# LockBit
## Adversary Overview
First launched as "ABCD" ransomware in 2019, LockBit is a notorious ransomware family known for its sophisticated tooling, multi-layered extortion methods, and high-severity attacks. LockBit operates a Ransomware-as-a-Service (RaaS) model in which the core group maintains the encryptor and leak site while affiliates carry out intrusions with those tools. This decentralized approach lowers the barrier to entry for would-be operators and produces a wide variety of intrusion behaviors across affiliates, which makes detection and response more complex and less predictable than for a single, centrally run crew.

Law enforcement agencies deemed LockBit the "most deployed ransomware variant across the world" in 2022, and nearly 30% of all ransomware attacks between 2022 and 2023 were attributed to LockBit affiliates. The operation adapted continuously: LockBit 3.0 introduced a bug bounty program to harden its own tooling, the group targeted both Windows and Linux systems with evolving evasion tactics, and LockBit Green incorporated code from the now-defunct Conti ransomware, reflecting the broader trend of code and tactic recycling in the ransomware ecosystem.

To gain access to target systems, LockBit affiliates have used legitimate resources, including the penetration testing and red-team frameworks Metasploit and Cobalt Strike, Remote Desktop Protocol (RDP) access, and native utilities such as PowerShell and batch scripts, as well as exploitation of well-known vulnerabilities such as CVE-2018-13379, CVE-2019-0708, and CVE-2020-1472.

LockBit remained pervasive until its global impact prompted a multinational law enforcement operation, Operation Cronos, to disrupt LockBit-affiliated infrastructure in February 2024. Despite that disruption, LockBit continued to be the most prevalent strain until May 2024. Ongoing efforts under Operation Cronos led to the arrest and sanctioning of LockBit operators in October 2024.