LockBit

LockBit is a ransomware gang that operates as a ransomware‑as‑a‑service (RaaS) platform. The group develops ransomware malware and provides it to affiliates who carry out the actual intrusions. Affiliates use the malware to encrypt victims’ data and demand payment for decryption keys. In addition to encryption, LockBit employs a double‑extortion tactic by threatening to publish stolen data on its leak site if the ransom is not paid. The group has claimed responsibility for numerous intrusions, including a July 2022 breach of the cybersecurity firm Entrust. Following the Entrust incident, LockBit posted the victim on its leak site and warned of releasing the data via peer‑to‑peer networks after a DDoS attack disrupted its infrastructure.

While specific size or revenue figures are not publicly disclosed, LockBit’s activity has been observed worldwide, affecting organizations across various industries and geographic regions. Numerous victims appear on the group’s leak site, indicating a broad reach and a pattern of targeting both large enterprises and smaller entities. Intelligence assessments consistently locate the group’s operational base in Russia, which is cited as its headquarters location. Distinguishing attributes of LockBit include its specialization in ransomware development, the affiliate‑driven RaaS model, and the rapid iteration of its malware (e.g., LockBit 2.0 and LockBit 3.0 variants). The group’s use of double extortion and its willingness to leverage peer‑to‑peer networks for data release set it apart from many other ransomware actors. No explicit information about a parent company, subsidiary structure, or formal ownership is available in the sources; LockBit functions as a loosely organized criminal collective. These characteristics collectively define LockBit as a prominent and evolving threat in the ransomware landscape.