Credential Theft
- Gosecretsdump
- LaZagne
- LostMyPassword
- Mimikatz
- NirSoft ExtPassword
- PasswordFox
- ProcDump
- Veeam-Get-Creds
LockBit is a prominent ransomware family and ransomware-as-a-service operation that became one of the most prolific extortion threats globally.
Profile source: Mallory opens in a new tabLockBit
LockBit is a prominent ransomware family and ransomware-as-a-service operation that became one of the most prolific extortion threats globally. Multiple major versions have circulated, including LockBit 2.0, LockBit 3.0, and LockBit Black, with activity spanning enterprise environments across many sectors and regions. The operation is associated with large-scale data theft and double-extortion tactics in which victim data is exfiltrated before encryption and later used to pressure organizations into paying ransom.
LockBit intrusions have been linked to common ransomware tradecraft including credential theft, lateral movement, and post-compromise deployment across Windows networks. Reported operator and affiliate behavior includes use of legitimate remote administration and execution utilities such as PsExec for lateral movement, NirSoft credential-recovery tools and Mimikatz for credential access, and remote-access software during hands-on-keyboard operations. LockBit activity has also been associated with exploitation of public-facing systems and with post-compromise use of web shells in attacks against poorly managed Windows web servers. In at least one reported case involving a Windows web server intrusion, a threat actor believed to be UAT-8099 uploaded a web shell and later deployed LockBit 3.0 alongside additional remote-control and proxy tooling.
The malware has repeatedly been tied to high-impact enterprise incidents, including attacks involving substantial data exfiltration and multimillion-dollar ransom demands. LockBit has targeted organizations in diverse industries and has remained influential enough that shared affiliates and overlapping tradecraft have been discussed alongside other major ransomware groups. It is widely regarded as one of the defining ransomware threats of the early-to-mid 2020s.
Ransomware.live
Ransomware.live
f954f24e6eb85ef1b64e315491dad816f828044c91ac00afffcd77b4ce6808578ff61e4156c10b085e0c2233f24e85011319da1523ec2a67bda016c15334c195b86aacec897b8376c23647c4f0e78fba15796971d60f9d71ad162060f0f76a02ba56b0c4a215b40cbe64f8f8b1f166ad7e525ef64a4e27fbb325d7cb4653f0a1d96d2bcf13d55740f3bb64d45d2db94d2b84852065e28974e4081826ff09ddc1150.171.30.1020.101.57.984.201.211.4023.54.127.20964.233.181.94199.232.210.172184.28.89.16720.12.23.50184.30.21.17140.69.42.241Reported operators
In a real-world case, evidence was found that the threat actor, believed to be UAT-8099, used LockBit 3.0 Ransomware; after uploading a web shell, they attempted to gain control and manipulate SEO using Potato, AnyDesk, GotoHTTP, LCX, the NPS client (npc.Exe), BadIIS...
The LockBit ransomware group, active since around 2019... In December 2024, the group announced its newest ransomware version, “Lockbit 4”. Lockbit 4 has two versions, Black and Green, In this article we will analyze the green version.
LockBit 3.0 affiliates are exploiting CVE-2023–4966, known as Citrix Bleed, in Citrix Netscaler web app delivery control (ADC) and Gateway appliances.
We investigated a recent LockBit extortion incident that occurred in Q3 2023... In September 2019, Cybereason found this hostname in old LockBit 2.0 extortions...
CYBLE identified the DragonForce ransomware binary as being based on LockBit 3.0 (Black) ransomware.
The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data.
The CyberVolk collective is a prime example of how readily threat actors can access and deploy dangerous ransomware builders such as AzzaSec, Diamond, LockBit, Chaos and others.
Talos IR responded to Warlock, Babuk, and Kraken ransomware variants for the first time, while also responding to previously seen families Qilin and LockBit.
As in previous attacks, they encrypted data using variants of LockBit 3.0 (for Windows systems) and Babuk (for NAS devices).
NullBulge is delivering LockBit ransomware payloads to their Async and Xworm victims as a later-stage infection.
