
LockBit

lockbit · primary source: Other · first observed 2019 · last observed 2024
RU · Russia · Ransomware · High confidence · last cited May 6, 2024 · 2y ago

Russian-speaking ransomware-as-a-service operation that by mid-2023 was the most prolific ransomware brand on public leak-site tracking by victim count. Disrupted in February 2024 by Operation Cronos (UK NCA-led), which seized the leak site and decryption keys. In May 2024 the US DOJ unsealed an indictment of Dmitry Khoroshev ('LockBitSupp') as the operation's administrator. The operation runs on an affiliate program model; victims span manufacturing, healthcare, government, and education globally.

Aliases

  • LockBit 3.0 (source: Other)
  • LockBit Black (source: Other)
  • LockBit Green (source: Other)
  • Bitwise Spider (source: CrowdStrike)

Motivations

financial gain

Target sectors

  • manufacturing
  • healthcare
  • government
  • education
  • professional services

Target countries

US · GB · FR · DE · IT · CA · AU · BR · MX · JP · IN

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • LockBit
  • Russia
  • financial gain
Infrastructure
  • adobe-us-updatefiles.digital
Victim
  • manufacturing
  • healthcare
  • government
  • US
  • GB
  • +1 more

MITRE ATT&CK techniques

Tools & malware

1 entry

Timeline

1 event

Indicators of compromise

4 indicators
Type · Value · First seen · Source

SHA-256 · cc21c77e1ee7e916c9c48194fad083b2d4b2023df703e544ffb2d6a0bfc90a63 · Nov 20, 2023 · CISA
family · LockBit
SHA256 of Mag.dll, the persistence module identified running within the UpdateAdobeTask scheduled job on victims of the LockBit 3.0 Citrix Bleed campaign. Table 3 of AA23-325A.

Name · CVE-2023-4966 (Citrix Bleed) · Nov 20, 2023 · CISA
family · LockBit
LockBit 3.0 affiliates' primary initial-access vector during the October-November 2023 wave documented in joint CISA/FBI/MS-ISAC/ACSC advisory AA23-325A - NetScaler ADC and Gateway session-token theft used against Boeing, ICBC, Allen & Overy, and DP World.

SHA-256 · ed5d694d561c97b4d70efe934936286fe562addf7d6836f795b336d9791a5c44 · Nov 20, 2023 · CISA
family · LockBit
SHA256 of adobelib.dll dropped to C:\Users\Public\ by the 123.ps1 PowerShell loader during the LockBit 3.0 Citrix Bleed campaign, executed via rundll32 with a 104-hex-character key. Table 3 of AA23-325A.

Domain · adobe-us-updatefiles[.]digital · Nov 15, 2023 · CISA
family · LockBit
Tool-download domain contacted by adobelib.dll POST requests in the LockBit 3.0 Citrix Bleed campaign; resolved to 172.67.129.176 and 104.21.1.180 as of November 16, 2023. Table 3 of AA23-325A.

Related actors

shared ATT&CK techniques

References

cite this page

Threat Intel Tracker. (2026-05-19). LockBit — actor profile. Retrieved from https://threatintel.local/actors/lockbit

latest cited activity · 2024-05-07 · 4 cataloged indicators