LockBit (also known as LockBit 3.0, LockBit Black, ABCD Ransomware) was the most prolific Ransomware-as-a-Service operation of the 2022-2024 era, linked to 1,700+ confirmed victims across critical infrastructure, healthcare, and government sectors worldwide. The operation ran a public bug bounty program for its own infrastructure and encryptor, and was disrupted by the international law enforcement action Operation Cronos in February 2024.
Overview & Attribution
LockBit emerged in September 2019 as ABCD ransomware (named for the .abcd extension it appended to encrypted files) before rebranding and rapidly scaling its affiliate program. By 2022 it had become the dominant ransomware operation globally, accounting for roughly 28% of all known ransomware attacks by vendor counts. The group pioneered a bug bounty program offering rewards of up to $1M for vulnerabilities in its infrastructure and encryptor, and maintained a sophisticated affiliate management panel with a built-in victim negotiation portal. LockBit 3.0 (LockBit Black), released in mid-2022, incorporated anti-analysis features from the BlackMatter codebase, including a launch password (the -pass argument) without which the encryptor does not run and its main code stays encrypted on disk, hampering analysis.
LockBit operated from 2019 to 2024 and is attributed to Russian-speaking cybercriminals fronted by the persona LockBitSupp, whom UK and US law enforcement identified in May 2024 as Dmitry Khoroshev. With 1,700+ victims and an estimated $120M+ in ransom payments collected, LockBit was the single most damaging ransomware operation before Operation Cronos seized its leak site, affiliate panel and a large set of decryption keys in February 2024.
- Attribution: Cybercriminal (Russian-speaking)
- Active since: 2019
- Primary targets: critical infrastructure, healthcare, financial services, manufacturing, government
- Also known as: LockBit 3.0, LockBit Black, ABCD Ransomware (LockBitSupp is the handle of the operation's administrator, not an alias of the group)
Arsenal & Tools
LockBit employs a diverse arsenal of custom and shared tooling:
- LockBit 3.0 / LockBit Black: Ransomware binary with anti-analysis (password-gated launch), self-propagation via PsExec and Group Policy, and configurable encryption, incorporating BlackMatter code
- StealBit: Custom data exfiltration tool integrated into the LockBit ecosystem for automated data theft
- Cobalt Strike: Widely used post-exploitation framework for lateral movement and command-and-control
- LockBit Linux/ESXi: Linux and VMware ESXi variants for encrypting virtualized infrastructure
- Mimikatz / LaZagne: Credential harvesting tools used by affiliates during post-exploitation
Targeting & Operations
LockBit affiliates targeted virtually every sector across critical infrastructure, healthcare, financial services, manufacturing, government, education, and legal. The encryptor checks the system UI language and exits on CIS-country locales, a geographic restriction common to Russian-speaking RaaS operations. Affiliates used a wide range of initial access methods including purchased credentials, vulnerable internet-facing services, and phishing.
LockBit's affiliate model was highly professionalized. Affiliates received 75-80% of ransom payments, with the core team providing encryptors, infrastructure, and a management panel. The group maintained strict operational security and a public-facing blog that was among the most active data leak sites in the ransomware ecosystem.
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Impact | T1486 Data Encrypted for Impact | LockBit 3.0 encryptor with configurable modes and anti-analysis |
| Impact | T1490 Inhibit System Recovery | Automated shadow copy deletion (vssadmin, wmic) and boot recovery disabled via bcdedit |
| Execution | T1059 Command and Scripting Interpreter | PowerShell, batch, and Group Policy-based deployment |
| Lateral Movement | T1021 Remote Services | RDP, SMB, and PsExec for lateral propagation |
| Exfiltration | T1048 Exfiltration Over Alternative Protocol | StealBit automated exfiltration tool |
| Defense Evasion | T1562 Impair Defenses | Service and process termination from the encryptor configuration, EDR/AV killers built on vulnerable signed drivers (BYOVD), and the -safe flag to reboot into Safe Mode before encryption |
Notable Campaigns
LockBit has been linked to multiple significant campaigns:
- ICBC Financial Services (Nov 2023): Attack on the US subsidiary of China's largest bank disrupted US Treasury market settlements, demonstrating LockBit's reach into global financial infrastructure.
- Royal Mail (Jan 2023): Attack on the UK postal service halted international mail exports for weeks and drew significant UK government attention in the run-up to Operation Cronos.
- Boeing (Oct 2023): Parts and distribution services impacted after LockBit affiliate breach, with 43GB of data leaked after ransom negotiations failed.
Detection & Defense
- Endpoint detection: Deploy behavioral rules for LockBit 3.0 execution patterns (shadow copy deletion, bcdedit recovery changes, the -pass/-psex/-gspd/-safe launch flags), StealBit activity, and PsExec- or GPO-driven mass execution
- Patch management: Prioritize patching of internet-facing services including VPN and gateway appliances, RDP, and web applications; LockBit affiliates exploited the Citrix Bleed vulnerability (CVE-2023-4966) in NetScaler appliances during late 2023
- Credential security: Enforce MFA universally, monitor criminal marketplaces for leaked credentials, and implement privileged access management
- Network monitoring: Detect lateral movement via SMB, RDP, and PsExec with network detection and response tooling
- Backup strategy: Maintain immutable or offline backups and test restoration regularly
- Threat intelligence: Subscribe to feeds tracking LockBit affiliate IOCs, infrastructure, and evolving TTPs
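As an added example (not from this report, and not LockBit's or any vendor's code), the following Python script turns the endpoint-detection bullet above and the T1490/T1021 rows of the ATT&CK mapping into concrete detection logic: it scans process-creation events for shadow copy deletion, boot recovery tampering, event log clearing, PsExec fan-out and the LockBit 3.0 launch flags, then scores each host. The event schema (dicts with host/image/cmdline), the lb3.exe file name and the sample events are assumed and constructed for the example; the command lines and flags themselves are those documented in the public CISA LockBit advisories.

```python
"""Flag LockBit-style host activity in process-creation telemetry.

Added example, not code from the original report or from LockBit tooling.
Assumes Sysmon Event ID 1 / EDR process-creation records flattened to dicts
with "host", "image" and "cmdline" keys. The sample events are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str        # ATT&CK ID, matching the mapping table above
    name: str
    pattern: re.Pattern
    high_confidence: bool = False   # a single hit is enough for a High finding


RULES = [
    Rule("T1490", "vssadmin shadow copy deletion",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    Rule("T1490", "WMI shadow copy deletion",
         re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("T1490", "bcdedit boot recovery disabled",
         re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                    r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    Rule("T1070.001", "event log cleared with wevtutil",
         re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+", re.I)),
    Rule("T1021.002", "PsExec execution against a remote host",
         re.compile(r"psexec(64)?(\.exe)?\s+\\\\\S+", re.I)),
    # LockBit 3.0 launch flags: -pass (launch password), -psex (spread via
    # admin shares), -gspd (spread via Group Policy), -safe (reboot to Safe Mode).
    Rule("T1486", "LockBit 3.0 launch flags",
         re.compile(r"(^|\s)-pass\s+\S+|(^|\s)-(psex|gspd|safe)(\s|$)", re.I),
         high_confidence=True),
]

# Constructed sample telemetry (not real events). lb3.exe is a hypothetical name.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "WS01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "WS01", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"host": "WS02", "image": r"C:\Users\Public\lb3.exe",
     "cmdline": "lb3.exe -pass 7f2a9c -psex -safe"},
    {"host": "DC01", "image": r"C:\tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\WS02 -s -d cmd /c C:\Users\Public\lb3.exe -pass 7f2a9c"},
    {"host": "WS03", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},          # benign admin activity, no hit
]


def match_rules(event):
    """Return every rule whose pattern matches the event's command line."""
    cmd = event.get("cmdline", "")
    return [r for r in RULES if r.pattern.search(cmd)]


def triage(events):
    """Group rule hits per host and assign a severity.

    High: any high-confidence rule, or two or more distinct techniques on one
    host (recovery inhibition plus log clearing is the classic pre-encryption
    sequence). Medium: a single technique. Hosts with no hits are omitted.
    """
    per_host = defaultdict(lambda: {"techniques": set(), "hits": [], "severity": None})
    for ev in events:
        for rule in match_rules(ev):
            entry = per_host[ev["host"]]
            entry["techniques"].add(rule.technique)
            entry["hits"].append((rule.technique, rule.name, ev["cmdline"]))
            if rule.high_confidence:
                entry["severity"] = "High"
    for entry in per_host.values():
        if entry["severity"] is None:
            entry["severity"] = "High" if len(entry["techniques"]) >= 2 else "Medium"
    return dict(per_host)


if __name__ == "__main__":
    for host, entry in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {entry['severity']} ({', '.join(sorted(entry['techniques']))})")
        for technique, name, cmd in entry["hits"]:
            print(f"    {technique} {name}: {cmd}")
```

The -pass rule is marked high confidence because the flag is specific to the LockBit 3.0 launcher, but any flag-based rule should be tuned against an environment's legitimate tooling before it pages anyone; the two-technique threshold is what keeps a lone `vssadmin delete shadows` from a backup product at Medium rather than High.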
Defend Against LockBit
Mjolnir Security provides specialized capabilities to detect and respond to LockBit operations.
- Threat Hunting: Proactive hunting for LockBit TTPs, tooling artifacts, and infrastructure indicators within your environment.
- Threat Intelligence: Continuous monitoring of LockBit campaigns and infrastructure changes with actionable intelligence for your defense team.
- 24/7 Incident Response: Rapid containment and forensic investigation. Call +1 833 403 5875.