LockBit is a Ransomware-as-a-service (RaaS) operation that targets organizations across a broad range of industries and regions.

Originally dubbed ABCD, LockBit has developed several versions of its malware, including LockBit Red, Black and Green. On its latest Tor leak site, LockBit 3.0, there are options on some victims’ listings to either extend the countdown timer by 24 hours, “destroy” the stolen data, or download the stolen data, for varying price points. LockBit actively engages with its fans and detractors on dark web forums like XSS, promoting its attacks and investing effort into its branding.

LockBit was the most active ransomware group by number of listed victims on its dark web leak site in 2022 and 2023. LockBit claimed more than a thousand victims last year, including high profile organizations such as the UK Ministry of Defense, Boeing, CDW, Portuguese water company Aguas do Porto, and TSMC, the world’s largest contract chipmaker.

In April 2023 researchers spotted samples of LockBit (which previously targeted Windows, Linux, and VMware ESXi servers) designed to target macOS, a first for major ransomware operations of this scale. In November 2023 a Cybersecurity Advisory was issued warning that LockBit was among many threats exploiting the CVE 2023-4966 Citrix Bleed Vulnerability.

In February 2024 LockBit suffered major disruption at the hands of the NCA, FBI, Europol, and other partners in “Operation Cronos”. The numbers behind Operation Cronos were impressive – two individuals arrested, 28 servers taken down, 200 crypto accounts frozen, and 1k decryption keys obtained – in addition to seizing LockBit’s source code, infrastructure for data exfiltration, and a vast amount of intelligence. The disruption was welcome news to cybersecurity defenders around the world but we observed that the cybercriminal community of the dark web were less impressed.

One of the actors behind the ransomware group LockBit issued a lengthy statement a week later. The actor acknowledged the attack, blaming their own complacency and claiming that law enforcement compromised an old version of PHP, which they had failed to update in their infrastructure. The administrator finished their statement by confirming that the group will carry on operating and even called for new affiliates to join their team.

On Tuesday May 7 the US Department of Justice unsealed charges against the admin and developer of the LockBit ransomware group. Dimitry Yuryevich Khoroshev is subject to 26 criminal counts as well as financial and travel sanctions in the US, UK and Australia. The DoJ has also offered a $10m reward for information that could lead to his arrest or conviction. The hijacked leak site was also brought back online by Operation Cronos, displaying information relating to affiliates who worked as part of LockBit’s ransomware-as-a-service (RaaS) scheme, and data points highlighting the effectiveness of the original law enforcement action in diminishing the group’s ability to launch new attacks and attract recruits after the damage done to its reputation.

You can read a full overview of Operation Cronos in our blog.