{ "id": "3a6abd40-bf30-419d-8ff6-e0b898a4d4f1", "created_at": "2026-04-06T00:12:47.184258Z", "updated_at": "2026-04-10T13:11:28.534224Z", "deleted_at": null, "sha1_hash": "2ca5bfcec3b3bad0899f1867f723a30b5f953f08", "title": "LockBit Gang - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 195929, "plain_text": "LockBit Gang - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:59:01 UTC\n APT group: LockBit Gang\nNames\nLockBit Gang (?)\nBitwise Spider (CrowdStrike)\nCountry [Unknown]\nMotivation Financial gain\nFirst seen 2019\nDescription\n(Bleeping Computer) LockBit ransomware takes as little as five minutes to deploy the\nencryption routine on target systems once it lands on the victim network.\nJoining the ransomware-as-a-service (RaaS) business in September 2019, LockBit is\natypical in that it’s driven by automated processes for quick spreading across the victim\nnetwork, identifying valuable systems and locking them up.\nLockBit attacks leave few traces for forensic analysis as the malware loads into the system\nmemory, with logs and supporting files removed upon execution.\nObserved\nSectors: Aviation, Defense, Energy, Financial, Healthcare, Transportation.\nCountries: Worlwide.\nTools used 3AM, CrackMapExec, EmpireProject, LockBit, Mimikatz, PsExec.\nOperations performed\nMay 2020\nLockBit ransomware self-spreads to quickly encrypt 225 systems\nAug 2020\nInterpol: Lockbit ransomware attacks affecting American SMBs\nSep 2020\nLockBit ransomware launches data leak site to double-extort victims\nDec 2020\nRansomware hits helicopter maker Kopter\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=1c9dfb2e-ae8a-43f1-8b60-bcf36d669edf\nPage 1 of 14\n\nApr 2021\nUK rail network Merseyrail likely hit by Lockbit ransomware\nJun 2021\nLockBit Resurfaces With Version 2.0 Ransomware Detections in Chile, Italy,\nTaiwan, UK\nAug 2021\nEnergy group ERG reports minor disruptions after ransomware attack\nAug 2021\nLockBit ransomware recruiting insiders to breach corporate networks\nAug 2021\nLockBit 2.0 ransomware incidents in Australia\nAug 2021\nAccenture confirms hack after LockBit ransomware data leak threats\nAug 2021\nLockBit Ransomware Wants to Hire Your Employees\nAug 2021\nBangkok Air confirms passenger PII leak after ransomware attack\nSep 2021\nLockBit 2.0: Ransomware Attacks Surge After Successful Affiliate\nRecruitment\nOct 2021\nLockBit 2.0 ransomware hit Israeli defense firm E.M.I.T. Aviation\nConsulting\nNov 2021\nBlackMatter ransomware moves victims to LockBit after shutdown\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=1c9dfb2e-ae8a-43f1-8b60-bcf36d669edf\nPage 2 of 14\n\nJan 2022\nInfamous ransomware group claims it hacked France’s Justice Ministry\nJan 2022\nLockBit ransomware gang claims PayBito crypto exchange as new victim\nFeb 2022\nBridgestone Americas confirms ransomware attack, LockBit leaks data\nFeb 2022\nRussia-Linked LockBit Gang Attacks an MSP and Two Manufacturers Using\nthe Targets' RMM Tools to Infect Downstream Customers and Employees\nwith Ransomware\nMar 2022\nRail giant Wabtec discloses data breach after Lockbit ransomware attack\nApr 2022\nRio de Janeiro finance department hit with LockBit ransomware\nApr 2022\nLockbit, Hive, and BlackCat attack automotive supplier in triple ransomware\nattack\nMay 2022\nLockBit 2.0 posted a notice to the dark web portal it uses to identify and\nextort its victims saying it had files from the Bulgarian State Agency for\nRefugees under the Council of Ministers.