Skip to content
Ransomware group Windows

LockBit

LockBit is a prominent ransomware family and ransomware-as-a-service operation that became one of the most prolific extortion threats globally.

Profile source: Mallory opens in a new tab

LockBit

Family profile

LockBit is a prominent ransomware family and ransomware-as-a-service operation that became one of the most prolific extortion threats globally. Multiple major versions have circulated, including LockBit 2.0, LockBit 3.0, and LockBit Black, with activity spanning enterprise environments across many sectors and regions. The operation is associated with large-scale data theft and double-extortion tactics in which victim data is exfiltrated before encryption and later used to pressure organizations into paying ransom.

LockBit intrusions have been linked to common ransomware tradecraft including credential theft, lateral movement, and post-compromise deployment across Windows networks. Reported operator and affiliate behavior includes use of legitimate remote administration and execution utilities such as PsExec for lateral movement, NirSoft credential-recovery tools and Mimikatz for credential access, and remote-access software during hands-on-keyboard operations. LockBit activity has also been associated with exploitation of public-facing systems and with post-compromise use of web shells in attacks against poorly managed Windows web servers. In at least one reported case involving a Windows web server intrusion, a threat actor believed to be UAT-8099 uploaded a web shell and later deployed LockBit 3.0 alongside additional remote-control and proxy tooling.

The malware has repeatedly been tied to high-impact enterprise incidents, including attacks involving substantial data exfiltration and multimillion-dollar ransom demands. LockBit has targeted organizations in diverse industries and has remained influential enough that shared affiliates and overlapping tradecraft have been discussed alongside other major ransomware groups. It is widely regarded as one of the defining ransomware threats of the early-to-mid 2020s.

Capabilities

  • Credential Theft
  • Exfiltration
  • Lateral Movement
  • Post Exploitation

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Md5

13 total
  • 48b0a4505a96a640300e43e2af712276
  • 8f718979876dd1050ce4f729d69e0072
  • 2513d6678b476a432af2e84fff485b44
  • c462c6b02b35df2910689947c5090fae
  • e47032b3d1b9cbbcf77741d5d260004d
  • 95daa771a28eaed76eb01e1e8f403f7c
  • ca93d47bcc55e2e1bd4a679afc8e2e25
  • a1539b21e5d6849a3e0cf87a4dc70335
  • 5e1f61b9c1c27cad3b7a81c804ac7b86
  • 274e5ff2aa33e7ec980700e617eb2214

Ransomware.live

Recent claims

All published claims ↗

Reported operators

Threat actors

37 named in public reporting
UAT-8099

In a real-world case, evidence was found that the threat actor, believed to be UAT-8099, used LockBit 3.0 Ransomware; after uploading a web shell, they attempted to gain control and manipulate SEO using Potato, AnyDesk, GotoHTTP, LCX, the NPS client (npc.Exe), BadIIS...

LockBit

The LockBit ransomware group, active since around 2019... In December 2024, the group announced its newest ransomware version, “Lockbit 4”. Lockbit 4 has two versions, Black and Green, In this article we will analyze the green version.

ShadowSyndicate

LockBit 3.0 affiliates are exploiting CVE-2023–4966, known as Citrix Bleed, in Citrix Netscaler web app delivery control (ADC) and Gateway appliances.

WIZARD SPIDER

We investigated a recent LockBit extortion incident that occurred in Q3 2023... In September 2019, Cybereason found this hostname in old LockBit 2.0 extortions...

DragonForce

CYBLE identified the DragonForce ransomware binary as being based on LockBit 3.0 (Black) ransomware.

Twelve

The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data.

CyberVolk

The CyberVolk collective is a prime example of how readily threat actors can access and deploy dangerous ransomware builders such as AzzaSec, Diamond, LockBit, Chaos and others.

Storm-2603

Talos IR responded to Warlock, Babuk, and Kraken ransomware variants for the first time, while also responding to previously seen families Qilin and LockBit.

Head Mare

As in previous attacks, they encrypted data using variants of LockBit 3.0 (for Windows systems) and Babuk (for NAS devices).

