blacktemple.net · Cybersecurity News & Analysis · github: defconxt · © 2026

LockBit

Also known as: LockBit 2.0 · LockBit 3.0 · LockBit Black · LockBit Green · Bitwise Spider

ransomware
Nation
🇷🇺 Russia
Active Since
2019
Targets
Healthcare · Manufacturing · Financial Services · Government · Technology · Education · Critical Infrastructure
Known Tools
LockBit Ransomware · StealBit · Cobalt Strike · Mimikatz · PsExec · AdFind · Plink
MITRE ATT&CK
T1190 (Exploit Public-Facing Application) · T1133 (External Remote Services) · T1078 (Valid Accounts) · T1059.001 (PowerShell) · T1486 (Data Encrypted for Impact) · T1490 (Inhibit System Recovery) · T1048 (Exfiltration Over Alternative Protocol) · T1021.002 (SMB/Windows Admin Shares) · T1570 (Lateral Tool Transfer) · T1027 (Obfuscated Files or Information)
References
CISA Advisory AA23-165A · Operation Cronos (NCA) · DOJ LockBit Disruption · MITRE ATT&CK - LockBit

Background

LockBit emerged in September 2019 as "ABCD ransomware" (named for the .abcd extension it appended to encrypted files) before rebranding to LockBit in January 2020. It rapidly grew to become the most prolific ransomware-as-a-service (RaaS) operation in the world, responsible for roughly 25-33% of all ransomware attacks globally by 2022-2023. The operation is attributed to a Russian-speaking administrator known by the handle "LockBitSupp," publicly identified and indicted by law enforcement in May 2024 as Dmitry Khoroshev, a Russian national.

LockBit operated a sophisticated affiliate program, recruiting skilled penetration testers and offering them a 75-80% cut of ransom payments. The group pioneered several innovations in the ransomware ecosystem, including a bug bounty program for their malware, an automated affiliate portal, and aggressive marketing on cybercrime forums. LockBit evolved through multiple versions: LockBit 1.0, LockBit 2.0 (Red), LockBit 3.0 (Black), and LockBit Green (incorporating leaked Conti source code).

In February 2024, a multinational law enforcement operation called "Operation Cronos," led by the UK National Crime Agency together with the FBI and Europol, seized LockBit's infrastructure, including 34 servers, decryption keys, and the group's leak site. LockBitSupp stood up a replacement leak site within days, but the disruption severely degraded LockBit's capabilities and, just as importantly for a RaaS brand, its credibility with affiliates. By late 2024, the operation was effectively dismantled, with multiple affiliates arrested across Europe and the U.S.

Notable Campaigns

Royal Mail Attack (January 2023): A LockBit affiliate compromised the UK's Royal Mail postal service, encrypting systems critical to international mail processing. The attack disrupted international mail services for weeks, and LockBit demanded an $80 million ransom. Royal Mail refused to pay, and operations were gradually restored.

ICBC Financial Services (November 2023): The U.S. subsidiary of the Industrial and Commercial Bank of China, the world's largest bank by assets, was hit by LockBit. The attack disrupted U.S. Treasury market trading, forcing ICBC to route trades through USB drives physically carried to BNY Mellon. A ransom was reportedly paid to restore operations.

Boeing (October 2023): LockBit claimed responsibility for compromising Boeing, threatening to release stolen data. Boeing confirmed a cyber incident affecting its parts and distribution business. Approximately 43GB of data was eventually published on LockBit's leak site when negotiations apparently broke down.

Continental AG (November 2022): German automotive manufacturer Continental was hit by a LockBit attack that resulted in the theft of approximately 40TB of data. LockBit demanded $50 million in ransom. When Continental refused, portions of the data were published on the leak site.

Hospital for Sick Children (December 2022): LockBit affiliates attacked SickKids, a major Canadian children's hospital in Toronto, causing system outages that affected clinical operations and lab results for weeks. LockBit leadership issued a rare apology and provided a free decryptor, claiming the affiliate violated their rules against targeting hospitals.

Tactics, Techniques & Procedures

LockBit affiliates gain initial access primarily through exploiting public-facing applications (VPN appliances, RDP services), purchasing stolen credentials from initial access brokers, and spear-phishing campaigns. Commonly exploited vulnerabilities include the Fortinet FortiOS SSL VPN path traversal (CVE-2018-13379), the Citrix ADC/Gateway (NetScaler) directory traversal (CVE-2019-19781), and various Microsoft Exchange vulnerabilities.

Post-compromise, affiliates follow a standard playbook: they harvest credentials and escalate privileges using Mimikatz or other credential-dumping tools, conduct Active Directory reconnaissance with tools like AdFind and BloodHound, disable security products using LockBit's built-in defense evasion (service and process termination, and Group Policy changes pushed from the domain controller), and move laterally via SMB, PsExec, and RDP. Data exfiltration typically uses the custom StealBit tool or cloud storage services like MEGA.

LockBit 3.0 (Black) incorporated anti-analysis features, including requiring a password (supplied as a -pass command-line argument) to decrypt and execute the payload, so that a sample collected without its argument cannot be detonated in a sandbox or easily reverse engineered. The ransomware uses multi-threaded, partial file encryption (only a leading portion of each file is encrypted) with per-file AES-256 keys wrapped with RSA-2048, which is what makes it exceptionally fast; the asymmetric step only protects the file keys. LockBit claimed benchmark speeds of 373MB/s for encryption, the fastest among major ransomware families.

Tools & Malware

  • LockBit Ransomware (1.0/2.0/3.0/Green): The core ransomware payload, notable for its encryption speed and cross-platform capabilities including Windows, Linux, and VMware ESXi variants.
  • StealBit: A custom data exfiltration tool that automatically uploads stolen data to LockBit's servers. Designed for speed and stealth.
  • Cobalt Strike: Used extensively by affiliates for command and control, lateral movement, and payload delivery.
  • Mimikatz: Credential harvesting from Windows memory, particularly LSASS process dumps.
  • PsExec / WMIC: Microsoft Sysinternals and WMI tools used for lateral movement and remote execution across domain-joined systems.
  • AdFind / BloodHound: Active Directory enumeration tools used to map the domain and identify paths to domain admin.
  • Plink (PuTTY Link): Used to create SSH tunnels for maintaining persistent access and evading network monitoring.
  • MEGA Client: Legitimate cloud storage client abused for large-scale data exfiltration.

Indicators & Detection

Detecting LockBit activity requires monitoring at multiple stages of the kill chain. For initial access, ensure VPN and remote access logs are monitored for brute-force attempts (many failures against one account from one source) and credential stuffing (failures spread across many accounts from one source), particularly against Fortinet, Citrix, and Microsoft Exchange servers; a successful login that follows a burst of failures from the same source deserves immediate attention. Patch high-severity vulnerabilities in internet-facing infrastructure within 24-48 hours.
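The remote-access monitoring described above, as an added example that is not part of the original page: a sliding-window detector over VPN authentication logs that raises brute-force, credential-stuffing and "success after failures" alerts. The log lines are constructed and only imitate a key=value syslog style; the field names (date, time, srcip, user, status) and the thresholds are assumptions, not a real FortiOS or NetScaler schema.

```python
"""Sliding-window detector for VPN brute force, credential stuffing and
"success after failures" (a guessed or purchased credential being used).

Added example, not from the original page. The log lines are constructed
and only imitate a key=value syslog style; the field names (date, time,
srcip, user, status) are assumptions, not a real FortiOS/NetScaler schema.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
BRUTE_FORCE_THRESHOLD = 5   # failures for one (srcip, user) inside WINDOW
STUFFING_THRESHOLD = 4      # distinct users failing from one srcip inside WINDOW

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: one brute-force run that eventually succeeds, one
# credential-stuffing burst, and ordinary logins that must not alert.
SAMPLE_LOGS = [
    'date=2024-01-15 time=02:14:01 devname=vpn-gw srcip=192.0.2.10 user="alice" action=login status=success',
    'date=2024-01-15 time=02:15:10 devname=vpn-gw srcip=198.51.100.7 user="jsmith" action=login status=failure reason="invalid password"',
    'date=2024-01-15 time=02:15:12 devname=vpn-gw srcip=198.51.100.7 user="jsmith" action=login status=failure reason="invalid password"',
    'date=2024-01-15 time=02:15:14 devname=vpn-gw srcip=198.51.100.7 user="jsmith" action=login status=failure reason="invalid password"',
    'date=2024-01-15 time=02:15:16 devname=vpn-gw srcip=198.51.100.7 user="jsmith" action=login status=failure reason="invalid password"',
    'date=2024-01-15 time=02:15:18 devname=vpn-gw srcip=198.51.100.7 user="jsmith" action=login status=failure reason="invalid password"',
    'date=2024-01-15 time=02:15:40 devname=vpn-gw srcip=198.51.100.7 user="jsmith" action=login status=success',
    'date=2024-01-15 time=02:20:00 devname=vpn-gw srcip=203.0.113.9 user="bob" action=login status=failure reason="invalid password"',
    'date=2024-01-15 time=02:20:01 devname=vpn-gw srcip=203.0.113.9 user="carol" action=login status=failure reason="invalid password"',
    'date=2024-01-15 time=02:20:02 devname=vpn-gw srcip=203.0.113.9 user="dave" action=login status=failure reason="invalid password"',
    'date=2024-01-15 time=02:20:03 devname=vpn-gw srcip=203.0.113.9 user="erin" action=login status=failure reason="invalid password"',
    'date=2024-01-15 time=02:25:00 devname=vpn-gw srcip=192.0.2.11 user="frank" action=login status=success',
]


def parse_line(line):
    """Split a key=value line into a dict and parse its timestamp."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ts = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return ts, fields


def _expire(dq, now, key=lambda item: item):
    """Drop entries older than WINDOW from the left of a deque."""
    while dq and now - key(dq[0]) > WINDOW:
        dq.popleft()


def analyze(lines):
    """Return alerts as (timestamp, rule, srcip, detail) tuples, in log order."""
    alerts = []
    fails_by_pair = defaultdict(deque)   # (srcip, user) -> failure timestamps
    fails_by_ip = defaultdict(deque)     # srcip -> (timestamp, user) failures
    fired = set()                        # suppress repeats of the same alert key
    for line in lines:
        ts, f = parse_line(line)
        ip, user = f["srcip"], f["user"]
        ip_fails = fails_by_ip[ip]
        _expire(ip_fails, ts, key=lambda item: item[0])
        if f["status"] == "failure":
            pair_fails = fails_by_pair[(ip, user)]
            pair_fails.append(ts)
            _expire(pair_fails, ts)
            if len(pair_fails) >= BRUTE_FORCE_THRESHOLD and ("brute", ip, user) not in fired:
                fired.add(("brute", ip, user))
                alerts.append((ts, "brute_force", ip, f"{len(pair_fails)} failures for {user} within {WINDOW}"))
            ip_fails.append((ts, user))
            users = {u for _, u in ip_fails}
            if len(users) >= STUFFING_THRESHOLD and ("stuff", ip) not in fired:
                fired.add(("stuff", ip))
                alerts.append((ts, "credential_stuffing", ip, f"{len(users)} distinct users failed within {WINDOW}"))
        elif f["status"] == "success" and ip_fails:
            # T1078 Valid Accounts: a login that follows recent failures from the same source
            alerts.append((ts, "success_after_failures", ip, f"{user} logged in after {len(ip_fails)} failures"))
    return alerts


if __name__ == "__main__":
    for ts, rule, ip, detail in analyze(SAMPLE_LOGS):
        print(f"{ts:%H:%M:%S} {rule:24} {ip:15} {detail}")
```

The per-source deque plus per-(source, user) deque is the minimum state needed to separate the two attack shapes: a brute force fills one pair deque, a stuffing run spreads across many pairs but fills the per-source deque with distinct users. The "success after failures" rule is the one worth paging on, since it is the moment an initial-access broker's credential actually works.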

On the endpoint, monitor for: Group Policy modifications that disable Windows Defender and other security tools; creation of scheduled tasks named with random strings (Security event 4698); use of vssadmin delete shadows /all /quiet to delete Volume Shadow Copies (process creation, Sysmon event 1 or Security event 4688); and attempts to clear Windows Event Logs (wevtutil cl on the command line, or Security event 1102 after the fact). LockBit's encryption leaves files with the .lockbit extension (LockBit 2.0) or a randomized nine-character extension (LockBit 3.0), and LockBit 3.0 drops ransom notes named with the pattern [random-id].README.txt, where the id is the same nine-character string used as the extension.

Network monitoring should focus on large outbound data transfers to cloud storage services (especially MEGA), Cobalt Strike beacon traffic patterns, and unusual SMB and RDP lateral movement, including Plink SSH tunnels from hosts that have no business running SSH. Implement network segmentation to limit ransomware propagation. Maintain offline, immutable backups and regularly test restoration procedures. Organizations should also monitor dark web forums and LockBit's leak site (seized in February 2024, though replacement sites appeared afterwards) for mentions of their brand or data.
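The endpoint and network indicators from the two paragraphs above, as an added example that is not part of the original page: a rule set run over normalised telemetry that flags shadow-copy deletion, event-log clearing, random-named scheduled tasks, LockBit note and extension artifacts, and bulk egress to MEGA, mapping each hit to its ATT&CK technique. The events are constructed, and their schema (type/host/cmdline/task_name/path/user/dst_domain/bytes_out) is an assumption rather than a real Sysmon or SIEM format. It goes slightly beyond the page's single vssadmin command by also matching the wmic shadowcopy delete and bcdedit recoveryenabled no forms commonly seen alongside it.

```python
"""Endpoint and network indicator matching for the LockBit intrusion stages:
shadow-copy deletion, log clearing, random-named scheduled tasks, ransom notes
and extensions, and bulk upload to MEGA.

Added example, not from the original page. Events are constructed and use a
simplified normalised schema (type/host/cmdline/task_name/path/user/
dst_domain/bytes_out) that is an assumption, not a real Sysmon or SIEM format.
"""
import re
from collections import defaultdict

# Process command-line rules: (pattern, ATT&CK technique, description).
CMDLINE_RULES = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "T1490", "shadow copies deleted"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "T1490", "shadow copies deleted via WMIC"),
    (re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I), "T1490", "Windows recovery disabled"),
    (re.compile(r"wevtutil(\.exe)?\s+cl\s+", re.I), "T1070.001", "event log cleared from command line"),
    (re.compile(r"(^|\\)adfind\.exe\b", re.I), "T1087.002", "AdFind domain enumeration"),
    (re.compile(r"(^|\\)mimikatz\.exe\b", re.I), "T1003.001", "Mimikatz credential dumping"),
    (re.compile(r"\s-pass\s+[0-9a-f]{16,}\b", re.I), "T1027", "payload launched with a -pass key (LockBit 3.0 style)"),
]
RANSOM_NOTE_RE = re.compile(r"^[A-Za-z0-9]{9}\.README\.txt$")   # LockBit 3.0 note name
LOCKBIT_EXT_RE = re.compile(r"\.lockbit$", re.I)                  # LockBit 2.0 extension
EXFIL_DOMAINS = ("mega.nz", "mega.co.nz", "mega.io")
EXFIL_BYTES_THRESHOLD = 1 << 30   # 1 GiB outbound per host; an assumed value, tune to the environment


def looks_random(task_name):
    """Heuristic for LockBit's randomly named scheduled tasks: alphanumeric
    only, 8-16 characters, letters mixed with at least two digits."""
    return (re.fullmatch(r"[A-Za-z0-9]{8,16}", task_name) is not None
            and sum(c.isdigit() for c in task_name) >= 2
            and any(c.isalpha() for c in task_name))


def is_exfil_domain(domain):
    """True for MEGA API/storage hosts, matching on registered domain suffix."""
    d = domain.lower()
    return any(d == base or d.endswith("." + base) for base in EXFIL_DOMAINS)


def evaluate(events):
    """Run all rules over normalised events; return (host, technique, detail) alerts."""
    alerts = []
    egress = defaultdict(int)   # host -> bytes sent to exfil domains
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "process":                      # Sysmon 1 / Security 4688
            for rx, technique, desc in CMDLINE_RULES:
                if rx.search(ev["cmdline"]):
                    alerts.append((host, technique, f"{desc}: {ev['cmdline']}"))
        elif kind == "task_created":               # Security 4698
            if looks_random(ev["task_name"]):
                alerts.append((host, "T1053.005", f"random-looking scheduled task {ev['task_name']}"))
        elif kind == "file_created":               # Sysmon 11
            name = ev["path"].rsplit("\\", 1)[-1]
            if RANSOM_NOTE_RE.match(name) or LOCKBIT_EXT_RE.search(name):
                alerts.append((host, "T1486", f"ransomware artifact {ev['path']}"))
        elif kind == "log_cleared":                # Security 1102
            alerts.append((host, "T1070.001", f"audit log cleared by {ev['user']}"))
        elif kind == "netflow":
            if is_exfil_domain(ev["dst_domain"]):
                egress[host] += ev["bytes_out"]
    for host, total in egress.items():
        if total >= EXFIL_BYTES_THRESHOLD:
            alerts.append((host, "T1567.002", f"{total / 2**30:.1f} GiB sent to MEGA"))
    return alerts


# Constructed sample telemetry: one workstation mid-encryption, one file
# server uploading to MEGA, and a domain controller doing nothing suspicious.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-042", "cmdline": "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "host": "WS-042", "cmdline": "wevtutil.exe cl Security"},
    {"type": "process", "host": "DC-01", "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"type": "task_created", "host": "WS-042", "task_name": "Kx9qLm2Zp"},
    {"type": "task_created", "host": "DC-01", "task_name": "MicrosoftEdgeUpdateTaskMachineCore"},
    {"type": "file_created", "host": "WS-042", "path": "C:\\Users\\Public\\2ea3B9kLp.README.txt"},
    {"type": "file_created", "host": "WS-042", "path": "C:\\Finance\\Q3.xlsx.lockbit"},
    {"type": "log_cleared", "host": "WS-042", "user": "CORP\\svc_backup"},
    {"type": "netflow", "host": "FS-01", "dst_domain": "g.api.mega.co.nz", "bytes_out": 700 * 2**20},
    {"type": "netflow", "host": "FS-01", "dst_domain": "g.api.mega.co.nz", "bytes_out": 500 * 2**20},
    {"type": "netflow", "host": "WS-042", "dst_domain": "update.microsoft.com", "bytes_out": 50 * 2**20},
]

if __name__ == "__main__":
    for host, technique, detail in evaluate(SAMPLE_EVENTS):
        print(f"{host:8} {technique:10} {detail}")
```

The egress rule aggregates per host across flows rather than alerting per flow, because StealBit and MEGAsync both chunk uploads; a per-flow threshold would miss them. The random-task heuristic is deliberately conservative (it requires digits), so a task named only with letters will not fire; pair it with an allowlist of known-good task names in a real deployment.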
