Cybercrime high Russia / Eastern Europe

LockBit

Ransomware-as-a-Service (RaaS) — Russian-speaking core · Financial — ransomware extortion

Reports 1

Active Since 2019

Last Reported 21 May 2026

Sectors Targeted healthcare, legal-professional, government

Tactics, Techniques & Procedures (TTPs)

RaaS affiliate model with high revenue share
RDP and VPN brute force for initial access
Credential stuffing against unpatched SSL-VPN devices
StealBit custom exfiltration tool for double extortion
EDR and security tool tampering
Fastest-benchmarked encryption speed across ransomware families

Known Targets

NHS-adjacent healthcare providersLaw firms and professional servicesManufacturing and logisticsLocal government bodiesFinancial servicesGlobal enterprises across 120+ countries

Analyst Notes

Operation Cronos (February 2024), led by the UK NCA with FBI and Europol, seized LockBit infrastructure and published decryption keys. Administrator Dmitry Khoroshev was indicted in May 2024. Affiliates rebuilt within weeks. LockBit remains one of the most active ransomware brands by victim count — a demonstration that RaaS infrastructure can survive significant law enforcement disruption.

Also Known As

LockBit 2.0LockBit 3.0 / LockBit BlackLockBit GreenABCD ransomware (predecessor)

MITRE ATT&CK Techniques

T1486 Data Encrypted for Impact T1490 Inhibit System Recovery T1110 Brute Force T1562.001 Impair Defenses: Disable or Modify Tools T1041 Exfiltration Over C2 Channel

Intelligence Reports

Briefing healthcarelegal-professional

LockBit Resurgence: Affiliate Network Active Across UK Healthcare and Professional Services

Despite Operation Cronos and the February 2024 infrastructure seizure, LockBit-affiliated actors continue to operate under the LockBit 3.0 and successor infrastructure. UK healthcare and professional services organisations have been among the most recent confirmed victims.

21 May 2026 · 5 min read