LockBit stands as the most prolific and consequential Ransomware-as-a-Service (RaaS) operation documented between 2022 and 2024. At its peak, the operation accounted for an estimated 44% of all global ransomware incidents, maintained over 100 active affiliates, and extorted hundreds of millions of dollars from victims spanning every major industry vertical across more than 120 countries. Its affiliate-centric business model, technically sophisticated locker payload, and aggressive public brand management set the template that subsequent ransomware operations have sought to emulate. The multinational law enforcement action Operation Cronos, executed in February 2024, achieved the most significant disruption of a ransomware operation to date—seizing infrastructure, unmasking the operation's administrator, and exposing the internal affiliate database. However, LockBit has demonstrated persistent attempts at recovery, and the group's technical artifacts, operational playbooks, and displaced affiliates continue to shape the broader ransomware ecosystem. This report provides a comprehensive threat intelligence profile of the LockBit operation: its origins, organizational structure, technical capabilities, infrastructure design, victimology, and current status as of early 2025.
History and Evolution
LockBit 1.0: Origins (September 2019 – June 2021)
LockBit first appeared on Russian-language cybercriminal forums in September 2019, initially operating under the name "ABCD" ransomware—a reference to the .abcd file extension appended to encrypted files. The operation was the work of a developer using the alias "LockBitSupp," who positioned the project as a technically superior alternative to the dominant RaaS platforms of the era, particularly Maze and REvil. Early versions of the locker were written in C and targeted Windows environments exclusively, encrypting files with a combination of AES and RSA and delivering ransom notes directing victims to a Tor-based negotiation portal.
During this initial phase, LockBit distinguished itself through speed. The developer made performance a core selling point on forum advertisements, claiming encryption rates that substantially outpaced competitors. Independent testing by security researchers largely validated these claims: LockBit 1.0 could encrypt a standard enterprise workstation in approximately four minutes, roughly three times faster than Ryuk and twice as fast as REvil at the time. This speed advantage became a central element of the LockBit brand and a key recruitment tool for attracting affiliates who valued rapid operational execution to minimize detection windows.
The affiliate program during this period was relatively modest, with an estimated 20–30 active affiliates operating primarily across the CIS-adjacent cybercriminal ecosystem. Targeting was broadly opportunistic, with no clear sector or geographic specialization. The operation generated limited media attention, overshadowed by higher-profile groups such as Maze (which popularized the double extortion model) and REvil (which dominated headlines with high-profile supply chain attacks).
LockBit 2.0: Rapid Ascent (June 2021 – June 2022)
The release of LockBit 2.0 in June 2021 marked the operation's transformation from a mid-tier RaaS provider to the dominant force in the ransomware ecosystem. The updated locker introduced several technical innovations that would prove decisive: automated Active Directory Group Policy propagation (enabling self-spreading across domain-joined networks), a streamlined wallpaper-based ransom notification system, and the introduction of StealBit—a custom-built data exfiltration utility that automated the process of identifying and extracting sensitive files prior to encryption.
LockBit 2.0 also introduced significant operational improvements to the affiliate program. The operation launched a dedicated data leak site (DLS) with a professional design and a public-facing timer that counted down to data publication, creating psychological pressure on victims to negotiate. LockBitSupp actively cultivated a public persona, posting prolifically on XSS and Exploit forums, engaging in public feuds with competing RaaS operations, and offering a $1 million bug bounty for anyone who could identify his real identity—a move designed to project confidence and attract attention.
The affiliate recruitment drive during this period was aggressive and highly effective. By early 2022, Dark Angel estimates that LockBit had onboarded 70–80 active affiliates, many of them experienced operators migrating from the recently disbanded Conti operation and the law enforcement-disrupted REvil. The operation's 80/20 affiliate-developer revenue split (80% to the affiliate, 20% to LockBit) was competitive, and the platform's reliability and encryption speed made it the preferred choice for high-volume affiliates.
LockBit 3.0 / LockBit Black: Technical Apex (June 2022 – February 2024)
LockBit 3.0, internally designated "LockBit Black," was released in June 2022 and represented the operation's most technically advanced payload. The locker underwent a substantial architectural overhaul, incorporating anti-analysis features borrowed from the BlackMatter ransomware (itself a successor to DarkSide). Key technical changes included execution gating through a command-line password parameter (preventing automated sandbox analysis), API resolution through hash-based function lookups (complicating static analysis), and enhanced string encryption throughout the binary.
The LockBit 3.0 payload supported multiple encryption modes configurable at build time: full file encryption, partial encryption of file headers only, and intermittent encryption (encrypting fixed-size blocks at configurable intervals throughout each file). The intermittent encryption mode, which became the default configuration for most affiliates, achieved extraordinary speeds—encrypting 100 GB of mixed file types in under 6 minutes on commodity enterprise hardware—while rendering files unrecoverable without the decryption key. The encryption scheme used AES-256 in CTR mode for file content, with per-file AES keys encrypted using a session RSA-2048 public key embedded at build time.
In September 2022, a disgruntled LockBit developer leaked the complete LockBit 3.0 builder source code. This leak had far-reaching consequences: dozens of unaffiliated threat actors adopted the LockBit builder to create their own ransomware payloads, leading to a proliferation of LockBit-derivative attacks that complicated attribution and inflated incident counts. Groups including the Bl00dy ransomware gang and multiple unattributed actors deployed LockBit 3.0-based payloads without any formal affiliation with the LockBit RaaS platform.
Concurrently, LockBitSupp expanded platform capabilities to include a Linux/ESXi variant (written in C and targeting VMware virtual machine disk files), a macOS proof-of-concept build (never deployed operationally, likely developed as a marketing exercise), and an enhanced affiliate panel with automated victim communication templates, negotiation tracking, and cryptocurrency payment processing. The operation also launched "LockBit Green," a variant based on source code from the defunct Conti ransomware operation, targeting organizations where Conti-derived payloads might evade LockBit-specific detection signatures.
Operation Cronos: Law Enforcement Disruption
The Takedown (February 19–20, 2024)
Operation Cronos was a multinational law enforcement operation coordinated by the UK's National Crime Agency (NCA) and supported by Europol, the FBI, and agencies from 11 countries including France, Germany, Japan, Australia, Canada, and Sweden. Executed on February 19–20, 2024, the operation targeted LockBit's core infrastructure and achieved the most comprehensive disruption of a ransomware operation in the history of coordinated cybercrime enforcement.
The operational achievements were substantial. Law enforcement seized 34 servers across multiple jurisdictions, including the primary administration panel used by affiliates, the public-facing data leak site, and multiple backup infrastructure nodes. Over 200 cryptocurrency wallets linked to LockBit ransom payments were frozen. Critically, investigators obtained the complete LockBit backend database, which contained affiliate registration details, victim negotiation logs, payment records, and—most significantly for ongoing investigations—the association between affiliate identifiers and the specific attacks they conducted. Approximately 2,500 decryption keys were recovered, enabling law enforcement to offer decryption assistance to past victims.
Two individuals were arrested in connection with the operation: a Polish national and a Ukrainian national, both alleged to be LockBit affiliates. Indictments were also unsealed against Russian nationals Artur Sungatov and Ivan Kondratyev (the latter operating under the alias "Bassterlord," a well-known affiliate who had previously published tutorials on conducting ransomware intrusions).
The Unmasking of LockBitSupp
In a move designed to maximize psychological impact, the NCA repurposed LockBit's own data leak site to publish a series of reveals in the days following the takedown. The operation's infrastructure was used to display countdown timers—mimicking LockBit's own victim-shaming tactics—leading to the public identification of LockBitSupp as Dmitry Yuryevich Khoroshev, a 31-year-old Russian national from Voronezh. The US Department of Justice unsealed an indictment against Khoroshev, and the US Department of the Treasury's OFAC designated him under Executive Order 13694, making it potentially unlawful for US persons and entities to pay ransoms to LockBit. A reward of up to $10 million was offered for information leading to Khoroshev's arrest.
LockBitSupp publicly denied the identification, claiming on a newly established Tor site that law enforcement had named the wrong individual. However, the breadth of corroborating evidence presented—spanning cryptocurrency tracing, infrastructure registration data, and forum account correlation—lent high confidence to the attribution among the threat intelligence community.
Post-Disruption Recovery Attempts
LockBitSupp's response to Operation Cronos was rapid but ultimately reflected diminished capability. Within five days of the takedown, LockBitSupp published a lengthy statement on a new .onion domain, attributing the compromise to a failure to patch a critical PHP vulnerability (CVE-2023-3824) on the operation's servers. The statement framed the disruption as a temporary setback, claimed that backup infrastructure and affiliate relationships remained intact, and announced plans for enhanced operational security measures.
A new data leak site was launched, and the group resumed posting purported victims within the first week. However, Dark Angel's analysis of post-Cronos leak site activity reveals that the recovery was largely performative. A significant proportion of posted "victims" were recycled from pre-Cronos data, re-posted entries from other ransomware operations, or organizations whose compromise could not be independently verified. Verified new victim postings declined by approximately 73% in the six months following Operation Cronos compared to the equivalent pre-disruption period.
“Operation Cronos did not merely disrupt LockBit's infrastructure—it fundamentally damaged the trust economy that sustains affiliate-based ransomware operations. The exposure of the affiliate database demonstrated that RaaS operators cannot guarantee operational security to their partners.”
Dark Angel Threat Intelligence Team, Assessment, September 2024
Organizational Structure and Affiliate Model
The Developer-Affiliate Relationship
LockBit operated under a pure RaaS model in which the core development team (led by LockBitSupp) maintained the ransomware payload, infrastructure, and affiliate panel, while independent affiliates conducted the actual intrusions, data exfiltration, and ransomware deployment. This division of labor was fundamental to LockBit's scalability: the core team never needed to conduct intrusions directly, instead scaling horizontally by onboarding additional affiliate operators who brought their own access, tooling, and operational tradecraft.
The affiliate panel was a web-based application accessible via Tor that provided affiliates with a comprehensive operational toolkit. Affiliates could generate custom locker builds with configurable parameters (encryption mode, exclusion lists, ransom note content, embedded public key), monitor active campaigns, manage victim negotiations through an integrated chat interface, and track cryptocurrency payments. The panel also provided operational statistics—encryption speed benchmarks, victim response rates, and payment conversion ratios—that allowed affiliates to optimize their operations.
Recruitment and Vetting
Affiliate recruitment was conducted primarily on the RAMP and XSS Russian-language cybercriminal forums, with LockBitSupp maintaining a prominent and active presence on both platforms. Prospective affiliates were required to demonstrate prior experience with ransomware operations or network intrusion, typically by providing references from established forum members or evidence of past successful operations. LockBitSupp imposed a financial deposit requirement of 1–2 BTC (approximately $30,000–$60,000 at 2023 values) to screen out low-capability actors and law enforcement infiltrators.
The vetting process, while more rigorous than many competing operations, was not impervious. The diversity of affiliate skill levels was evident in the wide variance of TTP sophistication observed across LockBit incidents: some affiliates demonstrated advanced persistent threat (APT)-level tradecraft, while others relied on commodity tools and opportunistic initial access purchased from access brokers.
Revenue Model
LockBit's standard revenue split allocated 80% of ransom payments to the affiliate and 20% to the core development team. This split was competitive within the RaaS market and remained consistent throughout the operation's lifespan. For high-performing affiliates who generated substantial revenue, LockBitSupp reportedly offered preferential terms, including reduced developer shares and priority access to new payload variants and features.
At its operational peak in 2023, Dark Angel estimates that the LockBit operation generated between $90 million and $120 million in annual ransom revenue (based on cryptocurrency tracing, victim reporting, and negotiation data extracted from the backend database following Operation Cronos). This figure encompasses only confirmed payments and likely understates total revenue due to unreported payments and the use of privacy-enhancing cryptocurrency mixing services.
Post-Cronos analysis of the backend database revealed that LockBit had processed over 7,000 negotiation sessions between June 2022 and February 2024. Of these, approximately 16% resulted in confirmed ransom payments, with a mean payment amount of $530,000 and a median of $215,000. The disparity between mean and median reflects the impact of several multi-million-dollar payments from large enterprise victims.
Technical Analysis: Tactics, Techniques, and Procedures
Initial Access
LockBit affiliates employed a broad and evolving range of initial access techniques, reflecting the diversity of the affiliate base. Dark Angel's analysis of 280 confirmed LockBit incidents identifies four primary initial access vectors.
Exploitation of public-facing applications constituted the single largest vector, accounting for approximately 35% of observed incidents. The most frequently exploited vulnerability was CVE-2023-4966 (Citrix Bleed), which enabled session hijacking on Citrix NetScaler ADC and Gateway appliances and was heavily exploited by LockBit affiliates throughout Q4 2023 and into early 2024. Additional commonly exploited CVEs included FortiOS vulnerabilities (CVE-2022-42475, CVE-2024-21762), F5 BIG-IP (CVE-2023-46747), and Ivanti Connect Secure (CVE-2024-21887). Affiliates maintained watch lists of newly disclosed vulnerabilities affecting perimeter devices and routinely began exploitation within 48 hours of proof-of-concept publication.
Remote Desktop Protocol (RDP) brute-force and credential stuffing accounted for approximately 25% of incidents. Affiliates used tools such as NLBrute, Masscan, and custom scripts to identify internet-exposed RDP services and conduct credential attacks. Compromised RDP credentials were also frequently purchased from initial access brokers (IABs) on RAMP and Genesis Market (before its takedown), with average prices for corporate RDP access ranging from $500 to $3,000 depending on organization size and industry.
Phishing campaigns represented approximately 20% of initial access events. LockBit affiliates deployed both traditional spearphishing campaigns (delivering malicious documents, ISO containers, and HTML smuggling payloads) and callback phishing ("BazarCall"-style) operations in which victims were induced to call a fake support number and install remote access software. Some affiliates partnered with botnet operators to purchase existing footholds established through Emotet, Qakbot (pre-takedown), or Pikabot malware distribution campaigns.
Access brokers provided the remaining approximately 20% of initial access. LockBit affiliates were among the most active buyers on IAB marketplaces, purchasing VPN credentials, webshell access, and compromised Citrix/RDP sessions. The LockBit affiliate panel included functionality for affiliates to register their intended targets, reducing the risk of multiple affiliates simultaneously attacking the same organization.
Execution and Lateral Movement
Once initial access was established, LockBit affiliates typically followed a well-documented playbook for establishing persistence, escalating privileges, and moving laterally within the victim network. The median dwell time for LockBit operations was approximately 6 days, though this varied significantly based on affiliate capability and network complexity.
Post-exploitation frameworks were deployed as the primary command-and-control mechanism. Cobalt Strike remained the most commonly observed framework across LockBit incidents (present in approximately 60% of cases), though Dark Angel documented increasing adoption of Brute Ratel C4, Sliver, and Havoc Framework among more sophisticated affiliates seeking to evade Cobalt Strike-focused EDR detections. SystemBC, a proxy-capable backdoor, was frequently used as a secondary C2 channel.
Lateral movement relied heavily on living-off-the-land binaries (LOLBins) and legitimate administrative tools. PsExec (both the Sysinternals version and the custom LockBit-integrated variant) was used to execute payloads across domain-joined systems. RDP with harvested credentials facilitated interactive access to high-value targets such as domain controllers, file servers, and backup infrastructure. Windows Management Instrumentation (WMI) and PowerShell remoting provided additional execution pathways. Credential harvesting tools—predominantly Mimikatz, but also Rubeus for Kerberos attacks and SharpHound/BloodHound for Active Directory reconnaissance—were deployed in the majority of incidents to obtain domain administrator credentials.
Affiliates consistently targeted Active Directory infrastructure as a priority. Obtaining Domain Admin credentials enabled group policy-based deployment of the ransomware locker across the entire domain, maximizing encryption coverage while minimizing the operational window during which detection was possible.
Data Exfiltration
Double extortion was the standard operational model for LockBit operations from version 2.0 onward. Data exfiltration typically occurred 24–72 hours before ransomware deployment and employed three primary tooling approaches.
StealBit, LockBit's custom-developed exfiltration utility, was the operation's signature tool. StealBit automated the process of crawling targeted file systems, identifying files matching configurable criteria (file types, directory names, size thresholds), and uploading them to LockBit-controlled infrastructure. The tool supported multiple exfiltration protocols and was designed to operate with minimal system impact to avoid detection. StealBit communicated with a network of rotating upload servers maintained by the LockBit infrastructure team.
Rclone, the legitimate open-source cloud storage synchronization tool, was the most commonly observed alternative exfiltration method. Affiliates configured Rclone to synchronize targeted directories to Mega.nz accounts, attacker-controlled cloud storage, or dedicated exfiltration servers. Rclone's legitimate use in enterprise environments provided a degree of evasion against tools that relied on binary reputation scoring.
MEGAsync, the official Mega.nz desktop synchronization client, was used in approximately 15% of observed incidents as a straightforward means of uploading stolen data to cloud storage. Some affiliates also employed WinSCP, FileZilla, or curl-based scripts for exfiltration to attacker-controlled FTP or HTTP upload servers.
Encryption
The LockBit 3.0 locker was engineered for maximum encryption speed and operational resilience. The encryption pipeline operated as follows: upon execution, the locker generated a unique AES-256 session key and encrypted it with the RSA-2048 public key embedded at build time. Each file was then encrypted using AES-256 in CTR mode with a per-file initialization vector derived from the session key and file metadata. The encrypted session key and file recovery metadata were appended to each encrypted file.
Three encryption modes were available to affiliates through the build configuration panel:
- Full encryption: The entire file was encrypted end-to-end. Most secure but slowest.
- Partial encryption: Only the first 4 KB of each file was encrypted, corrupting file headers and rendering files unusable while maximizing speed.
- Intermittent encryption: Fixed-size blocks (typically 4 KB) were encrypted at regular intervals (typically every 16 KB) throughout the file. This was the default and most commonly deployed mode, achieving near-full-encryption security guarantees at dramatically higher speeds.
The locker was multi-threaded, utilizing all available CPU cores to parallelize encryption across files and directories simultaneously. Self-propagation mechanisms enabled network-wide deployment: the locker could distribute itself via Group Policy Object (GPO) modification, PsExec-based remote execution, or SMB lateral copy. Prior to encrypting, the locker terminated processes and services that might hold file locks (including database services, backup agents, and security tools), deleted Volume Shadow Copies via vssadmin delete shadows /all /quiet, and cleared Windows Event Logs to impede forensic analysis.
Encrypted files received configurable extensions (the default for LockBit 3.0 was a random 9-character alphanumeric string unique to each build). A ransom note was dropped in each encrypted directory and a wallpaper change directed users to the Tor-based negotiation portal.
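The three encryption modes leave distinguishable footprints in per-block entropy, which is how an incident responder can tell from a recovered file which mode a build used (and, for partial mode, how much of the file survives). The following triage script is an added example and is not code from the report or from LockBit. It uses the 4 KB block and 16 KB interval the report gives and assumes intermittent mode begins at offset 0; the 7.5 bits/byte threshold is an assumption (ciphertext and random data sit near 8, document formats and text sit well below). The `simulate_layout` helper only overwrites blocks with PRNG bytes to build constructed test inputs; it performs no encryption.

```python
"""Per-block entropy triage for files touched by a LockBit-style locker.

Added example (not code from the report or from LockBit). Block size and
interval are the values the report gives; the threshold and the offset-0
assumption for intermittent mode are this example's own.
"""
import math
import random
from collections import Counter

BLOCK = 4096        # block size the report gives for partial/intermittent modes
INTERVAL = 16384    # interval the report gives for intermittent mode
HIGH_ENTROPY = 7.5  # assumed threshold: blocks at/above this look like ciphertext


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block: int = BLOCK) -> list:
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def classify_layout(data: bytes, block: int = BLOCK, interval: int = INTERVAL,
                    threshold: float = HIGH_ENTROPY) -> str:
    """Map the pattern of high-entropy blocks onto the modes the report names.

    Returns "empty", "plaintext", "full", "partial", "intermittent", or
    "mixed" (high-entropy blocks matching none of the patterns, e.g. a
    plaintext file with an embedded compressed section).
    """
    high = [e >= threshold for e in block_entropies(data, block)]
    if not high:
        return "empty"
    hot = [i for i, h in enumerate(high) if h]
    if not hot:
        return "plaintext"
    if len(hot) == len(high):
        return "full"
    if hot == [0]:
        return "partial"            # only the first 4 KB (file header) encrypted
    stride = interval // block      # 16 KB / 4 KB -> every 4th block
    if hot == list(range(0, len(high), stride)):
        return "intermittent"
    return "mixed"


def simulate_layout(plain: bytes, mode: str, seed: int = 1) -> bytes:
    """Constructed test input: overwrite the blocks a mode would touch with
    PRNG bytes so the classifier sees realistic high-entropy blocks. No
    cipher is involved; this exists only to exercise classify_layout."""
    rng = random.Random(seed)
    out = bytearray(plain)
    stride = INTERVAL // BLOCK
    for idx in range(0, len(out), BLOCK):
        blk = idx // BLOCK
        if mode == "full" or (mode == "partial" and blk == 0) or \
           (mode == "intermittent" and blk % stride == 0):
            end = min(idx + BLOCK, len(out))
            out[idx:end] = rng.randbytes(end - idx)
    return bytes(out)


# Constructed low-entropy "document": 64 KB of repeated English text.
SAMPLE_PLAINTEXT = (b"Quarterly report: revenue, headcount and risk register. " * 2000)[:65536]

if __name__ == "__main__":
    for mode in ("plaintext", "partial", "intermittent", "full"):
        data = SAMPLE_PLAINTEXT if mode == "plaintext" else simulate_layout(SAMPLE_PLAINTEXT, mode)
        print(f"{mode:12s} -> {classify_layout(data)}")
```

On real evidence, run `classify_layout` over the bytes of a sample of encrypted files rather than a single one: a build that used partial mode leaves everything past the first 4 KB intact, which matters for carving, while an intermittent-mode result tells the responder that roughly three quarters of each file is plaintext but no file is usable without the key.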
MITRE ATT&CK Mapping
The following MITRE ATT&CK techniques represent the most consistently observed TTPs across LockBit operations tracked by Dark Angel. This mapping is derived from incident response data, malware reverse engineering, and infrastructure intelligence spanning LockBit 2.0 and 3.0 campaigns.
T1566 — Phishing: LockBit affiliates deployed spearphishing attachments and callback phishing campaigns to establish initial footholds. Observed payloads evolved from macro-laden Office documents to ISO/IMG containers, OneNote files with embedded scripts, and HTML smuggling. Several affiliates partnered with botnet operators (Emotet, Pikabot) to leverage pre-established infections as initial access vectors.
T1190 — Exploit Public-Facing Application: The exploitation of perimeter devices represented the highest-volume initial access vector. CVE-2023-4966 (Citrix Bleed) was the most heavily exploited vulnerability across the LockBit affiliate base, enabling session token theft and authenticated access to internal networks without credential compromise. Rapid weaponization of new CVEs affecting VPN/gateway appliances was a hallmark of the operation.
T1078 — Valid Accounts: Compromised credentials obtained from infostealer logs (Raccoon, Lumma, RedLine), IAB purchases, and credential-stuffing attacks provided authenticated access that bypassed perimeter defenses. MFA bypass through session token theft, MFA fatigue, and AiTM proxy kits was documented in approximately 20% of MFA-protected environments.
T1059 — Command and Scripting Interpreter: PowerShell was the dominant execution engine, used to disable Windows Defender (Set-MpPreference -DisableRealtimeMonitoring $true), execute encoded payloads, and invoke credential harvesting tools. Batch scripts orchestrated pre-encryption preparation tasks including service termination and shadow copy deletion.
T1021 — Remote Services: RDP and SMB were the primary lateral movement protocols. PsExec facilitated remote execution across domain-joined systems, while WMI and PowerShell remoting provided additional pathways. Affiliates routinely enabled RDP on systems where it was disabled and created local administrator accounts to ensure persistent lateral access.
T1486 — Data Encrypted for Impact: The core LockBit objective. The locker combined AES-256 and RSA-2048 encryption, with intermittent mode as the default, and was multi-threaded for speed. It self-propagated via GPO and PsExec, and shadow copy deletion and service termination preceded encryption to maximize impact and prevent recovery.
T1048 — Exfiltration Over Alternative Protocol: StealBit, Rclone, and MEGAsync were the primary exfiltration tools. Data was staged in C:\ProgramData or C:\Windows\Temp before upload. Exfiltration typically preceded encryption by 24–72 hours, providing the double extortion leverage regardless of whether the victim could recover from encryption.
T1070 — Indicator Removal: LockBit 3.0 included built-in log clearing functionality, deleting Windows Event Logs (System, Security, Application) and clearing recent file artifacts. The locker could also self-delete after execution, and some affiliates deployed dedicated cleanup scripts to remove forensic artifacts from compromised hosts.
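The pre-encryption sequence described under Encryption and in the mapping above (shadow copy deletion, Defender tampering, PsExec fan-out, Rclone or MEGAsync upload from a staging directory) is most valuable to a detection team as a correlated set rather than as isolated signatures. The script below is an added example, not code from the report or from any vendor: it runs command-line rules mapped to the technique IDs the report lists over constructed process-creation events in a Sysmon Event ID 1-like shape, and escalates a host when two or more distinct techniques land within a window. The field names, the sample command lines and the 30-minute window are assumptions.

```python
"""Process-creation detections for the LockBit pre-encryption playbook.

Added example (not code from the report). Rules are mapped to the technique
IDs in the report's ATT&CK section; events, field names and the correlation
window are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (technique id from the report's mapping, analyst label, command-line pattern)
RULES = [
    ("T1486", "shadow copy deletion ahead of encryption",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)),
    ("T1059", "Defender real-time monitoring disabled via PowerShell",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("T1021", "PsExec remote execution",
     re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I)),
    ("T1048", "Rclone transfer to a Mega remote",
     re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b.*\bmega", re.I)),
    ("T1048", "MEGAsync client launched",
     re.compile(r"\bmegasync(\.exe)?\b", re.I)),
]
# Staging paths the report names; annotates exfiltration hits rather than alerting alone
STAGING_DIR = re.compile(r"C:\\(ProgramData|Windows\\Temp)\\", re.I)


def match_rules(event):
    """Return one hit per rule whose pattern matches the event's command line."""
    hits = []
    for technique, label, pattern in RULES:
        if pattern.search(event["cmdline"]):
            if technique == "T1048" and STAGING_DIR.search(event["cmdline"]):
                label += " (reads from a known staging directory)"
            hits.append({"ts": datetime.fromisoformat(event["ts"]), "host": event["host"],
                         "user": event["user"], "technique": technique, "label": label,
                         "cmdline": event["cmdline"]})
    return hits


def correlate(hits, window=timedelta(minutes=30), min_techniques=2):
    """Escalate a host once hits covering >= min_techniques distinct techniques
    fall inside `window`: a lone PsExec or vssadmin call is routine admin
    noise, the combination is the pre-encryption sequence the report describes."""
    by_host = defaultdict(list)
    for hit in hits:
        by_host[hit["host"]].append(hit)
    escalations = []
    for host, host_hits in by_host.items():
        host_hits.sort(key=lambda h: h["ts"])
        for i, first in enumerate(host_hits):
            in_window = [h for h in host_hits[i:] if h["ts"] - first["ts"] <= window]
            techniques = sorted({h["technique"] for h in in_window})
            if len(techniques) >= min_techniques:
                escalations.append({"host": host, "start": first["ts"], "techniques": techniques})
                break  # one escalation per host is enough to open a case
    return escalations


def analyze(events):
    hits = [hit for event in events for hit in match_rules(event)]
    return {"hits": hits, "escalations": correlate(hits)}


# Constructed sample events (not real telemetry): one host shows the full
# sequence, one shows an isolated PsExec, two are benign lookalikes.
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T02:10:05", "host": "FS01", "user": r"CORP\svc_backup",
     "cmdline": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-01-15T02:11:40", "host": "FS01", "user": r"CORP\svc_backup",
     "cmdline": r"powershell.exe -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2024-01-15T02:14:12", "host": "FS01", "user": r"CORP\svc_backup",
     "cmdline": r"rclone.exe copy C:\ProgramData\stage mega:finance --transfers 8"},
    {"ts": "2024-01-15T09:30:00", "host": "WS22", "user": r"CORP\jdoe",
     "cmdline": r"C:\Program Files\WinRAR\WinRAR.exe x C:\Users\jdoe\Downloads\archive.rar"},
    {"ts": "2024-01-15T11:02:10", "host": "DC01", "user": r"CORP\itadmin",
     "cmdline": r"psexec.exe \\FS02 -s cmd /c whoami"},
    {"ts": "2024-01-15T23:00:00", "host": "FS01", "user": r"CORP\svc_backup",
     "cmdline": r"C:\Windows\System32\vssadmin.exe list shadows"},  # routine backup job, no hit
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for hit in result["hits"]:
        print(f"{hit['ts']} {hit['host']:5s} {hit['technique']} {hit['label']}")
    for esc in result["escalations"]:
        print(f"ESCALATE {esc['host']} from {esc['start']}: {', '.join(esc['techniques'])}")
```

The per-rule hits are deliberately kept as individual records so that a single `psexec` from an administrator's workstation stays a low-severity event, while the FS01 sequence (shadow copies deleted, Defender disabled, Rclone reading from C:\ProgramData, all inside four minutes) is escalated as one case; the report's 24–72 hour gap between exfiltration and encryption means the exfiltration hit alone is often the earliest actionable signal.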
Infrastructure Analysis
LockBit maintained one of the most sophisticated infrastructure architectures in the ransomware ecosystem, reflecting the maturity of the operation and the technical capability of the core development team.
Leak Site and Negotiation Portals
The primary data leak site operated as a Tor hidden service (.onion domain) and served as LockBit's public-facing brand. The site listed victim organizations with countdown timers, published stolen data upon timer expiration, and included a search function that enabled visitors to search published datasets by keyword. At its peak, the LockBit DLS received an estimated 400,000 monthly visits, making it the most trafficked ransomware leak site in operation.
Victim negotiation was conducted through a separate Tor-based portal, accessible via a unique URL embedded in the ransom note. The negotiation interface provided a chat-based communication channel between the victim (or their incident response consultants) and the LockBit team. Negotiations were typically handled by the affiliate who conducted the intrusion, though LockBitSupp and the core team could intervene in high-value cases.
Decentralized Resilience Model
A defining feature of LockBit's infrastructure was its degree of decentralization and redundancy. The operation maintained multiple mirror sites, backup panels, and geographically distributed hosting across bulletproof hosting providers. This architecture was designed to ensure continuity in the event of server seizures or DDoS attacks (the latter being a known risk, as competing ransomware operations and disgruntled victims occasionally targeted leak sites).
Despite this redundancy, Operation Cronos demonstrated that centralized components—particularly the affiliate administration panel and the backend database—remained single points of failure. The post-Cronos infrastructure, while functional, operates on a substantially reduced scale, with fewer mirror sites and diminished reliability reported by remaining affiliates on underground forums.
Victim Analysis
Dark Angel's tracking of LockBit data leak site postings and corroborated incident data provides a comprehensive view of the operation's victimology across its full lifespan.
| Sector | % of Victims | Notable Characteristics |
|---|---|---|
| Manufacturing | 19% | OT dependencies amplify downtime impact; intellectual property exposure |
| Professional Services | 14% | Law firms, consultancies; client data sensitivity drives payment |
| Healthcare | 11% | Patient safety urgency; regulatory exposure; HIPAA breach implications |
| Technology | 10% | MSPs targeted for downstream access; source code theft |
| Construction & Real Estate | 9% | Project deadline pressure; typically lower security maturity |
| Financial Services | 8% | Regulatory reporting requirements increase leverage |
| Education | 7% | Constrained budgets; large heterogeneous environments |
| Government | 6% | Municipal and county governments; public pressure to restore services |
| Retail & Hospitality | 6% | POS/PII data; seasonal targeting around peak revenue periods |
| Other | 10% | Transportation, energy, logistics, media, NGOs |
Geographic Distribution
LockBit's victimology was geographically diverse, spanning over 120 countries. However, targeting was heavily concentrated in high-GDP nations with substantial corporate sectors. The United States accounted for approximately 38% of all victims, followed by the United Kingdom (8%), Germany (7%), France (6%), Canada (5%), Italy (5%), and Australia (4%). European organizations collectively represented approximately 30% of total victims. Consistent with established Russian-speaking cybercriminal norms, LockBit implemented language checks in the locker that excluded systems configured with CIS-region language settings (Russian, Ukrainian, Belarusian, Kazakh, and others), though this restriction was configurable by affiliates at build time.
Notable Campaigns
Several LockBit incidents achieved particular notoriety due to victim prominence or operational impact. The Royal Mail attack (January 2023), attributed to LockBit affiliate "Bassterlord," disrupted international postal services for the United Kingdom for weeks and resulted in an $80 million ransom demand. The Boeing breach (October 2023) saw approximately 43 GB of data published to the leak site after the company reportedly declined to pay. The Industrial and Commercial Bank of China (ICBC) US subsidiary attack (November 2023) disrupted US Treasury bond settlement and demonstrated LockBit's willingness to target systemically important financial institutions. The Fulton County, Georgia attack (January 2024) compromised court systems and county administrative functions, drawing attention due to ongoing high-profile legal proceedings being conducted in the jurisdiction.
Current Operational Status
As of early 2025, the LockBit operation exists in a substantially degraded state. While the operation has not been fully dismantled, and LockBitSupp continues to maintain a presence on underground forums and a functional (though diminished) Tor infrastructure, the operational indicators point to a group that has lost its dominant market position and faces significant structural challenges to recovery.
Activity volume has declined precipitously. Dark Angel's DLS monitoring indicates that verified new victim postings fell by approximately 73% in the six months following Operation Cronos and have not recovered. Many postings during this period consisted of recycled pre-Cronos data, victims shared with other operations, or claims that could not be independently verified. This pattern is consistent with an operation attempting to project continuity while lacking the affiliate base to sustain genuine high-volume operations.
Affiliate confidence has eroded substantially. The exposure of the affiliate database during Operation Cronos demonstrated that LockBit could not guarantee the anonymity of its partners—a foundational requirement for any RaaS platform. Underground forum discussions tracked by Dark Angel reveal significant mistrust among former and prospective affiliates, with many citing the Cronos database exposure as evidence that the operation is too compromised for safe participation. The concurrent rise of competing platforms, particularly RansomHub (which offers a 90/10 affiliate-favorable split), has further drained the affiliate pool.
Despite operational degradation, LockBit should not be dismissed as a threat. The leaked LockBit 3.0 builder remains freely available and is actively used by unaffiliated actors. Former LockBit affiliates who migrated to other RaaS platforms carry operational experience and TTPs developed within the LockBit ecosystem. Organizations that detect LockBit-variant payloads should investigate whether the intrusion is linked to the official LockBit RaaS platform or to an independent actor using the leaked builder.
LockBit 4.0 claims surfaced on underground forums in late 2024, with LockBitSupp announcing development of a next-generation locker with enhanced anti-analysis capabilities, improved ESXi support, and a redesigned affiliate portal. Dark Angel assesses these claims as primarily aimed at affiliate recruitment and reputation rehabilitation rather than indicators of imminent operational resurgence. No LockBit 4.0 samples have been identified in the wild as of the publication date of this report, and the core development team's capacity for significant technical advancement under ongoing law enforcement pressure is assessed as limited.
The OFAC sanctions designation against Dmitry Khoroshev introduces an additional complication for the operation's viability. US-based organizations (and entities with US nexus) face potential legal liability for making ransom payments to LockBit, reducing the operation's ability to monetize successful intrusions against a significant portion of its historical victim pool. While sanctions are imperfect deterrents and can be circumvented through intermediaries and cryptocurrency laundering, they raise the cost and risk profile of engagement for both victims and affiliates.
Indicators of Compromise
The following indicators are representative of LockBit 3.0 operations observed by Dark Angel across multiple incident response engagements. These IOCs are provided for defensive reference and detection engineering purposes. Due to the leaked builder and widespread LockBit 3.0 derivative usage, the presence of these indicators does not conclusively attribute an incident to the official LockBit RaaS platform.
| Indicator Type | Value | Context |
|---|---|---|
| File Extension | `.lockbit`, `.{random 9-char}` | LockBit 2.0 used the static `.lockbit` extension; 3.0 uses a randomized per-build extension |
| Ransom Note | `[random_id].README.txt` | Dropped in each encrypted directory; contains the unique victim ID and .onion URLs |
| Mutex | `Global\{GUID}` | Per-build unique GUID mutex prevents concurrent execution of multiple instances |
| Registry Key | `HKCU\Software\{random_GUID}` | Stores encryption session state and configuration parameters |
| Registry Key | `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` | Persistence mechanism; value name varies per build |
| Command Execution | `vssadmin.exe delete shadows /all /quiet` | Shadow copy deletion; executed prior to encryption |
| Command Execution | `bcdedit /set {default} recoveryenabled No` | Disables the Windows Recovery Environment |
| Wallpaper Change | `LockBit_Ransomware.hta` / `.bmp` | Desktop wallpaper replaced with ransom instructions; deployed via registry modification |
| Service Termination | List of ~180 services/processes targeted for termination | Includes database servers (MSSQL, MySQL, Oracle), backup agents (Veeam, Veritas), AV/EDR processes |
| Network Artifact | StealBit HTTP POST to rotating C2 infrastructure | Custom exfiltration binary; user-agent and URI patterns are configurable per build |
Note: Due to the configurability of LockBit 3.0 builds and the availability of the leaked builder, static IOCs such as file hashes have limited shelf life. Detection strategies should prioritize behavioral indicators (shadow copy deletion patterns, mass file modification, service termination sequences) over hash-based matching.
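The behavioral approach the note recommends, written out as an added example (it is not Dark Angel's detection content or anything from the LockBit builder). It scores the command-line, registry, exfiltration-tool and bulk-rename signals from the table above over constructed, Sysmon-style events that are assumed to have been normalised into dicts with the fields shown; the host names, paths and the `HLJkNskOq` extension are invented sample data.

```python
"""Behavioural triage for LockBit-pattern pre-encryption activity.

Added example, not Dark Angel's tooling or LockBit code. It assumes endpoint
telemetry has already been normalised into dicts with the fields used below
(Sysmon event 1 = process create, 11 = file create/rename, 13 = registry value
set); the sample events are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Pre-encryption commands from the IOC table (case-insensitive, .exe optional).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
RECOVERY_DISABLE = re.compile(
    r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)
# Exfiltration tooling named in the guidance (rclone, MEGA clients).
EXFIL_TOOLS = re.compile(r"\\(rclone|megasync|megacmd)\.exe$", re.I)
DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"
ARCHIVE_EXT = (".7z", ".rar", ".zip")
# LockBit 3.0 appends a random 9-character extension to every encrypted file.
RANDOM_EXT = re.compile(r"\.[A-Za-z0-9]{9}$")


def in_staging_dir(low_path):
    """True for the staging locations called out in the egress guidance."""
    return (low_path.startswith((r"c:\programdata", r"c:\windows\temp"))
            or "\\appdata\\" in low_path)


def triage(events, rename_threshold=50, window_s=60):
    """Return sorted (ts, host, rule, evidence) findings for the given events."""
    findings = []
    renames = defaultdict(list)  # (host, new extension) -> timestamps
    for ev in events:
        ts, host = ev["ts"], ev["host"]
        if ev["id"] == 1:
            cmd = ev.get("cmd", "")
            if SHADOW_DELETE.search(cmd):
                findings.append((ts, host, "shadow_copy_deletion", cmd))
            if RECOVERY_DISABLE.search(cmd):
                findings.append((ts, host, "recovery_env_disabled", cmd))
            if EXFIL_TOOLS.search(ev.get("image", "")):
                findings.append((ts, host, "exfil_tool_execution", cmd))
        elif ev["id"] == 11:
            path = ev["target"]
            low = path.lower()
            if low.endswith(ARCHIVE_EXT) and in_staging_dir(low):
                findings.append((ts, host, "archive_staged", path))
            m = RANDOM_EXT.search(path)
            if m:
                renames[(host, m.group(0))].append(datetime.fromisoformat(ts))
        elif ev["id"] == 13:
            if ev["target"].lower().startswith(DEFENDER_POLICY):
                findings.append((ts, host, "defender_policy_tamper", ev["target"]))
    # Bulk extension change: at least rename_threshold files gaining the same new
    # extension on one host inside window_s seconds. This signal survives the
    # per-build extension randomisation that defeats hash and extension IOCs.
    for (host, ext), stamps in renames.items():
        stamps.sort()
        for i in range(len(stamps) - rename_threshold + 1):
            if (stamps[i + rename_threshold - 1] - stamps[i]).total_seconds() <= window_s:
                findings.append((stamps[i].isoformat(), host, "bulk_extension_change",
                                 f"{len(stamps)} files renamed to *{ext} within {window_s}s"))
                break
    return sorted(findings)


def hosts_with_multiple_signals(findings, min_rules=3):
    """Hosts on which at least min_rules distinct rules fired (escalation list)."""
    per_host = defaultdict(set)
    for _, host, rule, _ in findings:
        per_host[host].add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


# Constructed sample telemetry: one host showing the whole staging sequence.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T01:48:00", "id": 11, "host": "srv01",
     "target": r"C:\ProgramData\f1.7z"},
    {"ts": "2024-01-10T01:50:00", "id": 1, "host": "srv01",
     "image": r"C:\ProgramData\rclone.exe",
     "cmd": r"rclone.exe copy D:\Finance mega:dump --transfers 32"},
    {"ts": "2024-01-10T02:14:03", "id": 1, "host": "srv01",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-01-10T02:14:04", "id": 1, "host": "srv01",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmd": "wmic shadowcopy delete"},
    {"ts": "2024-01-10T02:14:05", "id": 1, "host": "srv01",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"ts": "2024-01-10T02:14:09", "id": 13, "host": "srv01",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
]
# 60 files gaining the same random 9-character extension within 20 seconds.
SAMPLE_EVENTS += [
    {"ts": f"2024-01-10T02:15:{i % 20:02d}", "id": 11, "host": "srv01",
     "target": rf"D:\Shares\doc{i}.docx.HLJkNskOq"} for i in range(60)
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for ts, host, rule, evidence in results:
        print(f"{ts} {host} {rule}: {evidence}")
    print(hosts_with_multiple_signals(results))
```

The rename threshold and window are the tunable part: set them from a baseline of normal file-server churn so that a backup job or a mass document migration does not trip the rule, and treat a host that fires three or more distinct rules as an immediate isolation candidate rather than a ticket.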
Detection and Mitigation Guidance
The following recommendations are prioritized based on Dark Angel's assessment of the most impactful defensive measures against LockBit-pattern operations, including both the official LockBit RaaS and derivative attacks using the leaked builder.
- Patch perimeter devices within 48–72 hours of a critical CVE disclosure. Exploitation of VPN appliances and edge devices (Citrix, Fortinet, Ivanti, Palo Alto) was the dominant initial access vector across LockBit operations. Maintain an emergency patching capability for internet-facing infrastructure that can be executed inside that window. Where patching is delayed, apply vendor-recommended mitigations and increase monitoring of the affected device.
- Deploy phishing-resistant MFA on all remote access. FIDO2/WebAuthn hardware tokens or passkeys should be mandated for VPN, RDP gateways, Citrix, and all privileged account access. Push-based and SMS-based MFA are insufficient against the session token theft and AiTM techniques routinely employed by LockBit affiliates.
- Monitor for behavioral indicators of pre-encryption activity. Deploy detection rules for: mass Volume Shadow Copy deletion (`vssadmin`, `wmic shadowcopy`), rapid sequential service/process termination (particularly database and backup agent processes), anomalous Group Policy Object modifications, bulk file extension changes within short time windows, and registry modifications to `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender`.
- Implement network segmentation isolating backup infrastructure. LockBit operators routinely targeted Veeam Backup & Replication servers, Commvault infrastructure, and Windows Server Backup configurations. Backup infrastructure must be segmented into isolated network zones with dedicated administrative credentials that are not accessible from the primary corporate domain. Maintain at least one offline or immutable backup copy.
- Restrict and monitor administrative tool usage. Establish baselines for PsExec, WMI, PowerShell remoting, and RDP usage. Alert on execution from anomalous source hosts or during non-business hours. Deploy application allowlisting on high-value servers to prevent unauthorized tool execution. Block or restrict RMM tools (AnyDesk, ScreenConnect, Splashtop) on endpoints where they are not required for business operations.
- Deploy egress monitoring and DLP controls. Monitor for unusual outbound data volumes, particularly to cloud storage services (Mega.nz, file.io). Detect Rclone and MEGAsync execution on endpoints. Alert on bulk archive file creation (7z, RAR, ZIP) in staging directories (`C:\ProgramData`, `C:\Windows\Temp`, user profile `AppData` directories). Implement DNS-based controls to block or alert on connections to known file-sharing services from servers and workstations where such services are not business-required.
- Harden Active Directory against privilege escalation. Implement a tiered administration model separating Domain Admin credentials from daily-use accounts. Deploy LAPS for local administrator password management. Monitor for Kerberoasting (anomalous TGS requests for service accounts), DCSync attacks (replication requests from non-DC sources), and unauthorized LDAP queries indicative of BloodHound/SharpHound reconnaissance. Regularly audit Group Policy Objects for unauthorized modifications.
- Maintain tested incident response procedures with pre-arranged retainers. Given LockBit's compressed operational timelines (median 6-day dwell time, sub-hour encryption once deployed), organizations must have pre-established incident response plans, communication templates, legal frameworks, and retainer agreements with qualified IR firms. Conduct tabletop exercises specifically simulating ransomware scenarios quarterly.
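The Kerberoasting and DCSync monitoring called for in the Active Directory hardening item, as an added example (this is not Dark Angel's detection content). It assumes Windows Security events 4769 and 4662 have already been parsed into dicts with the fields shown, with 4662 property GUIDs as a list; the users, addresses, service accounts and DC names are constructed sample data. The replication-right GUIDs and the RC4 encryption types are the real Windows values.

```python
"""Security event triage for Kerberoasting and DCSync.

Added example, not Dark Angel's detection content. It assumes events 4769 and
4662 have been parsed into dicts with the fields used below (4662 property
GUIDs as a list); the events are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Extended rights that let a principal pull directory replication data
# (DS-Replication-Get-Changes, -Get-Changes-All, -Get-Changes-In-Filtered-Set).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
}
# RC4-HMAC ticket encryption types; Kerberoasting tooling requests these so the
# service ticket can be cracked offline.
RC4_ETYPES = {"0x17", "0x18"}


def detect_kerberoasting(events, min_services=5, window_s=300):
    """Flag a (user, source IP) that obtains RC4 service tickets for at least
    min_services distinct service accounts inside window_s seconds."""
    per_requester = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 4769 or ev["status"] != "0x0":
            continue
        if ev["etype"].lower() not in RC4_ETYPES:
            continue
        svc = ev["service"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):  # TGT renewals, machine accounts
            continue
        per_requester[(ev["user"], ev["ip"])].append((datetime.fromisoformat(ev["ts"]), svc))
    alerts = []
    for (user, ip), reqs in per_requester.items():
        reqs.sort()
        for i, (start, first_svc) in enumerate(reqs):
            seen = {first_svc}
            for ts, svc in reqs[i + 1:]:
                if (ts - start).total_seconds() > window_s:
                    break
                seen.add(svc)
            if len(seen) >= min_services:
                alerts.append({"rule": "kerberoasting", "user": user, "ip": ip,
                               "services": sorted(seen)})
                break
    return alerts


def detect_dcsync(events, dc_accounts):
    """Flag 4662 events that exercise replication rights from any principal
    that is not a domain controller's machine account."""
    dcs = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        if ev["event_id"] != 4662:
            continue
        props = {p.strip("{}").lower() for p in ev["properties"]}
        hit = props & REPLICATION_GUIDS
        if hit and ev["subject"].upper() not in dcs:
            alerts.append({"rule": "dcsync", "subject": ev["subject"], "guids": sorted(hit)})
    return alerts


def tgs(ts, user, ip, service, etype="0x17"):
    """Build a normalised 4769 event (helper for the constructed samples)."""
    return {"event_id": 4769, "ts": ts, "user": user, "ip": ip,
            "service": service, "etype": etype, "status": "0x0"}


DC_ACCOUNTS = ["DC01$", "DC02$"]  # constructed domain controller machine accounts
SAMPLE_EVENTS = [
    # One workstation user pulling RC4 tickets for five service accounts in 30 s.
    tgs("2024-01-09T22:10:00", "jsmith", "10.0.5.23", "svc_sql"),
    tgs("2024-01-09T22:10:05", "jsmith", "10.0.5.23", "svc_backup"),
    tgs("2024-01-09T22:10:10", "jsmith", "10.0.5.23", "svc_web"),
    tgs("2024-01-09T22:10:20", "jsmith", "10.0.5.23", "svc_veeam"),
    tgs("2024-01-09T22:10:30", "jsmith", "10.0.5.23", "svc_sccm"),
    # A normal AES service-ticket request and a TGT renewal: both ignored.
    tgs("2024-01-09T22:11:00", "ahlbert", "10.0.7.4", "svc_sql", etype="0x12"),
    tgs("2024-01-09T22:11:30", "jsmith", "10.0.5.23", "krbtgt"),
    # Replication rights exercised by a user account versus by a real DC.
    {"event_id": 4662, "ts": "2024-01-09T22:40:00", "subject": "jsmith",
     "properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
                    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    {"event_id": 4662, "ts": "2024-01-09T22:41:00", "subject": "DC02$",
     "properties": ["{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
]

if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS) + detect_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(alert)
```

Both rules need an allowlist maintained from the directory rather than hard-coded: the DC machine-account list for DCSync, and any legitimate RC4-only service accounts (legacy applications that have not been moved to AES) for Kerberoasting, since those will otherwise generate noise that gets the rule switched off.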
Methodology
This threat intelligence profile is based on data collected and analyzed by Dark Angel's research team across the following sources and methodologies.
Incident Response Data: Analysis of 280 confirmed LockBit ransomware engagements conducted or supported by Dark Angel between January 2022 and February 2025. Incident data includes initial access vector identification, TTP documentation, tool recovery, dwell time calculation, and ransom demand amounts. All organizational data has been anonymized and aggregated.
Malware Reverse Engineering: Technical analysis of 45 unique LockBit payload samples spanning versions 1.0, 2.0, 3.0 (Black), and Green variants. Analysis includes static disassembly, dynamic behavioral analysis in controlled sandbox environments, and encryption scheme validation.
Data Leak Site Monitoring: Continuous automated and manual monitoring of all LockBit Tor hidden services (primary DLS, mirrors, and negotiation portals) from September 2019 through the present. Post-Cronos monitoring includes the successor infrastructure established by LockBitSupp.
Underground Forum Intelligence: Monitoring of Russian-language cybercriminal forums (XSS, Exploit, RAMP) for LockBitSupp postings, affiliate recruitment activity, operational discussions, and community sentiment. Analysis includes archived posts from LockBitSupp dating to 2019.
Law Enforcement Disclosures: Analysis of publicly released materials from Operation Cronos participants, including NCA press releases, DOJ indictments, OFAC designations, and Europol advisories. Backend database statistics cited in this report are derived from law enforcement disclosures and corroborated against Dark Angel's independent tracking data.
Confidence Assessment: Source reliability and information credibility are graded using the Admiralty system; analytic confidence is expressed as high, moderate, or low. Historical operational data and technical analysis carry high confidence. Victim counts and financial estimates carry moderate confidence due to inherent limitations in DLS-based tracking (not all victims are posted) and limited visibility into payments. Forward-looking assessments regarding LockBit's operational trajectory carry low-to-moderate confidence and represent analytical judgments.
Related Reports
- The State of Ransomware 2025 — Annual overview of the ransomware ecosystem covering 8 major groups, victim analysis, and evolving TTPs.
- Ransomware-as-a-Service: The Business Model Behind Modern Extortion — Deep dive into RaaS economics, affiliate programs, profit-sharing models, and the underground market dynamics that sustain the ecosystem.
- Ransomware Attack Chains: A MITRE ATT&CK Analysis — End-to-end kill chain mapping with detection opportunities at each stage of a ransomware intrusion.