February 2024. The NCA, FBI, Europol, and law enforcement from ten countries seized LockBit’s infrastructure, took control of its leak site, arrested members in Poland and Ukraine, sanctioned its administrator, and published a trove of operational data revealing more than 7,000 decryption keys and the identities of thousands of affiliates. It was the most ambitious coordinated ransomware disruption operation ever attempted.
By May 2024, LockBit was back. New infrastructure. Same affiliates. The administrator, now publicly identified as Dmitry Khoroshev, operating under the alias LockBitSupp, posted a defiant statement. Affiliate recruitment continued. Attacks continued.
That resilience is the story. LockBit is not a piece of software. It is an affiliate programme. Disrupting the management infrastructure disrupts the programme temporarily. The affiliates — the operators who conduct the actual intrusions — are a distributed network. Most were never identified. Most kept working.
Group Overview
| Attribute | Detail |
|---|---|
| Type | Ransomware-as-a-Service (RaaS) criminal operation |
| Attribution | Eastern European cybercriminal group; administrator identified as Dmitry Khoroshev (Russian national) |
| First observed | 2019 (LockBit 1.0); LockBit 2.0 (2021); LockBit 3.0 / LockBit Black (2022) |
| Peak activity | 2022-2024: claimed over 2,000 victims in 2023 alone |
| Enforcement action | Operation Cronos, February 2024 — infrastructure seizure; Khoroshev sanctioned by US, UK, Australia |
| Post-Cronos status | Active. Affiliate network continues operations; LockBit 4.0 announced |
| Revenue model | 20% commission to LockBit; 80% to affiliates from ransom payments |
| Average ransom demand | Hundreds of thousands to tens of millions USD, depending on victim size |
LockBit’s dominance in the ransomware ecosystem between 2021 and 2024 was not based on superior technical sophistication. The encryption was fast. The affiliate programme was professionally managed. The brand was maintained with deliberate effort — Khoroshev ran LockBit more like a software company with a customer service ethos than a traditional criminal operation. Bug bounty programmes. Responsive support for affiliates. A reputation for actually providing decryptors when ransom was paid. That reputational investment is what made the brand resilient.
Evolution of the Platform
LockBit 1.0 (2019-2020)
Early LockBit was an unremarkable entry into the RaaS market. The initial variant, known internally as “ABCD ransomware” before rebranding, targeted Windows systems with standard encryption capabilities. Distribution was through underground criminal forums and relied on affiliates purchasing access to the builder and deploying it through their own intrusion operations.
LockBit 2.0 (2021)
The 2.0 release introduced StealBit: a custom data exfiltration tool that automated the theft of sensitive files before encryption, enabling the double extortion model. Stolen data was published on a dedicated leak site, “LockBit 2.0 Happy Blog,” to create pressure for ransom payment.
The 2.0 release also introduced lateral movement automation: the ability to spread across domain-joined Windows systems using Active Directory group policy update mechanisms, dramatically accelerating the time from initial access to domain-wide encryption. This capability closed the window for defenders to detect and contain an intrusion before ransomware deployment.
LockBit 3.0 / LockBit Black (2022)
The 3.0 variant was a substantial architectural overhaul. Source code from BlackMatter (a previously prominent RaaS operation) appears to have been incorporated. New capabilities included:
- Bring Your Own Vulnerable Driver (BYOVD) for EDR/AV bypass. LockBit 3.0 deploys a signed but vulnerable Windows driver and exploits it to disable endpoint security products before encryption.
- Anti-analysis protections including encryption of the binary that requires a command-line password at execution — preventing analysis by automated sandboxes.
- Extended affiliate features including a user-friendly affiliate panel with analytics, automated payment processing, and support infrastructure.
Post-Cronos Operations (2024-2026)
Operation Cronos disrupted the management infrastructure, but the LockBit builder and affiliate network were not fully neutralised. Leaked builder code from a 2022 breach had already allowed other actors to create LockBit variants independently. Following Cronos, activity attributed to LockBit affiliates continued under multiple designations, with LockBit-branded ransomware deployed in new intrusions within weeks of the takedown.
The announced LockBit 4.0 represents an attempt to reconstitute the official programme with enhanced operational security and new infrastructure.
The Affiliate Model: Why Takedowns Don’t Work as Expected
Understanding why LockBit survived its own takedown requires understanding the affiliate model clearly.
LockBit management: a small core team responsible for developing the ransomware software, maintaining the affiliate panel and leak site, and handling negotiations and decryptor management. Operation Cronos targeted this layer.
LockBit affiliates: dozens to hundreds of independent criminal operators who access the platform, conduct their own intrusions using their own techniques, deploy the LockBit payload, and conduct their own victim communications. The affiliates are the operational attack capacity. They use LockBit because it is a reliable, well-supported product. They are not employees.
When the management infrastructure was seized, affiliates lost access to their panels temporarily. They did not lose their access to victim networks, their skill in conducting intrusions, or their motivation. Many simply waited for new infrastructure or used backup platforms (RansomHub became a major beneficiary of LockBit affiliate migration post-Cronos).
This is the fundamental structural challenge in ransomware disruption: unless all active affiliates are arrested simultaneously, the attack capacity survives.
Technical Capabilities
Initial Access
LockBit affiliates use the full range of available initial access techniques. Documented vectors from confirmed LockBit attacks include:
- Exploitation of public-facing VPN and remote access appliances (Citrix Bleed, CVE-2023-4966, was actively exploited by LockBit affiliates)
- RDP brute force and credential stuffing against exposed RDP services
- Phishing for credential theft followed by VPN access
- Purchasing initial access from brokers on darknet forums
The diversity of initial access vectors reflects the affiliate model: different affiliates use different techniques. There is no single LockBit initial access signature.
Post-Compromise Tradecraft
Following initial access, documented affiliate patterns include:
- Cobalt Strike for C2 and lateral movement — the most consistently observed post-compromise tool
- Mimikatz for credential harvesting
- AnyDesk / TeamViewer for persistence alongside malware
- Active Directory reconnaissance using ADFind or BloodHound
- Group Policy Object abuse for lateral movement and payload distribution
- Volume Shadow Copy deletion (vssadmin delete shadows) to prevent recovery
BYOVD for EDR Bypass
LockBit 3.0’s BYOVD technique specifically targets endpoint security products. A legitimate but vulnerable Windows kernel driver is deployed and exploited to terminate EDR processes or disable kernel-level security callbacks. This technique defeats endpoint security products that lack specific protections against driver exploitation, which, unless specifically hardened, describes most of them.
Detection opportunity: BYOVD attacks require loading a vulnerable driver that is not in your normal baseline. Monitoring for kernel driver loads from unusual paths or with unexpected signatures provides detection coverage.
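The baseline-and-signer check described above, written out as an added example (this is illustrative detection logic, not code from the article or from any vendor product). It triages Sysmon-style DriverLoad records (Event ID 6) in a constructed flat `key=value|key=value` form: a driver is flagged when its hash is on a vulnerable-driver list, when it loads from outside the standard driver directories, or when it is new to the host baseline and signed by a publisher the fleet does not normally see. The baseline, trusted-signer list, sample events and the blocked-hash value are all constructed placeholders.

```python
"""Triage Sysmon-style DriverLoad (Event ID 6) records for BYOVD indicators.

Added example: the baseline, signer list, hashes and events below are
constructed for illustration, not taken from real telemetry.
"""
from __future__ import annotations

# Driver image paths seen on a known-clean host (constructed baseline; in practice
# generated from a golden image or a window of known-good telemetry).
BASELINE_DRIVERS = {
    "c:\\windows\\system32\\drivers\\tcpip.sys",
    "c:\\windows\\system32\\drivers\\ntfs.sys",
    "c:\\windows\\system32\\drivers\\ndis.sys",
}

# Publishers whose drivers are expected on this fleet (constructed allowlist).
TRUSTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Directories from which kernel driver loads are normal on Windows.
STANDARD_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# SHA-256 values of known-vulnerable drivers. Placeholder only: a real deployment
# would feed this from Microsoft's vulnerable driver blocklist or a similar list.
BLOCKED_HASHES = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}

# Constructed sample events in a flat pipe-separated form (not real Sysmon XML).
SAMPLE_EVENTS = [
    r"ImageLoaded=C:\Windows\System32\drivers\tcpip.sys|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid|Hashes=SHA256=1111",
    r"ImageLoaded=C:\Windows\System32\drivers\ntfs.sys|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid|Hashes=SHA256=2222",
    r"ImageLoaded=C:\Users\Public\drv\helper.sys|Signed=true|Signature=Example Hardware Vendor|SignatureStatus=Valid|Hashes=SHA256=3333",
    r"ImageLoaded=C:\Windows\Temp\tool.sys|Signed=true|Signature=Example Devices Inc|SignatureStatus=Valid|Hashes=SHA256=PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER",
    r"ImageLoaded=C:\Windows\System32\drivers\vendorx.sys|Signed=true|Signature=VendorX Ltd|SignatureStatus=Valid|Hashes=SHA256=5555",
]


def parse_event(line: str) -> dict[str, str]:
    """Split 'k=v|k=v' into a dict; values may themselves contain '='."""
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def sha256_of(fields: dict[str, str]) -> str | None:
    """Pull the SHA256 digest out of a Sysmon-style 'Hashes' field."""
    for entry in fields.get("Hashes", "").split(","):
        algo, _, digest = entry.partition("=")
        if algo == "SHA256":
            return digest
    return None


def assess(fields: dict[str, str]) -> list[str]:
    """Return the list of reasons this driver load deserves attention (empty = benign)."""
    reasons: list[str] = []
    path = fields.get("ImageLoaded", "").lower()
    signer = fields.get("Signature", "")
    status = fields.get("SignatureStatus", "")

    if sha256_of(fields) in BLOCKED_HASHES:
        reasons.append("hash matches known-vulnerable driver list")
    if not path.startswith(STANDARD_DRIVER_DIRS):
        reasons.append("loaded from a non-standard directory")
    if status != "Valid":
        reasons.append(f"signature status is {status!r}")
    if path not in BASELINE_DRIVERS and signer not in TRUSTED_SIGNERS:
        reasons.append(f"driver not in baseline and signed by unfamiliar publisher {signer!r}")
    return reasons


def triage(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (path, reasons) for every event that is not explained by the baseline."""
    flagged = []
    for line in lines:
        fields = parse_event(line)
        reasons = assess(fields)
        if reasons:
            flagged.append((fields.get("ImageLoaded", ""), reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS):
        print(path)
        for r in reasons:
            print("   -", r)
```

The order of the checks matters for tuning: the hash list catches only drivers someone has already catalogued, whereas the path and baseline checks catch a driver that is signed and valid but simply has no business on that host, which is exactly the profile of a BYOVD payload.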
Encryption
LockBit 3.0 uses AES for file encryption with RSA for key protection. Encryption is implemented to prioritise speed: large files are partially encrypted (intermittent encryption) to maximise the number of files affected per unit time rather than fully encrypting every file. This reduces the total encryption time for enterprise deployments while still rendering files unrecoverable.
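Intermittent encryption has a side effect for defenders: a file that is only partially encrypted keeps a whole-file entropy well below what a fully encrypted file shows, so a scanner that measures entropy over the whole file can miss it. The added example below (not code from the article, and not an implementation of LockBit's encryption) simulates the "encrypt a block, skip a larger block" pattern by overwriting segments of a constructed plaintext with random bytes, then shows that a chunk-wise entropy scan separates plain, partially encrypted and fully encrypted files where a single whole-file measurement does not. The chunk size, skip lengths and threshold are assumptions chosen for illustration.

```python
"""Chunk-wise entropy scan: why intermittent encryption defeats whole-file entropy checks.

Added example. Random bytes stand in for ciphertext; nothing here encrypts anything.
"""
import math
import os
from collections import Counter

CHUNK = 4096          # assumed scan granularity
HIGH_ENTROPY = 7.5    # bits/byte; a 4 KiB block of random data scores about 7.95


def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list[float]:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK, threshold: float = HIGH_ENTROPY) -> str:
    """'plain' if no chunk looks encrypted, 'full' if nearly all do, else 'partial'."""
    ents = chunk_entropies(data, chunk)
    high_fraction = sum(e >= threshold for e in ents) / len(ents)
    if high_fraction == 0:
        return "plain"
    if high_fraction >= 0.95:
        return "full"
    return "partial"


def simulate_intermittent(plain: bytes, encrypt_bytes: int = 4096, skip_bytes: int = 12288) -> bytes:
    """Simulate 'encrypt N bytes, skip M bytes' by replacing segments with random data.

    This is a stand-in for ciphertext so the entropy profile can be studied; it
    performs no encryption and the lengths are assumed, not LockBit's actual values.
    """
    out = bytearray(plain)
    pos = 0
    while pos < len(out):
        seg = min(encrypt_bytes, len(out) - pos)
        out[pos:pos + seg] = os.urandom(seg)
        pos += encrypt_bytes + skip_bytes
    return bytes(out)


# Constructed sample files: 64 KiB of repetitive business text, and its simulated variants.
PLAIN = (b"Quarterly revenue summary for finance review. " * 2000)[:65536]
PARTIAL = simulate_intermittent(PLAIN)
FULL = os.urandom(len(PLAIN))


def whole_file_verdict(data: bytes, threshold: float = HIGH_ENTROPY) -> bool:
    """What a naive whole-file entropy check would report (True = looks encrypted)."""
    return shannon_entropy(data) >= threshold


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("partial", PARTIAL), ("full", FULL)):
        print(f"{name:8s} whole-file={shannon_entropy(blob):.2f} "
              f"naive={'encrypted' if whole_file_verdict(blob) else 'clean'} "
              f"chunked={classify(blob)}")
```

The practical point is that a quarter of the file being overwritten is enough to make every affected document unusable, yet the whole-file measurement for that file still reads like ordinary data; only the per-chunk view catches it.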
StealBit Exfiltration
StealBit is automated, fast, and specifically designed to identify and prioritise high-value files. It targets file extensions and directory names associated with financial data, legal documents, intellectual property, and personally identifiable information. Exfiltration occurs to attacker-controlled cloud infrastructure before encryption begins.
Major Victims
The documented LockBit victim list represents a cross-sector, cross-geography impact profile:
- ICBC (Industrial and Commercial Bank of China) — November 2023. Disrupted US Treasury market operations.
- Boeing — October 2023. 43 GB of data published after Boeing declined to pay.
- Royal Mail — January 2023. Disrupted international parcel delivery for weeks.
- CDW — September 2023. IT services provider; 80 GB of data published.
- NHS dental contractor BUPA / multiple NHS trusts — ongoing healthcare targeting.
- Fulton County, Georgia — January 2024. Disrupted government services including court systems.
The targeting pattern confirms LockBit’s sector-agnostic approach: wherever affiliates can gain access, they deploy. Healthcare is disproportionately represented, consistent with the broader ransomware ecosystem’s exploitation of the sector’s historically weaker security posture and high operational continuity requirements.
Defensive Priorities
Patch VPN and remote access appliances immediately. LockBit affiliates exploit publicly disclosed VPN vulnerabilities at scale. Citrix ADC/Gateway, Fortinet, and Ivanti vulnerabilities have all been exploited by LockBit affiliates. Time from CVE publication to exploitation in LockBit attacks is measured in days, not weeks.
Enforce MFA on all remote access. RDP brute force and credential stuffing against unprotected remote access is a primary LockBit affiliate entry point. MFA enforcement closes this vector.
Deploy specific BYOVD protections. Microsoft’s Vulnerable Driver Blocklist, enabled through Windows Defender Application Control, blocks known-vulnerable drivers used in BYOVD attacks. This is not enabled by default. Enable it and maintain it.
Protect Volume Shadow Copies. VSS deletion is the last action before encryption. If VSS deletion attempts can be detected and blocked, recovery options survive the attack. Microsoft’s Protected Folders and VSS protection policies in backup software provide some coverage.
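The detection half of this advice, written out as an added example (illustrative logic, not code from the article or from any product). It scans constructed process-creation records for the `vssadmin delete shadows` action named earlier on this page, normalises case and whitespace so trivial variations do not slip past a literal string match, and downgrades the alert when the parent process is a known backup agent, which is the main legitimate source of shadow-copy deletion on a fleet. The record format, the parent allowlist and the sample events are assumptions.

```python
"""Flag shadow-copy deletion in process-creation telemetry, with parent-process tuning.

Added example: the event format, allowlist and sample records are constructed.
"""
from __future__ import annotations
import re

# Matches vssadmin invocations that delete shadow copies, tolerant of case and
# of the tokens being separated by any amount of whitespace.
VSS_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)

# Parent images that legitimately prune shadow copies (constructed allowlist;
# populate from your own backup tooling).
ALLOWED_PARENTS = {
    "c:\\program files\\examplebackup\\agent.exe",
}

# Constructed sample process-creation records in a flat 'k=v|k=v' form.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin list shadows|ParentImage=C:\Windows\System32\cmd.exe|User=CORP\jsmith",
    r"Image=C:\Windows\System32\vssadmin.exe|CommandLine=VSSADMIN.EXE   Delete    Shadows|ParentImage=C:\Users\Public\update.exe|User=CORP\jsmith",
    r"Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin delete shadows|ParentImage=C:\Program Files\ExampleBackup\agent.exe|User=NT AUTHORITY\SYSTEM",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -File C:\Scripts\inventory.ps1|ParentImage=C:\Windows\System32\svchost.exe|User=CORP\svc_inv",
]


def parse_event(line: str) -> dict[str, str]:
    """Split 'k=v|k=v' into a dict."""
    fields: dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def normalise(command_line: str) -> str:
    """Collapse whitespace and lower-case so cosmetic variation does not evade matching."""
    return re.sub(r"\s+", " ", command_line).strip().lower()


def is_shadow_deletion(command_line: str) -> bool:
    """True when the command line deletes volume shadow copies via vssadmin."""
    return VSS_DELETE_RE.search(normalise(command_line)) is not None


def detect(lines: list[str]) -> list[dict[str, str]]:
    """Return one alert per shadow-copy deletion; severity depends on the parent process."""
    alerts: list[dict[str, str]] = []
    for line in lines:
        fields = parse_event(line)
        cmd = fields.get("CommandLine", "")
        if not is_shadow_deletion(cmd):
            continue
        parent = fields.get("ParentImage", "").lower()
        severity = "info" if parent in ALLOWED_PARENTS else "high"
        alerts.append({
            "severity": severity,
            "user": fields.get("User", ""),
            "parent": fields.get("ParentImage", ""),
            "command": normalise(cmd),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']:4s}] {alert['user']} via {alert['parent']}: {alert['command']}")
```

Because the deletion is, as the text notes, the last step before encryption, a high-severity hit here is worth an automated response (isolate the host, block the parent executable) rather than a ticket; the allowlist keeps that response from firing on the backup agent's scheduled clean-up.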
Offline, tested backups. The only reliable recovery path from LockBit ransomware (absent paying) is clean offline backups not accessible from the compromised network. Test them. Regularly.