LockBit
LockBit is a cybercriminal ransomware group operating a Ransomware-as-a-Service model since around 2019–2020. It is described as a highly organized and prolific double-extortion operation that encrypts victim data and exfiltrates it for additional leverage. Known aliases in the provided content include abcd_ransomware, lockbit_20, lockbit30, lockbit_30, lockbit_40, lockbit_50, lockbit_black, lockbit_gang, lockbit_green, lockbit_group, and lockbitsupp.

The content states that LockBit has been among the most active ransomware groups, including being identified as the most prolific overall and in 2024, with LockBit 3.0 recorded as the most active group in September 2023 with 78 attacks. LockBit infrastructure was seized on 19 February 2024 as part of Operation Cronos by U.S. and U.K. authorities; the operation reportedly took down 34 servers, retrieved more than 1,000 decryption keys, froze 200 cryptocurrency accounts, and resulted in two arrests. The content also notes that LockBit’s affiliate panel was compromised on 7 May 2025, leaking bitcoin addresses, build data, configuration data, negotiation chats, and user information.

The group is associated with multiple ransomware versions and sub-variants mentioned in the content, including LockBit 3.0, LockBit Black, LockBit 4 / LockBit 4 Green, and references to LockBit 5.0 as an ecosystem/IOC feed. LockBit announced LockBit 4 in December 2024. The analyzed LockBit 4 Green variant is described as using importless execution with dynamic API hashing, XOR-based string decryption, proxy DLL loading via RtlQueueWorkItem, ETW patching, DLL notification removal, module unhooking, vectored exception handler clearing, Russian language checks, service disabling, file/path exclusions, ransom note deployment, and partial encryption.

The content attributes to LockBit and its affiliates the exploitation of public-facing vulnerabilities for initial access, including Citrix Bleed (CVE-2023-4966) against Citrix NetScaler ADC and Gateway appliances, and references campaigns involving SonicWall SMA100 exploitation to deploy LockBit ransomware. LockBit affiliates are also described as using living-off-the-land techniques, staging payloads in password-protected archives, and abusing tools and services such as PsExec, FileZilla, Ngrok, TeamViewer, and AnyDesk. Reported affiliate tradecraft includes remote management tools, WMI, scheduled tasks, SMB, RDP, WinRM, and data exfiltration over FTP tunneled via TLS.

Targeting in the provided content spans multiple sectors and geographies. Specific examples include the June 2023 TSMC incident, where LockBit claimed responsibility, posted TSMC on its leak site, and demanded $70 million. The content also describes a Q3 2023 LockBit extortion incident in which an affiliate used Moscow-based FTP infrastructure and the hostname WIN-LIVFRVQFMKO, with repeated hostname reuse across victim pages suggesting recurring affiliate infrastructure.

The content further notes ecosystem relationships and overlap with other ransomware actors. LockBit attempted to recruit affiliates from ALPHV and NoEscape. DragonForce is described as having developed ransomware based on leaked LockBit 3.0 and Conti source code, and public reporting cited in the content notes communication or cooperation attempts between DragonForce, LockBit, and Qilin. Some reporting in the content also links former affiliates of other groups to LockBit, but only at the affiliate level rather than as core LockBit sub-groups. The content does not provide high-confidence attribution of LockBit to a nation state; it is consistently described as a financially motivated cybercriminal ransomware operation.
Tradecraft
56 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
7 malware families attributed to this actor across reporting.
2 additional families tracked in Mallory.
Associated vulnerabilities
5 CVEs this actor has used in observed campaigns. 5 of them exploited in the wild.
CVE-2018-10562 | 8.9 | Dasan GPON Home Routers | LockBit, RansomHouse, Crypto24 | Link
CVE-2019-12780 | 9.8 | Belkin Wemo Smart Plug | LockBit, RansomHouse | No
Evidence excerpt for CVE-2019-12780: Based on their 90-day average detection rates, CVE-2019-12780 leads the list...
Two vulnerabilities were fixed in the PaperCut Application Server that allow remote attackers to perform unauthenticated remote code execution and information disclosure: CVE-2023-27350 ... Unauthenticated remote code execution flaw impacting all PaperCut MF or NG versions 8.0 or later... PaperCut disclosed that these flaws were actively exploited in the wild... A PoC exploit for the RCE flaw was released... Microsoft ... attributed the recent PaperCut attacks to the Clop and LockBit ransomware operations.
CVE-2023-27351 ... Unauthenticated information disclosure flaw impacting all PaperCut MF or NG versions 15.0 or later... PaperCut disclosed that these flaws were actively exploited in the wild... Microsoft ... attributed the recent PaperCut attacks to the Clop and LockBit ransomware operations.
...LockBit ransomware group as they exploited a vulnerability known as ‘Citrix Bleed’ (CVE-2023-4966) during their attacks. LockBit leveraged this flaw to hijack authenticated sessions...
Observables
323 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Ransomware group referenced as using PsExec as a primary propagation mechanism for spreading ransomware.
Referenced as another ransomware group that was a source of information about APT73.
Referenced as a ransomware group whose affiliates allegedly overlapped with Gentlemen operators.
Referenced as a ransomware operation for which The Gentlemen founder was previously an affiliate.