Menu
Browse

Cyber Threat Actor: LockBit

Actor Type Location Known Incidents
 Icon
Crime Syndicate
Russia
1 incident
Profile

LockBit is also known by the alias ABCD and has been identified as operating from Russia according to multiple sources. The group functions as a ransomware‑as‑a‑service (RaaS) operation, offering affiliates a share of ransom payments in exchange for deploying its malware. This affiliation model has been described in several analyses that note the division of proceeds between developers and attackers. LockBit’s ties to other Russia‑linked ransomware cartels such as Conti, Black Basta, DarkSide, BlackMatter and BlackCat/ALPHV have been highlighted in reporting that maps its connections within the broader cybercrime ecosystem.

The primary objective observed in LockBit activity is financial gain through extortion, employing a double extortion tactic that first encrypts victim data and then threatens to publish stolen information if a ransom is not paid. Public statements from the group have included specific ransom demands, such as the $70 million request made against TSMC and the $10 million demand levied on MCNA after which 1.5 terabytes of data were leaked from BSI Bank. Initial access has been achieved through varied vectors, including a rogue Windows 7 PC in a manufacturing environment, phishing emails that impersonate trusted contacts, and the exploitation of unpatched vulnerabilities or insider assistance as noted in descriptions of attacks on contractors and aerospace suppliers. The group’s tooling consists of the LockBit ransomware family, notably version 3.0, which features a data leak site with countdown timers, options to extend the timeline, destroy data or obtain exclusive downloads, and payment mechanisms that accept Bitcoin or Monero.

LockBit has demonstrated a broad victim profile across sectors and geographies, reflecting opportunistic targeting rather than a narrow focus. Incidents have affected healthcare providers such as a Brazilian hospital group and a U.S. dental insurer that exposed the personal information of nearly nine million individuals, educational institutions including school districts in New Jersey and New York, government bodies like the South Korean National Tax Service and a Florida sheriff’s office, financial and technology firms exemplified by TSMC and Deutsche Bank, manufacturing companies in Italy and Peru, aerospace contractors supplying SpaceX, law‑enforcement agencies, and religious organizations such as Relentless Church in South Carolina. These examples illustrate the group’s capacity to strike organizations of varying size and sector while maintaining a consistent pattern of ransom‑driven data theft and leakage.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
126 sources