LockBit

Also known as: LockBit 2.0, LockBit 3.0, LockBit Black, LockBit Green, ABCD Ransomware, Water Selkie, LockBit 4.0, LockBit Neo, LockBit 5.0, ChuongDong, LockBit-NG-Dev, SuperBlack

ActiveExpertRussia

0Campaigns

44Techniques

11IOCs

19Tools

0Matches

4Infrastructure

Overview

LockBit is a highly resilient ransomware-as-a-service (RaaS) operation that has survived multiple law enforcement disruptions including Operation Cronos (February 2024) and a May 2025 infrastructure breach that exposed affiliate data. The group released LockBit 5.0 in September 2025 with enhanced cross-platform capabilities targeting Windows, Linux, and ESXi environments. Built on .NET Core, the new variant features improved obfuscation, ETW patching, invisible mode encryption, and randomized 16-character file extensions. Despite setbacks, LockBit recorded over 200 victims on its data leak site from December 2025 into early 2026, primarily targeting U.S., India, and Brazil across manufacturing, healthcare, and government sectors.

Motivations

Financial GainExtortion

Target Sectors

HealthcareGovernmentEducationFinancial ServicesManufacturingLegalConstructionTechnologyCritical InfrastructureBanking/Financial Services/Insurance (BFSI)South America RegionVMware ESXi InfrastructureVirtualization PlatformsRetailLegal ServicesTransportationFinanceProfessional Services

Activity Timeline

First Seen

Sep 2019

Last Seen

Jan 2026

Quick Facts

OriginRussia

Sophisticationexpert

StatusActive

MITRE ATT&CK Techniques

(44)

Initial Access

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

T1490

Inhibit System Recovery

Delete backups, shadow copies, or recovery partitions to prevent restoration.

T1489

Service Stop

Stop critical services to disrupt operations or aid in data destruction.

Other

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

T1055

Process Injection

Inject code into running processes to evade defenses and elevate privileges.

T1036

Masquerading

Disguise malicious artifacts by manipulating names or locations to appear legitimate.

T1140

Deobfuscate/Decode Files or Information

Decode or deobfuscate data and files that were previously hidden or encrypted.

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

Credential Access

T1003.001

LSASS Memory

Access LSASS process memory to extract credential material.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Discovery

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

T1082

System Information Discovery

Collect OS version, architecture, hostname, and other system details.

Persistence

T1136

Create Account

Create new accounts to maintain access to victim systems.

Reconnaissance

T1592

Gather Victim Host Information

Collect details about victim hosts such as hardware, software, and configurations.

Tools & Malware

(19)

LockBit Ransomware

malwareMalicious

Core RaaS ransomware supporting Windows, Linux, and VMware ESXi. Known for fast encryption using AES-256 + RSA-2048 and automatic propagation via SMB and Group Policy.

StealBit

malwareMalicious

Custom data exfiltration tool developed by LockBit operators. Rapidly extracts files to attacker infrastructure before encryption for double-extortion leverage.

Cobalt Strike

frameworkLegitimate

Most commonly used post-exploitation framework by LockBit affiliates. Deployed via initial access vectors for reconnaissance, lateral movement, and pre-encryption staging.

Brute Ratel

frameworkLegitimate

Alternative C2 framework used by some LockBit affiliates to evade EDR detections that commonly flag Cobalt Strike. Supports syscall-level evasion.

Mimikatz

frameworkLegitimate

Standard credential harvesting tool for extracting passwords, NTLM hashes, and Kerberos tickets to gain domain admin access before deploying ransomware.

AnyDesk

legitimate toolLegitimate

Deployed widely by affiliates for persistent remote access. Installed on multiple endpoints to maintain access even if C2 beacons are detected and killed.

TeamViewer

legitimate toolLegitimate

Alternative remote desktop tool used alongside AnyDesk for redundant persistent access to compromised networks.

Splashtop

legitimate toolLegitimate

Remote access tool deployed by some LockBit affiliates as additional persistent access mechanism, especially in managed service provider environments.

Advanced IP Scanner

legitimate toolLegitimate

Network scanning tool used to map internal networks, identify domain controllers, backup servers, and high-value targets before ransomware deployment.

SoftPerfect Network Scanner

legitimate toolLegitimate

Network discovery tool used by affiliates to enumerate network shares, identify live hosts, and map infrastructure for maximum encryption coverage.

BloodHound

frameworkLegitimate

Active Directory reconnaissance tool that maps attack paths to domain admin. Affiliates use it to identify the shortest path from initial access to domain compromise.

