LockBit Ransomware Group: Threat Actor Profile
LockBit industrialized affiliate ransomware to become the most prolific RaaS franchise of the early 2020s — 2,000+ victims and $120M+ in payments — before the 2024 Operation Cronos takedown. A full profile.
LockBit became the most prolific ransomware franchise of the early 2020s by industrializing affiliate operations, negotiating at scale, and continually iterating its malware family. The U.S. DOJ said LockBit hit more than 2,000 victims and received more than $120 million in ransom payments before Operation Cronos.
LockBit: at a glance
- Aliases: LockBit Black, LockBit 2.0, LockBit 3.0, ABCD, LockBitSupp (persona)
- Country / affiliation: Russian-speaking criminal ecosystem
- Assessed status (as of July 2026): Degraded but active
- Primary objectives: Affiliate-driven double extortion at industrial scale
- Financial destruction / gain: >$120 million in ransom payments received and hundreds of millions in demands, across 2,000+ victims
- Type: ransomware-as-a-service (RaaS) (double-extortion franchise)
Who is LockBit?
The 2024 international takedown (Operation Cronos) badly damaged the brand and unmasked its leadership, but Reuters and later vendor reporting show LockBit remained capable of resurfacing and rebranding through 2025. In 2026 it is best described as degraded, embarrassed, but not fully extinct.
Aliases and attribution
LockBit ran as a ransomware-as-a-service (RaaS) brand fronted by the persona 'LockBitSupp,' renting its builder to 188+ disclosed affiliates. Operation Cronos, led by the UK NCA with the FBI and Europol, seized infrastructure and named the alleged administrator. As with most cybercrime threat actor groups, the operation is distributed and resilient to any single arrest.
Financial impact and damage
DOJ figures put confirmed LockBit ransom payments above $120 million, with hundreds of millions more demanded across 2,000+ victims spanning healthcare, manufacturing, and government. Its StealBit exfiltration tool and prolific affiliate output made LockBit responsible for a large share of global ransomware incidents at its peak — a major driver of the era's ransomware statistics.
LockBit timeline
- 2020: LockBit emerges
- 2021: LockBit 2.0 released
- 2022: LockBit 3.0 / LockBit Black with a bug-bounty program
- 2024: Operation Cronos disruption seizes infrastructure and names leadership
- 2025: Reuters reports another infrastructure compromise
Notable attacks and campaigns
LockBit pioneered ransomware 'marketing' — a bug-bounty program, brand stunts, and a slick affiliate portal. Operation Cronos (February 2024) turned LockBit's own leak site against it, publishing decryptors and affiliate details. Despite the humiliation, LockBit attempted relaunches and rebrands, illustrating the resilience of the RaaS model.
Tactics, techniques, and procedures (TTPs)
The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.
- T1548.002 — Bypass UAC: LockBit 3.0 can use an elevated COM interface to bypass UAC. Monitor reflective elevation chains and COM abuse from unsigned or temp-path binaries.
- T1562 / T1070.005 — Disable Tools / Clear Event Logs: LockBit disables security tools and deletes log files. Alert on Defender tampering, service stoppage, and wevtutil log-clearing.
- T1490 / T1486 — Inhibit Recovery / Data Encrypted for Impact: LockBit deletes shadow copies and encrypts with AES/ChaCha20/RSA, exfiltrating via StealBit first. Protect backups and watch for exfil-then-encrypt sequencing.
Detection and defense against LockBit
LockBit's speed and affiliate diversity mean detection must catch the common kill-chain stages early:
- Protect backups and block mass vssadmin / shadow-copy deletion.
- Alert on security-tool tampering, service stoppage, and event-log clearing (wevtutil).
- Watch for StealBit-style exfiltration preceding encryption (exfil-then-encrypt).
- Constrain PowerShell and detect sudden Group Policy manipulation.
- Enforce MFA, patch internet-facing systems, and segment to limit lateral movement.
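The first three checks above (and the log-clearing, tool-tampering and exfil-then-encrypt mappings in the TTP list) can be combined into one correlation rule. The following is an added example, not code from this profile or any vendor: the event schema, the 500 MB exfiltration threshold and the 24-hour window are assumptions, and the sample telemetry is constructed.

```python
import re
from datetime import datetime, timedelta

# Command-line patterns for behaviours named in the list above.
RULES = {
    "shadow_copy_deletion": re.compile(r'\bvssadmin(\.exe)?"?\s+delete\s+shadows\b', re.I),
    "event_log_clearing": re.compile(r'\bwevtutil(\.exe)?"?\s+(cl|clear-log)\b', re.I),
    "defender_tampering": re.compile(r"\bSet-MpPreference\b.*-Disable\w+\s+(\$true|1)\b", re.I),
}
EXFIL_BYTES = 500 * 1024 * 1024   # assumed threshold for a "large" outbound transfer
WINDOW = timedelta(hours=24)      # assumed look-back for exfil-then-encrypt

def detect(events):
    """Return alerts as (timestamp, host, rule, severity) tuples."""
    alerts, last_exfil = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "netflow" and ev["bytes_out"] >= EXFIL_BYTES:
            last_exfil[ev["host"]] = ts          # remember latest bulk upload per host
        elif ev["kind"] == "process":
            for name, rx in RULES.items():
                if rx.search(ev["cmdline"]):
                    prior = last_exfil.get(ev["host"])
                    # Escalate when recovery/log tampering follows a bulk upload.
                    sequenced = prior is not None and ts - prior <= WINDOW
                    alerts.append((ev["ts"], ev["host"], name,
                                   "critical" if sequenced else "high"))
    return alerts

# Constructed sample telemetry (not real incident data).
SAMPLE = [
    {"ts": "2024-01-10T02:11:00", "host": "fs01", "kind": "netflow", "bytes_out": 2_400_000_000},
    {"ts": "2024-01-10T03:40:12", "host": "fs01", "kind": "process",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-01-10T03:40:15", "host": "fs01", "kind": "process",
     "cmdline": "wevtutil cl Security"},
    {"ts": "2024-01-10T09:00:00", "host": "ws17", "kind": "process",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2024-01-10T09:05:00", "host": "ws17", "kind": "process",
     "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Benign inventory commands such as `vssadmin list shadows` do not fire, and a tampering hit without a preceding bulk upload is still raised, at the lower severity.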
The bottom line
LockBit was the ransomware world's dominant franchise; even degraded by Operation Cronos, it remains a benchmark for how resilient the RaaS model can be.
Frequently asked questions
What is LockBit ransomware?
LockBit is a Russian-speaking ransomware-as-a-service operation that became the most prolific ransomware franchise of the early 2020s, hitting 2,000+ victims through a network of affiliates before its 2024 disruption.
How much did LockBit make?
The DOJ said LockBit received more than $120 million in ransom payments, with hundreds of millions more in demands across over 2,000 victims.
What was Operation Cronos?
Operation Cronos was a February 2024 international law-enforcement takedown, led by the UK NCA with the FBI and Europol, that seized LockBit's infrastructure, published decryptors, and named its alleged administrator.
Is LockBit still active in 2026?
LockBit is degraded but not extinct. After Operation Cronos it attempted relaunches and rebrands, and a further infrastructure compromise was reported in 2025, but its capability and reputation are much diminished.
Primary sources & further reading
This guide is reviewed and fact-checked against authoritative primary sources: