LockBit
LockBit is a ransomware family and ransomware-as-a-service (RaaS) operation active since around 2019–2020. The group is described as using double extortion, encrypting victim data and exfiltrating it for additional leverage. The content references multiple versions and aliases including LockBit 2.0, LockBit 3.0, LockBit Black, LockBit 4, and LockBit 5.0. LockBit has been one of the most prolific ransomware operations, and its infrastructure was seized on 19 February 2024 during Operation Cronos.
The malware targets Windows environments and, in newer reporting, Linux and VMware ESXi as well. LockBit 3.0 is described as broadly similar to LockBit 2.0, commonly delivered through Cobalt Strike, requiring administrator privileges, sometimes using UAC bypass for elevation, installing itself as multiple services for persistence, terminating selected services, changing the desktop wallpaper, and encrypting systems very rapidly, often in under one minute. LockBit 3.0 also uses anti-analysis and anti-debugging techniques including packing, obfuscation, dynamic API resolution, password-gated execution, encrypted code sections, heap flag checks, NtSetInformationThread with ThreadHideFromDebugger, and tampering with DbgUiRemoteBreakin.
The analyzed LockBit 4 Green variant is a packed 64-bit executable with minimal imports that decrypts a second-stage payload from its .data section. It uses importless execution with API hashing, XOR-based string decryption, proxy DLL loading via RtlQueueWorkItem, ETW patching, DLL notification removal, module unhooking via KnownDlls remapping, and vectored exception handler clearing. It checks keyboard layouts and appears to avoid encryption on Russian-language systems, checks system architecture, supports command-line options including --help and -q, decrypts an embedded ransom note, disables the Volume Shadow Copy Service and Windows Search, excludes specific files and paths, writes a ransom note named Restore-My-Files.txt, and uses partial encryption by encrypting full files under 1 MB and about 27% of larger files.
The content also associates LockBit affiliates with exploitation of CVE-2023-4966 (Citrix Bleed) on Citrix NetScaler ADC and Gateway appliances, and references abuse of FileZilla and Ngrok for exfiltration in a Q3 2023 LockBit extortion incident. Additional reporting links LockBit deployment to SonicWall SMA100 exploitation using CVE-2019-7481 and CVE-2021-20028. LockBit 3.0 is also described as increasingly using living-off-the-land techniques, including staging payloads in password-protected ZIP or RAR archives.
Observed delivery chains in the content include XTinyLoader downloading LockBit Black ransomware, including cases where StealC led to XTinyLoader and then to a LockBit Black payload. The content also notes infrastructure and affiliate overlap with other criminal ecosystems and that leaked LockBit 3.0 source code has been reused by other ransomware groups such as DragonForce.
Victim and targeting references in the content include a December ransomware attack on the Semyonishna dairy processing plant in southern Siberia using a LockBit variant. The broader ecosystem reporting cited in the content states that manufacturing was among the most targeted industries by prolific ransomware operators. Mentioned indicators include the LockBit 4 Green sample hash 8ff61e4156c10b085e0c2233f24e8501, the ransom note filename Restore-My-Files.txt, and low-confidence LockBit 5.0-related IOC reporting that includes karma0.xyz, 205.185.116.233, and MD5 e818a9afd55693d556a47002a7b7ef31.
Vulnerabilities exploited
23 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Some of the most prolific ransomware operators of 2023 were LockBit 3.0 with 928 victims... LockBit promotes new version LockBit 2.0 on its data leak site.
LockBit 3.0 affiliates are exploiting CVE-2023-4966, known as Citrix Bleed, in Citrix Netscaler web app delivery control (ADC) and Gateway appliances.
In July 2022, Dark Lab security firm reported the abuse of YDArk within a SonicWall SMA100 exploitation campaign aimed to leverage CVE-2019-7481 and CVE-2021-20028 on internet-exposed appliances to install LockBit ransomware.
Starting in mid-July 2025, threat actors began actively exploiting two path traversal vulnerabilities affecting on-premises SharePoint servers: CVE-2025-53770 and CVE-2025-53771. These two vulnerabilities are related to CVE-2025-49704 and CVE-2025-49706... attackers managed to eliminate the need to be authenticated to obtain a valid signature, resulting in unauthenticated remote code execution.
The version of Velociraptor observed in this incident was outdated (version 0.73.4.0) and exposed to a privilege escalation vulnerability (CVE-2025-6264), which may have been leveraged for persistence as this vulnerability can lead to arbitrary command execution and endpoint takeover.
CVE-2018-13379: A path traversal vulnerability in Fortinet SSL VPNs that was routinely exploited by multiple threat actors, including the LockBit ransomware group, across several years.
PaperCut servers have been previously breached by ransomware gangs in 2023 by exploiting a critical, unauthenticated remote code execution (RCE) vulnerability (CVE-2023-27350)... One month later, CISA and the FBI issued a joint advisory warning that the Bl00dy Ransomware gang had also begun exploiting the CVE-2023-27350 RCE vulnerability to gain initial access to the networks of educational organizations.
PaperCut servers have been previously breached by ransomware gangs in 2023 by exploiting a critical, unauthenticated remote code execution (RCE) vulnerability (CVE-2023-27350) and a high-severity information disclosure flaw (CVE-2023-27351).
Initial Access and Persistence: CVE-2024-55591 and CVE-2025-24472 allow unauthenticated attackers to gain super_admin privileges on vulnerable FortiOS devices (<7.0.16) with exposed management interfaces... Another common exploitation method we observed involved the threat actor using the fortigate-firewall account to exploit CVE-2025-24472 rather than CVE-2024-55591.
Initial Access and Persistence: CVE-2024-55591 and CVE-2025-24472 allow unauthenticated attackers to gain super_admin privileges on vulnerable FortiOS devices (<7.0.16) with exposed management interfaces. A proof-of-concept (PoC) exploit was publicly released on January 27, and within 96 hours, we observed active exploitation in the wild using two distinct methods: jsconsole ... HTTPS ...
The experts argued that the attackers likely did not exploit recently disclosed CVE-2022-41040 and CVE-2022-41082 vulnerabilities. | In July 2022, two servers operated by a customer of the security firm were infected with LockBit 3.0 ransomware. Threat actors initially deployed a web shell on a compromised Exchange server, then it took just 7 days to escalate privileges to Active Directory admin and steal roughly 1.3 TB of data before encrypting systems hosted in the network.
Looking at the Microsoft Exchange Server vulnerability history, the remote code execution vulnerability was disclosed on December 16, 2021 (CVE-2022-21969) | In July 2022, two servers operated by a customer of the security firm were infected with LockBit 3.0 ransomware. Threat actors initially deployed a web shell on a compromised Exchange server, then it took just 7 days to escalate privileges to Active Directory admin and steal roughly 1.3 TB of data before encrypting systems hosted in the network.
According to malware research group vx-underground citing LockBitSupp, the alleged leader of the LockBit operation, law enforcement hacked into the ransomware operation’s servers using a known vulnerability in the popular web coding language PHP. The vulnerability used to compromise its servers is tracked as CVE-2023-3824, a remote execution flaw patched in August 2023, giving LockBit months to fix the bug. | A sweeping law enforcement operation led by the U.K.’s National Crime Agency (NCA) this week took down LockBit, the notorious Russia-linked ransomware gang... It has long been known that LockBit, which first entered the competitive cybercrime scene in 2019, is one of, if not the most prolific ransomware gangs.
Researchers at Huntress Security Operations Center (SOC) observed what they call "a sharp uptick" in exploitation activity targeting Bomgar Remote Support (now part of BeyondTrust), with attackers reaching systems through a critical unauthenticated remote code execution (RCE) flaw, CVE-2026-1731.
Storm-2603... observed stealing MachineKeys and deploying Warlock and LockBit ransomware... They conduct lateral movement using PsExec and Impacket, deploying Warlock and LockBit ransomware to encrypt systems. | Exploited vulnerabilities include CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771, collectively known as ToolShell. CVE-2025-49704: A remote code execution vulnerability allowing attackers to run arbitrary code without authentication.
Storm-2603... observed stealing MachineKeys and deploying Warlock and LockBit ransomware... They conduct lateral movement using PsExec and Impacket, deploying Warlock and LockBit ransomware to encrypt systems. | CVE-2025-49706: A spoofing vulnerability enabling post-authentication remote code execution on affected SharePoint servers.
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
Affiliates of LockBit ransomware have previously targeted vulnerabilities in ConnectWise ScreenConnect (i.e., CVE-2024-1708 and CVE-2024-1709) for initial access.
...threat actors have been observed weaponizing a vulnerable version of Bitrix for initial access, followed by using the Zerologon flaw to escalate privileges.
Groups observed using it
40 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The LockBit ransomware group, active since around 2019... In December 2024, the group announced its newest ransomware version, “Lockbit 4”. Lockbit 4 has two versions, Black and Green. In this article we will analyze the green version.
LockBit 3.0 affiliates are exploiting CVE-2023-4966, known as Citrix Bleed, in Citrix Netscaler web app delivery control (ADC) and Gateway appliances.
We investigated a recent LockBit extortion incident that occurred in Q3 2023... In September 2019, Cybereason found this hostname in old LockBit 2.0 extortions...
CYBLE identified the DragonForce ransomware binary as being based on LockBit 3.0 (Black) ransomware.
The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data.
The CyberVolk collective is a prime example of how readily threat actors can access and deploy dangerous ransomware builders such as AzzaSec, Diamond, LockBit, Chaos and others.
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (2 techniques)
Privilege Escalation (2 techniques)
Stealth (4 techniques)
Discovery (3 techniques)
title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
... Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE ...
tags:
  - attack.discovery
  - attack.t1087.001
  - attack.t1087.002
Collection (1 technique)
Command and Control (4 techniques)
selection_domain_http:
  url.domain|endswith:
    - 'karma0.xyz'
    - 'random-strings.xyz'
    - 'decrypt-support.xyz'
    - 'supportpanel.xyz'
    - 'data-leaks.xyz'
...
selection_url_paths:
  url.path|contains:
    - '/gate.php'
    - '/index.php?id='
...
selection_hash_md5:
  hash.md5:
    - e818a9afd55693d556a47002a7b7ef31  # -- Hash IOCs (Smokeloader MD5)
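As an added illustration, not code from the page or from the rule's author, the Python below applies the three selections quoted in the Sigma fragment above to a handful of constructed proxy and EDR records. The indicator values are the ones on the page; the record schema, the matcher, the optional `strict` label-boundary check, and the rule's `condition` (treated as "any selection fires", since the condition itself is not shown) are assumptions made for the example.

```python
"""Evaluate the Sigma-style selections quoted above against constructed log records.

Illustrative code only. The indicator values come from the rule fragment; the
flat 'field.name' record schema, the matcher semantics and the assumed
condition ('any selection fires') are assumptions, not the rule's own text.
"""
from __future__ import annotations

# Indicator values copied from the rule fragment; everything else is constructed.
DOMAIN_SUFFIXES = (
    "karma0.xyz", "random-strings.xyz", "decrypt-support.xyz",
    "supportpanel.xyz", "data-leaks.xyz",
)
URL_PATH_SUBSTRINGS = ("/gate.php", "/index.php?id=")
MD5_HASHES = frozenset({"e818a9afd55693d556a47002a7b7ef31"})


def domain_hit(domain: str, strict: bool) -> bool:
    """Sigma's `|endswith` is a plain string suffix test, so 'notkarma0.xyz'
    matches 'karma0.xyz'. strict=True adds the label-boundary check a rule
    author usually wants: the suffix must be the whole name or follow a dot."""
    domain = domain.lower().rstrip(".")
    for suffix in DOMAIN_SUFFIXES:
        if not domain.endswith(suffix):
            continue
        if not strict or domain == suffix or domain.endswith("." + suffix):
            return True
    return False


def matches_selection(record: dict, strict: bool = False) -> list[str]:
    """Return the names of the selections that fire for one record.

    Sigma field semantics as modelled here (assumption): a modifier list
    matches if ANY listed value matches, and a selection fires only if ALL
    of its fields match. Absent fields never match, mirroring a SIEM.
    """
    hits: list[str] = []
    domain = record.get("url.domain") or ""
    if domain and domain_hit(domain, strict):
        hits.append("selection_domain_http")
    path = record.get("url.path") or ""
    if any(sub in path for sub in URL_PATH_SUBSTRINGS):
        hits.append("selection_url_paths")
    md5 = (record.get("hash.md5") or "").lower()   # hashes compared case-insensitively
    if md5 in MD5_HASHES:
        hits.append("selection_hash_md5")
    return hits


def triage(records: list[dict], strict: bool = False) -> dict[str, list[str]]:
    """Apply the rule to a batch; the rule's `condition` is not on the page,
    so 'any selection fires' is assumed. Returns {record id: fired selections}."""
    out: dict[str, list[str]] = {}
    for rec in records:
        hits = matches_selection(rec, strict)
        if hits:
            out[rec["id"]] = hits
    return out


# Constructed sample records (not real telemetry). r5 exercises the suffix
# edge case: a lookalike host that Sigma's endswith would still match.
SAMPLE_RECORDS = [
    {"id": "r1", "url.domain": "cdn.karma0.xyz", "url.path": "/gate.php"},
    {"id": "r2", "url.domain": "updates.example.com", "url.path": "/index.php?id=42"},
    {"id": "r3", "hash.md5": "E818A9AFD55693D556A47002A7B7EF31"},
    {"id": "r4", "url.domain": "www.example.com", "url.path": "/login"},
    {"id": "r5", "url.domain": "notkarma0.xyz", "url.path": "/"},
]

if __name__ == "__main__":
    for rec_id, fired in triage(SAMPLE_RECORDS).items():
        print(f"{rec_id}: {', '.join(fired)}")
    print("strict mode:", sorted(triage(SAMPLE_RECORDS, strict=True)))
```

The `/index.php?id=` path selection is generic enough to fire on benign traffic (r2 above), which is why the hash and domain selections matter for triage and why the page itself rates this IOC set as low-confidence.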
This collection of Threat Hunt Packages gives analysts visibility into a number of Remote Monitoring and Management tools that can be abused by malicious actors and malware variants in order to gain initial access, gain remote access and/or maintain persistence in an environment.
Exfiltration (4 techniques)
...demanding a $10 million ransom under the threat to publish 700 gigabytes of confidential information hackers allegedly exfiltrated from the company's computer networks.
The ransomware affiliate conducted the data exfiltration phase through an FTP channel tunneled over a TLS connection.
Impact (4 techniques)
In December, the Semyonishna dairy processing plant in southern Siberia was hit by a ransomware attack that encrypted its systems with a variant of LockBit ransomware... Earlier, in September 2024, ransomware operators targeted Kabosh, one of Russia's largest cheese producers, leaving the company's production facilities unable to operate for nearly a month.
IOCs tracked for this family
762 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A ransomware family whose behavior overlaps with Hive due to encryption-heavy file operations.
A ransomware payload downloaded by XTinyLoader in one observed case.
Ransomware used to encrypt victim systems.
LockBit Black, also known as LockBit 3.0, is identified as a ransomware payload delivered in one StealC-linked case.