{
	"id": "88d60013-7457-4640-8faa-3422b0eb63bc",
	"created_at": "2026-04-06T01:29:45.621387Z",
	"updated_at": "2026-04-10T03:33:15.624732Z",
	"deleted_at": null,
	"sha1_hash": "c488c73e4cce4cd37dfbb0cf325d23e979ecd997",
	"title": "LockBit explained: How it has become the most popular ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58778,
	"plain_text": "LockBit explained: How it has become the most popular\r\nransomware\r\nBy Lucian Constantin\r\nPublished: 2022-07-05 · Archived: 2026-04-06 00:40:55 UTC\r\nLockBit is one of the most prominent ransomware-as-a-service (RaaS) operations that has targeted organizations\r\nover the past several years. Since its launch in 2019, LockBit has constantly evolved, seeing unprecedented\r\ngrowth recently driven by other ransomware gangs disbanding.\r\nThe LockBit creators sell access to the ransomware program and its infrastructure to third-party cybercriminals\r\nknown as affiliates who break into networks and deploy it on systems for a cut of up to 75% of the money paid by\r\nvictims in ransoms. Like most similar RaaS gangs, LockBit engages in double extortion tactics where its affiliates\r\nalso exfiltrate data out of victim organizations and threaten to publish it online.\r\nAccording to a report by ransomware incident response firm Coveware, LockBit accounted for 15% of\r\nransomware attacks the company saw during the first quarter of 2022, second only to Conti with 16%. 
In a more\r\nrecent report, cybersecurity firm NCC Group reported that LockBit was responsible for 40% of the ransomware\r\nattacks the company saw in May, followed by Conti.\r\nWhile the number of ransomware incidents has been decreasing overall in recent months, the percent that LockBit\r\naccounts for is likely to increase, partly because the Conti operation is believed to have shut down or splintered\r\ninto smaller groups and because LockBit is trying to attract more affiliates claiming to offer better conditions than\r\ncompetitors.\r\nHow LockBit has evolved\r\nThis ransomware threat was originally known as ABCD after the file extension .abcd that it left on encrypted files.\r\nThe RaaS affiliate program was launched in early 2020 and the data leak site and addition of data leak extortion\r\nwas announced later that year.\r\nLockBit remained a relatively small player during its first year of operation with other high-profile gangs being\r\nmore successful and in the spotlight—Ryuk, REvil, Maze and others. The LockBit ransomware started to gain\r\nmore traction in the second half of 2021 with the launch of LockBit 2.0 and after some of the other gangs shut\r\ndown their operations after attracting too much heat.\r\nLockBit 2.0 was “the most impactful and widely deployed ransomware variant we have observed in all\r\nransomware breaches during the first quarter of 2022, considering both leak site data and data from cases handled\r\nby Unit 42 incident responders,” researchers from Palo Alto Networks’ Unit 42 said in a report. 
The LockBit 2.0\r\nsite that the gang uses to publish data from organizations whose networks they breached lists 850 victims, but the\r\ngang claims it has ransomed over 12,125 organizations so far.\r\nhttps://www.csoonline.com/article/3665871/lockbit-explained-how-it-has-become-the-most-popular-ransomware.html\r\nPage 1 of 4\n\nThe group also claims that the LockBit 2.0 ransomware has the fastest encryption routine, which is only partially\r\ntrue according to tests by researchers from Splunk. LockBit 1.0 and a ransomware program known as\r\nPwndLocker seem to be faster than LockBit 2.0, but the encryption routine is still very fast partly because these\r\nthreats perform partial encryption. LockBit 2.0, for example, encrypts only the first 4KB of each file, which is\r\nenough to render them unreadable and unusable while also allowing the attack to complete very fast before\r\nincident responders have time to shut down systems and isolate them from the network.\r\nHow does LockBit select and target victims?\r\nSince many affiliates distribute LockBit, the access vectors they use are varied: from spear-phishing emails with\r\nmalicious attachments to exploiting vulnerabilities in publicly facing applications and using stolen VPN and RDP\r\ncredentials. The LockBit affiliates are known to also buy access from other parties.\r\nAccording to a 2021 public interview with an alleged LockBit gang member, the group has a policy against\r\ntargeting organizations operating in the healthcare, education, charity and social services sectors. However,\r\nLockBit affiliates haven’t followed these guidelines in some cases and attacked organizations from healthcare and\r\neducation, the Palo Alto researchers warned.\r\nBased on data from LockBit’s data leak site, almost half of the victim organizations were from the U.S., followed\r\nby Italy, Germany, Canada, France and the UK. 
The focus on North American and European organizations is due\r\nto higher prevalence of cyber insurance in these regions as well as higher revenues, the LockBit gang member said\r\nin the old interview. The most impacted industry verticals have been professional and legal services, construction,\r\nfederal government, real estate, retail, high tech, and manufacturing. The malware also contains code that prevents\r\nits execution on systems with Eastern European language settings.\r\nIt’s also worth noting that the LockBit gang has developed a separate malware program called StealBit that can be\r\nused to automate the exfiltration of data. This tool uploads the data directly to LockBit’s servers instead of using\r\npublic file hosting services that could delete the data following complaints from victims. The gang has also\r\ndeveloped a tool called the LockBit Linux-ESXi Locker to encrypt Linux servers and VMware ESXi virtual\r\nmachines.\r\nThe amount of time that LockBit attackers spend inside a network before deploying the ransomware has decreased\r\nover time from around 70 days in Q4 2021 to 35 days in Q1 2022 and less than 20 days in Q2 2022. This means\r\norganizations have less time to detect the network intrusions in their early stages and stop the ransomware from\r\nbeing deployed. The willingness of the attackers to negotiate and lower the ransom amount has also decreased\r\naccording to Palo Alto Networks. Last year, the attackers were willing to drop the ransom amount by over 80\r\npercent, while now victims can only expect a 30 percent price drop on average.\r\nHow does LockBit perform lateral movement and payload execution?\r\nAfter obtaining initial access to networks, LockBit affiliates deploy various tools to expand their access to other\r\nsystems. 
