{
	"id": "90778dbe-7976-4c51-8cf1-dee70ca54f05",
	"created_at": "2026-04-06T00:21:38.0257Z",
	"updated_at": "2026-04-10T03:32:24.810521Z",
	"deleted_at": null,
	"sha1_hash": "af47f382755d25996541f7562f280705eb3f9944",
	"title": "The Prolificacy of LockBit Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 753914,
	"plain_text": "The Prolificacy of LockBit Ransomware\r\nBy The Hacker News\r\nPublished: 2023-03-14 · Archived: 2026-04-05 22:31:03 UTC\r\nToday, the LockBit ransomware is the most active and successful cybercrime organization in the world. Attributed\r\nto a Russian Threat Actor, LockBit has stepped out from the shadows of the Conti ransomware group, who were\r\ndisbanded in early 2022.\r\nLockBit ransomware was first discovered in September 2019 and was previously known as ABCD ransomware\r\nbecause of the \".abcd virus\" extension first observed. LockBit operates as a Ransomware-as-a-service (RaaS)\r\nmodel. In short, this means that affiliates make a deposit to use the tool, then split the ransom payment with the\r\nLockBit group. It has been reported that some affiliates are receiving a share as high of 75%. LockBit's operators\r\nhave posted advertisements for their affiliate program on Russian-language criminal forums stating they will not\r\noperate in Russia or any CIS countries, nor will they work with English-speaking developers unless a Russian-speaking \"guarantor\" vouches for them. \r\nInitial attack vectors of LockBit include social engineering, such as phishing, spear phishing, and business email\r\ncompromise (BEC), exploiting public-facing applications, hiring initial access brokers\" (IABs), and using stolen\r\ncredentials to access valid accounts, such as remote desktop protocol (RDP), as well as brute-force cracking\r\nattacks.\r\nDuring last year's Global Threat Forecast webinar, hosted by SecurityHQ, we identified LockBit as a significant\r\nthreat and highlighted them as a Threat Actor to pay close attention to during 2022. \r\nhttps://thehackernews.com/2023/03/the-prolificacy-of-lockbit-ransomware.html\r\nPage 1 of 4\n\nLockBit Targets\r\nLockBit has typically focused attacks on government entities and enterprises in a variety of sectors, such as\r\nhealthcare, financial services, and industrial goods and services. 
The ransomware has been observed targeting\r\ncountries globally, including the US, China, India, Indonesia, Ukraine, France, the UK, and Germany. \r\nAnother interesting feature of LockBit is that it is programmed so that it cannot be used in attacks against\r\nRussia or CIS countries (Commonwealth of Independent States). This is likely a precautionary measure taken by\r\nthe group to avoid any potential backlash from the Russian government.\r\nThe map below shows the locations targeted by LockBit. \r\nFigure 1 - SecurityHQ Analysis of LockBit Victims Per Geography\r\nA Busy Year for LockBit\r\nThrough analysis of leak site data, we were able to get a true picture of how many successful attacks LockBit had\r\nmade. In 2022, the group published more successful attacks than any other ransomware group. We have mapped\r\nthe activity of LockBit throughout the year against other well-known ransomware groups. You can see the decline\r\nof Conti as the group started to shut down operations. It is now reported, however, that members of the once\r\nprolific Conti ransomware group are operating within the BlackBasta, BlackByte and Karakurt ransomware\r\ngroups.\r\nThe graph below demonstrates how active LockBit were during 2022, compared to other ransomware groups. \r\nOne of the unique features of LockBit is their bug bounty program for their ransomware builders and compilers.\r\nThe group offers a $1 million reward for anyone who can dox (publicly reveal the identities of) their owners. This\r\nis a significant sum, and it shows how serious LockBit is about maintaining their anonymity.\r\nRecently, the group has been linked to an attack on Royal Mail in the UK. However, LockBit has denied any\r\ninvolvement in the attack, stating that it was carried out by an affiliate. 
This is not uncommon for ransomware\r\ngroups, as they often use affiliates to carry out attacks in order to distance themselves from the consequences.\r\nOverall, the LockBit ransomware group is a formidable and sophisticated cybercrime organization that poses a\r\nsignificant threat to businesses and organizations around the world. With a well-established ransomware-as-a-service model, a bug bounty program, and a willingness to reward those who reveal their identities, LockBit is a\r\nforce to be reckoned with in the threat landscape.\r\nWhat is RaaS?\r\nRansomware-as-a-service (RaaS) has gained popularity in recent years. RaaS refers to a type of business model\r\nwhere ransomware operators provide the malware and tools to other individuals or organised crime groups to\r\ncarry out ransomware attacks, in exchange for a share of the ransom payment. This allows even less technically\r\nskilled individuals to participate in ransomware attacks, increasing the number of attacks and making it more\r\ndifficult to track and apprehend the attackers. \r\nWhat to Do Next\r\nTo enhance your security posture, it is recommended that businesses take the following steps: \r\n1. Ensure Managed Detection and Response (MDR) is used to understand malicious or anomalous activity,\r\nanalyse, prioritise, and respond to threats in rapid time, and safeguard your data, people and processes.\r\n2. Ensure that employees are trained and educated on the latest cyber security threats, so that they know how\r\nto spot an attack, and respond to it in the right way. \r\nTo listen to SecurityHQ experts discuss some of the greatest threats seen throughout 2022, discuss the\r\nconsequences of a breach, with predictions for 2023, and how to mitigate against upcoming cyber security threats,\r\ndownload the webinar recording 'Global Threat Landscape 2023 Forecast'. 
\r\nNote: This article is by Aaron Hambleton, Director for Middle East \u0026 Africa at SecurityHQ. With over 11 years of\r\nexperience across various sectors like Financial Services, Retail, Insurance, Government, and\r\nTelecommunications, Aaron is a certified GCDA and has expertise in incident response, threat hunting,\r\nvulnerability management, cyber security operations, threat intelligence, and consultancy.\r\nThis article is a contributed piece from one of our valued partners.\r\nSource: https://thehackernews.com/2023/03/the-prolificacy-of-lockbit-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2023/03/the-prolificacy-of-lockbit-ransomware.html"
	],
	"report_names": [
		"the-prolificacy-of-lockbit-ransomware.html"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434898,
	"ts_updated_at": 1775791944,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af47f382755d25996541f7562f280705eb3f9944.pdf",
		"text": "https://archive.orkl.eu/af47f382755d25996541f7562f280705eb3f9944.txt",
		"img": "https://archive.orkl.eu/af47f382755d25996541f7562f280705eb3f9944.jpg"
	}
}