\nMay 2022\nCanadian fighter jet training company investigating ransomware attack\nMay 2022\nFoxconn confirms ransomware attack disrupted production in Mexico\nJun 2022 Mandiant: “No evidence” we were hacked by LockBit ransomware\n\nwe-were-hacked-by-lockbit-ransomware/\u003e\nJun 2022\nLockBit Ransomware Disguised as Copyright Claim E-mail Being\nDistributed\nJun 2022\nLockBit claims ransomware attack on security giant Entrust, leaks data\nJun 2022\nLockBit 3.0 introduces the first ransomware bug bounty program\nJul 2022\nFrench telecom company La Poste Mobile struggling to recover from\nransomware attack\nJul 2022\nRansomware gang now lets you search their stolen data\nJul 2022\nLockBit claims ransomware attack on Italian tax agency\nJul 2022\nThe prolific Lockbit ransomware gang appears to have claimed another two\nscalps in recent days: the Canadian town of St Marys and the Italian tax\nagency.\nAug 2022\nLockBit ransomware gang gets aggressive with triple-extortion tactic\nSep 2022\nLockBit updates leak site with post about Sud-Francilien hospital\nSep 2022\nVirginia County Confirms Personal Information Stolen in Ransomware\nAttack\nOct 2022 Microsoft Exchange servers hacked to deploy LockBit ransomware\n\nservers-hacked-to-deploy-lockbit-ransomware/\u003e\nOct 2022\nJapanese tech firm Oomiya hit by LockBit 3.0. Multiple supply chains\npotentially impacted\nOct 2022\nPendragon car dealer refuses $60 million LockBit ransomware demand\nNov 2022\nLockBit ransomware claims attack on Continental automotive giant\nNov 2022\nLockBit 3.0 gang claims to have stolen data from Kearney \u0026 Company\nNov 2022\nLockBit 3.0 Says It's Holding a Canadian City for Ransom\nNov 2022\nLockBit takes credit for November ransomware attack on Sacramento PBS\nstation\nDec 2022\nLockBit claims attack on California's Department of Finance\nDec 2022\nLockBit ransomware used in attack on Ohio town’s court, police department\nand more\nDec 2022\nPort of Lisbon website still down as LockBit gang claims cyberattack\nDec 2022\nLockBit 3.0 gives Sick Kids free decryptor, claims to ban partner who\nattacked them\nDec 2022\nLos Angeles’ Housing Authority hit by LockBit\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=1c9dfb2e-ae8a-43f1-8b60-bcf36d669edf\nPage 5 of 14\n\nJan 2023\nLockBit ransomware gang claims Royal Mail cyberattack\nJan 2023\nLockBit ransomware goes 'Green,' uses new Conti-based encryptor\nFeb 2023\nLockBit gang takes credit for attack on water utility in Portugal\nFeb 2023\nWashington state public bus system confirms ransomware attack\nFeb 2023\nLockBit ransomware gang now also claims City of Oakland breach\nFeb 2023\nLockBit Green and phishing that targets organizations\nMar 2023\nLockBit brags: We'll leak thousands of SpaceX blueprints stolen from\nsupplier\nMar 2023\nLockBit ransomware claims Essendant attack, company says “network\noutage”\nMar 2023\nData stolen from Florida sheriff’s office leaked by LockBit ransomware\ngroup\nMar 2023\nLockBit leaks data stolen from the South Korean National Tax Service\nApr 2023\nDarktrace: Investigation found no evidence of LockBit breach\nApr 2023\nLockBit ransomware encryptors found targeting Mac devices\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=1c9dfb2e-ae8a-43f1-8b60-bcf36d669edf\nPage 6 of 14\n\nApr 2023\nMicrosoft: Clop and LockBit ransomware behind PaperCut server hacks\nApr 2023\nLockBit 3.0 Leaks 600 GBs of Data Stolen From Indian Lender\nApr 2023\nRoyal Dutch Football Association says hackers stole employee data\nMay 2023\nLockBit Leaks 1.5TB of Data Stolen From Indonesia's BSI Bank\nMay 2023\nKyocera AVX says ransomware attack impacted 39,000 individuals\nJun 2023\nZipper giant YKK confirms cyberattack targeted U.S. networks\nJun 2023\nTSMC denies LockBit hack as ransomware gang demands $70 million\nJul 2023\nWisconsin county dealing with ‘catastrophic software failure’; California city\ndeclares ransomware emergency\nJul 2023\nRussia-linked cybercriminals target school for children with learning\ndifficulties\nAug 2023\nThe LockBit ransomware group threatens to leak medical data of cancer\npatients stolen from Varian Medical Systems\nAug 2023\nSensitive Data about UK Military Sites Potentially Leaked by LockBit\nAug 2023 California city investigating data theft after ransomware group’s claims\n\nlockbit\u003e\nAug 