LockBit

Formation: 2019
Type: Cybercrime

LockBit is a cybercriminal group offering ransomware as a service (RaaS). The ransomware developed by the group enables malicious actors who are willing to pay for it to carry out attacks using two tactics: they not only encrypt the victim's data and demand payment of a ransom, but also threaten to leak it publicly if their demands are not met.

LockBit operates using an affiliate-based ransomware-as-a-service (RaaS) model in which core developers maintain the malware, payment infrastructure and data leak sites, while affiliates are responsible for gaining initial access to victim networks and conducting lateral movement and data exfiltration. This division of roles enables scalable operations and has contributed to the group’s high incident volume across multiple sectors. Observed intrusion methods include the use of compromised credentials, the exploitation of public-facing services and the use of initial access brokers.

In addition to encrypting systems, LockBit attacks commonly involve the exfiltration of sensitive data and deliberate efforts to locate and disable backup systems and shadow copies, increasing the complexity and duration of recovery for affected organizations.

According to a joint statement by various government agencies, LockBit was the world's most prolific ransomware in 2022. It was estimated in early 2023 to be responsible for 44% of all ransomware incidents globally. In the United States between January 2020 and May 2023, LockBit was used in approximately 1,700 ransomware attacks, with US$91 million paid in ransom to hackers.

Government agencies did not formally attribute the group to any nation-state. Software with the name "LockBit" appeared on a Russian-language cybercrime forum in January 2020. The group is financially motivated. In an interview on Inside Darknet, however, members claimed they are not Russian.

In February 2024, law enforcement agencies seized control of LockBit dark web sites used for attacks. However, further attacks with LockBit ransomware were later reported, with the group attempting a comeback.

In May 2025, the LockBit ransomware group's infrastructure was breached and defaced. The data breach resulted in a data dump, exposing Bitcoin wallet addresses, public encryption keys, internal chat logs with victims, affiliate details, and other sensitive information.