LockBit
LockBit is a ransomware-as-a-service (RaaS) operation: a cybercriminal enterprise that develops and distributes ransomware to affiliates, who deploy it against targets to encrypt data and demand payment, usually in cryptocurrency, for decryption keys and for withholding exfiltrated data.[1][2]
The first variant emerged in September 2019, and the malware has since gone through successive iterations: LockBit 2.0 in 2021, LockBit 3.0 in 2022, and the 4.0 and 5.0 releases of 2025, which ship payloads for Windows, Linux and VMware ESXi hypervisors and add evasion techniques such as polymorphic code to hinder detection.[3][4][5]
In 2022, LockBit led global ransomware activity by volume of claimed victims on its dark web leak site, executing thousands of attacks across sectors including healthcare, critical infrastructure, and government entities.[1][6]
The group, linked to Russian nationals and operating from Russia, uses double extortion, combining data encryption with threats to publish stolen data, and runs a profit-sharing model with affiliates. It suffered significant setbacks in February 2024 when a multinational law enforcement action (Operation Cronos) seized its infrastructure and source code and the U.S. sanctioned key affiliates.[7][8][9]
Despite these disruptions, LockBit resumed operations, but in May 2025 its own affiliate panel was breached, exposing affiliate details, negotiation chat logs and cryptocurrency wallet data and giving researchers rare empirical insight into RaaS economics and internal dynamics.[10][11]
Overview
Ransomware-as-a-Service Model
LockBit employs a Ransomware-as-a-Service (RaaS) model: central developers provide the ransomware executable, encryption routines, builder tools and supporting infrastructure (leak sites, payment processing), while independent affiliates handle target selection, initial access, deployment and ransom negotiation.[1][12] This division lets developers concentrate on technical evolution and maintenance while affiliates bring their own intrusion tradecraft, often using commercial or open-source tooling such as Cobalt Strike or Metasploit after gaining entry via phishing, VPN vulnerabilities or supply-chain compromises.[12] Affiliates use a dedicated control panel to build payloads for Windows, Linux and VMware ESXi, generate per-victim encryption keys, and track operations through victim profiles, negotiation chats with read receipts and commission trackers.[13] The model relies on double extortion: stolen data is published on the leak site if the ransom goes unpaid, a pressure tactic applied across sectors such as professional services and manufacturing.[1][12] Revenue distribution favors affiliates, who keep 80% of each ransom while operators take 20%; affiliates are paid before the operator's cut is taken, a loyalty measure in a competitive RaaS market.[13] Onboarding requires a prospective affiliate to pay $700–$810 in Bitcoin or Monero after receiving an invitation distributed through underground forums; over 3,600 such invitations appear in documented leaks, and successful entrants start as "newbies" with full panel privileges after verification.[13] This structure has driven scalability: 1,653 victims were listed on the leak sites by Q1 2023, and roughly $91 million had been extorted from U.S. targets since January 2020.[1]

Core Features and Distinguishing Traits
LockBit operates under a Ransomware-as-a-Service (RaaS) framework in which central developers give affiliates customizable malware builders, encryption tooling and operational infrastructure; affiliates run attacks independently and keep up to 80% of ransom payments.[1][14] The model recruits broadly through dark-web forums and provides a management panel for tracking victims and generating decryptors; it differs from more rigid hierarchies such as REvil's in prioritizing affiliate autonomy and paying developers only after affiliates have received their share.[12] Core functionality centers on double extortion: sensitive data is exfiltrated with a dedicated module, StealBit (introduced in June 2021), or with utilities such as Rclone and FileZilla, before files are encrypted with a scheme combining AES-256 and elliptic-curve cryptography (ECC).[1][12] Encryption is built for speed, and self-propagation enables automated lateral movement over SMB and WMI, log deletion, and persistence via valid accounts or autostart entries; post-encryption actions include changing desktop backgrounds, printing ransom notes on network printers, and appending extensions such as .lockbit or .abcd to affected files.[12][14] Cross-platform support covers Windows, Linux (including VMware ESXi variants since October 2021) and macOS, widening the target scope beyond Windows-centric rivals.[1] What distinguishes LockBit is its iterative versioning, e.g., LockBit 2.0 in June 2021 with improved evasion and StealBit integration, then 3.0 in March 2022 with modular plugins and faster builders, which lets it adapt to defenses faster than the more static malware of groups such as Ryuk.[1][12] Affiliates lean on widely available tooling, such as Cobalt Strike beacons for post-exploitation and Mimikatz for credential dumping, after gaining initial access through RDP brute force or exploited vulnerabilities such as ProxyShell, while the operation's leak site had cataloged over 850 victims by mid-2022, amplifying pressure through data previews and secondary extortion against the clients of primary targets.[1][12] This professionalized efficiency contributed to LockBit accounting for 46% of monitored ransomware incidents in Q1 2022, a dominance built on scalable, technically robust tooling rather than sheer volume alone.[12]

Technical Architecture
Malware Evolution Across Versions
LockBit ransomware originated in September 2019 as a basic encryptor for Windows systems (its earliest builds appended a .abcd extension) that used a combination of symmetric and asymmetric cryptography: a symmetric key encrypts file contents, and an asymmetric public key embedded in the payload protects that key so that only the operators can recover it.[15] It was deployed in human-operated campaigns involving credential theft, lateral movement across networks and installation on multiple devices, with initial access via email attachments or exploited vulnerabilities in browsers and exposed services.[15]

In June 2021, LockBit 2.0 marked a significant advance with the integration of StealBit for credential and data exfiltration prior to encryption, enabling double extortion.[1] The malware resolved Windows APIs dynamically by comparing FNV-1a hashes of export names rather than importing them by name, so the import table reveals little to static analysis; it terminated security and monitoring processes (e.g., Process Hacker, Process Monitor) and appended the .lockbit extension to encrypted files, registering a custom icon for that extension through registry modifications.[16] Persistence was achieved via Run keys under the user's SID hive, and recovery was inhibited with commands such as "vssadmin delete shadows /all /quiet" and "bcdedit /set {default} recoveryenabled no".[16] An October 2021 variant extended support to Linux and VMware ESXi environments.[1]

LockBit 3.0 (also known as LockBit Black), released in March 2022 and derived from BlackMatter code, enhanced stealth and disruption: it self-deletes after execution, changes desktop wallpapers and file icons, deletes volume shadow copies, clears Windows event logs and terminates antivirus-related processes.[1] Affiliates pair it with packers such as Blister Loader and with tools such as Backstab and Defender Control to disable endpoint detection and response (EDR) and antivirus software.[1] Encrypted files receive a randomized extension (e.g., "HLJkNskOq"), and the payload itself is stored encrypted and only unpacks when launched with the correct -pass argument, a form of environmental keying that leaves sandboxes and static analysis with an opaque blob unless the key is known.[17] A January 2023 "Green" subvariant incorporated code from Conti ransomware, further diversifying the codebase.[1]

By September 2025, LockBit 5.0 had refined the prior iterations with heavy binary obfuscation, reflective in-memory DLL loading, and anti-analysis measures such as ETW (Event Tracing for Windows) patching and termination of security services.[18] The Windows payload shares its hashing and API-resolution routines with LockBit 4.0, while the Linux variants gained command-line options for targeting specific directories and file types.[18] ESXi encryption was accelerated to take down entire virtual infrastructures quickly, appending 16-character randomized extensions; the payload also checks for Russian-language systems and skips them.[18] Event-log clearing and cross-platform support (Windows, Linux, ESXi) persist, with the emphasis on evasion and speed in high-value environments.[18]

| Version | Release Date | Key Technical Evolutions |
|---|---|---|
| 1.0 | September 2019 | Basic file encryption; lateral movement and credential theft in human-operated attacks.[15] |
| 2.0 | June 2021 | Obfuscated API resolution; StealBit exfiltration; process termination; recovery disablement; Linux/ESXi extension in October 2021.[16][1] |
| 3.0 | March 2022 | BlackMatter-derived stealth (self-delete, log clearing, EDR disable); password-gated payload; randomized extensions; wallpaper/icon changes; January 2023 "Green" subvariant reuses Conti code.[1][17] |
| 4.0 | 2025 | Windows payload whose API-hashing and resolution routines are carried forward into 5.0.[3][18] |
| 5.0 | September 2025 | Heavy obfuscation and reflective DLL loading; ETW patching; faster ESXi encryption; Russian-language system check; 16-character randomized extensions.[18] |
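The hash-based API resolution that LockBit 2.0 introduced (and that 4.0 and 5.0 still share, per the version history above) means the import table tells an analyst almost nothing: the loader walks a DLL's export names at runtime and compares their hashes against constants baked into the binary. The standard counter is to precompute the same hash over a list of candidate export names and look the constants up. The Python below is an added example written for this page, not LockBit's code and not taken from any analysis tool. The 32-bit FNV-1a constants, the lower-casing of names and the bare ASCII encoding are assumptions about how a given sample normalises names and must be confirmed in the disassembly; the "observed" hashes in the demo are computed from the names themselves, not pulled from a real sample.

```python
"""Resolve hash-obfuscated API imports by precomputing FNV-1a over
candidate export names.

Added example for this page, not LockBit code. The FNV-1a constants and
the name normalisation (lower-case, bare ASCII) are assumptions about a
particular sample; confirm them in the hash loop of the binary, e.g. by
looking for the multiply-by-prime constant 0x01000193.
"""
FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193


def fnv1a_32(data: bytes) -> int:
    """Standard 32-bit FNV-1a: XOR each byte in, then multiply by the prime."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def api_hash(name: str, lowercase: bool = True) -> int:
    """Hash an export name the way the (assumed) resolver does."""
    return fnv1a_32((name.lower() if lowercase else name).encode("ascii"))


# Candidate names an analyst would feed in. In practice this is every export
# of kernel32/advapi32/ntdll/shell32 dumped from a clean system; shortened here.
CANDIDATE_EXPORTS = [
    "CreateFileW", "WriteFile", "ReadFile", "FindFirstFileW", "FindNextFileW",
    "CryptAcquireContextW", "CryptGenRandom", "OpenProcess", "TerminateProcess",
    "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
    "RegSetValueExW", "RegCreateKeyExW", "NtQuerySystemInformation",
    "ShellExecuteW", "DeleteFileW", "SetFileAttributesW",
]


def build_table(names, lowercase: bool = True) -> dict:
    """hash -> name lookup. A collision silently drops a key, so callers
    should compare len(table) with len(names)."""
    return {api_hash(n, lowercase): n for n in names}


def resolve(observed_hashes, names, lowercase: bool = True) -> dict:
    """Map each hash pulled from the binary to a name, or None when no
    candidate matches (extend the candidate list or revisit normalisation)."""
    table = build_table(names, lowercase)
    return {h: table.get(h) for h in observed_hashes}


if __name__ == "__main__":
    # Constructed "observed" constants: three derived from known names plus
    # one that no candidate will match.
    observed = [api_hash("TerminateProcess"), api_hash("CryptGenRandom"),
                api_hash("RegSetValueExW"), 0xDEADBEEF]
    for h, name in resolve(observed, CANDIDATE_EXPORTS).items():
        print(f"0x{h:08x} -> {name or '<unresolved>'}")
```

If every constant comes back unresolved, the normalisation assumption is usually what is wrong (case, a trailing NUL included in the hash, or a different seed); flip the `lowercase` switch and re-derive the constants from the hash loop before assuming a custom algorithm.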
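The recovery-inhibit and anti-forensics commands recorded in the version history above (shadow-copy deletion, "bcdedit ... recoveryenabled no", event-log clearing) are among the most reliable host-based signals that a LockBit deployment is under way, and they persist across versions. The Python below is an added example written for this page, not LockBit's code and not any vendor's detection content; it runs rule matching over constructed process-creation records in a simplified "host|parent|image|commandline" layout (an assumption standing in for Sysmon Event ID 1 or Security 4688) and reports per-host hits plus the hosts that trip more than one distinct rule.

```python
"""Flag LockBit-style recovery-inhibition and log-clearing commands in
process-creation telemetry.

Added example for illustration; not LockBit code and not any vendor's
detection content. Records use a constructed "host|parent|image|cmdline"
layout, an assumption standing in for Sysmon Event ID 1 / Security 4688.
"""
import re
from collections import defaultdict

# Constructed sample telemetry (not real captures). ws01 shows the classic
# post-access sequence; fs02 has a lone shadow deletion; db03 is benign.
SAMPLE_EVENTS = [
    "ws01|explorer.exe|winword.exe|WINWORD.EXE /n invoice.docx",
    "ws01|cmd.exe|vssadmin.exe|vssadmin delete shadows /all /quiet",
    "ws01|cmd.exe|bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    "ws01|cmd.exe|bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "ws01|cmd.exe|wevtutil.exe|wevtutil cl Security",
    "fs02|backupagent.exe|vssadmin.exe|vssadmin list shadows",
    "fs02|cmd.exe|wmic.exe|WMIC shadowcopy delete",
    "db03|cmd.exe|powershell.exe|powershell -c Get-Date",
]

# (rule name, ATT&CK technique, pattern over the normalised command line)
RULES = [
    ("vssadmin shadow deletion", "T1490",
     re.compile(r"\bvssadmin(\.exe)? delete shadows\b")),
    ("wmic shadow deletion", "T1490",
     re.compile(r"\bwmic(\.exe)? shadowcopy delete\b")),
    ("bcdedit recovery disabled", "T1490",
     re.compile(r"\bbcdedit(\.exe)? /set \{default\} recoveryenabled no\b")),
    ("bcdedit boot failures ignored", "T1490",
     re.compile(r"\bbcdedit(\.exe)? /set \{default\} bootstatuspolicy ignoreallfailures\b")),
    ("event log cleared", "T1070.001",
     re.compile(r"\bwevtutil(\.exe)? cl \S+")),
]


def normalise(cmdline: str) -> str:
    """Lower-case, drop quotes and collapse whitespace so that casing,
    quoting and spacing tricks do not slip past the patterns."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def parse_event(line: str) -> dict:
    host, parent, image, cmd = line.split("|", 3)
    return {"host": host, "parent": parent, "image": image, "cmd": normalise(cmd)}


def match_event(event: dict) -> list:
    """Return every (rule, technique) whose pattern matches the command line."""
    return [(name, tid) for name, tid, pat in RULES if pat.search(event["cmd"])]


def triage(lines, min_distinct_rules: int = 2) -> dict:
    """Group hits per host and alert on hosts that trip at least
    min_distinct_rules different rules. Set it to 1 where any shadow-copy
    deletion is already unacceptable in the environment."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for name, tid in match_event(ev):
            hits[ev["host"]].append({"rule": name, "technique": tid,
                                     "parent": ev["parent"], "cmd": ev["cmd"]})
    alerts = sorted(h for h, hs in hits.items()
                    if len({x["rule"] for x in hs}) >= min_distinct_rules)
    return {"hits": dict(hits), "alerts": alerts}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host in result["alerts"]:
        print(f"ALERT {host}:")
        for h in result["hits"][host]:
            print(f"  [{h['technique']}] {h['rule']}: {h['cmd']}")
```

The parent process is carried through deliberately: "vssadmin delete shadows" spawned by cmd.exe under an Office or browser process is a very different finding from the same command issued by a backup agent, and the parent is what lets an analyst tell them apart at a glance.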