Nullbulge

NullBulge is delivering LockBit ransomware payloads to their Async and Xworm victims as a later-stage infection.

Cinnamon Tempest

During a recent investigation, our DFIR team discovered that LockBit Ransomware-as-a-Service (Raas) side-loads Cobalt Strike Beacon through a signed VMware xfer logs command line utility.

Crypt Ghouls

As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.

MorLock

As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.

Silent Ransom Group

UNC3753 traces back to the now-defunct Conti ransomware gang, sharing overlaps with UNC2686, which ran BazarCall-style campaigns from 2021. The group deployed LockBit Black in 2022 but dropped ransomware entirely after that, focusing purely on data theft and extortion.

GOLD MYSTIC

The GOLD MYSTIC threat group has operated the LockBit name-and-shame ransomware-as-a-service (RaaS) scheme since mid-2019, exploiting unauthorized access to thousands of organizations to deploy ransomware and steal data to facilitate the extortion of victims.

Conti

Authorities say Matveev played a major role in the development and deployment of the Hive, LockBit and Babuk ransomware variants...

PhantomCore

Impact T1486 Data Encrypted for Impact PhantomCore использовали LockBit 3.0 для шифрования трафика

Indrik Spider

Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. ... In a notable shift ... DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.

DEV-0216

Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload in their intrusions. ... In a notable shift ... DEV-0401 started deploying LockBit 2.0 ransomware payloads in April 2022.

CosmicBeetle

CosmicBeetle, an immature ransomware threat actor using its own signature encryptor, ScRansom, and the leaked LockBit 3.0 builder, became an affiliate of RansomHub.

Wazawaka

According to their posts on Exploit, Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. Wazawaka said LockBit had paid him roughly $500,000 in commissions for the six months leading up to September 2020.

UAC-0238

Groups including UAC-0238 exploited exposed RDP services to push ransomware variants such as X2anylock, Warlock, and LockBit 3.0 into compromised environments.

Hastalamuerte

LockBit posted 163 victims in Q1 2026, climbing to fourth place globally.

Lace Tempest

The vulnerability was attributed to Lace Tempest, a Cl0p ransomware affiliate, in April 2023, used in campaigns delivering Cl0p and LockBit ransomware payloads.

Warlock

...or generated using the leaked LockBit Black builder.

BlackJack

The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data.

Storm-0501

...delivering various ransomware payloads over the years, including ... LockBit ... ransomware...; ...DragonForce... using a variant of the leaked LockBit3.0 builder...

Storm-1175

"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."

Storm-0506

"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."

Scattered Spider

"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."

UNC2465

UNC2465, which used the Darkside and Lockbit ransomware...

Bl00Dy

Bl00Dy ... used open-source and leaked builders from other operators, including LockBit, Babuk and Conti. From September 2022, the group used the LockBit ransomware builder in its attacks... Similarly, the DragonForce ransomware binary was also revealed to have been likely generated using the LockBit Black builder.

Bearlyfy

...Bearlyfy that has used ransomware strains like LockBit 3.0 and Babuk...

FIN7

The LockBit gang began its operation in September 2019 and was first known as “ABCD ransomware.” ... Over the next six months, LockBit worked on a new project, internally referred to as “LockBit Red,” and publicly known as “LockBit 2.0.” ... LockBit officially announced another major release ... LockBit Black (publicly known as LockBit 3.0).

Twisted Spider

The LockBit gang began its operation in September 2019 and was first known as “ABCD ransomware.” ... Over the next six months, LockBit worked on a new project, internally referred to as “LockBit Red,” and publicly known as “LockBit 2.0.” ... LockBit officially announced another major release ... LockBit Black (publicly known as LockBit 3.0).

Mora_001

The ransomware strain observed in these incidents closely resembles LockBit 3.0 (LockBit Black).

