UAT-8099 ↗ In a real-world case, evidence was found that the threat actor, believed to be UAT-8099, used LockBit 3.0 Ransomware; after uploading a web shell, they attempted to gain control and manipulate SEO using Potato, AnyDesk, GotoHTTP, LCX, the NPS client (npc.Exe), BadIIS...
LockBit ↗ The LockBit ransomware group, active since around 2019... In December 2024, the group announced its newest ransomware version, “Lockbit 4”. Lockbit 4 has two versions, Black and Green, In this article we will analyze the green version.
ShadowSyndicate ↗ LockBit 3.0 affiliates are exploiting CVE-2023–4966, known as Citrix Bleed, in Citrix Netscaler web app delivery control (ADC) and Gateway appliances.
WIZARD SPIDER ↗ We investigated a recent LockBit extortion incident that occurred in Q3 2023... In September 2019, Cybereason found this hostname in old LockBit 2.0 extortions...
DragonForce ↗ CYBLE identified the DragonForce ransomware binary as being based on LockBit 3.0 (Black) ransomware.
Twelve ↗ The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data.
CyberVolk ↗ The CyberVolk collective is a prime example of how readily threat actors can access and deploy dangerous ransomware builders such as AzzaSec, Diamond, LockBit, Chaos and others.
Storm-2603 ↗ Talos IR responded to Warlock, Babuk, and Kraken ransomware variants for the first time, while also responding to previously seen families Qilin and LockBit.
Head Mare ↗ As in previous attacks, they encrypted data using variants of LockBit 3.0 (for Windows systems) and Babuk (for NAS devices).
Nullbulge ↗ NullBulge is delivering LockBit ransomware payloads to their Async and Xworm victims as a later-stage infection.
Cinnamon Tempest ↗ During a recent investigation, our DFIR team discovered that LockBit Ransomware-as-a-Service (Raas) side-loads Cobalt Strike Beacon through a signed VMware xfer logs command line utility.
Crypt Ghouls ↗ As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.
MorLock ↗ As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.
Silent Ransom Group ↗ UNC3753 traces back to the now-defunct Conti ransomware gang, sharing overlaps with UNC2686, which ran BazarCall-style campaigns from 2021. The group deployed LockBit Black in 2022 but dropped ransomware entirely after that, focusing purely on data theft and extortion.
GOLD MYSTIC ↗ The GOLD MYSTIC threat group has operated the LockBit name-and-shame ransomware-as-a-service (RaaS) scheme since mid-2019, exploiting unauthorized access to thousands of organizations to deploy ransomware and steal data to facilitate the extortion of victims.
Conti ↗ Authorities say Matveev played a major role in the development and deployment of the Hive, LockBit and Babuk ransomware variants...
PhantomCore ↗ Impact T1486 Data Encrypted for Impact PhantomCore использовали LockBit 3.0 для шифрования трафика
Indrik Spider ↗ Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. ... In a notable shift ... DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.
DEV-0216 ↗ Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. ... In a notable shift ... DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.
CosmicBeetle ↗ CosmicBeetle, an immature ransomware threat actor using its own signature encryptor, ScRansom, and the leaked LockBit 3.0 builder, became an affiliate of RansomHub.
Wazawaka ↗ According to their posts on Exploit, Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. Wazawaka said LockBit had paid him roughly $500,000 in commissions for the six months leading up to September 2020.
UAC-0238 ↗ Groups including UAC-0238 exploited exposed RDP services to push ransomware variants such as X2anylock, Warlock, and LockBit 3.0 into compromised environments.
Hastalamuerte ↗ LockBit posted 163 victims in Q1 2026, climbing to fourth place globally.
Lace Tempest ↗ The vulnerability was attributed to Lace Tempest, a Cl0p ransomware affiliate, in April 2023, used in campaigns delivering Cl0p and LockBit ransomware payloads.
Warlock ↗ ...or generated using the leaked LockBit Black builder.
BlackJack ↗ The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data.
Storm-0501 ↗ ...delivering various ransomware payloads over the years, including ... LockBit ... ransomware...; ...DragonForce... using a variant of the leaked LockBit3.0 builder...
Storm-1175 ↗ "...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
Storm-0506 ↗ "...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
Scattered Spider ↗ "...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
UNC2465 ↗ UNC2465, which used the Darkside and Lockbit ransomware...
Bl00Dy ↗ Bl00Dy ... used open-source and leaked builders from other operators, including LockBit, Babuk and Conti. From September 2022, the group used the LockBit ransomware builder in its attacks... Similarly, the DragonForce ransomware binary was also revealed to have been likely generated using the LockBit Black builder.
Bearlyfy ↗ ...Bearlyfy that has used ransomware strains like LockBit 3.0 and Babuk...
FIN7 ↗ The LockBit gang began its operation in September 2019 and was first known as “ABCD ransomware.” ... Over the next six months, LockBit worked on a new project, internally referred to as “LockBit Red,” and publicly known as “LockBit 2.0.” ... LockBit officially announced another major release ... LockBit Black (publicly known as LockBit 3.0).
Twisted Spider ↗ The LockBit gang began its operation in September 2019 and was first known as “ABCD ransomware.” ... Over the next six months, LockBit worked on a new project, internally referred to as “LockBit Red,” and publicly known as “LockBit 2.0.” ... LockBit officially announced another major release ... LockBit Black (publicly known as LockBit 3.0).
ExCobalt ↗ Lockers such as Babuk and LockBit.
Mora_001 ↗ The ransomware strain observed in these incidents closely resembles LockBit 3.0 (LockBit Black).