In a real-world case, evidence was found that the threat actor, believed to be UAT-8099, used LockBit 3.0 Ransomware; after uploading a web shell, they attempted to gain control and manipulate SEO using Potato, AnyDesk, GotoHTTP, LCX, the NPS client (npc.Exe), BadIIS...
LockBit
LockBit is a prominent ransomware family and ransomware-as-a-service operation that became one of the most prolific extortion threats globally.
Profile source: Mallory opens in a new tabLockBit
Family profile
LockBit is a prominent ransomware family and ransomware-as-a-service operation that became one of the most prolific extortion threats globally. Multiple major versions have circulated, including LockBit 2.0, LockBit 3.0, and LockBit Black, with activity spanning enterprise environments across many sectors and regions. The operation is associated with large-scale data theft and double-extortion tactics in which victim data is exfiltrated before encryption and later used to pressure organizations into paying ransom.
LockBit intrusions have been linked to common ransomware tradecraft including credential theft, lateral movement, and post-compromise deployment across Windows networks. Reported operator and affiliate behavior includes use of legitimate remote administration and execution utilities such as PsExec for lateral movement, NirSoft credential-recovery tools and Mimikatz for credential access, and remote-access software during hands-on-keyboard operations. LockBit activity has also been associated with exploitation of public-facing systems and with post-compromise use of web shells in attacks against poorly managed Windows web servers. In at least one reported case involving a Windows web server intrusion, a threat actor believed to be UAT-8099 uploaded a web shell and later deployed LockBit 3.0 alongside additional remote-control and proxy tooling.
The malware has repeatedly been tied to high-impact enterprise incidents, including attacks involving substantial data exfiltration and multimillion-dollar ransom demands. LockBit has targeted organizations in diverse industries and has remained influential enough that shared affiliates and overlapping tradecraft have been discussed alongside other major ransomware groups. It is widely regarded as one of the defining ransomware threats of the early-to-mid 2020s.
Capabilities
- Credential Theft
- Exfiltration
- Lateral Movement
- Post Exploitation
Ransomware.live
Operational record
Reported operators
Threat actors
37 named in public reportingThe LockBit ransomware group, active since around 2019... In December 2024, the group announced its newest ransomware version, “Lockbit 4”. Lockbit 4 has two versions, Black and Green, In this article we will analyze the green version.
LockBit 3.0 affiliates are exploiting CVE-2023–4966, known as Citrix Bleed, in Citrix Netscaler web app delivery control (ADC) and Gateway appliances.
We investigated a recent LockBit extortion incident that occurred in Q3 2023... In September 2019, Cybereason found this hostname in old LockBit 2.0 extortions...
CYBLE identified the DragonForce ransomware binary as being based on LockBit 3.0 (Black) ransomware.
The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data.
The CyberVolk collective is a prime example of how readily threat actors can access and deploy dangerous ransomware builders such as AzzaSec, Diamond, LockBit, Chaos and others.
Talos IR responded to Warlock, Babuk, and Kraken ransomware variants for the first time, while also responding to previously seen families Qilin and LockBit.
As in previous attacks, they encrypted data using variants of LockBit 3.0 (for Windows systems) and Babuk (for NAS devices).
NullBulge is delivering LockBit ransomware payloads to their Async and Xworm victims as a later-stage infection.
During a recent investigation, our DFIR team discovered that LockBit Ransomware-as-a-Service (Raas) side-loads Cobalt Strike Beacon through a signed VMware xfer logs command line utility.
As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.
As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.
UNC3753 traces back to the now-defunct Conti ransomware gang, sharing overlaps with UNC2686, which ran BazarCall-style campaigns from 2021. The group deployed LockBit Black in 2022 but dropped ransomware entirely after that, focusing purely on data theft and extortion.
The GOLD MYSTIC threat group has operated the LockBit name-and-shame ransomware-as-a-service (RaaS) scheme since mid-2019, exploiting unauthorized access to thousands of organizations to deploy ransomware and steal data to facilitate the extortion of victims.
Authorities say Matveev played a major role in the development and deployment of the Hive, LockBit and Babuk ransomware variants...
