LockBit
LockBit is a ransomware and ransomware-as-a-service (RaaS) operation active since at least September 2019, with the ransomware variant first appearing around January 2020. It has operated multiple major versions including LockBit 2.0, LockBit 3.0/LockBit Black, and LockBit 5.0. The operation has been described by U.S. authorities as at times the most active and destructive ransomware group in the world. Reported victim counts range from more than 1,400 attacks worldwide to more than 2,500 victims across at least 120 countries, including about 1,800 in the United States. Victims have included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies.
LockBit operates through affiliates. According to U.S. indictments and complaints, the scheme was created, developed, and administered by Dmitry Yuryevich Khoroshev, aka LockBitSupp, who allegedly ran the service as a RaaS platform, maintained the control panel and leak site, recruited affiliates, and typically took a 20% share of ransom payments. Other charged or identified participants include affiliates Ruslan Magomedovich Astamirov and Mikhail Vasiliev, and developer Rostislav Panev. GOLD MYSTIC is described as operating the LockBit name-and-shame RaaS scheme since mid-2019. LockBit has also been linked in reporting to affiliates such as Wazawaka/Mikhail Matveev, and Mandiant reported that Evil Corp shifted to using LockBit RaaS in some operations.
The malware is used for double extortion: affiliates gain unauthorized access to victim networks, steal data, encrypt stored data, and threaten to publish the stolen information on LockBit-controlled leak infrastructure if no payment is made. U.S. charging documents describe affiliates identifying and unlawfully accessing vulnerable systems, stealing data, and encrypting victim environments. In one reported incident, a web shell on a compromised Exchange server led to Active Directory admin privileges within seven days, theft of roughly 1.3 TB of data, and deployment of LockBit 3.0. Cisco Talos notes that LockBit uses the custom exfiltration tool StealBit. Court documents in the Panev case state that LockBit builder source code, StealBit source code, and control-panel credentials were recovered, and that the builder allowed affiliates to generate custom builds for particular victims.
Reported capabilities include disabling firewall rules and anti-malware and monitoring software, including Windows Defender, in LockBit 2.0; Base64-encoding of C2 communication in LockBit 3.0; code to disable antivirus tools; code to spread across victim networks; and code to print ransom notes to all printers connected to the victim network. LockBit affiliates and related actors also use standard ransomware tradecraft such as lateral movement with stolen credentials and double extortion. Talos further notes that LockBit actors have used StealBit for exfiltration and that LockBit, Black Basta, and Rhysida have encrypted data and defaced victim systems to maximize impact.
The operation has repeatedly targeted high-impact sectors. Reported incidents include the attack on Hôpital de Cannes - Simone Veil in France, where LockBit 3.0 caused severe operational disruption, forced computers offline, and led to the rescheduling of non-emergency procedures; attacks on Foxconn-related entities; and broad targeting of healthcare, education, manufacturing, and other sectors. LockBit's operators expressly prohibit affiliates from targeting Russia and other CIS countries.
Financial impact attributed to LockBit is substantial. U.S. government reporting cited in the content states that LockBit issued over $100 million in ransom demands and received at least tens of millions of dollars in bitcoin in one account, while later DOJ reporting states the group extracted at least approximately $500 million in ransom payments and caused billions of dollars in additional losses. A U.S. Department of State reward notice states that since January 2020 LockBit executed more than 2,000 attacks and received at least $144 million in bitcoin ransom payments.
LockBit was the subject of major international law-enforcement action in February 2024 under Operation Cronos, led by the U.K. National Crime Agency with DOJ, FBI, and international partners. Authorities seized public-facing websites and servers, obtained decryption keys, developed free decryptors for victims, and stated that the disruption significantly diminished LockBit's reputation and operational capability. Despite this, LockBit restarted operations about a week later, stood up new leak sites, used updated encryptors and ransom notes, and remained active through 2024. In May 2025 the LockBit affiliate control panel was itself compromised, and a leaked SQL database exposed affiliate and admin records, plaintext passwords, victim profiles, ransom negotiation chats, custom builds, and tens of thousands of bitcoin addresses.
Named artifacts and indicators include the StealBit exfiltration tool; the LockBit builder and control panel; the dark web leak and data-extortion sites; custom ransomware builds; ransom negotiation chats; and the defacement message left during the 2025 panel compromise: "Don't do crime CRIME is BAD xoxo from Prague."
Vulnerabilities exploited
21 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
PaperCut servers have been previously breached by ransomware gangs in 2023 by exploiting a critical, unauthenticated remote code execution (RCE) vulnerability (CVE-2023-27350)... One month later, CISA and the FBI issued a joint advisory warning that the Bl00dy Ransomware gang had also begun exploiting the CVE-2023-27350 RCE vulnerability to gain initial access to the networks of educational organizations.
PaperCut servers have been previously breached by ransomware gangs in 2023 by exploiting a critical, unauthenticated remote code execution (RCE) vulnerability (CVE-2023-27350) and a high-severity information disclosure flaw (CVE-2023-27351).
Initial Access and Persistence CVE-2024-55591 and CVE-2025-24472 allow unauthenticated attackers to gain super_admin privileges on vulnerable FortiOS devices (<7.0.16) with exposed management interfaces... Another common exploitation method we observed involved the threat actor using the fortigate-firewall account to exploit CVE-2025-24472 rather than CVE-2024-55591.
Initial Access and Persistence CVE-2024-55591 and CVE-2025-24472 allow unauthenticated attackers to gain super_admin privileges on vulnerable FortiOS devices (<7.0.16) with exposed management interfaces. A proof-of-concept (PoC) exploit was publicly released on January 27, and within 96 hours, we observed active exploitation in the wild using two distinct methods: jsconsole ... HTTPS ...
The experts argued that the attackers likely did not exploit the recently disclosed CVE-2022-41040 and CVE-2022-41082 vulnerabilities. | In July 2022, two servers operated by a customer of the security firm were infected with LockBit 3.0 ransomware. Threat actors initially deployed a web shell on a compromised Exchange server, then it took just 7 days to escalate privileges to Active Directory admin and steal roughly 1.3 TB of data before encrypting systems hosted in the network.
Looking at the Microsoft Exchange Server vulnerability history, the remote code execution vulnerability was disclosed on December 16, 2021 (CVE-2022-21969) | In July 2022, two servers operated by a customer of the security firm were infected with LockBit 3.0 ransomware. Threat actors initially deployed a web shell on a compromised Exchange server, then it took just 7 days to escalate privileges to Active Directory admin and steal roughly 1.3 TB of data before encrypting systems hosted in the network.
According to malware research group vx-underground citing LockBitSupp, the alleged leader of the LockBit operation, law enforcement hacked into the ransomware operation’s servers using a known vulnerability in the popular web coding language PHP. The vulnerability used to compromise its servers is tracked as CVE-2023-3824, a remote execution flaw patched in August 2023, giving LockBit months to fix the bug. | A sweeping law enforcement operation led by the U.K.’s National Crime Agency (NCA) this week took down LockBit, the notorious Russia-linked ransomware gang... It has long been known that LockBit, which first entered the competitive cybercrime scene in 2019, is one of, if not the most prolific ransomware gangs.
The GOLD MYSTIC threat group has operated the LockBit name-and-shame ransomware-as-a-service (RaaS) scheme since mid-2019, exploiting unauthorized access to thousands of organizations to deploy ransomware and steal data to facilitate the extortion of victims.
Researchers at Huntress Security Operations Center (SOC) observed what they call "a sharp uptick" in exploitation activity targeting Bomgar Remote Support (now part of BeyondTrust), with attackers reaching systems through a critical unauthenticated remote code execution (RCE) flaw, CVE-2026-1731.
CVE-2025-6264 — Rapid7 Velociraptor Remote Code Execution... Exploitation Status: Actively exploited in ransomware campaigns.
Storm-2603... observed stealing MachineKeys and deploying Warlock and Lockbit ransomware... They conduct lateral movement using PsExec and Impacket, deploying Warlock and LockBit ransomware to encrypt systems. | Exploited vulnerabilities include CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771, collectively known as ToolShell. CVE-2025-49704: A remote code execution vulnerability allowing attackers to run arbitrary code without authentication.
Storm-2603... observed stealing MachineKeys and deploying Warlock and Lockbit ransomware... They conduct lateral movement using PsExec and Impacket, deploying Warlock and LockBit ransomware to encrypt systems. | CVE-2025-53771: A ToolShell path traversal vulnerability serving as a security bypass for CVE-2025-49706, facilitating directory traversal and file access.
Storm-2603... observed stealing MachineKeys and deploying Warlock and Lockbit ransomware... They conduct lateral movement using PsExec and Impacket, deploying Warlock and LockBit ransomware to encrypt systems. | CVE-2025-49706: A spoofing vulnerability enabling post-authentication remote code execution on affected SharePoint servers.
CVE-2025-53770: A ToolShell authentication bypass and remote code execution flaw related to CVE-2025-49704, permitting unauthorized command execution. | Storm-2603... observed stealing MachineKeys and deploying Warlock and Lockbit ransomware... They conduct lateral movement using PsExec and Impacket, deploying Warlock and LockBit ransomware to encrypt systems.
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
Affiliates of LockBit ransomware have previously targeted vulnerabilities in ConnectWise ScreenConnect (i.e., CVE-2024-1708 and CVE-2024-1709) for initial access.
...threat actors have been observed weaponizing a vulnerable version of Bitrix for initial access, followed by using the Zerologon flaw to escalate privileges.
Attackers leveraged CVE-2023-46604, a remote code execution flaw in the ActiveMQ messaging broker, to break into an exposed Windows server and ultimately encrypt systems via Remote Desktop Protocol — spanning roughly 19 calendar days from initial access to full encryption.
Reference: https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/
Groups observed using it
29 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The GOLD MYSTIC threat group has operated the LockBit name-and-shame ransomware-as-a-service (RaaS) scheme since mid-2019, exploiting unauthorized access to thousands of organizations to deploy ransomware and steal data to facilitate the extortion of victims.
The LockBit ransomware group claimed to have attacked the company’s offices in Tijuana last month... LockBit continues to be one of the most prolific active ransomware groups... operating since September 2019 and was a marginal player before developing a new version of their Ransomware-as-a-Service platform, called LockBit 2.0.
Authorities say Matveev played a major role in the development and deployment of the Hive, LockBit and Babuk ransomware variants...
Impact T1486 Data Encrypted for Impact: PhantomCore used LockBit 3.0 to encrypt traffic
Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. ... In a notable shift ... DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.
The LockBit ransomware group, one of the most active ransomware operations in recent years with thousands of attacks to its name, has suffered its own hacking and data leak incident.
CosmicBeetle, an immature ransomware threat actor using its own signature encryptor, ScRansom, and the leaked LockBit 3.0 builder, became an affiliate of RansomHub.
According to their posts on Exploit, Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. Wazawaka said LockBit had paid him roughly $500,000 in commissions for the six months leading up to September 2020.
Storm-2603 deployed multiple ransomware types in recent attacks, including LockBit Black and a variant using the .x2anylock extension, linked to the Warlock group.
Groups including UAC-0238 exploited exposed RDP services to push ransomware variants such as X2anylock, Warlock, and LockBit 3.0 into compromised environments.
LockBit posted 163 victims in Q1 2026, climbing to fourth place globally.
The vulnerability was attributed to Lace Tempest, a Cl0p ransomware affiliate, in April 2023, used in campaigns delivering Cl0p and LockBit ransomware payloads.
...or generated using the leaked LockBit Black builder.
The Warlock Group (aka Storm-2603) is a ransomware gang attributed to Chinese threat actors who utilize the leaked LockBit Windows and Babuk VMware ESXi encryptors in attacks.
"...deployment of LockBit 3.0 and Babuk ransomware to encrypt victims’ data."
The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data.
...delivering various ransomware payloads over the years, including ... LockBit ... ransomware...; ...DragonForce... using a variant of the leaked LockBit3.0 builder...
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
Bl00Dy ... used open-source and leaked builders from other operators, including LockBit, Babuk and Conti. From September 2022, the group used the LockBit ransomware builder in its attacks... Similarly, the DragonForce ransomware binary was also revealed to have been likely generated using the LockBit Black builder.
...Bearlyfy that has used ransomware strains like LockBit 3.0 and Babuk...
The LockBit gang began its operation in September 2019 and was first known as “ABCD ransomware.” ... Over the next six months, LockBit worked on a new project, internally referred to as “LockBit Red,” and publicly known as “LockBit 2.0.” ... LockBit officially announced another major release ... LockBit Black (publicly known as LockBit 3.0).
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
authorities disrupted LockBit by seizing numerous public-facing websites used by LockBit to connect to the organization's infrastructure and by seizing control of servers used by LockBit administrators
Initial Access
1 technique
LockBit's "affiliate" members, including Vasiliev and Astamirov, first identified and unlawfully accessed vulnerable computer systems, and then deployed LockBit ransomware on those systems to both steal and encrypt stored data.
Execution
2 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Persistence
4 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
Threat actors initially deployed a web shell on a compromised Exchange server, then it took just 7 days to escalate privileges to Active Directory admin and steal roughly 1.3 TB of data before encrypting systems hosted in the network.
Privilege Escalation
3 techniques
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
The execution of LockBit was successful, as the following initial automated functions began to execute. However, no files were encrypted... Establish persistence via the registry Run key
Avaddon modifies several registry keys for persistence and UAC bypass. LockBit 2.0 can create Registry keys to bypass UAC and for persistence. Lokibot has modified the Registry as part of its UAC bypass process.
Stealth
4 techniques
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
The ransomware binary used also clears key Windows event log files including Application, System and Security.
The content repeatedly describes adversaries and malware deleting files, directories, droppers, scripts, logs, archives, staged data, and other artifacts from compromised systems, e.g., 'APT29 has used SDelete to remove artifacts from victim networks' and 'Lazarus Group malware has deleted files in various ways, including "suicide scripts" to delete malware binaries from the victim.'
Defense Impairment
1 technique
Discovery
3 techniques
The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Collection
1 technique
They threatened to leak the data stolen during the attack by June 11.
Command and Control
1 technique
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
Exfiltration
3 techniques
disrupting the ability of LockBit actors to attack and encrypt networks and extort victims by threatening to publish stolen data
When LockBit attacks were successful, LockBit’s affiliate members then demanded ransoms from their victims in exchange for decrypting the victims’ data and then claiming to delete the affiliates’ copies of the data.
LockBit ransomware operation claimed the attack on May 31 by publishing a threat to leak data stolen from Foxconn unless a ransom is paid by June 11.
Impact
4 techniques
According to the investigation, he developed malware in January of this year to obtain illegal profits. The accused intended to use it to encrypt commercial organizations' data and demand a ransom for decryption, Russian prosecutors said.
Apostle retrieves a list of all running processes on a victim host, and stops all services containing the string "sql," likely to propagate ransomware activity to database files. LockBit 3.0 can identify and terminate specific services. RansomHub can stop processes associated with files currently in use to maximize the impact of encryption.
Prevent restoration of the host from backups and recovery states:
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
...
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
When victims did not pay the demanded ransoms, LockBit's affiliates often left the victim's data permanently encrypted and published the stolen data, including highly sensitive information, on a publicly accessible internet site under LockBit's control.
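The recovery-inhibiting commands quoted above, together with the Run-key persistence, event-log clearing and service-stop behaviours listed under Persistence, Stealth and Impact, are the parts of a LockBit intrusion that a SOC can catch from process-creation telemetry before encryption starts. The following is an added example written for this page, not LockBit code and not a Mallory rule: a small Python hunt that applies regexes to Sysmon Event ID 1 / Security 4688 style command lines and escalates hosts where several of these behaviours fire together. The event records, host names and rule names are constructed; the wevtutil and net/sc stop patterns are assumptions about the usual tooling, since the page names the behaviour but not the exact commands.

```python
"""Hunt for LockBit-style recovery inhibition, log clearing, Run-key
persistence and service stops in process-creation command lines.

Added example for this page; not LockBit code and not a Mallory rule.
Input is a list of dicts with at least 'host' and 'cmdline' (what you would
pull from Sysmon Event ID 1 or Security 4688). All sample events below are
constructed for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # ATT&CK ID
    host: str
    cmdline: str


# (rule name, ATT&CK technique, regex applied to the lower-cased command line)
RULES = [
    # Commands quoted on this page under Impact (T1490 Inhibit System Recovery)
    ("vssadmin_delete_shadows", "T1490", r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("wmic_shadowcopy_delete", "T1490", r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("bcdedit_recovery_off", "T1490", r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b"),
    ("wbadmin_delete_catalog", "T1490", r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b"),
    # The page says the binary clears the Application/System/Security logs;
    # the wevtutil form is an assumption about the usual tooling.
    ("wevtutil_clear_log", "T1070.001",
     r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(application|system|security)\b"),
    # The page says LockBit 2.0 and the analysed sample persist via a Run key.
    ("run_key_persistence", "T1547.001",
     r"\breg(\.exe)?\s+add\b.*\\currentversion\\run(once)?\b"),
    # The page says LockBit 3.0 terminates specific services and cites SQL
    # service stops before encryption; the net/sc pattern is an assumption.
    ("sql_service_stop", "T1489", r"\b(net1?(\.exe)?|sc(\.exe)?)\s+stop\b.*sql"),
]
COMPILED = [(name, tech, re.compile(pat)) for name, tech, pat in RULES]


def hunt(events):
    """Return one Finding per (event, rule) pair that matches."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"].lower()
        for name, tech, rx in COMPILED:
            if rx.search(cmd):
                findings.append(Finding(name, tech, ev["host"], ev["cmdline"]))
    return findings


def impact_chain_hosts(findings, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired.

    One `vssadmin delete shadows` can be an admin freeing disk space; several
    recovery-inhibiting commands plus a log clear on the same host is the
    pre-encryption pattern this page describes and is worth a page-out.
    """
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


SAMPLE_EVENTS = [  # constructed for this example, not from a real incident
    {"host": "FS01", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "FS01", "cmdline": "wmic shadowcopy delete"},
    {"host": "FS01", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "FS01", "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "FS01", "cmdline": "wevtutil cl Security"},
    {"host": "WS07", "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
                                " /v svc /t REG_SZ /d C:\\Users\\Public\\lb.exe"},
    {"host": "SQL02", "cmdline": "net stop MSSQLSERVER /y"},
    {"host": "ADMIN1", "cmdline": "vssadmin list shadows"},       # benign: lists, does not delete
    {"host": "ADMIN1", "cmdline": "wevtutil qe Security /c:5"},   # benign: query, not clear
]


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:7} {f.technique:10} {f.rule:24} {f.cmdline}")
    print("hosts with an impact chain:", impact_chain_hosts(found))
```

Feed it real 4688 or Sysmon command lines and tune `min_rules` to your environment; the single-rule hits are noisy on their own, the per-host chain is what distinguishes a LockBit affiliate preparing to encrypt from an administrator cleaning up disk.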
Other
1 technique
IOCs tracked for this family
140 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Well-known ransomware operation mentioned as one that forbids attacks on Russian and CIS targets.
Ransomware family/group referenced as previously claiming breaches against Foxconn-affiliated entities, including Foxsemicon Integrated Technology and a Foxconn unit in Mexico.
Ransomware deployed into compromised environments after exposed RDP services were exploited.
Named ransomware family mentioned as previously associated with attacks involving the same computer name observed in related malicious activity.