2023\nSiemens Healthineers responds to alleged data theft by LockBit ransomware\ngang\nAug 2023\nSpain warns of LockBit Locker ransomware phishing attacks\nAug 2023\nMontreal electricity organization latest victim in LockBit ransomware spree\nAug 2023\nThe LockBit ransomware gang claims to have breached the Commission des\nservices electriques de Montréal (CSEM)\nAug 2023\nUnder Siege: Rapid7-Observed Exploitation of Cisco ASA SSL VPNs\nSep 2023\nCDW data to be leaked next week after negotiations with LockBit break\ndown\nSep 2023\nAlleged LockBit attack shuts down city networks in Seville\nSep 2023\nVirginia school district open despite LockBit ransomware attack\nSep 2023\n3AM: New Ransomware Family Used As Fallback in Failed LockBit Attack\nSep 2023\nUpstate New York nonprofit hospitals still facing issues after LockBit\nransomware attack\nOct 2023\nFreight giant Estes refuses to deliver ransom, says personal data opened and\nstolen\nOct 2023 Boeing confirms cyberattack amid LockBit ransomware claims\n\ncyberattack-amid-lockbit-ransomware-claims/\u003e\nOct 2023\nCalifornia community college Río Hondo dealing with cybersecurity incident\nNov 2023\nIndustrial and Commercial Bank of China dealing with LockBit ransomware\nattack\nNov 2023\nEgyptian E-Payment Vendor Recovering From LockBit Ransomware Attack\nNov 2023\nLockBit ransomware group assemble strike team to breach banks, law firms\nand governments\nNov 2023\nCanadian government discloses data breach after contractor hacks\nNov 2023\nCapital Health attack claimed by LockBit ransomware, risk of data leak\nNov 2023\nInfosys McCamish says LockBit stole data of 6 million people\nDec 2023\nShoe retailer Aldo says LockBit posting is related to system at franchise\npartner\nDec 2023\nLockBit ransomware now poaching BlackCat, NoEscape affiliates\nDec 2023\nThe ransomware attack on Westpole is disrupting digital services for Italian\npublic administration\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=1c9dfb2e-ae8a-43f1-8b60-bcf36d669edf\nPage 9 of 14\n\nDec 2023\nLockBit ransomware gang claims to have breached accountancy firm\nXeinadin\nDec 2023\nLockbit ransomware disrupts emergency care at German hospitals\nDec 2023\nDecember cyberattack on Chicago community hospital claimed by LockBit\ngang\nJan 2024\nTaiwanese semiconductor company hit by ransomware attack\nJan 2024\nLockBit Ransomware Distributed via Word Files Disguised as Resumes\nJan 2024\nSubway Puts a LockBit Investigation on the Menu\nJan 2024\nCalifornia union confirms ransomware attack following LockBit claims\nJan 2024\nLockBit Attempts to Stay Afloat With a New Version\nFeb 2024\nLockBit claims ransomware attack on Fulton County, Georgia\nFeb 2024\nJacksonville Beach and other US municipalities report data breaches\nfollowing cyberattacks\nFeb 2024\nLockBit takes credit for February shutdown of South African pension fund\nFeb 2024 LockBit ransomware returns, restores servers after police disruption\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=1c9dfb2e-ae8a-43f1-8b60-bcf36d669edf\nPage 10 of 14\n\nMar 2024\nRansomware Talent Surges to Akira After LockBit's Demise\nMar 2024\nPharmaceutical development company investigating cyberattack after\nLockBit posting\nApr 2024\nDC city agency says LockBit claims tied to third-party attack\nApr 2024\nFrench hospital CHC-SV refuses to pay LockBit extortion demand\nApr 2024\nLockBit says they stole data in London Drugs ransomware attack\nMay 2024\nCity of Wichita breach claimed by LockBit ransomware gang\nMay 2024\nNew LockBit Black Campaign Observed\nJun 2024\nLockBit lied: Stolen data is from a bank, not US Federal Reserve\nJun 2024\nToronto school board confirms students’ info stolen as LockBit claims breach\nJul 2024\nLockBit group claims the hack of the Fairfield Memorial Hospital in the US\nDec 2024\nSiberia's largest dairy plant reportedly disrupted with LockBit