Exploited software

Vulnerabilities linked to LockBit

26 CVEs
CVE-2021-44228 Log4Shell CVE-2024-55591 Authentication Bypass in FortiOS and FortiProxy Node.js WebSocket Module CVE-2023-4966 CitrixBleed CVE-2023-3519 Unauthenticated RCE in Citrix NetScaler ADC and Gateway CVE-2019-7481 SQL Injection in SonicWall SMA100 CVE-2021-20028 SQL Injection in SonicWall Secure Remote Access (SRA) CVE-2025-53770 ToolShell RCE in on-premises Microsoft SharePoint Server CVE-2025-6264 Privilege Escalation in Rapid7 Velociraptor Admin.Client.UpdateClientConfig Artifact CVE-2025-53771 Path Traversal Authentication Bypass in Microsoft SharePoint CVE-2018-13379 Fortinet FortiOS SSL VPN Path Traversal Credential Exposure CVE-2023-27350 Unauthenticated RCE in PaperCut MF/NG SetupCompleted CVE-2023-27351 Authentication Bypass in PaperCut NG/MF SecurityRequestFilter CVE-2025-24472 FortiOS/FortiProxy Security Fabric CSF Proxy Authentication Bypass CVE-2022-41082 ProxyNotShell RCE in Microsoft Exchange Server CVE-2022-41040 ProxyNotShell SSRF in Microsoft Exchange Server CVE-2022-21969 RCE in Microsoft Exchange Server (CVE-2022-21969) CVE-2023-3824 PHP PHAR directory entry parsing stack buffer overflow CVE-2026-1731 Pre-auth OS Command Injection RCE in BeyondTrust Remote Support and Privileged Remote Access CVE-2025-49704 Microsoft SharePoint Code Injection Remote Code Execution CVE-2025-49706 Microsoft SharePoint Improper Authentication Spoofing Vulnerability CVE-2024-37085 VMware ESXi Active Directory Integration Authentication Bypass CVE-2024-1708 ConnectWise ScreenConnect Path Traversal Vulnerability CVE-2020-1472 ZeroLogon CVE-2024-1709 Authentication Bypass in ConnectWise ScreenConnect CVE-2023-46604 Apache ActiveMQ OpenWire Remote Code Execution CVE-2026-27446 Authentication bypass in Apache Artemis Core downstream federation

