LockBit Ransomware Group Profile
Breach Summary
The LockBit ransomware group was among the most prolific ransomware operations on record, posting more victims to its leak site across 2022 and 2023 than any other ransomware brand. A profile of LockBit's operations provides essential context for understanding the modern ransomware threat landscape, the Ransomware-as-a-Service model, and the law enforcement operations that disrupted the group in 2024.
What Happened
LockBit operated from approximately 2019 through February 2024, when Operation Cronos, a coordinated law enforcement action led by the UK National Crime Agency with the FBI, Europol, and agencies from ten countries in total, seized LockBit's infrastructure, including its data leak site. The operation produced two affiliate arrests (in Poland and Ukraine) and further charges, recovered more than 1,000 decryption keys that were used to build a free decryptor for victims, and published LockBit's internal affiliate data on the seized leak site. In May 2024 the administrator operating as 'LockBitSupp' was named as Russian national Dmitry Khoroshev, indicted by the US Department of Justice, and sanctioned by the US, UK, and Australia. The operation significantly disrupted LockBit, though the group attempted to reconstitute within days.
Attack Vector Detail
LockBit operated as a Ransomware-as-a-Service platform, providing the encryptor, leak-site and payment infrastructure, and negotiation support to affiliates who conducted the actual intrusions. Affiliates kept approximately 80% of ransom payments; LockBit took 20%. This model let LockBit scale globally, with affiliates using whatever initial access worked for them: exposed RDP with brute-forced or stolen credentials, phishing, exploitation of internet-facing VPN and remote-access appliances, and access purchased from Initial Access Brokers on criminal marketplaces.
LockBit's technical evolution included LockBit 2.0 (2021), which shipped StealBit, a custom exfiltration tool that raised the speed and reliability of the data-theft half of double extortion, and LockBit 3.0 ('LockBit Black', 2022), which introduced what is generally described as the first bug bounty program run by a ransomware operation, offering rewards to anyone who found bugs in its encryptor or infrastructure.
Breach Pattern Timeline
September 2019
LockBit emerges as 'ABCD ransomware', named for the .abcd extension it appended to encrypted files, and rebrands to LockBit shortly after. Russian-speaking ransomware-as-a-service (RaaS) operation built around an affiliate model: operators provide infrastructure and malware; affiliates conduct attacks and split payments.
2020-2021
LockBit 2.0 released (June 2021). Adds the StealBit data-theft tool. Establishes a data leak site for double extortion. Becomes one of the top five most active ransomware brands by victim count.
June 2022
LockBit 3.0 ('LockBit Black') released. Introduces a ransomware bug bounty program (paying researchers to identify flaws), making LockBit the most business-like ransomware operation of its time. Notable attacks attributed to affiliates across the 2.0 and 3.0 eras include Accenture (2021), Continental (2022), Royal Mail (January 2023), and many others.
2022-2023
LockBit dominates the ransomware ecosystem; at its peak roughly 25-30% of all publicly claimed ransomware attacks are attributed to LockBit affiliates. Major victims include Boeing (Oct-Nov 2023, via Citrix Bleed), ICBC's US arm (Nov 2023), Bridgestone Americas (2022), and thousands of small-to-mid enterprises.
November 2023
LockBit affiliates exploit Citrix Bleed (CVE-2023-4966) against Boeing, ICBC, and dozens of others, as part of the broader late-2023 mass exploitation of that flaw. The bug leaked valid session tokens from the memory of NetScaler ADC and Gateway appliances; replaying a stolen token gave the attacker an authenticated session without credentials and without triggering MFA.
February 19-20, 2024
Operation Cronos: a coordinated, UK NCA-led international law enforcement operation seizes LockBit's dark web infrastructure, decryption keys, and victim data, and obtains internal records identifying LockBit affiliates and administrators. The most extensive law enforcement disruption of any ransomware operation up to that point.
May 7, 2024
U.S. DOJ unseals an indictment of Dmitry Khoroshev (LockBitSupp), the alleged LockBit administrator; OFAC sanctions him, with parallel UK and Australian sanctions, and the State Department offers a reward of up to $10M for information leading to his arrest.
2024-2025
LockBit attempts to rebuild under successor branding ('LockBit 4.0' / 'LockBit-NG-Dev') but never recovers its prior scale. Many former LockBit affiliates migrate to other RaaS operations (RansomHub, BlackSuit, Akira).
2025-2026
LockBit remains technically operational but at a fraction of pre-Operation Cronos scale. Operation Cronos becomes foundational precedent for: (1) law enforcement infrastructure disruption as a viable strategy against ransomware, (2) decryption key recovery as alternative to ransom payment, (3) the durability of affiliate ecosystems even after central operator disruption.
Total impact: more than 2,000 victims attributed to LockBit affiliates between 2019 and 2024, with collective ransom demands exceeding $1 billion. LockBit is the foundational case study for the ransomware-as-a-service business model, and Operation Cronos the canonical example of law enforcement infrastructure disruption.
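The Citrix Bleed entries in the timeline above illustrate the detection problem a stolen session token creates: the attacker never logs in, so there is no failed-password or MFA event to alert on; the only trace is an existing session suddenly being used from a host that never authenticated it. The following script is an added example, not code from the original page or from any vendor, showing the check a defender would run over gateway access logs. The log format (timestamp, event, src, user, session, ua, path) and the sample lines are constructed for the example and are not real NetScaler syslog; the field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines for this example; not real NetScaler output.
# The field layout (timestamp event src user session ua path) is an assumption.
SAMPLE_LOGS = """\
2023-11-08T09:58:12Z event=login   src=198.51.100.23 user=jdoe   session=a1f3c9 ua="Citrix Gateway Plugin"
2023-11-08T10:01:45Z event=request src=198.51.100.23 user=jdoe   session=a1f3c9 ua="Citrix Gateway Plugin" path=/vpn/index.html
2023-11-08T10:07:03Z event=request src=203.0.113.77  user=jdoe   session=a1f3c9 ua="python-requests/2.31" path=/vpn/index.html
2023-11-08T10:07:09Z event=request src=203.0.113.77  user=jdoe   session=a1f3c9 ua="python-requests/2.31" path=/cgi/GetAuthMethods
2023-11-08T10:15:00Z event=login   src=192.0.2.44    user=asmith session=7b2e10 ua="Citrix Workspace"
2023-11-08T10:20:30Z event=request src=192.0.2.44    user=asmith session=7b2e10 ua="Citrix Workspace" path=/vpn/index.html
2023-11-08T11:02:00Z event=login   src=192.0.2.90    user=rlee   session=c4d8e2 ua="Citrix Workspace"
2023-11-08T11:30:00Z event=request src=192.0.2.91    user=rlee   session=c4d8e2 ua="Citrix Workspace" path=/vpn/index.html
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+event=(?P<event>\w+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)'
    r'\s+session=(?P<session>\S+)\s+ua="(?P<ua>[^"]*)"(?:\s+path=(?P<path>\S+))?\s*$'
)


def parse(lines):
    """Yield one dict per line that matches the assumed layout; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_hijacked_sessions(lines):
    """Return {session_id: finding} for every session that was used from a
    source IP which never produced a login event for that session.

    A token leaked by CVE-2023-4966 is replayed, not re-authenticated, so the
    attacker's IP has requests but no login. A changed User-Agent on the rogue
    IP raises confidence; an unchanged one may be a roaming user, so the
    finding records that distinction for triage instead of suppressing it.
    """
    authed_ips = defaultdict(set)   # session -> IPs that logged in
    seen = defaultdict(list)        # session -> [(ts, src, ua)]
    users = {}
    for rec in parse(lines):
        sid = rec["session"]
        users[sid] = rec["user"]
        if rec["event"] == "login":
            authed_ips[sid].add(rec["src"])
        seen[sid].append((rec["ts"], rec["src"], rec["ua"]))

    findings = {}
    for sid, events in seen.items():
        rogue = sorted({src for _, src, _ in events if src not in authed_ips[sid]})
        if not rogue:
            continue
        legit_uas = {ua for _, src, ua in events if src in authed_ips[sid]}
        rogue_uas = {ua for _, src, ua in events if src in rogue}
        findings[sid] = {
            "user": users[sid],
            "authenticated_ips": sorted(authed_ips[sid]),
            "replay_ips": rogue,
            "ua_changed": not rogue_uas <= legit_uas,
            "first_replay": min(ts for ts, src, _ in events if src in rogue),
        }
    return findings


if __name__ == "__main__":
    for sid, f in find_hijacked_sessions(SAMPLE_LOGS).items():
        confidence = "HIGH" if f["ua_changed"] else "MEDIUM (possible IP roaming)"
        print(f"session {sid} user={f['user']} replayed from {f['replay_ips']} "
              f"at {f['first_replay']} [{confidence}]")
```

On the constructed input, jdoe's session is flagged at high confidence (new IP and a scripted User-Agent), asmith's session is clean, and rlee's session is flagged at medium confidence because only the IP changed. The point of keeping the medium-confidence finding rather than filtering it is that a careful attacker can copy the victim's User-Agent; the IP-without-login signal is the one the replay cannot avoid, and the response that actually closes the hole is invalidating all active sessions after patching, since the leaked tokens stay valid until then.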
Executive Lessons
LockBit's longevity — from 2019 through its February 2024 disruption by Operation Cronos — demonstrated that ransomware groups can operate as resilient enterprises even under law enforcement pressure. LockBit's public-facing affiliate program, reputation management, and marketing-driven approach normalized ransomware-as-a-service as a criminal business model. LockBit's attempts to resume operations after the Cronos takedown reinforce that law enforcement disruption is not the same as elimination.
Private Equity Implications
LockBit affiliates targeted mid-market companies as aggressively as enterprise targets, because mid-market organizations have revenues large enough to pay significant ransoms while typically running weaker defenses than large enterprises. PE portfolio companies in the $50M to $500M revenue band that LockBit affiliates favored were primary targets.