LockBit
What is LockBit?
A Russian-speaking ransomware-as-a-service operation that became the most prolific ransomware brand globally between 2022 and 2024 before being heavily disrupted by Operation Cronos.
LockBit first appeared in September 2019 as ABCD ransomware before rebranding as LockBit, followed by LockBit 2.0 (2021), LockBit 3.0 / Black (2022) and the Linux/ESXi variants. It operated as ransomware-as-a-service: a core team (often associated with Russian-speaking actors and a public persona known as LockBitSupp) developed the encryptors, leak site and affiliate panel, while affiliates kept roughly 70-80 percent of ransoms. Notable victims include Accenture, the UK Royal Mail, Continental, Boeing, ICBC's US broker-dealer, and the Industrial and Commercial Bank of China through 2023. In February 2024, a UK NCA-led international action (Operation Cronos) seized infrastructure and indicted Russian national Dmitry Khoroshev as LockBitSupp. Activity has continued at much lower volume since.
● Examples
- 01. The November 2023 LockBit attack on ICBC's US broker-dealer temporarily disrupted US Treasury market settlement.
- 02. Operation Cronos in February 2024 took down LockBit's leak site and replaced it with law-enforcement notices.
● Frequently asked questions
What is LockBit?
A Russian-speaking ransomware-as-a-service operation that became the most prolific ransomware brand globally between 2022 and 2024 before being heavily disrupted by Operation Cronos. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against LockBit?
Defences for LockBit typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for LockBit?
Common alternative names include: LockBit RaaS, LockBit 3.0, LockBit Black.
● Related terms
- Ransomware Gang (defense-ops, № 901): A financially motivated cybercriminal group that develops, operates, or distributes ransomware to extort organisations through file encryption and data leak threats.
- Ransomware-as-a-Service (RaaS) (malware, № 902): A criminal business model in which ransomware operators rent their malware and infrastructure to affiliates who carry out attacks and share the proceeds.
- Conti Ransomware (defense-ops, № 215): A Russian-speaking ransomware operation active 2020-2022 that ran one of the highest-volume double-extortion programmes before disbanding after major internal leaks.
- BlackCat / ALPHV (defense-ops, № 099): A Rust-based ransomware-as-a-service operation active from late 2021 to 2024, notable for cross-platform encryptors and aggressive multi-stage extortion.
- REvil / Sodinokibi (defense-ops, № 928): A Russian-speaking ransomware-as-a-service operation active 2019-2021, known for double extortion and the high-impact Kaseya VSA supply-chain attack.
- Initial Access Broker (IAB) (defense-ops, № 536): A cybercrime specialist who obtains unauthorised access to corporate networks and sells that access to other criminals, especially ransomware affiliates.