variant\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=1c9dfb2e-ae8a-43f1-8b60-bcf36d669edf\nPage 11 of 14\n\nFeb 2025\nLockBit taunts FBI Director Kash Patel with alleged “Classified” leak threat\nApr 2025\nPhysicians’ billing and revenue management firm hit by LockBit\nCounter operations\nAug 2022\nLockBit ransomware blames Entrust for DDoS attacks on leak sites\nSep 2022\nLockBit ransomware builder leaked online by “angry developer”\nNov 2022\nMan Charged for Participation in LockBit Global Ransomware Campaign\nJun 2023\nSuspected LockBit ransomware affiliate arrested, charged in US\nAug 2023\nLockbit leak, research opportunities on tools leaked from TAs\nDec 2023\nAlleged LockBit operator to face new cybercrime charges in Canada\nFeb 2024\nOperation “Cronos”\nLaw enforcement disrupt world’s biggest ransomware operation\nFeb 2024\nUS offers $15 million bounty for info on LockBit ransomware gang\nMar 2024\nLockBit ransomware affiliate gets four years in jail, to pay $860k\nMay 2024\nLockBit's seized darknet site resurrected by police, teasing new revelations\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=1c9dfb2e-ae8a-43f1-8b60-bcf36d669edf\nPage 12 of 14\n\nMay 2024\nLockBit leader unmasked and sanctioned\nJun 2024\nPolice arrest Conti and LockBit ransomware crypter specialist\nJul 2024\nTwo Foreign Nationals Plead Guilty to Participation in LockBit Ransomware\nGroup\nOct 2024\nLockBit power cut: four new arrests and financial sanctions against affiliates\nDec 2024\nUS seeks extradition of alleged LockBit ransomware developer from Israel\nMay 2025\nLockBit ransomware gang hacked, victim negotiations exposed\nInformation https://apt.etda.or.th/cgi-bin/showcard.cgi?u=1c9dfb2e-ae8a-43f1-8b60-bcf36d669edf\nPage 13 of 14\n\nLast change to this card: 30 June 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=1c9dfb2e-ae8a-43f1-8b60-bcf36d669edf\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=1c9dfb2e-ae8a-43f1-8b60-bcf36d669edf\nPage 14 of 14", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=1c9dfb2e-ae8a-43f1-8b60-bcf36d669edf" ], "report_names": [ "showcard.cgi?u=1c9dfb2e-ae8a-43f1-8b60-bcf36d669edf" ], "threat_actors": [ { "id": "8c8fea8c-c957-4618-99ee-1e188f073a0e", "created_at": "2024-02-02T02:00:04.086766Z", "updated_at": "2026-04-10T02:00:03.563647Z", "deleted_at": null, "main_name": "Storm-1567", "aliases": [ "Akira", "PUNK SPIDER", "GOLD SAHARA" ], "source_name": "MISPGALAXY:Storm-1567", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5", "created_at": "2022-10-25T16:07:23.797925Z", "updated_at": "2026-04-10T02:00:04.752608Z", "deleted_at": null, "main_name": "LockBit Gang", "aliases": [ "Bitwise Spider", "Operation Cronos" ], "source_name": "ETDA:LockBit Gang", "tools": [ "3AM", "ABCD Ransomware", "CrackMapExec", "EmPyre", "EmpireProject", "LockBit", "LockBit Black", "Mimikatz", "PowerShell Empire", "PsExec", "Syrphid" ], "source_id": "ETDA", "reports": null }, { "id": "3940f08b-39aa-492c-8699-86bfe515fa70", "created_at": "2023-01-06T13:46:39.470535Z", "updated_at": "2026-04-10T02:00:03.339964Z", "deleted_at": null, "main_name": "BITWISE SPIDER", "aliases": [], "source_name": "MISPGALAXY:BITWISE SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84", "created_at": "2024-04-24T02:00:49.516358Z", "updated_at": "2026-04-10T02:00:05.309426Z", "deleted_at": null, "main_name": "Akira", "aliases": [ "Akira", "GOLD SAHARA", "PUNK SPIDER", "Howling Scorpius" ], "source_name": "MITRE:Akira", "tools": [ "Mimikatz", "PsExec", "AdFind", "Akira _v2", "Akira", "Megazord", "LaZagne", "Rclone" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434367, "ts_updated_at": 1775826688, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/2ca5bfcec3b3bad0899f1867f723a30b5f953f08.pdf", "text": "https://archive.orkl.eu/2ca5bfcec3b3bad0899f1867f723a30b5f953f08.txt", "img": "https://archive.orkl.eu/2ca5bfcec3b3bad0899f1867f723a30b5f953f08.jpg" } }