Impact T1486 Data Encrypted for Impact PhantomCore использовали LockBit 3.0 для шифрования трафика
Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. ... In a notable shift ... DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.
Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. ... In a notable shift ... DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.
CosmicBeetle, an immature ransomware threat actor using its own signature encryptor, ScRansom, and the leaked LockBit 3.0 builder, became an affiliate of RansomHub.
According to their posts on Exploit, Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. Wazawaka said LockBit had paid him roughly $500,000 in commissions for the six months leading up to September 2020.
Groups including UAC-0238 exploited exposed RDP services to push ransomware variants such as X2anylock, Warlock, and LockBit 3.0 into compromised environments.
LockBit posted 163 victims in Q1 2026, climbing to fourth place globally.
The vulnerability was attributed to Lace Tempest, a Cl0p ransomware affiliate, in April 2023, used in campaigns delivering Cl0p and LockBit ransomware payloads.
...or generated using the leaked LockBit Black builder.
The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data.
...delivering various ransomware payloads over the years, including ... LockBit ... ransomware...; ...DragonForce... using a variant of the leaked LockBit3.0 builder...
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
UNC2465, which used the Darkside and Lockbit ransomware...
Bl00Dy ... used open-source and leaked builders from other operators, including LockBit, Babuk and Conti. From September 2022, the group used the LockBit ransomware builder in its attacks... Similarly, the DragonForce ransomware binary was also revealed to have been likely generated using the LockBit Black builder.
...Bearlyfy that has used ransomware strains like LockBit 3.0 and Babuk...
The LockBit gang began its operation in September 2019 and was first known as “ABCD ransomware.” ... Over the next six months, LockBit worked on a new project, internally referred to as “LockBit Red,” and publicly known as “LockBit 2.0.” ... LockBit officially announced another major release ... LockBit Black (publicly known as LockBit 3.0).
The LockBit gang began its operation in September 2019 and was first known as “ABCD ransomware.” ... Over the next six months, LockBit worked on a new project, internally referred to as “LockBit Red,” and publicly known as “LockBit 2.0.” ... LockBit officially announced another major release ... LockBit Black (publicly known as LockBit 3.0).
Lockers such as Babuk and LockBit.
The ransomware strain observed in these incidents closely resembles LockBit 3.0 (LockBit Black).
Exploited software
Vulnerabilities linked to LockBit
26 CVEsMITRE ATT&CK
LockBit in ATT&CK
113 distinct techniquesTechniques
113 techniquesReporting
Research mentioning LockBit
Brit Scattered Spider duo handed tickets to prison over Transport for London attack
The NCA said the investigation that led to today's sentencing was perhaps even more complicated than Operation Chronos, which crippled the once-dominant LockBit ransomware group.
“Stern” Ransomware Operator Sanctioned by EU
Media Land LLC, a bullet-proof hosting provider that has facilitated ransomware operations including LockBit, EvilCorp, and BlackBasta since 2016...
ClickFix: Exploiting Compromised WordPress Sites with a Polygon-Based C2 Infrastructure | Community Portal | Gurucul
Lockbit6
UK Cyber Attacks Climb 34% as Ransomware Leadership Shifts, Check Point Research Reveals - IT Security Guru
LockBit also surged, rising from 1% of published attacks in May to 7% in June, making it the third most prevalent group.
Accenture confirme une violation de données : 35 Go de code source et clés volés | CyberVeille
Accenture had also suffered a LockBit ransomware attack in 2021 with data exfiltration.
Ransomware Gangs Use PsExec + NirSoft to Own Your Network Before You Notice | ThreatAft
The consistent use of PsExec for lateral movement and NirSoft utilities for credential theft across multiple ransomware families — including GodDamn, Qilin, RansomHub, Royal, Akira, LockBit, and Makop — represents a predictable attack pattern.
Accenture Confirms Data Breach - Hacker Claims Theft of Internal Source Code
Separately, Accenture was hit by the LockBit ransomware gang in August 2021, when attackers claimed to have stolen over 6TB of data and demanded a $50 million ransom.
A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach
In 2021, the LockBit ransomware gang hit Accenture and stole data from its systems.