AdFind

legitimate toolLegitimate

AD query tool used for enumerating domain structure, group memberships, trust relationships, and identifying high-privilege accounts.

PsExec

legitimate toolLegitimate

Sysinternals remote execution tool used for mass deployment of ransomware across domain-joined systems using compromised admin credentials.

LaZagne

frameworkLegitimate

Open-source credential recovery tool that extracts passwords from browsers, email clients, WiFi configurations, and other local credential stores.

Rclone

legitimate toolLegitimate

Cloud storage syncing tool abused for large-scale data exfiltration to attacker-controlled Mega.nz, Backblaze, or other cloud storage accounts.

PowerShell

os utilityLegitimate

Used for disabling Windows Defender, deleting shadow copies, modifying Group Policy for ransomware deployment, and executing encoded payloads.

ProxyShell/ProxyLogon Exploits

exploit kitMalicious

Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-26855) exploited by affiliates for initial access to enterprise networks.

PowerShell Empire

BackdoorMalicious

Post-exploitation framework used for maintaining access and lateral movement

Metasploit

ExploitLegitimate

Exploitation framework used by affiliates for initial access and privilege escalation

Indicators of Compromise

(11)

IOC values are defanged for safety

Type	Value	Notes
domain	`lockbitapt[.]uz`	LockBit leak site mirror domain
ip	`185[.]215[.]113[.]39`	LockBit affiliate C2 infrastructure
ip	`193[.]162[.]143[.]218`	StealBit data exfiltration server
hash	`80e8defa5377018b093b5b90de0f2957`	LockBit 3.0 ransomware sample (MD5)
hash	`e3f236e4aeb73f8f8f0b8e0e3f1d5c73`	StealBit data exfiltration tool (MD5)
ip	`166[.]62[.]100[.]62`	Metasploit C2 IP used in Apache ActiveMQ exploitation campaign February 2024
hash	`Randomized 16-character file extensions`	LockBit 5.0 uses randomized extensions instead of .lockbit to evade detection
ip	`205[.]185[.]116[.]233`	LockBit 5.0 leak site server hosted under AS53667 (PONYNET/FranTech Solutions), exposed December 2025
domain	`karma0[.]xyz`	LockBit 5.0 leak site domain registered April 12, 2025, using Cloudflare nameservers
domain	`lockbitapt6vx4d2hqqlufkqizwqa5zvxsfvht3st5ccpzfqnk2u2sxid[.]onion`	LockBit 3.0 data leak site onion domain
hash	`e7e9824d0c248bde73e521d023e94b7e`	MD5 hash of LockBit 3.0 ransomware sample

Infrastructure

(4)

Domain values are defanged for safety

Domain / Host	Type	Status	Last Checked
`lockbitapt[.]uz` LockBit leak site mirror domain	domain	offline	Apr 2, 2026
`185[.]215[.]113[.]39` LockBit affiliate C2 infrastructure	ip	offline	Apr 2, 2026
`193[.]162[.]143[.]218` StealBit data exfiltration server	ip	offline	Apr 2, 2026
`karma0[.]xyz`	domain	unknown	—

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References

(36)

CISA - Understanding Ransomware Threat Actors: LockBit

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a

NCA - Operation Cronos: International Disruption of LockBit

https://www.nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group

U.S. DOJ - Lockbit Leader Dmitry Khoroshev Unmasked and Sanctioned

https://www.justice.gov/opa/pr/us-and-uk-disrupt-lockbit-ransomware-variant

LockBit 5.0: Ransomware Gang Returns in Force - Check Point Research

https://blog.checkpoint.com/research/lockbit-returns-and-it-already-has-victims/

New LockBit 5.0 Targets Windows, Linux, ESXi - Trend Micro

https://www.trendmicro.com/en_us/research/25/i/lockbit-5-targets-windows-linux-esxi.html

LockBit Leak Provides Insight into RaaS Enterprise - TRM Labs

https://www.trmlabs.com/resources/blog/lockbit-leak-provides-insight-into-raas-enterprise

Apache ActiveMQ Exploit Leads to LockBit Ransomware - The DFIR Report

https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/

LockBit Ransomware Hacked, Insider Secrets Exposed - Help Net Security

https://www.helpnetsecurity.com/2025/05/09/lockbit-hacked-data-leaked/

Inside LockBit's Admin Panel Leak - Trellix

https://www.trellix.com/blogs/research/inside-the-lockbits-admin-panel-leak-affiliates-victims-and-millions-in-crypto/

