{
	"id": "c950f211-85dd-4d57-be77-28f29d621e9a",
	"created_at": "2026-04-06T00:22:23.548154Z",
	"updated_at": "2026-04-10T03:26:47.060058Z",
	"deleted_at": null,
	"sha1_hash": "3a63f899fb2b7f7e9ca2df3b69f9f36eb600ece2",
	"title": "The Rising Threat from LockBit Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 609326,
	"plain_text": "The Rising Threat from LockBit Ransomware\r\nBy Tony Bradley\r\nArchived: 2026-04-05 12:52:59 UTC\r\nLockBit ransomware is the latest threat posing an increased risk for organizations. The ransomware gang has been\r\nmaking headlines recently. LockBit has also reportedly compromised Accenture.\r\nThe group reportedly revealed the attack on their site on the DarkWeb, noting: “These people are beyond privacy\r\nand security. I really hope that their services are better than what I saw as an insider. If you are interested in\r\nbuying some databases, reach us.”\r\nScreenshot from Lockbit site\r\nWhat Is LockBit?\r\nLockBit is a cybercriminal gang that operates using a ransomware-as-a-service (RaaS) model—similar to\r\nDarkSide and REvil. LockBit offers its ransomware platform for other entities or individuals to use based on an\r\naffiliate model. Any ransom payments received from using LockBit are divided between the customer directing\r\nthe attack and the LockBit gang.\r\nLockBit is believed to be related to the LockerGoga and MegaCortex malware families. It shares common tactics,\r\ntechniques, and procedures (TTPs) with these malicious attacks—particularly the ability to propagate\r\nautomatically to new targets, being used in targeted attacks rather than just spamming or attacking organizations\r\nindiscriminately, and the underlying tools it relies on, such as Windows PowerShell and Server Message Block\r\n(SMB).\r\nScreenshot from Lockbit site\r\nOnce a single host is compromised, LockBit can scan the network to locate and infect other accessible devices. It\r\nuses tools and protocols that are native to Windows systems—making it more difficult for endpoint security tools\r\nto detect or identify the activity as malicious.\r\nThe LockBit ransomware continues to adapt and evolve. 
More recent variants have adopted the double extortion\r\nmodel—locating and exfiltrating valuable data before encrypting systems. The stolen data provides additional\r\nincentive for victims to pay the ransom. Even if they can restore data from backups, refusing to pay the ransom\r\nmay result in sensitive data being published publicly or sold to competitors.\r\nRising Threat\r\nThe LockBit gang has been making headlines recently. In the wake of DarkSide and REvil both shutting down\r\noperations, it seems like LockBit may be working to fill the void.\r\nLawrence Abrams recently reported that the LockBit ransomware gang is actively recruiting insiders to help them\r\nbreach and encrypt networks. According to Abrams, this may be a shift from the standard ransomware-as-a-service model to cut out the middleman and keep more of the ransom profit for themselves.\r\nThe wallpaper displayed on compromised systems now includes text inviting insiders to help compromise systems\r\n—promising payouts of millions of dollars.\r\nProtecting against LockBit Ransomware\r\nThere is no good option for an organization once a ransomware attack has compromised systems and encrypted\r\ndata. That is especially true in the case of a double extortion attack. Refusing to pay the ransom means going\r\nthrough a painful process of restoring data from backups and trying to regain control and functionality of your\r\nsystems while also accepting that your data will likely be exposed.\r\nPaying the ransom may allow the victim to be operational quicker and prevent having data published or sold, but\r\nresearch shows that 80% of companies that pay a ransom end up getting attacked again.\r\nIt is important to have effective protection in place to prevent the ransomware attack from getting that far in the\r\nfirst place. Organizations need to have an operation-centric view of the attack. 
The ability to view the entire\r\nmalicious operation—or MalOp—and recognize indicators of behavior enables Cybereason to detect and block\r\nransomware attacks and protect against threats like LockBit.\r\nDefending Against Ransomware Attacks\r\nThe only way forward for organizations is to prevent an infection from occurring in the first place. To do that, they\r\nneed to invest in an anti-ransomware solution that doesn’t rely on Indicators of Compromise (IOCs), as not every\r\nransomware attack chain is known to the security community. They need a multi-layered platform that uses\r\nIndicators of Behavior (IOBs) so that security teams can detect and shut down a ransomware attack chain\r\nregardless of whether anyone’s seen it before.\r\nThe Cybereason Operation-Centric approach means no data filtering and the ability to detect attacks earlier based\r\non rare or advantageous chains of (otherwise normal) behaviors. Cybereason is undefeated in the battle against\r\nransomware thanks to our multi-layered prevention, detection and response, which includes:\r\nAnti-ransomware prevention and deception: Cybereason uses a combination of behavioral\r\ndetections and proprietary deception techniques to surface the most complex ransomware threats and\r\nend the attack before any critical data can be encrypted.\r\nIntelligence-Based Antivirus: Cybereason blocks known ransomware variants leveraging an ever-growing pool of threat intelligence based on previously detected attacks.\r\nNGAV: Cybereason NGAV is powered by machine learning and recognizes malicious components\r\nin code to block unknown ransomware variants prior to execution.\r\nFileless Ransomware Protection: Cybereason disrupts attacks utilizing fileless and MBR-based\r\nransomware that traditional antivirus tools miss.\r\nEndpoint Controls: Cybereason hardens endpoints against attacks by managing security policies,\r\nmaintaining device controls, implementing personal firewalls and enforcing whole-disk 
encryption\r\nacross a range of device types, both fixed and mobile.\r\nBehavioral Document Protection: Cybereason detects and blocks ransomware hidden in the most\r\ncommon business document formats, including those that leverage malicious macros and other\r\nstealthy attack vectors.\r\nCybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to\r\neverywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo\r\ntoday to learn how your organization can benefit from an operation-centric approach to security.\r\nAbout the Author\r\nTony Bradley\r\nTony Bradley has a passion for technology and gadgets, and a desire to help others understand how technology\r\ncan affect or improve their lives. In addition to writing and editing for Cybereason’s Malicious Life, Tony is a\r\nregular contributor to Forbes, DevOps.com, and ContainerJournal. He is an experienced information security\r\nprofessional, speaker, author / co-author of 10 books and thousands of web and print articles. He was awarded the\r\nMicrosoft MVP (Most Valuable Professional) award for 11 consecutive years, and has been a CISSP (Certified\r\nInformation Systems Security Professional) since 2002.\r\nSource: https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/rising-threat-from-lockbit-ransomware"
	],
	"report_names": [
		"rising-threat-from-lockbit-ransomware"
	],
	"threat_actors": [
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434943,
	"ts_updated_at": 1775791607,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a63f899fb2b7f7e9ca2df3b69f9f36eb600ece2.pdf",
		"text": "https://archive.orkl.eu/3a63f899fb2b7f7e9ca2df3b69f9f36eb600ece2.txt",
		"img": "https://archive.orkl.eu/3a63f899fb2b7f7e9ca2df3b69f9f36eb600ece2.jpg"
	}
}