Cyber Threat Actor: LockBit
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
199 incidents |
|---|
Profile
LockBit is a ransomware‑as‑a‑service operation that operates under several aliases including LockBit, LockBit 2.0 and LockBit 3.0 and is publicly linked to Russian‑speaking cybercriminals. The group functions as a criminal consortium where developers provide the ransomware platform and affiliates conduct the intrusions, sharing ransom proceeds according to a predefined split. This structure has allowed LockBit to persist despite law‑enforcement takedowns and to continuously update its malware with new features such as extended countdown timers and data‑destruction options.
LockBit’s victims span a wide range of industries and geographic regions, reflecting a financially motivated strategy that seeks monetary gain through encryption and double extortion. Publicly reported incidents show the group targeting banks in Senegal and the United States, healthcare providers in Maui and Australia, municipal governments in the United States and France, industrial manufacturers in Germany, pharmaceutical firms in California, telecommunications suppliers in Taiwan, and even sports associations in the Netherlands and South Korea. The consistent pattern is the demand for a ransom payment coupled with the threat to leak stolen data if the demand is not met, indicating that the primary objective is profit rather than espionage or pure disruption.
Technical details from the sources reveal that LockBit gains initial access through common vectors such as phishing emails with malicious links, compromised third‑party suppliers, and exposed remote desktop services. Once inside a network, the group deploys its ransomware to encrypt files while simultaneously exfiltrating sensitive data, which is then posted to a dark‑web leak site to increase pressure on the victim. The ransomware includes a countdown mechanism that can be extended for a fee, and affiliates sometimes offer services to delete or download the stolen data for additional payment, illustrating a modular extortion model built around the core malware.
Representative operations that illustrate LockBit’s activity include the ransomware attack on Banque de l’Habitat du Sénégal that compromised half a million client records and prompted a $1 million demand, the intrusion into Evolve Bank & Trust that led to the theft of extensive personal and financial data after an employee clicked a malicious link, the breach of the Community Clinic of Maui that exposed medical and personal information of over 120 000 individuals, and the supply‑chain compromise of a TSMC IT vendor that resulted in a claimed $70 million ransom demand. Other notable cases involve the locking of systems at the Royal Dutch Football Association, the South Korean National Tax Service, the Florida sheriff’s office, and the dental insurer MCNA, where nearly nine million individuals’ data were leaked after a $10 million ransom went unpaid. These examples demonstrate the group’s broad reach and its reliance on ransomware coupled with data leak threats to achieve financial objectives.