Joint Technical Advisory on LockBit 3.0 and 4.0 - Singapore CSA

https://isomer-user-content.by.gov.sg/36/1f56c162-080e-4e49-a005-abf1fd9bd0e4/Joint%20Technical%20Advisory%20on%20LockBit%203.0%20and%204.0%20(2%20May%202025).pdf

Ransomware TTPs in Shifting Threat Landscape - Google Mandiant

https://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-shifting-threat-landscape/

LockBit 3.0: Inside the Ransomware-as-a-Service

https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit

Operation Cronos: International action against LockBit

https://www.europol.europa.eu/media-press/newsroom/news/operation-cronos-law-enforcement-strikes-against-lockbit

U.S. Department of Justice - Russian National Charged in Connection with Lockbit Ransomware Attacks

https://www.justice.gov/opa/pr/russian-national-charged-connection-lockbit-ransomware-attacks

LockBit 3.0 Ransomware: Inside the Affiliate and Builder Leak

https://www.sentinelone.com/labs/lockbit-3-0-ransomware-inside-the-affiliate-and-builder-leak/

Operation Cronos: International Law Enforcement Disrupts LockBit

https://www.europol.europa.eu/media-press/newsroom/news/lockbit-ransomware-group-disrupted-by-international-operation

LockBit Leader Unmasked and Sanctioned by International Authorities

https://www.justice.gov/opa/pr/lockbit-ransomware-developer-and-administrator-charged-and-sanctioned

CISA Advisory: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a

LockBit 3.0 Technical Analysis - Trend Micro

https://www.trendmicro.com/en_us/research/22/g/lockbit-3-0-update.html

Operation Cronos: LockBit Disruption - Europol

https://www.europol.europa.eu/media-press/newsroom/news/operation-cronos-law-enforcement-disrupt-lockbit

Operation Cronos: Law Enforcement Disrupts LockBit Ransomware

https://www.europol.europa.eu/media-press/newsroom/news/operation-cronos-law-enforcement-disrupt-lockbit-ransomware

LockBit 3.0 Ransomware: Inside the Affiliate and Builder Leak

https://www.trendmicro.com/en_us/research/22/j/lockbit-3-0-ransomware-affiliate-and-builder-leak.html

LockBit 3.0 Ransomware: Inside the Affiliate and Victim Chats

https://www.trendmicro.com/en_us/research/23/a/lockbit-3-ransomware-affiliate-and-victim-chats.html

UK NCA Operation Cronos - LockBit Takedown

https://www.nationalcrimeagency.gov.uk/news/lockbit-takedown

LockBit 5.0 Ransomware: Technical Analysis - Proven Data

https://www.provendata.com/blog/lockbit-5

LockBit Ransomware Gang Hacked, Ops Data Leaked - Dark Reading

https://www.darkreading.com/threat-intelligence/lockbit-ransomware-gang-hacked-data-leaked

MOXFIVE Threat Actor Spotlight - LockBit 5.0

https://www.moxfive.com/resources/moxfive-threat-actor-spotlight-lockbit-5-0

Bitdefender Threat Debrief April 2026

https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-threat-debrief-april-2026

The LockBit takedown one year on - Computer Weekly

https://www.computerweekly.com/news/366619310/A-landscape-forever-altered-The-LockBit-takedown-one-year-on

Top 10 Critical Threat Actors to Watch in 2026 - Netlas

https://netlas.io/blog/top_10_critical_threat_actors/

LockBit 3.0 Ransomware: Inside the Affiliate and Builder Panels

https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant-lockbit-3-0.html

FBI Flash: LockBit 3.0 Ransomware Indicators of Compromise

https://www.ic3.gov/Media/News/2023/230216.pdf

LockBit 3.0: An Analysis of the Ransomware's Updated Tactics

https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html

UK, US and international law enforcement disrupt world's biggest ransomware operation

https://www.nationalcrimeagency.gov.uk/news/uk-us-and-international-law-enforcement-disrupt-world-s-biggest-ransomware-operation

Operation Cronos: Law Enforcement Action Against LockBit - Europol

https://www.europol.europa.eu/media-press/newsroom/news/lockbit-ransomware-infrastructure-disrupted-in-international-operation

Operation Cronos: International Crackdown on LockBit

https://www.nationalcrimeagency.gov.uk/news/lockbit-infrastructure-seized