THREAT ACTOR: LockBit
THREAT LEVEL: 5
EMERGENCE DATE: Mar 2022 (LockBit 3.0; the original LockBit launched Sep 2019)
CATEGORY: Ransomware-as-a-Service
AFFILIATIONS: Operates independently, with similarities to BlackMatter and Conti
DESCRIPTION

LockBit 3.0, also branded LockBit Black, emerged in March 2022 as the successor to the original LockBit first seen in September 2019. As a Ransomware-as-a-Service (RaaS) platform it introduced a modular, affiliate-configurable build, enhanced encryption, and a Safe Mode reboot feature used to evade endpoint protection. This allowed affiliates to customize attacks and focus on high-value industries such as healthcare, finance, and manufacturing. Rapid encryption and an affiliate-friendly builder positioned it as one of the most versatile ransomware variants in the threat landscape.

CRITICALITY
Assesses the importance of the potential target, including its size and scale, the value of its data, and the operational impact of an attack.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Ransomware, Ransomware-as-a-Service (RaaS)

Operating independently within the ransomware ecosystem, the group shared tactical similarities with BlackMatter and Conti. These parallels suggest developers adapted successful features from other major ransomware operators while maintaining operational independence. Its affiliate program, modular design, and adaptability made it a standout in the RaaS landscape, cementing its reputation for flexibility and innovation.

Current Status: Activity declined substantially following Operation Cronos and the May 2025 infrastructure breach, even as technical capability progressed with LockBit 4.0. Revenue collapsed from a peak of $120 million to minimal earnings by April 2025. (Threat levels reflect the group's current activity level.)

Threat Level: 5

Origins and Methodology

The group's design and methodology demonstrate years of refined development. Following Operation Cronos and the seizure of tools like StealBit, law enforcement gained crucial insights into operations, revealing the complexity of multi-threaded encryption architecture and extensive affiliate infrastructure.

What is the Evolution of LockBit Ransomware?
1. Formation

Originally launched in September 2019 under the alias ABCD ransomware, the operation established the foundation for what would become one of the most prolific RaaS operations. The initial version encrypted files with .abcd extensions and pioneered the group's affiliate-driven model, setting the stage for rapid expansion across the ransomware landscape.

2. Evolution

LockBit's evolution showcases its developers' ability to innovate continuously, adapting to the changing cybersecurity landscape:

  • LockBit 1.0 (2019) - Operated under the alias ABCD ransomware, encrypting files with .abcd extensions and launching the RaaS model
  • LockBit 2.0 (2021) - Enhanced with "StealBit" malware for data exfiltration, faster encryption, and automated network spread using tools like Wake-on-LAN
  • LockBit 3.0 (2022) - Introduced password-protected executables, Safe Mode bypass, and modular configurations, allowing affiliates to tailor attacks
  • LockBit 4.0 (February 2025) - Transitioned to the .NET framework with CoreRT 64-bit compilation, proxy DLL loading, and ETW telemetry bypass

The infrastructure takedown during Operation Cronos revealed the extent of the group's methodology. Seizure of StealBit exposed reliance on custom-built tools for data exfiltration, meticulously configured for high-value targets. Law enforcement also uncovered use of interconnected servers to manage affiliate activities and ransom negotiations.

3. Lineage/Connections

Analysis reveals 70.8% functional similarity with BlackMatter ransomware, suggesting shared development resources or code reuse. The StealBit exfiltration tool shows architectural parallels with data theft components used by Conti affiliates, indicating possible talent migration within the ransomware ecosystem. Technical markers, including encryption routines and C2 infrastructure patterns, tie the operation to the broader evolution of the RaaS ecosystem.

Which Unique Techniques Does LockBit Use?

The group integrated several techniques to ensure success, evade detection, and increase affiliate efficiency. These features made LockBit 3.0 one of the most technically mature ransomware families, allowing affiliates to deploy it with devastating effect until the Operation Cronos takedown.

TECHNIQUE

DETAILS

Infection Vectors

Primary access occurs through phishing campaigns with malicious links or attachments, exploiting known vulnerabilities including CVE-2023-4966 (Citrix Bleed), and brute-force attacks on Remote Desktop Protocol (RDP) endpoints. The group actively leverages insider threats recruited to provide valid credentials and utilizes Initial Access Brokers for purchasing pre-compromised access to high-value networks. Affiliates employ living-off-the-land techniques and LOLBins to maintain stealth during initial compromise phases.

Target Selection

Demonstrating strategic focus, the group prioritizes critical infrastructure sectors including healthcare, manufacturing, financial services, and government entities. Geographic concentration centers on the United States as the primary target, with significant activity across Europe and emerging campaigns in Asia-Pacific regions. The targeting methodology emphasizes organizations with high operational dependencies and limited tolerance for downtime, maximizing pressure for ransom payment.

Operational Complexity

The group exhibits mature capabilities through multi-threaded encryption algorithms utilizing AES and RSA cryptography, achieving rapid file encryption across network shares. Advanced features include password-protected executables requiring specific arguments for execution, Safe Mode deployment to disable endpoint protection platforms, and language-based avoidance halting operations on systems configured with CIS-associated languages including Russian, Ukrainian, and Belarusian. The modular architecture enables command-line customization for specific industries or environments.

Key Features & Technical Details

LockBit emphasized speed, modularity, and operational effectiveness, making it a leading ransomware variant among affiliates.

Encryption Method: Multi-threaded hybrid scheme using AES (Advanced Encryption Standard) for fast file encryption and RSA (Rivest-Shamir-Adleman) to protect the file-encryption keys

File Extension: .lockbit (primary extension), .lockbit3 (variant), .[victim_ID] (custom extensions)

Ransom Note: Victim-ID.README.txt, Restore-My-Files.txt, LockBit_Black_Ransomware.hta

Double Extortion: Encryption combined with the StealBit data exfiltration tool, plus Rclone and MEGA for bulk transfer to attacker-controlled storage

Communication Channels: TOR negotiation portals on lockbit.onion domains; API callbacks to C2 infrastructure on ports 443 and 8443

Deployment Speed: Multi-threaded encryption that completes quickly, minimizing the window for detection and response

Payment Method: Bitcoin wallets (bech32 addresses beginning with bc1q) for ransom transactions

Operational Model: RaaS platform in which the developers claimed 15-20% of ransom payments, with affiliates keeping the remainder

Activities

The group maintained dominance as the leading ransomware operation through 2023 and early 2024, until Operation Cronos disrupted operations. The May 2025 infrastructure breach exposed critical failures: some 60,000 Bitcoin addresses, plaintext passwords in victim negotiation databases, and a PHP 8.1.2 backend carrying a known remote code execution vulnerability.

Which Industries Are Most Vulnerable to LockBit?

Healthcare organizations face significant targeting due to critical patient care dependencies and regulatory compliance pressures, representing nearly 20% of attacks. Manufacturing and industrial sectors remain primary targets given their operational technology dependencies and production deadlines. Financial services attract attention for data sensitivity and regulatory requirements, while government entities are pursued for critical infrastructure access. Education and technology companies round out targeting priorities due to budget constraints and intellectual property value respectively.

Modus Operandi

Attack methodology demonstrates refined tactics across the entire attack chain, leveraging both custom tools and legitimate software for maximum effectiveness.

Initial Access

Affiliates gain entry through phishing campaigns (T1566) with malicious links or attachments, exploiting public-facing vulnerabilities (T1190) such as CVE-2023-4966 (Citrix Bleed), conducting brute-force attacks (T1110) against exposed Remote Desktop Protocol (RDP) endpoints, and using valid credentials (T1078) obtained from recruited insiders. Initial Access Brokers supply pre-compromised access to high-value networks.

Reconnaissance and Discovery

Reconnaissance employs Advanced Port Scanner to identify open ports, SoftPerfect Network Scanner for network mapping, and manual searches for backup directories, cloud storage locations, and valuable data repositories. Affiliates utilize Windows Management Instrumentation (WMI) queries and PowerShell scripts for automated discovery.

Tooling and Remote Access

Deployment includes AnyDesk, TeamViewer, and ScreenConnect for persistent access via legitimate remote access software (T1219), Cobalt Strike beacons for hands-on operations, and custom backdoors integrated with legitimate remote management tools to evade detection.

Defense Evasion

Evasion techniques incorporate password-protected executables requiring specific arguments, Safe Mode deployment disabling endpoint protection, process injection (T1055) into legitimate processes, and LOLBins usage to blend with normal operations. Registry modifications disable Windows Defender and security services.

Credential Access

Credential theft utilizes Mimikatz (T1003) for password extraction, LSASS memory dumps (T1003.001) for credential harvesting, keyloggers for capturing authentication data, and exploitation of stored credentials in browsers and applications.

Command and Control

C2 infrastructure operates through TOR-based channels for anonymity, HTTPS callbacks on ports 443 and 8443, domain fronting techniques for traffic obfuscation, and API-based communication with encrypted payloads.

Lateral Movement

Movement techniques leverage PsExec and SMB (T1021) for command execution, WMI for remote execution, Wake-on-LAN to activate dormant devices, and exploitation of trust relationships between systems.

Exfiltration

Data theft employs StealBit, a proprietary tool for targeted exfiltration, Rclone and cloud platforms like MEGA for data transfer, TOR-based channels for encrypted transmission, and multi-threaded operations optimizing transfer speeds.

Persistence

Persistence mechanisms include scheduled tasks (T1053) and unauthorized service creation, registry modifications (T1547) for startup execution, DLL hijacking for process manipulation, and installation of remote access tools maintaining long-term access.

Impact

Attack consequences encompass complete file system encryption rendering data inaccessible, potential data exposure through double extortion tactics, operational disruption lasting days to weeks, and reputational damage from public data leaks. Recovery costs often exceed initial ransom demands.

Encryption

Encryption deployment uses AES-256 for rapid file encryption, RSA-2048 to protect the file keys, multi-threading to maximize speed, and Safe Mode operation bypassing security controls. Partial (intermittent) encryption options speed up operations on large files while still rendering them unusable.

Extortion

Extortion tactics feature custom ransom notes named VictimID.README.txt, TOR negotiation portals for anonymous communication, dark web data leak sites for publishing stolen information, and countdown timers pressuring victims with escalating demands.

Anti-Forensics

Anti-forensics activities include event log deletion with wevtutil cl System commands, shadow copy deletion (vssadmin delete shadows /all /quiet) preventing recovery, self-deletion of ransomware executables after encryption, and prefetch and USN journal clearing.

Indicators of Compromise (IOCs)

Key indicators help identify operations within networks, particularly specific file hashes, network infrastructure, and behavioral patterns associated with attacks.

INDICATOR

DETAILS

File Hashes

SHA256: d21d6f469e87fff24f15c3abfbc2524e606e7f648b7d2fd4b600dd858ed75063 for installer component
SHA256: dda32ec3f09841e99b93f7c92ee4378b516c9399475f70d39ebd38066ac257d1 for primary payload
SHA256: 770cba5f9761fcbd3ecde42d843e62db9cdd964e35ecae94cdb164464853e0eb for authentication token

File Extensions

.lockbit (primary extension appended to encrypted files)
.lockbit3 (variant used in specific campaigns)
.[victim_ID] (custom extensions based on victim identification)

Registry Modifications

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels (event log channel configuration, tampered to suppress logging)
HKLM\System\CurrentControlSet\Services\SecurityHealthService\Start (set to 4, disabling the Windows Security Health Service)
HKLM\System\CurrentControlSet\Services\WinDefend\Start (set to 4, disabling the Windows Defender service)
HKCU\Control Panel\Desktop\WallPaper (desktop wallpaper replaced with the ransom image)

File Paths

%SystemRoot%\Temp\[random].exe
%ProgramData%\[random]\lockbit.exe
ADMIN$\Temp\[victim_id].exe
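The file-system indicators above (known payload hashes, encrypted-file extensions, ransom note names and drop paths) are the ones a responder checks first on a suspect host. The following triage sweep is an added example written for this page, not the page's or any vendor's tooling: it walks a directory tree and reports every file matching one of those indicator classes. KNOWN_HASHES holds the three SHA-256 values listed above; the directory built by build_sample_tree() and the file contents in it are constructed for demonstration, and the .[victim_ID] extension, which is per victim, is passed in via extra_extensions once it is read from the ransom note.

```python
"""Triage sweep for LockBit file-system indicators.

Added example for this page; not LockBit tooling and not any vendor's code.
The sample tree is constructed; only the hashes come from the IOC list above."""
import hashlib
import re
import tempfile
from collections import Counter
from pathlib import Path

# SHA-256 values from the IOC list on this page
KNOWN_HASHES = {
    "d21d6f469e87fff24f15c3abfbc2524e606e7f648b7d2fd4b600dd858ed75063",
    "dda32ec3f09841e99b93f7c92ee4378b516c9399475f70d39ebd38066ac257d1",
    "770cba5f9761fcbd3ecde42d843e62db9cdd964e35ecae94cdb164464853e0eb",
}
ENCRYPTED_EXTENSIONS = {".lockbit", ".lockbit3"}
RANSOM_NOTE_NAMES = {"restore-my-files.txt", "lockbit_black_ransomware.hta"}
RANSOM_NOTE_RX = re.compile(r"^[a-z0-9]{6,16}\.readme\.txt$", re.I)   # <victim_id>.README.txt
# Drop paths relative to the volume root: %SystemRoot%\Temp\<random>.exe (also reached as
# ADMIN$\Temp\...) and %ProgramData%\<random>\lockbit.exe
DROP_PATH_RXS = [
    re.compile(r"^windows/temp/[^/]+\.exe$", re.I),
    re.compile(r"^programdata/[^/]+/lockbit\.exe$", re.I),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _file_sha256(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known_hashes=KNOWN_HASHES, extra_extensions=(), max_hash_bytes=64 << 20):
    """Return one finding per (file, indicator class) match under root."""
    root = Path(root)
    exts = set(ENCRYPTED_EXTENSIONS) | {e.lower() for e in extra_extensions}
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.suffix.lower() in exts:
            findings.append({"path": rel, "indicator": "encrypted_extension", "detail": p.suffix})
        if p.name.lower() in RANSOM_NOTE_NAMES or RANSOM_NOTE_RX.match(p.name):
            findings.append({"path": rel, "indicator": "ransom_note", "detail": p.name})
        if any(rx.match(rel) for rx in DROP_PATH_RXS):
            findings.append({"path": rel, "indicator": "drop_path", "detail": rel})
        if p.stat().st_size <= max_hash_bytes:          # skip huge files; hash the rest
            digest = _file_sha256(p)
            if digest in known_hashes:
                findings.append({"path": rel, "indicator": "known_hash", "detail": digest})
    return findings


def summarize(findings) -> dict:
    return dict(Counter(f["indicator"] for f in findings))


SAMPLE_PAYLOAD = b"MZ-constructed-sample-payload-not-real-malware"   # constructed, not a real binary


def build_sample_tree() -> Path:
    """Constructed directory layout mimicking a hit host (for demonstration only)."""
    root = Path(tempfile.mkdtemp(prefix="lockbit-triage-"))
    files = {
        "docs/q3-report.xlsx.lockbit": b"\x00\x11constructed-encrypted-blob",
        "docs/Restore-My-Files.txt": b"constructed ransom note body",
        "docs/A1b2C3d4E.README.txt": b"constructed ransom note body",
        "docs/minutes.txt": b"benign meeting notes",
        "Windows/Temp/kx9.exe": b"MZ-constructed-dropper",
        "ProgramData/a1b2/lockbit.exe": SAMPLE_PAYLOAD,
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in sweep(root):
        print(f"{f['indicator']:<20} {f['path']}")
    print(summarize(sweep(root)))
```

A hash match is the strongest signal but the rarest, because affiliates rebuild the payload per victim; the extension and ransom note classes are what usually confirm the family, and the drop-path class is worth checking on every host reachable through ADMIN$ from a confirmed victim.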

Command Artifacts

vssadmin delete shadows /all /quiet (shadow copy deletion)
bcdedit /set {default} safeboot network (Safe Mode configuration)
wevtutil cl System (event log clearing)
wevtutil cl Security (security log deletion)
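The command artifacts and registry modifications above, together with the anti-forensics and defense evasion behaviour described under Modus Operandi, are the cheapest LockBit activity to detect because they land in ordinary process-creation and registry telemetry before or during encryption. The following detection logic is an added example written for this page, not LockBit tooling and not any vendor's detection content. The events it runs over are constructed to resemble Sysmon Event ID 1 (process create) and Event ID 13 (registry value set) exported as JSON; the field names are an assumption about that export format, not an authoritative schema, and the ATT&CK technique IDs are the standard ones for each behaviour.

```python
"""Detect LockBit-style command and registry artifacts in endpoint telemetry.

Added example for this page; not LockBit tooling and not a vendor's content.
Event records below are constructed; field names mimic a JSON export of
Sysmon Event ID 1 / 13 and are an assumption."""
import json
import re
from collections import defaultdict
from typing import Iterable

# (rule name, ATT&CK technique, pattern matched against CommandLine)
COMMAND_RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("safe_mode_boot_config", "T1562.009",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{(default|current)\}\s+safeboot\s+(minimal|network)\b", re.I)),
    ("event_log_clearing", "T1070.001",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\S+", re.I)),
]


def _dword_value(details: str):
    """Parse the Sysmon 'DWORD (0x00000004)' rendering, or a bare integer."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None


# (rule name, technique, pattern matched against TargetObject, predicate on Details)
REGISTRY_RULES = [
    ("security_service_disabled", "T1562.001",
     re.compile(r"\\Services\\(WinDefend|SecurityHealthService)\\Start$", re.I),
     lambda details: _dword_value(details) == 4),            # 4 = SERVICE_DISABLED
    ("eventlog_channel_tamper", "T1562.002",
     re.compile(r"\\WINEVT\\Channels\\", re.I), lambda details: True),
    ("wallpaper_defacement", "T1491.001",
     re.compile(r"\\Control Panel\\Desktop\\WallPaper$", re.I), lambda details: True),
]


def analyze(events: Iterable[dict]) -> list[dict]:
    """Return one finding per (event, rule) match."""
    findings = []
    for ev in events:
        host = ev.get("Computer", "unknown")
        if ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "")
            for name, technique, rx in COMMAND_RULES:
                if rx.search(cmd):
                    findings.append({"host": host, "rule": name, "technique": technique,
                                     "parent": ev.get("ParentImage", ""), "evidence": cmd})
        elif ev.get("EventID") == 13:
            target = ev.get("TargetObject", "")
            details = str(ev.get("Details", ""))
            for name, technique, rx, accept in REGISTRY_RULES:
                if rx.search(target) and accept(details):
                    findings.append({"host": host, "rule": name, "technique": technique,
                                     "parent": ev.get("Image", ""), "evidence": f"{target} = {details}"})
    return findings


def analyze_jsonl(lines: Iterable[str]) -> list[dict]:
    return analyze(json.loads(line) for line in lines if line.strip())


def hosts_in_impact_phase(findings: list[dict], min_techniques: int = 3) -> list[str]:
    """Hosts showing several distinct techniques are likely already in the
    encryption/impact phase; these go to the top of the isolation queue."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["technique"])
    return sorted(h for h, t in per_host.items() if len(t) >= min_techniques)


# Constructed telemetry: one host in the impact phase, one with a single log clear,
# plus two benign look-alikes that must not fire.
PARENT = "C:\\ProgramData\\a1b2\\lockbit.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-FIN-07", "ParentImage": PARENT,
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "Computer": "WS-FIN-07", "ParentImage": PARENT,
     "CommandLine": "bcdedit /set {default} safeboot network"},
    {"EventID": 1, "Computer": "WS-FIN-07", "ParentImage": PARENT,
     "CommandLine": "wevtutil cl Security"},
    {"EventID": 1, "Computer": "WS-FIN-07", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "wevtutil qe System /c:5"},                                   # benign query
    {"EventID": 13, "Computer": "WS-FIN-07", "Image": PARENT,
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\WinDefend\\Start",
     "Details": "DWORD (0x00000004)"},
    {"EventID": 13, "Computer": "WS-FIN-07", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\WinDefend\\Start",
     "Details": "DWORD (0x00000002)"},                                             # benign: auto start
    {"EventID": 13, "Computer": "WS-FIN-07", "Image": PARENT,
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Control Panel\\Desktop\\WallPaper",
     "Details": "C:\\ProgramData\\a1b2\\wallpaper.bmp"},
    {"EventID": 1, "Computer": "DC-01", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "wevtutil cl System"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    found = analyze_jsonl(SAMPLE_JSONL.splitlines())
    for f in found:
        print(f"{f['host']:<10} {f['technique']:<10} {f['rule']:<26} {f['evidence']}")
    print("isolate first:", hosts_in_impact_phase(found))
```

The Start=4 predicate matters: Defender's service key is legitimately written by services.exe and by policy, so alerting on any write to it drowns the signal; only the transition to SERVICE_DISABLED is worth a page. The per-host technique count is a simple way to rank which victims are already encrypting versus which only show a single suspicious command.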

Exploits and Vulnerabilities

Affiliates exploit a comprehensive range of vulnerabilities to gain initial access and maintain persistence within target networks.

EXPLOITS AND VULNERABILITIES (name | CVE | CVSS | description)

Citrix Bleed | CVE-2023-4966 | 9.4 | Sensitive information disclosure (buffer over-read leaking session tokens) in Citrix NetScaler ADC and Gateway, used for initial access by replaying hijacked authenticated sessions

Log4Shell | CVE-2021-44228 | 10.0 | Remote Code Execution (RCE) in Apache Log4j 2 (before 2.15.0) via JNDI lookups in logged strings, used to deploy ransomware by sending malicious payloads

ConnectWise ScreenConnect | CVE-2024-1709 | 10.0 | Authentication bypass via an alternate path (exposed setup wizard) enabling mass exploitation campaigns in February-March 2024; chained with the path traversal flaw CVE-2024-1708

Fortinet FortiOS | CVE-2024-55591 | 9.8 | Authentication bypass in the Node.js websocket module of FortiOS and FortiProxy granting super-admin privileges, exploited in 2025

VMware Workspace ONE RCE | CVE-2022-22954 | 9.8 | Server-side template injection leading to RCE in VMware Workspace ONE Access and Identity Manager (vIDM)

Netlogon Elevation of Privilege (Zerologon) | CVE-2020-1472 | 10.0 | Cryptographic flaw (all-zero IV in Netlogon's AES-CFB8 usage) in Microsoft's Netlogon protocol, enabling unauthenticated escalation to domain administrator