Developed by Reno  •  Analytical profiles compiled from open-source intelligence
Threat Actor Profile — Last updated May 2026
LockBit
Ransomware-as-a-Service  •  Multi-Version Lineage (1.0 through 5.0)  •  Operation Cronos Survivor
Tags: Critical Threat | Post-Disruption RaaS | Multi-Platform
Key figures (victim and country counts are live counters fed by ransomware.live):
  • First observed: Late 2019, as ABCD ransomware; renamed LockBit in January 2020
  • Confirmed victims: 2,500+ (2,000+ per DOJ, Feb 2024; more since)
  • Countries targeted: 40+
  • Confirmed revenue: $120M+ through Feb 2024, per DOJ / FBI
  • Peak market share: ~44% of global ransomware incidents, 2022-2023
  • Active versions: 6 (1.0/ABCD, 2.0/Red, 3.0/Black, Green, 4.0, 5.0)
  • Law enforcement disruptions: 2 (Operation Cronos, Feb 2024; admin panel breach, May 2025)
01  Executive Summary and Group Overview

LockBit is the most prolific ransomware-as-a-service (RaaS) ecosystem on record. First appearing in late 2019 as "ABCD ransomware," it evolved through six major code branches and maintained global dominance from 2021 through 2023, peaking at roughly 44% of all identified ransomware incidents and generating more than $120 million in confirmed ransom receipts. The U.S. Department of Justice attributed more than 2,000 confirmed victims across all critical infrastructure sectors and all major geographic regions except the CIS. A 10-country law enforcement coalition (Operation Cronos, February 2024) achieved an unprecedented disruption: 34 servers seized, more than 200 cryptocurrency accounts frozen, and decryption keys recovered (1,000+ announced at the time, more than 7,000 by October 2024). Despite this, LockBit rebuilt, releasing versions 4.0 (February 2025) and 5.0 (September 2025). A second blow arrived in May 2025 when an unknown actor compromised and defaced the LockBit admin panel, leaking an affiliate database covering December 2024 through April 2025. As of May 2026, LockBit remains a functioning RaaS with continuing technical development but a materially degraded brand, reduced affiliate confidence, and a market share well below its 2022 peak.

Attribute | Detail
--- | ---
CrowdStrike designation | BITWISE SPIDER (developer of LockBit ransomware and the StealBit exfiltration tool; not a parent-organization designator)
Secureworks designation | GOLD MYSTIC (operator of the LockBit RaaS scheme since mid-2019)
Trend Micro designation | Water Selkie
Mandiant / Google designation | No formal APT/FIN designation for the LockBit core; Mandiant tracks Evil Corp affiliates using LockBit as UNC2165 (a distinct cluster, not the LockBit operator group)
CISA / IC3 designation | "LockBit" and "LockBit 3.0" in StopRansomware advisories; no specific threat-cluster name
Lineage | Independent origin; no Conti parent-child relationship. LockBit Green (2023) incorporates leaked Conti source code but was developed as a variant, not a succession
Operational model | RaaS; 80/20 revenue split (80% affiliate, 20% operator) per Chainalysis and TRM Labs on-chain analysis
Extortion mechanic | Double extortion (encryption plus data publication) from v2.0; triple extortion (adding DDoS/harassment) from v3.0
Assessed jurisdiction | Russia (CONFIRMED: CIS avoidance code, Russian-language forums, identified operator Khoroshev from Voronezh, no domestic prosecution for foreign-victim attacks)
LE disruption status | Operation Cronos (Feb 2024) and anonymous admin panel breach (May 2025); operative but degraded as of May 2026
Data Leak Site & Branding
02  Lineage and Organizational Heritage

Version Timeline
Version | Also Known As | Period | Key Developments
--- | --- | --- | ---
LockBit 1.0 (ABCD) | ABCD Ransomware | Late 2019 – mid-2021 | Initial Windows encryptor; ".abcd" extension in earliest form; rebranded to "LockBit" Jan 2020; Linux/ESXi variant added Oct 2021
LockBit 2.0 | LockBit Red | June 2021 – early 2022 | Mature RaaS model; integrated StealBit data-exfiltration tool; double extortion formalized; automated domain controller discovery; advertised as the world's fastest encryptor
LockBit 3.0 | LockBit Black | March 2022 – 2024 | Major refactor; modular architecture; anti-analysis protections; code similarities with BlackMatter and ALPHV/BlackCat; triple extortion (DDoS/harassment); bug-bounty program; selective encryption
LockBit Green | (none) | Jan 2023 onward | Hybrid variant incorporating leaked Conti source code (BCryptGenRandom for faster encryption); observed by vx-underground; distinct code branch, not a successor to 3.0
LockBit 4.0 | (none) | Announced Dec 2024; released Feb 2025 | Post-Cronos rebuild; enhanced evasion; re-architected affiliate portal with new onion domains and access keys; announced from the existing LockBit 3.0 site per Deep Instinct
LockBit 5.0 | (none) | Announced and released Sep 2025 | Sixth-anniversary release; Windows/Linux/ESXi variants confirmed by Trend Micro; randomized 16-character file extensions; faster encryption; removal of infection markers; improved affiliate UI; enhanced obfuscation and anti-analysis
Four-Pillar Evidence Assessment for Operator Continuity

The following pillars address the contested question of whether post-Cronos LockBit (4.0/5.0) represents the same operator cluster or a partial splinter. Code continuity is not contested; human continuity is the open question.

Pillar 1 — Confirmed
Code Overlap and Algorithmic Continuity
Trend Micro confirmed identical hashing algorithms and API resolution methods between versions 4.0 and 5.0. Akamai and others trace reuse of LockBit 2.0/3.0 cryptographic routines and configuration structures across all subsequent variants. The LockBit Green branch is separately confirmed to incorporate Conti source code via BCryptGenRandom. Multiple independent vendors corroborate these code-level linkages.
Pillar 2 — Confirmed
TTP Continuity
Consistent RaaS model, double/triple extortion, CIS language exclusion, StealBit exfiltration tool deployment, automated domain controller discovery, and similar victim-handling workflows are documented across versions 2.0 through 5.0 in CISA advisories, Trend Micro reporting, and DOJ indictments. The operational pattern is distinct and persistent.
Pillar 3 — Credible
Infrastructure and Brand Continuity
LockBit 4.0 was announced from the existing LockBit 3.0 leak site per Deep Instinct reporting. Successive DLS iterations retained similar design motifs and affiliate portal mechanics. Onion domain recycling and consistent persona (LockBitSupp as public face) across years further support continuity of at least the brand management layer.
Pillar 4 — Analyst Inference
Post-Cronos Operator Continuity
Whether the core developers behind 4.0/5.0 are the same individuals as pre-Cronos operators remains contested. Some vendors assess direct continuation; others argue partial takeover by former affiliates using the leaked/reused codebase. The LockBit 3.0 builder was publicly leaked in September 2022, enabling any motivated actor to build LockBit-family ransomware. This complicates human-continuity claims. The most defensible current line: code lineage is confirmed; operator identity post-Cronos is credible but not confirmed.
Vendor designation rule: BITWISE SPIDER (CrowdStrike) and GOLD MYSTIC (Secureworks) designate the LockBit RaaS operation itself, not a parent-organization cluster. Neither is analogous to Wizard Spider or Gold Ulrick (which designate the parent Conti organization). LockBit has no documented Conti parent lineage. LockBit Green's incorporation of Conti source code reflects code acquisition from the 2022 Conti leak, not organizational succession.
Code Similarities With Other Ransomware Families

LockBit 3.0 / Black shares documented technical similarities with BlackMatter and ALPHV/BlackCat in configuration structures and specific routines. Multiple vendors confirm these similarities but the interpretation remains contested: some assess code borrowing or licensing, others assess convergent design by developers familiar with the same code base. There is no confirmed evidence of a unified actor behind all three families. Confidence: CREDIBLE for the technical similarity; ANALYST INFERENCE for any shared authorship or collaboration.

03  Operational Model

RaaS Structure
Confirmed — DOJ indictment, Chainalysis on-chain analysis, TRM Labs

LockBit operates a pure RaaS model. A core developer team maintains encryptors, infrastructure, and affiliate portals while independent affiliates supply initial access, deploy the malware, and manage victim negotiations. Revenue is split 80% to affiliates and 20% to the LockBit operator tier, per Chainalysis on-chain analysis confirmed by TRM Labs. DOJ reporting confirmed that 114 affiliates paid to join the LockBit program as of February 2024. The operator tier collects fees passively; affiliate wallets receive victim payments first, with the operator share extracted via the built-in split mechanism.

Affiliate Management and Vetting

LockBit has recruited on Russian-language underground forums, emphasizing speed, automation, and affiliate-friendly terms. Vetting is described in open sources as moderate, with preference for affiliates who can demonstrate prior access capabilities and ability to deliver large enterprise victims. Some leak data suggests blacklisting of unreliable partners. Confidence: CREDIBLE (single-source / limited open corroboration on vetting specifics).

The bug-bounty program launched with LockBit 3.0 offered financial rewards for identification of vulnerabilities in the ransomware and its infrastructure, reflecting an unusual professionalization effort and likely an attempt to address leaks and security failures.

Negotiation Behavior
  • Initial demands: Hundreds of thousands to multiple millions USD; IBM reported an average payment of approximately $1.5 million for LockBit 3.0 in 2022
  • Time-limited discounts: Affiliates commonly offer 20-50% reductions if paid within days of initial demand
  • Escalation ladder: Countdown timers, data sampling, threat to contact customers or regulators, DDoS attacks (3.0+), and full publication
  • Multi-extortion from 3.0: Triple extortion adds DDoS or targeted harassment of victims alongside encryption and data publication threats
  • Communication channel: TOR-hosted chat portal linked from ransom note via unique victim ID; some affiliates also used email and secure messaging
May 2025 breach data: The leaked admin panel database covering December 2024 through April 2025 reveals that LockBit 4.0 affiliates collectively generated approximately $2.3 million USD in that five-month window. The operator 20% cut totaled approximately $456,000. This figure implies a sharp revenue contraction versus the pre-Cronos peak and supports the assessment that affiliate recruitment and victim volume have declined materially since Operation Cronos.
Extortion Model by Version
Version | Encryption | Data Leak Threat | DDoS/Harassment | Notes
--- | --- | --- | --- | ---
LockBit 1.0 | Yes | Limited | No | Early variant; single extortion primary
LockBit 2.0 | Yes | Yes (StealBit) | No | Double extortion systematized; StealBit introduced
LockBit 3.0 / Black | Yes | Yes | Yes | Triple extortion; bug bounty; DDoS add-on service
LockBit Green | Yes | Yes | Yes | Conti-derived; cloud service targeting
LockBit 4.0 | Yes | Yes | Yes | Post-Cronos rebuild; quiet-mode operation added
LockBit 5.0 | Yes | Yes | Yes | Refreshed affiliate incentive model; enhanced evasion
04  Technical Capabilities

Exploited CVEs: Confirmed and Credible
CVE | Affected Product | Type | Confidence | Source
--- | --- | --- | --- | ---
CVE-2023-4966 | Citrix NetScaler ADC / NetScaler Gateway | Session token leak enabling session hijack / MFA bypass ("Citrix Bleed") | Confirmed | CISA AA23-325A; joint advisory with FBI, MS-ISAC, ASD's ACSC
CVE-2021-44228 | Apache Log4j2 | Remote code execution (Log4Shell) | Confirmed | CISA advisory AA23-165A
CVE-2020-1472 | Microsoft Netlogon | Privilege escalation (Zerologon) | Confirmed | CISA advisory AA23-165A
CVE-2018-13379 | Fortinet FortiOS SSL VPN | Path traversal / credential access | Confirmed | CISA advisory AA23-165A
CVE-2021-34473 / 34523 / 31207 | Microsoft Exchange Server | Remote code execution (ProxyShell chain) | Credible | CISA advisory; multiple TI vendor reports
CVE-2021-36942 | Windows LSA | Forced authentication spoofing (PetitPotam) | Credible | Qualys Threat Research Unit; CISA advisory
CVE-2023-27350 / 27351 | PaperCut MF/NG | Unauthenticated RCE / information disclosure | Credible | Multiple vendor reports; CISA KEV
CVE-2019-0708 | Windows Remote Desktop Services | Remote code execution (BlueKeep) | Credible | Qualys Threat Research Unit

Note: LockBit is a RaaS, so CVE exploitation reflects affiliate tradecraft, not a single actor. Not all CVEs above are used in every LockBit campaign. Attribution of a specific CVE to "LockBit" means it has been documented in campaigns by LockBit affiliates.

Initial Access Vectors
  • Compromised credentials / RDP exploitation: Brute-forcing or purchasing credentials for RDP and VPN; the most consistent vector across all affiliate-tier operators
  • Vulnerability exploitation: Edge device and appliance CVEs (see table above); Citrix Bleed (CVE-2023-4966) associated with multiple high-profile 2023 victims including Boeing and ICBC
  • Phishing: Email-borne malware or credential-harvesting campaigns; used by certain affiliates as a preferred entry method
  • MSP and supply-chain compromise: Documented cases of abusing trusted remote management tools operated by managed service providers
Persistence and Lateral Movement
  • Domain admin credential leverage to push payloads via PsExec, SMB shares, and Group Policy Objects
  • Disabling security tools and services via PowerShell, Group Policy, and registry edits prior to deployment
  • Living-off-the-land (LOTL) techniques using built-in Windows tools
  • Automated network share and domain controller discovery (introduced with v2.0); accelerates spread across Windows domains
  • StealBit exfiltration tool (v2.0+): custom-built tool for high-speed data theft prior to encryption; all StealBit servers seized in Operation Cronos
  • rclone used as supplementary exfiltration mechanism for cloud storage staging
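The persistence and lateral-movement behaviours listed above are the ones a SOC can hunt for before encryption starts. The following is an added example of that triage logic, written for this profile rather than taken from any of its sources: a small rule set over process-creation records (Sysmon Event ID 1 style JSON lines; the field names Computer, UtcTime, Image and CommandLine mirror Sysmon's but the records themselves are constructed) that flags a host only when several distinct pre-encryption behaviours cluster inside a time window. A single wbadmin run on a backup server is routine; shadow-copy deletion, boot-recovery tampering, Defender tampering, PsExec and rclone on one workstation inside an hour is not.

```python
"""Rule-based triage of process-creation logs for LockBit-style pre-encryption activity.

Added example, not from the profile's sources. Rules cover the behaviours the profile
lists: inhibiting recovery (shadow copy deletion, boot-recovery tampering), disabling
security tooling, PsExec/GPO-driven lateral movement, and rclone exfiltration.
Records are constructed Sysmon-Event-1-style JSON lines; the field names are assumed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

RULES = [
    ("inhibit_recovery", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("inhibit_recovery", re.compile(r"bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("defense_evasion", re.compile(r"Set-MpPreference\s+-Disable|reg(\.exe)?\s+add\s+.*DisableAntiSpyware", re.I)),
    ("lateral_psexec", re.compile(r"psexec|psexesvc", re.I)),
    ("lateral_gpo", re.compile(r"gpupdate(\.exe)?\s+/force", re.I)),
    ("exfil_rclone", re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
]

def classify_record(rec):
    """Return the sorted set of rule categories matching one process-creation record."""
    text = f"{rec.get('Image', '')} {rec.get('CommandLine', '')}"
    return sorted({name for name, rx in RULES if rx.search(text)})

def triage(lines, window_minutes=60, min_categories=2):
    """Group hits per host; flag a host when >= min_categories distinct categories
    fall inside any window_minutes window. Returns {host: {categories, hits}}."""
    per_host = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        cats = classify_record(rec)
        if cats:
            ts = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S")
            per_host[rec["Computer"]].append((ts, cats))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            cats, n = set(), 0
            for t, c in hits[i:]:
                if (t - t0).total_seconds() > window_minutes * 60:
                    break
                cats.update(c)
                n += 1
            if len(cats) >= min_categories:
                flagged[host] = {"categories": sorted(cats), "hits": n}
                break
    return flagged

# Constructed sample records (hostnames, paths and times are made up).
_RECORDS = [
    ("WS-FIN-07", "2025-03-02 09:40:11", r"C:\Users\Public\rclone.exe",
     r"rclone.exe copy \\FS01\Finance mega:drop --transfers 16"),
    ("WS-FIN-07", "2025-03-02 10:02:03", r"C:\Windows\System32\vssadmin.exe",
     "vssadmin.exe delete shadows /all /quiet"),
    ("WS-FIN-07", "2025-03-02 10:02:09", r"C:\Windows\System32\bcdedit.exe",
     "bcdedit /set {default} recoveryenabled no"),
    ("WS-FIN-07", "2025-03-02 10:05:40", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("WS-FIN-07", "2025-03-02 10:20:15", r"C:\Temp\psexec.exe",
     r"psexec.exe \\DC01 -s -d cmd /c \\DC01\sysvol\lb.exe"),
    ("SRV-BK-01", "2025-03-02 03:00:00", r"C:\Windows\System32\wbadmin.exe",
     "wbadmin delete catalog -quiet"),          # lone backup-maintenance hit: not flagged
    ("WS-HR-02", "2025-03-02 11:14:22", r"C:\Windows\System32\notepad.exe",
     r"notepad.exe C:\Users\jdoe\notes.txt"),
]
SAMPLE_LOGS = [json.dumps({"Computer": h, "UtcTime": t, "Image": img, "CommandLine": cl})
               for h, t, img, cl in _RECORDS]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_LOGS).items():
        print(host, finding)
```

The window-and-category threshold is the point: each rule alone produces noise in a large estate, while the combination inside an hour is the pre-detonation pattern the profile describes. Tune the window to what your telemetry latency supports, and treat the backup server's lone wbadmin hit as the baseline you need to know before raising min_categories.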
Encryption Implementation

All LockBit versions use a hybrid encryption scheme: symmetric encryption (typically AES) for file content combined with asymmetric encryption (RSA or ECC) for key protection. Per-file or per-session keys are managed via embedded public keys, with private keys held by the operator tier.

  • v1.0 / v2.0: Multi-threaded encryption for speed; v2.0 marketed as the fastest available at release; Volume Shadow Copy deletion
  • v3.0 / Black: Selective encryption (partial file encryption to prioritize critical data while maximizing speed); packed binaries; control-flow obfuscation; anti-debugging checks
  • Green variant: BCryptGenRandom for faster key generation, derived from Conti source code
  • v5.0: Randomized 16-character file extensions; further removal of infection markers; enhanced cross-platform obfuscation per Trend Micro analysis
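Two of the points above matter for detection engineering: selective (partial) encryption in 3.0/Black means a whole-file entropy check can miss an encrypted file because the untouched tail drags the average down, and the randomized 16-character extensions in 5.0 remove the name-based signal, so content-based checks have to carry the weight. The following added example, written for this profile and not code from any LockBit sample or vendor tool, scans a file in fixed-size chunks and reports the length of the high-entropy prefix. The sample bytes are constructed with a seeded PRNG standing in for ciphertext and a repeating ASCII record standing in for the unencrypted tail; the 4096-byte chunk size and the 7.5 bits/byte threshold are assumptions, not figures from the page.

```python
"""Chunked Shannon-entropy scan for selectively (partially) encrypted files.

Added example, not LockBit code. A whole-file entropy check misses a file whose
first N KiB were encrypted and whose remainder is plaintext; a per-chunk profile
recovers the signal and measures how much of the file was touched.
"""
import math
import random
from collections import Counter

CHUNK = 4096          # scan granularity (assumed)
HIGH_ENTROPY = 7.5    # bits/byte; random or well-encrypted data sits near 8.0 (assumed threshold)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_profile(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def encrypted_prefix_bytes(data: bytes, chunk: int = CHUNK) -> int:
    """Bytes from offset 0 up to the first chunk that is not high-entropy."""
    total = 0
    for i in range(0, len(data), chunk):
        if shannon_entropy(data[i:i + chunk]) < HIGH_ENTROPY:
            break
        total += min(chunk, len(data) - i)
    return total

def classify(data: bytes, chunk: int = CHUNK) -> str:
    """plaintext / partially-encrypted / mostly-encrypted / fully-encrypted.
    'partially-encrypted' is exactly the case a whole-file check misses."""
    prof = chunk_profile(data, chunk)
    hot = sum(1 for e in prof if e >= HIGH_ENTROPY)
    whole = shannon_entropy(data)
    if prof and hot == len(prof):
        return "fully-encrypted"
    if hot and whole < HIGH_ENTROPY:
        return "partially-encrypted"
    if hot:
        return "mostly-encrypted"
    return "plaintext"

def make_sample(prefix_encrypted: int, total: int, seed: int = 7) -> bytes:
    """Constructed sample: seeded PRNG bytes stand in for ciphertext, a repeating
    ASCII record stands in for an unencrypted tail. Not a real encrypted file."""
    rng = random.Random(seed)
    cipher = bytes(rng.getrandbits(8) for _ in range(prefix_encrypted))
    record = b"INVOICE,2024-01-15,ACME Corp,12,500.00,NET30\r\n"
    tail = (record * (total // len(record) + 1))[: total - prefix_encrypted]
    return cipher + tail

if __name__ == "__main__":
    partial = make_sample(16 * 1024, 256 * 1024)   # 16 KiB encrypted, 240 KiB untouched
    print(classify(partial), encrypted_prefix_bytes(partial), round(shannon_entropy(partial), 2))
```

Run against the partially encrypted sample, the whole-file entropy lands well under the threshold while the first four chunks are near 8 bits/byte, which is why a per-chunk scan belongs in any post-incident file triage for this family. The same profile also tells a responder how many bytes per file were actually encrypted, which bounds what a partial recovery from backups or file carving can salvage.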
Decryptor availability: Following Operation Cronos, law enforcement obtained more than 7,000 decryption keys from seized LockBit infrastructure. A free LockBit 3.0 Black decryptor was developed by the Japanese Police (supported by Europol) and is available via the No More Ransom Project. Keys for additional victims are available through the FBI IC3 portal at lockbitvictims.ic3.gov. No universal decryptor exists across all versions; key availability is incident-specific.
Platform Coverage and CIS Behavior
Platform | First Version | Current Status | Notes
--- | --- | --- | ---
Windows | v1.0 (2019) | Full support, all versions | Core target; extensive domain automation
Linux / VMware ESXi | Linux-ESXi locker v1.0 (Oct 2021) | Full support, v3.0 through v5.0 | Targets virtual disk files; shuts down VMs before encryption
macOS | Observed Apr 2023 | Limited / experimental | Samples found on VirusTotal; operational use not confirmed at scale
CIS Exclusion (CONFIRMED): LockBit implements logic to avoid encryption of systems using Russian or other CIS language settings, typically by checking keyboard layout and locale. Trend Micro confirmed LockBit 5.0 performs "Russian language system avoidance through geolocation checks." Observed victim geography excludes Russia and most CIS countries, consistent with both the technical implementation and the implicit safe-harbor strategy common among Russian-nexus criminal groups.
05  Financial Infrastructure

Payment Model

LockBit predominantly uses Bitcoin for ransom payments, with Monero available in some affiliate arrangements for added privacy. Victim payments go to affiliate-controlled wallets specified in negotiation chats, with the 20% operator share extracted through the built-in affiliate panel mechanism. TRM Labs confirmed this 80/20 split via on-chain analysis of payment flow clusters. DOJ attributed more than $120 million in confirmed ransom receipts through February 2024; TRM Labs documented at least $44 million in 2022 alone.
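The "on-chain confirmation" of a fixed split is, at bottom, a ratio test: a victim payment lands in an affiliate address, the next hop spends it into two outputs, and one output is consistently about 20% of the total, going to an address that recurs across different affiliates. The block below is an added, simplified illustration of that heuristic, written for this profile; it is not TRM Labs' or Chainalysis' methodology and the transactions, addresses and values (in satoshis) are constructed. A real analysis would also apply address-clustering heuristics and account for fees and change outputs, which is why the candidate step requires the same small-side address to recur from multiple sources rather than trusting any single 20% hit.

```python
"""Ratio heuristic for spotting a fixed operator/affiliate split in payment flows.

Added example, not vendor methodology. Each tx is a dict with 'txid', 'inputs'
(list of source addresses) and 'outputs' (list of (address, value) pairs).
"""
from collections import defaultdict

def split_fraction(tx):
    """Share of total output value in the smaller output of a 2-output tx, else None."""
    outs = tx["outputs"]
    if len(outs) != 2:
        return None
    total = sum(v for _, v in outs)
    return min(v for _, v in outs) / total

def find_split_hops(txs, ratio=0.20, tol=0.01):
    """(txid, small_side_address, fraction) for every 2-output spend whose smaller
    output is within tol of the expected operator share."""
    hits = []
    for tx in txs:
        f = split_fraction(tx)
        if f is not None and abs(f - ratio) <= tol:
            small_addr = min(tx["outputs"], key=lambda o: o[1])[0]
            hits.append((tx["txid"], small_addr, round(f, 4)))
    return hits

def operator_candidates(txs, ratio=0.20, tol=0.01, min_sources=2):
    """Small-side recipients seen from >= min_sources distinct upstream addresses.
    Repetition across affiliates is the signal; one ratio hit alone is noise."""
    sources = defaultdict(set)
    for txid, small_addr, _ in find_split_hops(txs, ratio, tol):
        tx = next(t for t in txs if t["txid"] == txid)
        sources[small_addr].update(tx["inputs"])
    return {a: sorted(s) for a, s in sources.items() if len(s) >= min_sources}

# Constructed transactions; all addresses and values are made up (values in satoshis).
SAMPLE_TXS = [
    {"txid": "v1", "inputs": ["victim1"], "outputs": [("affA", 1_000_000_000)]},          # ransom received
    {"txid": "s1", "inputs": ["affA"], "outputs": [("affA_cold", 798_000_000), ("opX", 200_000_000)]},
    {"txid": "v2", "inputs": ["victim2"], "outputs": [("affB", 300_000_000)]},
    {"txid": "s2", "inputs": ["affB"], "outputs": [("opX", 60_000_000), ("affB_cold", 239_500_000)]},
    {"txid": "s3", "inputs": ["affC"], "outputs": [("affC_cold", 150_000_000), ("exchY", 149_000_000)]},  # 50/50: not a split
    {"txid": "s4", "inputs": ["rand1"], "outputs": [("shop", 40_000_000), ("rand1_chg", 160_000_000)]},   # chance 20% hit
    {"txid": "m1", "inputs": ["opX"], "outputs": [("mix1", 80_000_000), ("mix2", 90_000_000), ("mix3", 85_000_000)]},
]

if __name__ == "__main__":
    print(find_split_hops(SAMPLE_TXS))
    print(operator_candidates(SAMPLE_TXS))
```

On the constructed data the 20% test fires three times, but only opX recurs from two different affiliate addresses; shop is a one-off that any ratio filter will hit by chance. Fees show up as the difference between input and output totals, so in live data the split is measured against outputs (as here) or the tolerance is widened slightly.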

  • Confirmed revenue (DOJ): $120M+ through February 2024; excludes unpaid demands
  • 2022 revenue (TRM Labs): $44M, on-chain analysis, calendar year 2022
  • Post-Cronos revenue (5 months): $2.3M, Dec 2024 to Apr 2025, per the leaked database
  • Operator cut: 20%, split confirmed by Chainalysis / TRM Labs
On-Chain Laundering Phases

1. Receipt
Victim pays to an affiliate-controlled Bitcoin address specified in the negotiation chat. Affiliates receive 80% directly; the affiliate panel mechanism holds the 20% operator share until the operator withdraws it.

2. Aggregation and Mixing
Operator-tier funds pass through mixing services. Chainalysis reported that the NCA used its tracing tools on LockBit payments; TRM Labs analysis shows LockBit operators using Wasabi 2.0 (a privacy-focused Bitcoin wallet with built-in coinjoin mixing) during the 2022-2024 operational period. More than 200 cryptocurrency accounts were frozen in Operation Cronos.

3. Cross-Chain Swap and Exchange
Funds are moved through non-custodial exchanges and centralized VASPs in the United States and Asia for cash-out. On-chain evidence shows some LockBit affiliates depositing at an Iranian exchange. The response to sanctions on earlier mixing services appears to have involved a progressive shift toward cross-chain bridges and P2P trades. Confidence: CREDIBLE for the general pattern; ANALYST INFERENCE for the specific post-sanctions adaptation.

4. Unusual Transfer: Ideological Donation
Chainalysis analysis identified a LockBit administrator donating cryptocurrency to "Colonel Cassad" (Igor Girkin's associate), a pro-Russia self-proclaimed military journalist based in Sevastopol. This transfer is analytically significant as an indicator of at minimum ideological sympathy with Russian state interests, and potentially informal proximity to state-aligned networks. Confidence: CREDIBLE for the transfer itself; ANALYST INFERENCE for its significance to the state-nexus assessment.
Sanctions and Designations

OFAC designated Dmitry Yuryevich Khoroshev ("LockBitSupp") and associated wallets on May 7, 2024, in coordination with the UK National Crime Agency and Australian Federal Police. Additional wallet clusters linked to LockBit affiliates have been designated over time. Analysts should expect ongoing OFAC designations as new wallets are linked via blockchain forensics; however, many affiliate-level wallets will remain undesignated and overlap with unrelated criminal activity.

06  Victim Profile and Targeting

Scale and Market Dominance
Confirmed — DOJ, NCC Group, IBM reporting

LockBit's growth trajectory from market entrant to dominant player spans four years:

  • LockBit 1.0 (2020): Approximately 5% of global ransomware attacks in its first operational year (IBM)
  • LockBit 2.0 (2021): Rose to approximately 10% of global ransomware attacks
  • LockBit 3.0 (2022): Exceeded 20% of global attacks; Akamai research recorded 39% of total ransomware victims in one measured period, triple the next-highest group
  • 2023: NCC Group recorded more than 1,000 LockBit victims, equaling 22% of all identified ransomware victims that year; separately assessed at up to 44% of all global ransomware incidents at peak
  • Post-Cronos (2024-2026): Market share declined; LockBit remained the top actor by victim count in May 2024 (10% of attacks per Infosecurity Magazine) but at substantially reduced absolute and relative volume
Sector and Geographic Coverage
Dimension | Detail | Confidence
--- | --- | ---
Primary sectors | Manufacturing, healthcare, government/public sector, education, financial services, energy, professional services, transportation | CONFIRMED (CISA advisory AA23-165A; DOJ)
Target size | SMBs, mid-market, and large enterprises; focus on organizations with sufficient revenue to pay meaningful ransoms; high-profile cases skew to large enterprises and critical infrastructure | CONFIRMED
Geography | North America (US primary), Europe, Asia-Pacific, Latin America; CIS countries excluded (code-level and observed victim geography) | CONFIRMED
CIS exclusion | Russia, Belarus, and most CIS nations are excluded by both technical locale checks and observed victim lists | CONFIRMED
Stated targeting rules | LockBit publicly claims to avoid some hospitals and charities; empirical data shows numerous healthcare and public-sector victims, indicating the rules are inconsistently enforced by affiliates | CONFIRMED (inconsistency)
Selected High-Profile Victims
Victim | Sector | Date | Notes
--- | --- | --- | ---
Royal Mail (UK) | Postal / logistics | Jan 2023 | Major national disruption; LockBit 3.0 affiliate; Royal Mail refused to pay; data published
TSMC (via supplier) | Semiconductor | Jun 2023 | LockBit claimed breach via third-party supplier; TSMC confirmed supplier incident; $70M demand
Boeing | Aerospace / defense | Nov 2023 | CVE-2023-4966 (Citrix Bleed) exploitation confirmed; Boeing Distribution Inc. unit; data published after non-payment
ICBC (Industrial and Commercial Bank of China) | Finance | Nov 2023 | US clearing operations disrupted; LockBit 3.0 affiliate; CVE-2023-4966 vector
Allen & Overy | Legal services | Nov 2023 | Major international law firm; data publication threatened
DP World | Logistics / ports | Nov 2023 | Australian ports operator; significant operational disruption
India National Aerospace Laboratories | Aerospace / defense | Nov 2023 | State-owned research organization; LockBit 3.0
Fulton County, Georgia (US) | Government | Jan 2024 | County government and court systems disrupted for weeks, during the Trump criminal case proceedings in that county
07  Law Enforcement and Regulatory Response

Named Individuals: Charges, Arrests, and Sanctions
Individual | Alias(es) | Nationality | Action | Status (May 2026)
--- | --- | --- | --- | ---
Dmitry Yuryevich Khoroshev | LockBitSupp, LockBit, putinkrab | Russian (Voronezh) | 26-count indictment (D.N.J. grand jury), OFAC sanction, $10M State Dept. reward; identified May 7, 2024 | At large, in Russia; warrant outstanding
Artur Sungatov | (none public) | Russian | Indicted for deploying LockBit; unsealed February 20, 2024 | At large
Ivan Gennadievich Kondratiev | Bassterlord | Russian | Indicted for deploying LockBit against US and global businesses; unsealed February 20, 2024 | At large
Mikhail Vasiliev | (none public) | Russian / Canadian | Charged prior to Cronos; arrested in Canada (Nov 2022); extradited to the US (June 2024) | US custody; pleaded guilty in New Jersey, July 2024
Ruslan Magomedovich Astamirov | (none public) | Russian | Charged; arrested in the US (June 2023) | US custody; pleaded guilty in New Jersey, July 2024
Mikhail Pavlovich Matveev | Wazawaka | Russian | Indicted; $10M US reward; believed in Kaliningrad; Russian malware-creation charges reported Dec 2024 | At large; not apprehended by Western authorities
Unnamed developer | Unconfirmed | Unconfirmed | Arrested in August 2024 while traveling outside Russia, in a Europol-coordinated action led by French authorities | In custody
Two unnamed members | Unconfirmed | Unconfirmed | Arrested by the NCA in 2024 (one for money laundering, one for LockBit affiliation) | In custody
Unnamed BPH administrator | Unconfirmed | Unconfirmed | Arrested at Madrid airport by the Spanish Guardia Civil, 2024 | In custody
Two unnamed affiliates | Unconfirmed | Unconfirmed | Arrested in Poland and Ukraine on French judicial request, February 2024 | In custody
Chronological Action Log
Date | Action | Agency | Impact
--- | --- | --- | ---
Feb 19-20, 2024 | Operation Cronos Phase 1: infrastructure seizure | NCA, FBI, Europol, 10-country task force | 34 servers seized; 11,000+ domains taken down; 200+ crypto accounts frozen; DLS replaced; 1,000+ decryption keys obtained at the time (7,000+ by Oct 2024); StealBit servers offline; all LockBit 3.0 affiliate accounts identified; 2 affiliates arrested (Poland, Ukraine)
Feb 20, 2024 | DOJ unseals indictments | US DOJ | Artur Sungatov and Ivan Kondratiev (Bassterlord) charged; prior charges against Vasiliev, Astamirov, Matveev confirmed
May 7, 2024 | Operation Cronos Phase 2: leadership identification and sanction | DOJ, OFAC, NCA, Australian Federal Police | Dmitry Khoroshev unmasked as LockBitSupp; 26-count indictment; OFAC sanction; $10M State Dept. reward; additional wallets frozen
Jul 2024 | Guilty pleas | US DOJ (D.N.J.) | Astamirov and Vasiliev plead guilty to LockBit-related charges in New Jersey, Vasiliev following extradition from Canada
Aug-Oct 2024 | Additional arrests (four individuals) | Europol, French authorities, NCA, Spanish Guardia Civil | Developer arrested while traveling (France); two NCA arrests; BPH admin arrested in Madrid
Oct 2024 | Evil Corp sanctions | UK, US, Australia | Evil Corp members sanctioned; some with documented LockBit affiliate overlap
May 7, 2025 | Anonymous admin panel breach | Unknown actor | LockBit TOR site defaced: "Don't do crime CRIME IS BAD xoxo from Prague"; MySQL database dumped (paneldb_dump.zip); negotiation chats, wallet addresses, affiliate credentials, and build configs exposed for the Dec 2024 to Apr 2025 period
Decryptors and Victim Assistance
  • Free LockBit 3.0 Black decryptor developed by Japanese Police with Europol support; available at nomoreransom.org
  • 7,000+ decryption keys available to victims through lockbitvictims.ic3.gov (FBI IC3 portal)
  • Keys are incident-specific; not all keys restore all victims; matching requires contact with FBI or NCA
  • No universal decryptor exists for LockBit 4.0 or 5.0 variants as of May 2026
Resilience indicator: Despite two major disruptions (Operation Cronos and the May 2025 breach), LockBit rebuilt and released new versions within months of each event. This pattern demonstrates the structural resilience of RaaS models: infrastructure can be rebuilt, new affiliates can be recruited, and code can be updated faster than law enforcement can sustain operational pressure. The core constraint on LockBit is not technical capacity but affiliate confidence and brand credibility.
08  Attribution and State Nexus

Jurisdiction Assessment
Confirmed — Russian nexus based on multiple independent indicators
  • Named operator: Dmitry Yuryevich Khoroshev is a Russian national from Voronezh, Russia; identified by DOJ, OFAC, and NCA via a converging investigation (CONFIRMED)
  • CIS avoidance: Code-level locale and keyboard checks exclude Russian/CIS systems; observed victim geography consistently excludes Russia and most CIS countries (CONFIRMED)
  • Forum presence: LockBit recruitment and operations advertised on Russian-language cybercrime forums (CONFIRMED)
  • No domestic prosecution: No public evidence of Russian authorities prosecuting any LockBit operator for attacks on foreign victims despite global impact, consistent with tolerated-cybercrime patterns (CONFIRMED). The Russian malware-creation charges reported against Matveev in December 2024 are the one partial exception; they were filed domestically, did not reference foreign LockBit victims, and did not result in extradition
  • Named affiliates: Multiple charged individuals are Russian nationals; others assessed as Russian-speaking based on operational communications (CONFIRMED for named; CREDIBLE for broader affiliate pool)
Russian Intelligence Service (RIS) Relationship
Analyst Inference — no confirmed command-and-control nexus; safe-harbor relationship assessed

Open sources and government advisories do not provide conclusive evidence that LockBit is directed by or operating under the control of FSB, SVR, or GRU. The most defensible assessment is that LockBit is a financially motivated, Russian-language cybercriminal ecosystem operating from jurisdictions that provide practical safe harbor, with de-facto tolerance from Russian authorities in exchange for avoiding domestic targeting.

Three indicators suggest proximity to, but not control by, Russian state interests:

  • Colonel Cassad donation: Chainalysis analysis identified a LockBit administrator donating cryptocurrency to "Colonel Cassad," a pro-Russia military journalist in Sevastopol with documented ties to Russian nationalist networks. This is the single most operationally significant indicator of informal state-proximate behavior (CREDIBLE for the transfer; ANALYST INFERENCE for its significance)
  • Evil Corp affiliate overlap: Mandiant tracked UNC2165, a cluster of Evil Corp-affiliated operators, as shifting to LockBit to evade US sanctions. Evil Corp itself has documented FSB connections per US Treasury sanctions designations (2019) and UK NCA reporting (2024). The overlap does not make LockBit an FSB asset, but it places FSB-connected actors within the LockBit affiliate ecosystem (CONFIRMED overlap; ANALYST INFERENCE for implications)
  • Data intelligence value: The sectors and organizations targeted by LockBit affiliates include defense contractors, aerospace organizations, government systems, and critical infrastructure that would have intelligence value for the Russian state. Whether any stolen data is shared with Russian intelligence is not documented in open sources (ANALYST INFERENCE)
Overall state nexus assessment: LockBit operates as a financially motivated criminal enterprise under Russian safe-harbor protection. There is no confirmed evidence of direct FSB/SVR/GRU tasking, command, or revenue sharing. The group's CIS avoidance, domestic non-prosecution, forum presence, and the Colonel Cassad donation collectively support an assessment of informal proximity to Russian state interests rather than integration or subordination. Confidence: CREDIBLE for safe harbor; ANALYST INFERENCE for any active state cooperation.
09  Trajectory Assessment

Rebranding and Version Signals

LockBit has not undergone a formal rebranding; the core brand has been maintained across all versions. Post-Cronos, versions 4.0 and 5.0 represent version-number escalation as a credibility signal to potential affiliates rather than a substantive identity change. The continued use of the LockBit brand name is operationally significant: it carries recognition that attracts affiliates but also makes the group a persistent high-priority law-enforcement target. The decision to maintain the brand rather than rebrand (as many disrupted groups do) suggests either operator confidence in resilience or recognition that a new brand would not carry the same affiliate recruitment value.

May 2025 breach as trajectory inflection point: The anonymous compromise of the LockBit admin panel on May 7, 2025, is analytically distinct from Operation Cronos. Where Cronos was a law-enforcement action with a clear counter-messaging strategy, the May 2025 breach was conducted by an unknown actor whose defacement message ("Don't do crime CRIME IS BAD xoxo from Prague") mirrored a breach of the Everest ransomware group, suggesting a possible vigilante or rival-actor campaign targeting ransomware infrastructure. The exposure of affiliate credentials, negotiation logs, and wallet addresses in the leaked MySQL database represents a different type of damage: operational security rather than infrastructure. Affiliates whose identities were exposed face heightened law enforcement risk regardless of LockBit's continued operation.
Connected Group Cluster
Connected Group | Relationship Type | Confidence | Notes
--- | --- | --- | ---
Conti (via LockBit Green) | Code acquisition: LockBit Green incorporates leaked Conti source code | CONFIRMED | Not a parent-child relationship; reflects code availability after the 2022 Conti leak. Mandiant and others corroborate
Evil Corp / UNC2165 | Affiliate overlap: Evil Corp-linked operators used LockBit to evade sanctions | CONFIRMED | Mandiant tracked UNC2165 as an Evil Corp cluster shifting to LockBit 3.0; Evil Corp has documented FSB connections per US Treasury sanctions designations
BlackMatter / ALPHV-BlackCat | Code similarities: shared configuration structures and routines with LockBit 3.0 / Black | CREDIBLE | Multiple vendors confirm technical overlap; interpretation (code borrowing vs. shared authorship) remains contested; no confirmed unified actor
Qilin / DragonForce | Possible affiliate overlap and infrastructure sharing post-Cronos | LOW CONFIDENCE | Limited open-source evidence; primarily forum-based and infrastructure overlap observations. Mandiant and Recorded Future have not published formal assessments as of May 2026
Trajectory Indicators
  • Continued development: LockBit 5.0 (September 2025) demonstrates ongoing technical investment and operator capability; cross-platform support and anti-analysis improvements indicate the developer tier remains active
  • Revenue contraction: $2.3M total in five post-Cronos months (Dec 2024 to Apr 2025) versus $44M in 2022 alone represents an approximate 80-90% revenue decline from peak; this is the sharpest measurable indicator of ecosystem degradation
  • Market share erosion: Competitor RaaS operations (Akira, Qilin, DragonForce, others) have gained affiliates following Cronos; LockBit no longer dominates the ransomware landscape as it did in 2022-2023
  • Brand risk: Two major public compromises in fifteen months create structural affiliate confidence problems; the May 2025 breach exposed not just infrastructure but the security of the affiliate relationship itself
  • Cumulative law enforcement pressure: No other ransomware group has faced simultaneous infrastructure seizure, leadership identification/sanction, decryptor release, and a secondary anonymous breach within a 15-month period; the combined effect on LockBit's ability to recruit credible affiliates is assessed as significant
Overall Trajectory Assessment
Assessment (CREDIBLE): LockBit will continue to operate as a functioning RaaS through at least mid-2026, based on continued technical development and the absence of operator apprehension. However, its operational effectiveness is assessed as substantially below its 2022-2023 peak. The dual disruptions of Operation Cronos and the May 2025 breach have created compounding damage to the brand, the affiliate relationship, and the operator's OPSEC credibility. Without a significant technical, reputational, or operational reset, LockBit's trajectory is assessed as continued decline in market share and absolute victim volume, a decline slowed only by the enduring technical quality of its encryptors and the continued availability of the RaaS infrastructure.
Intelligence gaps (ANALYST INFERENCE required): (1) Whether post-Cronos LockBit 4.0/5.0 is operated by the original Khoroshev-linked team or partially by successor actors; (2) the extent of any informal relationship between LockBit operators and Russian state intelligence beyond documented indicators; (3) the identity and motivation of the May 2025 breach actor and whether additional infrastructure compromises are planned; (4) whether the revenue contraction is reversible through LockBit 5.0 affiliate recruitment efforts.