These tools involve credential dumpers like Mimikatz; privilege escalation tools like ProxyShell; tools\r\nused to disable security products and various processes such as GMER, PC Hunter and Process Hacker; network\r\nand port scanners to identify Active Directory domain controllers; and remote execution tools like PsExec or Cobalt\r\nStrike for lateral movement. The activity also involves the use of obfuscated PowerShell and batch scripts and\r\nrogue scheduled tasks for persistence.\r\nOnce deployed, the LockBit ransomware can also spread to other systems via SMB connections using collected\r\ncredentials as well as by using Active Directory group policies. When executed, the ransomware will disable\r\nWindows volume shadow copies and will delete various system and security logs.\r\nThe malware then collects system information such as hostname, domain information, local drive configuration,\r\nremote shares and mounted storage devices, then will start encrypting all data on the local and remote devices it\r\ncan access. However, it skips files that would prevent the system from functioning. At the end it drops a ransom\r\nnote by changing the user’s desktop wallpaper with information on how to contact the attackers.\r\nThe file encryption routine uses AES with a locally generated key that’s further encrypted using an RSA\r\npublic key. The malware only encrypts the first 4KB of each file and appends the “.lockbit” extension to them.\r\nThe FBI issued a public alert about LockBit in February that contains indicators of compromise taken from\r\nincidents investigated in the field, as well as recommendations for organizations.\r\nLockBit 3.0 and its bug bounty program\r\nIn June, the LockBit creators announced version 3.0 of their affiliate program and malware after reportedly having\r\nit in beta testing for two months. 
The gang also launched a bug bounty program that offers between $1,000 and $1\r\nmillion for vulnerabilities in both the ransomware program and the gang’s infrastructure, such as its Tor-hosted\r\nwebsite, secure messenger and more.\r\nThe gang even went as far as to launch a $1 million challenge to anyone who manages to find out the identity of\r\nthe person running its affiliate program, essentially asking for its highest-ranking member to be doxxed. This is\r\nnot the first time LockBit has engaged in unusual practices. Its ransom notes include financial offers to insiders\r\nwho can provide access to networks and organizations, and its bug bounty program also offers rewards for ideas on\r\nhow to improve the ransomware operation, software and infrastructure that the gang hasn’t yet considered.\r\nWhile the technical changes to LockBit 3.0 itself, the screenshots shared by LockBit suggest that the Zcash\r\ncryptocurrency will be accepted for ransom payments along with Bitcoin and Monero in the new version. The\r\naddition of Zcash could be an attempt to make payments harder to trace.\r\nAccording to the Palo Alto researchers, the addition of the bug bounty program might have been driven by\r\nresearchers finding a bug in LockBit 2.0 that allowed reversion of the encryption process on MSSQL databases.\r\nIn early June, cybersecurity firm Mandiant released a report connecting some LockBit intrusions to a threat actor\r\ntracked as UNC2165 that used the Hades ransomware in the past and has significant activity overlaps with Evil\r\nCorp, a notorious cybercriminal group that’s on the Treasury Department’s list of sanctioned entities. 
Evil Corp is\r\nresponsible for the creation of the Dridex botnet, the WastedLocker ransomware and other threats in the past and\r\nsending ransom payments to cybercriminals associated with it is in violation of the sanctions.\r\n“The adoption of an existing ransomware is a natural evolution for UNC2165 to attempt to obscure their\r\naffiliation with Evil Corp,” the Mandiant researchers said. “Both the prominence of LockBit in recent years and its\r\nsuccessful use by several different threat clusters likely made the ransomware an attractive choice. Using this\r\nRaaS would allow UNC2165 to blend in with other affiliates, requiring visibility into earlier stages of the attack\r\nlifecycle to properly attribute the activity, compared to prior operations that may have been attributable based on\r\nthe use of an exclusive ransomware.”\r\nThe LockBit gang later dismissed these connections as false and released a statement saying it has nothing to do\r\nwith Evil Corp and its alleged leader Maxim Yakubets, who is on the FBI’s Cyber’s Most Wanted list.\r\nSource: https://www.csoonline.com/article/3665871/lockbit-explained-how-it-has-become-the-most-popular-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.csoonline.com/article/3665871/lockbit-explained-how-it-has-become-the-most-popular-ransomware.html"
	],
	"report_names": [
		"lockbit-explained-how-it-has-become-the-most-popular-ransomware.html"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438985,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c488c73e4cce4cd37dfbb0cf325d23e979ecd997.pdf",
		"text": "https://archive.orkl.eu/c488c73e4cce4cd37dfbb0cf325d23e979ecd997.txt",
		"img": "https://archive.orkl.eu/c488c73e4cce4cd37dfbb0cf325d23e979ecd997.jpg"
	}
}