From CISO Marketplace — the hub for security professionals

LockBit Ransomware

Threat Intelligence

Definition

The world's most prolific ransomware-as-a-service (RaaS) operation from 2021 through 2024, responsible for thousands of attacks across 120+ countries before a major international law enforcement disruption in February 2024, followed by an attempted restart by its administrator known as 'LockBitSupp'.

Technical Details

LockBit emerged in 2019 as a self-propagating ransomware and evolved into the most dominant RaaS platform globally. The operation ran through three major versions: LockBit 1.0 (2019), LockBit 2.0 (2021, incorporating the StealBit data exfiltration tool and Babuk's code for ESXi encryption), and LockBit 3.0/LockBit Black (2022, which incorporated code from the leaked BlackMatter/ALPHV source and introduced a bug bounty program for the ransomware itself). The group also released LockBit Green in early 2023, incorporating Conti source code for additional encryption routines.

Technically, LockBit was notable for its speed: LockBit 3.0 could encrypt a target environment in as little as 5-7 minutes using multithreaded encryption with AES-256, combined with an intermittent encryption approach that encrypted only portions of large files to maximize speed. The malware used RSA-2048 to protect the symmetric key, making decryption without the private key computationally infeasible.

The group operated a sophisticated affiliate program — one of the most professionally run in the ransomware ecosystem — offering affiliates 80% of ransom payments (increasing to 85% for affiliates who earned over $5M). They maintained a dark web leak site (LockBit.onion) where they published stolen data from victims who refused to pay.

Operation Cronos, the international law enforcement takedown in February 2024, involved authorities from 11 countries including the FBI, UK's National Crime Agency, Europol, and Eurojust. The operation seized LockBit's infrastructure including its dark web leak site and affiliate panel, obtained decryption keys for 1,000+ victims, and arrested or charged multiple individuals. The FBI obtained LockBit's database of affiliates, providing a roadmap for further enforcement actions. The US indicted Dmitry Khoroshev (LockBitSupp) and offered a $10M reward.
Despite the takedown, LockBit reconstituted relatively quickly, with LockBitSupp launching LockBit 4.0 announcements and continuing affiliate recruitment. However, the operation's credibility was significantly damaged — affiliates migrated to competitors, and the public revelation of LockBitSupp's identity undermined trust in the platform's operational security. Ransomware operations that lose affiliate trust rarely recover their previous dominance.
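The intermittent-encryption point above has a detection consequence: when only portions of each large file are encrypted, whole-file entropy can stay unremarkable and a file-level entropy check misses the damage. As an added defensive example (not code from the original page), the following Python scores a file window by window and flags the mixed high/low pattern; the chunk size, thresholds and the constructed sample files are assumptions.

```python
import math
import random
from collections import Counter

CHUNK = 4096   # window size for per-chunk entropy (assumption)
HIGH = 7.5     # bits/byte at or above this looks like ciphertext
LOW = 6.0      # bits/byte at or below this looks like ordinary document content


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive window of `chunk` bytes."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK) -> str:
    """'clean' (no high-entropy window), 'full' (no low-entropy window),
    or 'partial' (both present: the intermittent-encryption pattern)."""
    ents = chunk_entropies(data, chunk)
    has_high = any(e >= HIGH for e in ents)
    has_low = any(e <= LOW for e in ents)
    if not has_high:
        return "clean"
    if not has_low:
        return "full"
    return "partial"


# Constructed sample files (not real victim data); seeded RNG keeps results reproducible.
_rng = random.Random(1234)
SIZE = 128 * 1024


def _random_bytes(n: int) -> bytes:
    return bytes(_rng.randrange(256) for _ in range(n))


SENTENCE = b"The quarterly report is attached for review.\n"
PLAIN = (SENTENCE * (SIZE // len(SENTENCE) + 1))[:SIZE]   # untouched document
FULL = _random_bytes(SIZE)                                 # fully encrypted file
PARTIAL = bytearray(PLAIN)                                 # first 4 KiB of every 32 KiB
for off in range(0, SIZE, 32 * 1024):                      # block encrypted, rest intact
    PARTIAL[off:off + 4096] = _random_bytes(4096)
PARTIAL = bytes(PARTIAL)

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("partial", PARTIAL), ("full", FULL)):
        print(f"{name:8s} whole-file={shannon_entropy(blob):.2f}  verdict={classify(blob)}")
```

Whole-file entropy of the partially encrypted sample stays below the LOW threshold, so only the per-window view reports it.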

Practical Usage

LockBit's operational history provides security teams with a comprehensive case study in ransomware TTPs. The group's affiliates used a wide variety of initial access methods — purchased access from IABs, phishing, RDP brute force, VPN exploitation — meaning there is no single control that prevents LockBit attacks. Defense requires a layered approach addressing all common initial access vectors simultaneously. CISA has published detailed advisories on LockBit TTPs with specific detection recommendations and IOCs.

For incident responders encountering a potential LockBit infection, the group's artifacts are well-documented. LockBit leaves a distinctive ransom note and adds a specific file extension to encrypted files (which changed across versions). StealBit, the group's data exfiltration tool, communicates with specific command and control infrastructure. After a LockBit infection is confirmed, responders should immediately check for StealBit artifacts and network connections to determine whether data exfiltration occurred in addition to encryption — changing the incident classification from ransomware to data breach.

The Operation Cronos takedown demonstrated the value of international law enforcement cooperation and the real impact that seizing decryption keys can have for victims. Organizations that suffered LockBit attacks should check the 'No More Ransom' project (nomoreransom.org) and FBI notifications for free decryption keys that may apply to their specific LockBit variant. The case also highlights the importance of ransomware reporting — victim organizations that reported to the FBI contributed intelligence that enabled the takedown.

Related Terms

Ransomware-as-a-Service, ALPHV/BlackCat, RansomHub, Initial Access Broker, Double Extortion