LockBit

LockBit is a transnational organized crime ransomware-as-a-service (RaaS) operation active since around January 2020. It has also been referred to as LockBit 2.0, LockBit 3.0, LockBit Black, LockBit Green, LockBitSupp, and related variants including LockBit 4.0 and 5.0 in the provided content. U.S. government reporting states that LockBit has conducted more than 2,000 attacks worldwide since January 2020; DOJ reporting says it attacked more than 2,500 victims in at least 120 countries, including about 1,800 in the United States. Victims have included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies. Reported ransom proceeds range from at least $144 million in bitcoin to approximately $500 million, with billions of dollars in additional victim losses. LockBit operates through affiliates. According to DOJ reporting, the operation was designed as a RaaS model in which the administrator typically received 20% of each ransom payment and affiliates received the remaining 80%. The group used a control panel for affiliates, maintained public leak infrastructure for extortion, and used the StealBit tool for data exfiltration. The content describes LockBit as using double extortion: affiliates unlawfully accessed vulnerable systems, stole data, encrypted victim data, and threatened to publish stolen information if victims did not pay. Reporting in the content also notes use of standard encryption routines, lateral movement with stolen credentials, and exploitation of compromised Microsoft Exchange servers by affiliates. Cisco Talos reporting cited in the content says LockBit used custom exfiltration tooling and that BlackBasta, LockBit, and Rhysida encrypted data and defaced victim systems to maximize impact. The content links LockBit to Russian-speaking cybercrime. Multiple references state that LockBit operators expressly prohibit affiliates from targeting Russian and other CIS organizations. Separate reporting in the content describes LockBit 2.0/3.0 as among ransomware groups based in Russia. U.S. government reward material describes the actors’ nationality and citizenship as various and unknown, while DOJ indictments identify alleged key members as Russian nationals or dual Russian nationals. Named LockBit-linked individuals in the content include alleged administrator Dmitry Yuryevich Khoroshev, also known as LockBitSupp, LockBit, and putinkrab, whom DOJ alleges was the creator, developer, administrator, and public spokesperson from September 2019 through 2024; developer Rostislav Panev, a dual Russian and Israeli national; affiliates Ruslan Magomedovich Astamirov, who used the aliases BETTERPAY, offtitan, and Eastfarmer; Mikhail Vasiliev, who used the aliases Ghostrider, Free, Digitalocean90, Digitalocean99, Digitalwaters99, and Newwave110; and Mikhail Pavlovich Matveev, also known as Wazawaka, m1x, Boriselcin, Uhodiransomwar, Orange, Biba99, and TetyaSluha, who is described as an affiliate associated with LockBit and other ransomware groups. The content states that LockBit was at times the most active and destructive ransomware group in the world and describes it as the leading ransomware operation. It also notes that the group continued operating after the February 2024 international law enforcement disruption led by the U.K. National Crime Agency with DOJ, FBI, and partners, although that action significantly damaged its reputation and capabilities. Authorities seized websites and servers, developed decryption capabilities, and later charged multiple members. The content further states that seized infrastructure showed stolen victim data had been retained even after ransom payments and promises of deletion. Despite the disruption, LockBit restarted operations, stood up new leak sites, and used updated encryptors and ransom notes.