

LockBit

Also known as: LockBit 2.0, LockBit 3.0, LockBit Black, LockBit Green, ABCD Ransomware, Water Selkie, LockBit 4.0, LockBit Neo, LockBit 5.0, ChuongDong, LockBit-NG-Dev, SuperBlack


Overview

LockBit remains one of the most prolific ransomware-as-a-service (RaaS) operations, with 2,757+ lifetime victims. Following the February 2024 Operation Cronos disruption by international law enforcement and the May 2024 infrastructure breach that exposed its internal operations, the group continued operating through several iterations, including LockBit 5.0, released in September 2024 with cross-platform capabilities. Its leader, Dmitry Khoroshev (LockBitSupp), was sanctioned and indicted in May 2024, with a $10M bounty offered, but remains at large. The LockBit Black builder leaked in 2022 has enabled independent operators to deploy their own variants. Despite these law enforcement actions, LockBit has proven resilient and continues to target critical infrastructure, financial services, healthcare, and organizations worldwide using double extortion: data theft followed by encryption.

Motivations

Financial Gain, Extortion

Target Sectors

Healthcare, Government, Education, Financial Services, Manufacturing, Legal, Construction, Technology, Critical Infrastructure, Banking/Financial Services/Insurance (BFSI), South America Region, VMware ESXi Infrastructure, Virtualization Platforms, Retail, Legal Services

Activity Timeline

First Seen

Sep 2019

Last Seen

Jan 2024

Quick Facts

Origin: Russia
Sophistication: Expert
Status: Active

MITRE ATT&CK Techniques (32)

Initial Access

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

T1490

Inhibit System Recovery

Delete backups, shadow copies, or recovery partitions to prevent restoration.

T1489

Service Stop

Stop critical services to disrupt operations or aid in data destruction.

Other

T1562.001

Impair Defenses: Disable or Modify Tools

T1070.001

Indicator Removal: Clear Windows Event Logs

T1567.002

Exfiltration Over Web Service: Exfiltration to Cloud Storage

T1574.002

Hijack Execution Flow: DLL Side-Loading

T1218.011

System Binary Proxy Execution: Rundll32

T1027.013

Obfuscated Files or Information: Encrypted/Encoded File

T1204.002

User Execution: Malicious File

T1135

Network Share Discovery

T1016

System Network Configuration Discovery

T1049

System Network Connections Discovery

T1033

System Owner/User Discovery

T1007

System Service Discovery

T1112

Modify Registry

T1543.003

Create or Modify System Process: Windows Service

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

T1055

Process Injection

Inject code into running processes to evade defenses and elevate privileges.

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Discovery

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

T1082

System Information Discovery

Collect OS version, architecture, hostname, and other system details.

Persistence

T1136

Create Account

Create new accounts to maintain access to victim systems.

Tools & Malware (18)

LockBit Ransomware

Category: malware (Malicious)

Core RaaS ransomware supporting Windows, Linux, and VMware ESXi. Known for fast encryption using AES-256 + RSA-2048 and automatic propagation via SMB and Group Policy.

StealBit

Category: malware (Malicious)

Custom data exfiltration tool developed by LockBit operators. Rapidly extracts files to attacker infrastructure before encryption for double-extortion leverage.

Cobalt Strike

Category: framework (Legitimate)

The post-exploitation framework most commonly used by LockBit affiliates. Deployed after initial access for reconnaissance, lateral movement, and pre-encryption staging.

Brute Ratel

Category: framework (Legitimate)

Alternative C2 framework used by some LockBit affiliates to evade EDR detections that commonly flag Cobalt Strike. Supports syscall-level evasion.

Mimikatz

Category: framework (Legitimate)

Standard credential harvesting tool for extracting passwords, NTLM hashes, and Kerberos tickets to gain domain admin access before deploying ransomware.

AnyDesk

Category: legitimate tool (Legitimate)

Deployed widely by affiliates for persistent remote access. Installed on multiple endpoints to maintain access even if C2 beacons are detected and killed.

TeamViewer

Category: legitimate tool (Legitimate)

Alternative remote desktop tool used alongside AnyDesk for redundant persistent access to compromised networks.

Splashtop

Category: legitimate tool (Legitimate)

Remote access tool deployed by some LockBit affiliates as an additional persistent access mechanism, especially in managed service provider environments.

Advanced IP Scanner

Category: legitimate tool (Legitimate)

Network scanning tool used to map internal networks, identify domain controllers, backup servers, and high-value targets before ransomware deployment.

SoftPerfect Network Scanner

Category: legitimate tool (Legitimate)

Network discovery tool used by affiliates to enumerate network shares, identify live hosts, and map infrastructure for maximum encryption coverage.

BloodHound

Category: framework (Legitimate)

Active Directory reconnaissance tool that maps attack paths to domain admin. Affiliates use it to identify the shortest path from initial access to domain compromise.

AdFind

Category: legitimate tool (Legitimate)

AD query tool used for enumerating domain structure, group memberships, trust relationships, and identifying high-privilege accounts.

PsExec

Category: legitimate tool (Legitimate)

Sysinternals remote execution tool used for mass deployment of ransomware across domain-joined systems using compromised admin credentials.

LaZagne

Category: framework (Legitimate)

Open-source credential recovery tool that extracts passwords from browsers, email clients, WiFi configurations, and other local credential stores.

Rclone

Category: legitimate tool (Legitimate)

Cloud storage syncing tool abused for large-scale data exfiltration to attacker-controlled Mega.nz, Backblaze, or other cloud storage accounts.

PowerShell

Category: OS utility (Legitimate)

Used for disabling Windows Defender, deleting shadow copies, modifying Group Policy for ransomware deployment, and executing encoded payloads.

ProxyShell/ProxyLogon Exploits

Category: exploit kit (Malicious)

Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-26855) exploited by affiliates for initial access to enterprise networks.

PowerShell Empire

Category: backdoor (Malicious)

Post-exploitation framework used for maintaining access and lateral movement.

Indicators of Compromise (7)

IOC values are defanged for safety.

Type   | Value                                   | Notes
domain | lockbitapt[.]uz                         | LockBit leak site mirror domain
ip     | 185[.]215[.]113[.]39                    | LockBit affiliate C2 infrastructure
ip     | 193[.]162[.]143[.]218                   | StealBit data exfiltration server
hash   | 80e8defa5377018b093b5b90de0f2957        | LockBit 3.0 ransomware sample (MD5)
hash   | e3f236e4aeb73f8f8f0b8e0e3f1d5c73        | StealBit data exfiltration tool (MD5)
ip     | 166[.]62[.]100[.]62                     | Metasploit C2 IP used in the Apache ActiveMQ exploitation campaign, February 2024
hash   | Randomized 16-character file extensions | LockBit 5.0 uses randomized extensions instead of .lockbit to evade detection
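As an added example (not part of this profile or of DFIRLab's own tooling), the Python below ingests the defanged rows from the table above, refangs them, validates each value against its declared type, and flags the last row, whose "hash" type does not actually hold a hash. The `hxxp` handling is an assumption beyond the `[.]` convention the page uses.

```python
"""Normalise and validate the defanged IOC rows from the LockBit profile."""
import ipaddress
import re
from dataclasses import dataclass

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

# Rows copied from the page's IOC table: (declared type, defanged value, notes).
PAGE_IOCS = [
    ("domain", "lockbitapt[.]uz", "LockBit leak site mirror domain"),
    ("ip", "185[.]215[.]113[.]39", "LockBit affiliate C2 infrastructure"),
    ("ip", "193[.]162[.]143[.]218", "StealBit data exfiltration server"),
    ("hash", "80e8defa5377018b093b5b90de0f2957", "LockBit 3.0 sample (MD5)"),
    ("hash", "e3f236e4aeb73f8f8f0b8e0e3f1d5c73", "StealBit tool (MD5)"),
    ("ip", "166[.]62[.]100[.]62", "Metasploit C2, ActiveMQ campaign Feb 2024"),
    ("hash", "Randomized 16-character file extensions", "LockBit 5.0 extensions"),
]


@dataclass
class Ioc:
    kind: str
    value: str   # refanged and lower-cased
    notes: str
    valid: bool  # value is well-formed for its declared kind


def refang(value: str) -> str:
    """Undo the table's [.] defanging; hxxp handling is an added assumption."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip()


def validate(kind: str, value: str) -> bool:
    """Check that a refanged value matches the shape its declared type implies."""
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if kind == "domain":
        return bool(DOMAIN_RE.match(value))
    if kind == "hash":
        return bool(MD5_RE.match(value))
    return False


def normalise(rows):
    """Refang every row and mark rows whose value does not fit the declared type."""
    out = []
    for kind, raw, notes in rows:
        val = refang(raw).lower()
        out.append(Ioc(kind, val, notes, validate(kind, val)))
    return out
```

Rows with `valid == False` (here the behavioural note filed under "hash") should be kept as analyst context rather than pushed into a blocklist or hash-match rule.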

Infrastructure (3)

Domain values are defanged for safety.

Domain / Host         | Type   | Status  | Last Checked | Notes
lockbitapt[.]uz       | domain | offline | Apr 2, 2026  | LockBit leak site mirror domain
185[.]215[.]113[.]39  | ip     | offline | Apr 2, 2026  | LockBit affiliate C2 infrastructure
193[.]162[.]143[.]218 | ip     | offline | Apr 2, 2026  | StealBit data exfiltration server

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References (14)

CISA - Understanding Ransomware Threat Actors: LockBit

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a

NCA - Operation Cronos: International Disruption of LockBit

https://www.nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group

U.S. DOJ - Lockbit Leader Dmitry Khoroshev Unmasked and Sanctioned

https://www.justice.gov/opa/pr/us-and-uk-disrupt-lockbit-ransomware-variant

LockBit 5.0: Ransomware Gang Returns in Force - Check Point Research

https://blog.checkpoint.com/research/lockbit-returns-and-it-already-has-victims/

New LockBit 5.0 Targets Windows, Linux, ESXi - Trend Micro

https://www.trendmicro.com/en_us/research/25/i/lockbit-5-targets-windows-linux-esxi.html

LockBit Leak Provides Insight into RaaS Enterprise - TRM Labs

https://www.trmlabs.com/resources/blog/lockbit-leak-provides-insight-into-raas-enterprise

Apache ActiveMQ Exploit Leads to LockBit Ransomware - The DFIR Report

https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/

LockBit Ransomware Hacked, Insider Secrets Exposed - Help Net Security

https://www.helpnetsecurity.com/2025/05/09/lockbit-hacked-data-leaked/

Inside LockBit's Admin Panel Leak - Trellix

https://www.trellix.com/blogs/research/inside-the-lockbits-admin-panel-leak-affiliates-victims-and-millions-in-crypto/

Joint Technical Advisory on LockBit 3.0 and 4.0 - Singapore CSA

https://isomer-user-content.by.gov.sg/36/1f56c162-080e-4e49-a005-abf1fd9bd0e4/Joint%20Technical%20Advisory%20on%20LockBit%203.0%20and%204.0%20(2%20May%202025).pdf

Ransomware TTPs in Shifting Threat Landscape - Google Mandiant

https://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-shifting-threat-landscape/

LockBit 3.0: Inside the Ransomware-as-a-Service

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit

Operation Cronos: International action against LockBit

https://www.europol.europa.eu/media-press/newsroom/news/operation-cronos-law-enforcement-strikes-against-lockbit

U.S. Department of Justice - Russian National Charged in Connection with Lockbit Ransomware Attacks

https://www.justice.gov/opa/pr/russian-national-charged-connection-lockbit-ransomware-attacks