Cyber Threat Actor: LockBit
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
—
|
0 incidents |
|---|
Profile
The threat actor known by the alias ABCD originated in September 2019 as the original name of the ransomware operation that later rebranded to LockBit, then LockBit 2.0 and finally LockBit 3.0. It operates under a ransomware‑as‑a‑service model in which affiliates pay the core developers for access to the ransomware platform and receive up to three‑quarters of any ransom payment, while the developers retain the remainder. The group employs a double extortion tactic, encrypting victims’ data and threatening to publish stolen information on a public data leak site if the ransom is not paid, and it offers additional paid services such as extending the publication countdown, deleting all exfiltrated data, or granting exclusive download access to the stolen files, with payment accepted in Bitcoin or Monero.
Attribution and affiliations are described in the source material as being linked to Russia‑affiliated ransomware cartels, with the group’s leader nicknamed LockBitSupp reported to reside in Russia. The actor is also considered part of the malware family that includes LockerGoga and MegaCortex, and it has been associated with other prominent ransomware operations such as Conti, its successor Black Basta, DarkSide and its descendants BlackMatter and BlackCat/ALPHV. These connections are presented as observed associations rather than independent assessments of the group’s origin or structure.
Publicly reported operations illustrate the actor’s broad targeting across multiple sectors. The group has been linked to over 1,400 attacks against victims in the United States and elsewhere, having issued ransom demands exceeding $100 million and receiving more than $75 million in payments as of the latest reporting. Specific incidents include a ransomware attack on the Taiwanese semiconductor manufacturer TSMC that originated from a compromised third‑party supplier, Kinmax Technology, and a data breach at the Belgian‑based fencing company Zaun where approximately 10 GB of data was exfiltrated. The actor has claimed responsibility for the theft of 1.5 TB of data from Indonesia’s Bank Syariah Indonesia, the compromise of U.S. operations of the Japanese zipper manufacturer YKK, and the encryption of systems at the Italian firms STIM Group, Gruppo Mercurio, Metronotte Vigilanza, Comacchio, Errebielle, Tecnosysitalia, Lubrimetal and Bontà Viva. Additional victims cited in the sources comprise the South Korean National Tax Service, the Royal Dutch Football Association, the Dutch men’s and women’s national teams, various U.S. school districts, churches such as Relentless Church in South Carolina, and law‑enforcement entities including the Washington County Sheriff’s Office in Florida. Despite public statements that the group avoids targeting hospitals, it has nevertheless attacked medical institutions and, in some cases, provided free decryptors after the fact to appear benevolent.
The actor’s tactics, techniques and procedures described in the material include gaining initial access through phishing emails, compromised third‑party suppliers, unpatched vulnerabilities, insider assistance or specialized groups, and exploiting exposed Remote Desktop Protocol services. After establishing foothold, the ransomware encrypts files while the attackers exfiltrate data for leverage. The group also maintains a bug‑hunting platform related to its infrastructure, invests in cryptocurrency acquisition, and continuously updates its affiliate portal and monetization options. These details are drawn exclusively from the supplied articles and constitute the factual basis for this profile.
