Ransomware Group
LockBit
Also known as: LockBit 2.0, LockBit 3.0, LockBit Black, LockBit Green
Status: active • First seen 2019-09 • 2,000+ known victims
LockBit is like a criminal franchise. The main group creates the ransomware "product" and recruits affiliates to deploy it against victims. Affiliates get 60-80% of the ransom, while LockBit takes a cut. This model has made them extremely prolific: they've attacked hospitals, schools, manufacturers, and businesses of all sizes.
Overview
LockBit is one of the most prolific ransomware-as-a-service (RaaS) operations in history. Despite law enforcement disruptions in 2024, the group continues to operate and has claimed thousands of victims worldwide across all industries.
Target Industries
Healthcare, Manufacturing, Professional Services, Construction, Retail, Education, Government, Technology
How They Attack
- Phishing emails with malicious attachments
- Exploiting unpatched vulnerabilities (VPNs, RDP)
- Purchasing initial access from access brokers
- Brute-forcing weak credentials
- Living-off-the-land techniques using legitimate tools
Notable Victims
Boeing (2023), ICBC (2023), Royal Mail UK (2023), Fulton County, GA (2024), Multiple hospitals and school districts
How to Protect Against LockBit
1. Patch all public-facing systems immediately (VPNs, firewalls, email servers)
2. Enable MFA on all remote access (VPN, RDP, email)
3. Maintain offline backups (air-gapped or immutable)
4. Disable RDP if not needed; if needed, put it behind a VPN
5. Implement network segmentation
6. Deploy an EDR solution on all endpoints (CrowdStrike, SentinelOne, or Microsoft Defender for Business)
7. Train employees on phishing recognition
MITRE ATT&CK Techniques
Related Groups
Blackcat, Clop, Play, Black Basta, Akira