MITRE ATT&CK

LockBit in ATT&CK

113 distinct techniques

Techniques

113 techniques
T1486 Data Encrypted for Impact T1204.002 Malicious File T1560 Archive Collected Data T1219 Remote Access Tools T1491.001 Internal Defacement T1059.003 Windows Command Shell T1027 Obfuscated Files or Information T1036 Masquerading T1218.007 Msiexec T1021.002 SMB/Windows Admin Shares T1070.004 File Deletion T1070 Indicator Removal T1027.007 Dynamic API Resolution T1071 Application Layer Protocol T1562 Impair Defenses T1489 Service Stop T1560.001 Archive via Utility T1622 Debugger Evasion T1105 Ingress Tool Transfer T1572 Protocol Tunneling T1543.003 Windows Service T1657 Financial Theft T1059 Command and Scripting Interpreter T1567.002 Exfiltration to Cloud Storage T1048 Exfiltration Over Alternative Protocol T1548.002 Bypass User Account Control T1204 User Execution T1189 Drive-by Compromise T1041 Exfiltration Over C2 Channel T1567 Exfiltration Over Web Service T1087.001 Local Account T1087.002 Domain Account T1053.005 Scheduled Task T1484.001 Group Policy Modification T1003.001 LSASS Memory T1135 Network Share Discovery T1047 Windows Management Instrumentation T1078.002 Domain Accounts T1218.003 CMSTP T1070.001 Clear Windows Event Logs T1490 Inhibit System Recovery T1195 Supply Chain Compromise T1078.001 Default Accounts T1119 Automated Collection T1055 Process Injection T1485 Data Destruction T1190 Exploit Public-Facing Application T1608.001 Upload Malware T1106 Native API T1566.004 Spearphishing Voice T1547.001 Registry Run Keys / Startup Folder T1132 Data Encoding T1562.001 Disable or Modify Tools T1583 Acquire Infrastructure T1537 Transfer Data to Cloud Account T1112 Modify Registry T1505.003 Web Shell T1057 Process Discovery T1074 Data Staged T1497 Virtualization/Sandbox Evasion T1082 System Information Discovery T1027.013 Encrypted/Encoded File T1140 Deobfuscate/Decode Files or Information T1071.001 Web Protocols T1021.001 Remote Desktop Protocol T1497.001 System Checks T1020 Automated Exfiltration T1620 Reflective Code Loading T1133 External Remote Services T1083 File and Directory Discovery T1561 Disk Wipe T1059.004 Unix Shell T1055.012 Process Hollowing T1614.001 System Language Discovery T1614 System Location Discovery T1562.004 Disable or Modify System Firewall T1078 Valid Accounts T1203 Exploitation for Client Execution T1570 Lateral Tool Transfer T1566 Phishing T1016 System Network Configuration Discovery T1110 Brute Force T1573 Encrypted Channel T1027.002 Software Packing T1654 Log Enumeration T1053 Scheduled Task/Job T1564.003 Hidden Window T1018 Remote System Discovery T1562.002 Disable Windows Event Logging T1559.001 Component Object Model T1134.001 Token Impersonation/Theft T1546.015 Component Object Model Hijacking T1548 Abuse Elevation Control Mechanism T1562.009 Safe Mode Boot T1120 Peripheral Device Discovery T1574 Hijack Execution Flow T1007 System Service Discovery T1059.001 PowerShell T1592 Gather Victim Host Information T1222.001 Windows File and Directory Permissions Modification T1491 Defacement T1547 Boot or Logon Autostart Execution T1480 Execution Guardrails T1132.001 Standard Encoding T1078.003 Local Accounts T1136 Create Account T1573.001 Symmetric Cryptography T1569.002 Service Execution T1680 Local Storage Discovery T1480.002 Mutual Exclusion T1547.004 Winlogon Helper DLL T1134 Access Token Manipulation T1561.001 Disk Content Wipe

Reporting

Research mentioning LockBit

Jul 16
Register Security

Brit Scattered Spider duo handed tickets to prison over Transport for London attack

The NCA said the investigation that led to today's sentencing was perhaps even more complicated than Operation Chronos, which crippled the once-dominant LockBit ransomware group.

Jul 14
Chainalysis

“Stern” Ransomware Operator Sanctioned by EU

Media Land LLC, a bullet-proof hosting provider that has facilitated ransomware operations including LockBit, EvilCorp, and BlackBasta since 2016...

Jul 14
Gurucul Threat Research

ClickFix: Exploiting Compromised WordPress Sites with a Polygon-Based C2 Infrastructure | Community Portal | Gurucul

Lockbit6

Jul 13
Itsecurityguru

UK Cyber Attacks Climb 34% as Ransomware Leadership Shifts, Check Point Research Reveals - IT Security Guru

LockBit also surged, rising from 1% of published attacks in May to 7% in June, making it the third most prevalent group.

Jul 11
Cyberveille

Accenture confirme une violation de données : 35 Go de code source et clés volés | CyberVeille

Accenture had also suffered a LockBit ransomware attack in 2021 with data exfiltration.

Jul 10
Threataft

Ransomware Gangs Use PsExec + NirSoft to Own Your Network Before You Notice | ThreatAft

The consistent use of PsExec for lateral movement and NirSoft utilities for credential theft across multiple ransomware families — including GodDamn, Qilin, RansomHub, Royal, Akira, LockBit, and Makop — represents a predictable attack pattern.

Jul 9
Cyber Security News

Accenture Confirms Data Breach - Hacker Claims Theft of Internal Source Code

Separately, Accenture was hit by the LockBit ransomware gang in August 2021, when attackers claimed to have stolen over 6TB of data and demanded a $50 million ransom.

Jul 8
Security Affairs

A Hacker Claims 35 GB of Accenture Source Code. The Company discloses the data breach

In 2021, the LockBit ransomware gang hit Accenture and stole data from its systems.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.