During a recent investigation, our DFIR team discovered that LockBit Ransomware-as-a-Service (Raas) side-loads Cobalt Strike Beacon through a signed VMware xfer logs command line utility.
As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.
As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.
UNC3753 traces back to the now-defunct Conti ransomware gang, sharing overlaps with UNC2686, which ran BazarCall-style campaigns from 2021. The group deployed LockBit Black in 2022 but dropped ransomware entirely after that, focusing purely on data theft and extortion.
The GOLD MYSTIC threat group has operated the LockBit name-and-shame ransomware-as-a-service (RaaS) scheme since mid-2019, exploiting unauthorized access to thousands of organizations to deploy ransomware and steal data to facilitate the extortion of victims.
Authorities say Matveev played a major role in the development and deployment of the Hive, LockBit and Babuk ransomware variants...
Impact T1486 Data Encrypted for Impact PhantomCore использовали LockBit 3.0 для шифрования трафика
Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. ... In a notable shift ... DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.
Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. ... In a notable shift ... DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.
CosmicBeetle, an immature ransomware threat actor using its own signature encryptor, ScRansom, and the leaked LockBit 3.0 builder, became an affiliate of RansomHub.
According to their posts on Exploit, Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. Wazawaka said LockBit had paid him roughly $500,000 in commissions for the six months leading up to September 2020.
Groups including UAC-0238 exploited exposed RDP services to push ransomware variants such as X2anylock, Warlock, and LockBit 3.0 into compromised environments.
LockBit posted 163 victims in Q1 2026, climbing to fourth place globally.
The vulnerability was attributed to Lace Tempest, a Cl0p ransomware affiliate, in April 2023, used in campaigns delivering Cl0p and LockBit ransomware payloads.
...or generated using the leaked LockBit Black builder.
The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data.
...delivering various ransomware payloads over the years, including ... LockBit ... ransomware...; ...DragonForce... using a variant of the leaked LockBit3.0 builder...
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
UNC2465, which used the Darkside and Lockbit ransomware...
Bl00Dy ... used open-source and leaked builders from other operators, including LockBit, Babuk and Conti. From September 2022, the group used the LockBit ransomware builder in its attacks... Similarly, the DragonForce ransomware binary was also revealed to have been likely generated using the LockBit Black builder.
...Bearlyfy that has used ransomware strains like LockBit 3.0 and Babuk...
The LockBit gang began its operation in September 2019 and was first known as “ABCD ransomware.” ... Over the next six months, LockBit worked on a new project, internally referred to as “LockBit Red,” and publicly known as “LockBit 2.0.” ... LockBit officially announced another major release ... LockBit Black (publicly known as LockBit 3.0).
The LockBit gang began its operation in September 2019 and was first known as “ABCD ransomware.” ... Over the next six months, LockBit worked on a new project, internally referred to as “LockBit Red,” and publicly known as “LockBit 2.0.” ... LockBit officially announced another major release ... LockBit Black (publicly known as LockBit 3.0).
Lockers such as Babuk and LockBit.
The ransomware strain observed in these incidents closely resembles LockBit 3.0 (LockBit Black).
Exploited software
MITRE ATT&CK
Reporting
The NCA said the investigation that led to today's sentencing was perhaps even more complicated than Operation Chronos, which crippled the once-dominant LockBit ransomware group.
Media Land LLC, a bullet-proof hosting provider that has facilitated ransomware operations including LockBit, EvilCorp, and BlackBasta since 2016...
Lockbit6
LockBit also surged, rising from 1% of published attacks in May to 7% in June, making it the third most prevalent group.
Accenture had also suffered a LockBit ransomware attack in 2021 with data exfiltration.
The consistent use of PsExec for lateral movement and NirSoft utilities for credential theft across multiple ransomware families — including GodDamn, Qilin, RansomHub, Royal, Akira, LockBit, and Makop — represents a predictable attack pattern.
Separately, Accenture was hit by the LockBit ransomware gang in August 2021, when attackers claimed to have stolen over 6TB of data and demanded a $50 million ransom.
In 2021, the LockBit ransomware gang hit Accenture and stole data from its systems.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.