3.0+)
behavior: Desktop wallpaper changed to the ransom note; ransom notes printed to attached printers
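
The file indicators above, and the partial-encryption behaviour from the TTP table, can be checked on a host without any signature for the binary itself. The following scanner is an added example written for this profile; it is not LockBit tooling and not code from any referenced advisory. It walks a directory tree and flags ransom-note filenames, extensions that match the v1/v2 fixed extensions or the random 9- and 16-character patterns, and files whose first few kilobytes are high-entropy while the rest of the file is not. The 4 KiB header size, the 7.5 bits/byte threshold, the sample directory and the id "Ab3dEfGh9" are all constructed for the demo.

```python
"""Filesystem triage for the LockBit host indicators listed above.

Added example, not code from this profile or from any LockBit tooling. It
flags ransom-note filenames, randomised extensions (9 chars for 3.0, 16 for
5.0) and partial encryption, where only the first few kilobytes of a file
are overwritten with high-entropy data while the rest is untouched.
Thresholds and the sample tree are constructed for the demo.
"""
import math
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field

# Ransom notes: fixed name for v1/v2, <random_id>.README.txt for v3.0+.
RANSOM_NOTE_RE = re.compile(r"^(Restore-My-Files\.txt|[A-Za-z0-9]{9,16}\.README\.txt)$")
# Extensions: .lockbit/.abcd (v1-2), 9 random alphanumerics (v3.0), 16 (v5.0).
# A random-looking extension alone is weak evidence; corroborate with the other two checks.
EXT_RE = re.compile(r"^\.(lockbit|abcd|[A-Za-z0-9]{9}|[A-Za-z0-9]{16})$")
HEADER_BYTES = 4096   # the "first few kilobytes" the locker overwrites (assumed size)
HIGH_ENTROPY = 7.5    # bits per byte; text and most document formats sit far lower


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_partially_encrypted(path: str) -> bool:
    """High-entropy header followed by a low-entropy body is the signature of
    header-only encryption. Fully compressed or encrypted files are high-entropy
    throughout and are deliberately not flagged by this check."""
    if os.path.getsize(path) <= HEADER_BYTES:
        return False
    with open(path, "rb") as fh:
        head = fh.read(HEADER_BYTES)
        body = fh.read(HEADER_BYTES)
    return shannon_entropy(head) >= HIGH_ENTROPY and shannon_entropy(body) < HIGH_ENTROPY


@dataclass
class Findings:
    ransom_notes: list = field(default_factory=list)
    suspicious_ext: list = field(default_factory=list)
    partial_encrypted: list = field(default_factory=list)


def scan_tree(root: str) -> Findings:
    found = Findings()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if RANSOM_NOTE_RE.match(name):
                found.ransom_notes.append(path)
                continue
            if EXT_RE.match(os.path.splitext(name)[1]):
                found.suspicious_ext.append(path)
            if is_partially_encrypted(path):
                found.partial_encrypted.append(path)
    return found


def build_sample_tree() -> str:
    """Constructed sample, not real ransomware output: one v3-style note, one
    renamed file whose first 4 KiB is random bytes over a plaintext body, and
    one untouched document. 'Ab3dEfGh9' is a made-up 9-character id."""
    root = tempfile.mkdtemp(prefix="lockbit_demo_")
    body = b"quarterly report, nothing to see here\n" * 400   # ~15 KiB, low entropy
    with open(os.path.join(root, "budget.xlsx.Ab3dEfGh9"), "wb") as fh:
        fh.write(os.urandom(HEADER_BYTES) + body)              # stand-in for an encrypted header
    with open(os.path.join(root, "Ab3dEfGh9.README.txt"), "w") as fh:
        fh.write("placeholder ransom note text\n")
    with open(os.path.join(root, "minutes.txt"), "wb") as fh:
        fh.write(body)
    return root


if __name__ == "__main__":
    found = scan_tree(build_sample_tree())
    for label, paths in vars(found).items():
        print(f"{label}: {[os.path.basename(p) for p in paths]}")
```

Run it against a file share snapshot or a forensic image mount rather than a live production tree; on a live host the locker may still be running. The entropy check is the one that survives a builder-leak variant with a different extension and note name, because it keys on how the files were damaged rather than on what they were called.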

Mitigation & Defense

Recommended defensive measures based on CISA, FBI, and MS-ISAC joint advisories for organizations in LockBit's target profile.

  • Patch known exploited vulnerabilities immediately: Prioritize patching of Fortinet, Citrix, F5, and Microsoft Exchange vulnerabilities commonly exploited by LockBit affiliates. Maintain a rigorous vulnerability management program aligned with CISA's Known Exploited Vulnerabilities catalog.
  • Enforce phishing-resistant MFA: Deploy FIDO2/WebAuthn-based multi-factor authentication across all external-facing services, VPN concentrators, and privileged accounts. SMS, TOTP, and push-based MFA can be defeated by real-time phishing relays, push fatigue, or session-token theft (as with Citrix Bleed); FIDO2 binds the credential to the origin and is not replayable.
  • Harden Remote Desktop Protocol: Disable RDP where not required. Where RDP is necessary, enforce network-level authentication, restrict access through allowlisting, and monitor for anomalous login patterns and brute-force attempts.
  • Implement network segmentation: Isolate critical systems and limit lateral movement paths. Segment domain controllers, backup infrastructure, and high-value databases from general user networks.
  • Maintain offline, tested backups: Store backups offline and air-gapped from production networks. Test restoration procedures regularly. LockBit specifically targets backup servers and deletes shadow copies to maximize impact.
  • Deploy endpoint detection and response (EDR): Monitor for indicators of LockBit activity including LSASS credential access, shadow copy deletion (vssadmin.exe, wmic.exe), security product tampering, and abnormal PowerShell execution. LockBit 5.0 employs EDR unhooking, requiring behavioral detection capabilities.
  • Monitor for data exfiltration tools: Detect and block unauthorized use of Rclone, MEGA, FreeFileSync, and similar cloud sync tools. Monitor for anomalous outbound data transfers to cloud storage services.
  • Validate security controls against MITRE ATT&CK: Continuously test defensive capabilities against the specific techniques documented in this profile. Use frameworks like CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) as a baseline.
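
The detection guidance in the list above, and the techniques in the TTP table, reduce to a handful of host-telemetry rules. The following detector is an added example written for this profile, not code from CISA, the FBI, or any EDR vendor. It consumes a flat event schema (process creation, process access, logon failure) that stands in for Sysmon events 1 and 10 and Security events 4688 and 4625, and raises alerts for shadow copy deletion via vssadmin or wmic, non-allowlisted LSASS access, GMER and Process Hacker execution, cloud exfiltration tooling including a renamed Rclone binary recognised by its command-line grammar, and RDP brute force against a threshold. The schema, the allowlist of legitimate LSASS readers, the 20-failures-in-60-seconds threshold and all sample events are constructed for the demo.

```python
"""Rule-based triage of host telemetry for the LockBit affiliate behaviours
this profile documents: shadow copy deletion (T1486), LSASS access (T1003),
tampering tooling (T1562.001), exfiltration tooling (T1048), RDP brute force
(T1133). Added example, not code from the profile or any vendor product. The
event schema, allowlist, thresholds and sample events are constructed; mapping
real Sysmon/4688/4625 records onto the schema is the integrator's job.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe"}   # assumed baseline; tune per estate
EXFIL_TOOLS = {"rclone.exe", "megasync.exe", "megacmd.exe", "freefilesync.exe", "filezilla.exe"}
TAMPER_TOOLS = {"gmer.exe", "processhacker.exe"}
RDP_FAIL_THRESHOLD, RDP_WINDOW_S = 20, 60                      # 20 failures in 60 s per source

SHADOW_DELETE = [  # (image pattern, command-line pattern)
    (re.compile(r"^vssadmin(\.exe)?$", re.I), re.compile(r"\bdelete\s+shadows\b", re.I)),
    (re.compile(r"^wmic(\.exe)?$", re.I), re.compile(r"\bshadowcopy\s+delete\b", re.I)),
]
# A renamed Rclone binary keeps Rclone's grammar: <verb> <src> <remote>:<path>.
# The remote name must be 2+ chars so a plain drive letter (E:) does not match.
RCLONE_GRAMMAR = re.compile(r"\b(copy|sync|move)\s+\S+\s+[A-Za-z][A-Za-z0-9_-]+:", re.I)


@dataclass(frozen=True)
class Alert:
    technique: str   # ATT&CK ID, as in the TTP table above
    rule: str
    host: str
    detail: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


class Detector:
    def __init__(self):
        self._rdp_fail = defaultdict(deque)   # (host, src_ip) -> failure timestamps

    def process(self, ev: dict) -> list:
        handler = {"process_create": self._on_process, "process_access": self._on_access,
                   "logon_failure": self._on_logon_failure}.get(ev["event"])
        return handler(ev) if handler else []

    def _on_process(self, ev):
        img, cmd, host = basename(ev["image"]), ev.get("cmdline", ""), ev["host"]
        alerts = [Alert("T1486", "shadow_copy_deletion", host, cmd)
                  for img_re, cmd_re in SHADOW_DELETE if img_re.match(img) and cmd_re.search(cmd)]
        if img in TAMPER_TOOLS:
            alerts.append(Alert("T1562.001", "security_tool_tampering", host, img))
        if img in EXFIL_TOOLS or RCLONE_GRAMMAR.search(cmd):
            alerts.append(Alert("T1048", "exfil_tooling", host, cmd or img))
        return alerts

    def _on_access(self, ev):
        src = basename(ev["image"])
        if basename(ev["target"]) == "lsass.exe" and src not in LSASS_READERS:
            return [Alert("T1003", "lsass_access", ev["host"], src)]
        return []

    def _on_logon_failure(self, ev):
        if ev.get("logon_type") != 10:         # 10 = RemoteInteractive, i.e. RDP
            return []
        window = self._rdp_fail[(ev["host"], ev["src_ip"])]
        window.append(ev["ts"])
        while ev["ts"] - window[0] > RDP_WINDOW_S:
            window.popleft()
        if len(window) == RDP_FAIL_THRESHOLD:  # fire once, when the threshold is first crossed
            return [Alert("T1133", "rdp_bruteforce", ev["host"],
                          f"{ev['src_ip']}: {len(window)} failures in {RDP_WINDOW_S}s")]
        return []


def run(events) -> list:
    det = Detector()
    return [a for ev in events for a in det.process(ev)]


# Constructed sample telemetry, not captured from a real incident.
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"event": "process_create", "host": "WS01", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"event": "process_create", "host": "WS01", "image": r"C:\Users\Public\svchost.exe",   # renamed rclone
     "cmdline": r"svchost.exe copy D:\Finance backup:finance --transfers 32"},
    {"event": "process_create", "host": "WS01", "image": r"C:\Temp\ProcessHacker.exe", "cmdline": "ProcessHacker.exe"},
    {"event": "process_access", "host": "WS01", "image": r"C:\Temp\mk.exe", "target": r"C:\Windows\System32\lsass.exe"},
    {"event": "process_access", "host": "WS01", "image": r"C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe",
     "target": r"C:\Windows\System32\lsass.exe"},                                            # allowlisted
    {"event": "process_create", "host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe List Shadows"},                                                # benign
] + [{"event": "logon_failure", "host": "GW01", "src_ip": "203.0.113.7", "logon_type": 10, "ts": 1000 + i}
     for i in range(25)]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The sample run yields six alerts: two for shadow copy deletion, one each for the renamed Rclone, Process Hacker, and the unknown LSASS reader, and one for the RDP source once its twentieth failure lands inside the window; the Defender engine reading LSASS and the `vssadmin List Shadows` query produce nothing. Because LockBit 5.0 unhooks user-mode EDR hooks, rules like these belong on a telemetry source the payload cannot patch from user mode (ETW-TI, kernel callbacks, or a forwarded event log), not inside the hooked process.
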
note

The September 2022 leak of LockBit 3.0 builder tools means that LockBit-branded ransomware incidents may not originate from the LockBit organization itself. Unaffiliated threat actors have been observed deploying LockBit variants independently. Attribution should consider operational context beyond malware identification alone. The SuperBlack ransomware variant (March 2025, attributed to Mora_001) is one confirmed example of third-party reuse of LockBit 3.0 code.


— end of profile