// Threat Intelligence Profile

LockBit 3.0 Ransomware

The most prolific ransomware-as-a-service operation of 2022–2024. Infrastructure disrupted in Operation Cronos (February 2024) but activity continues. Analysis based on 43 negotiation transcripts.

Operational Overview

LockBit emerged in 2019 (originally as ABCD ransomware, named for the .abcd extension it appended) and evolved through multiple iterations to become the most prolific ransomware operation globally by 2022. LockBit 3.0 (also known as LockBit Black), released in June 2022, incorporated code from the BlackMatter ransomware and introduced significant capability enhancements, including a bug bounty programme and an expanded affiliate model, alongside StealBit, the custom data exfiltration tool first shipped with LockBit 2.0 in 2021. At its peak, LockBit was responsible for approximately 25–30% of all recorded ransomware incidents globally.

LockBit operated as a Ransomware-as-a-Service (RaaS) platform, with a core development team providing the encryptor, infrastructure, negotiation portal, and data leak site to a large and diverse network of affiliates. This RaaS model meant that the quality and character of individual attacks varied significantly — determined largely by the affiliate rather than the core LockBit team. Our 43 transcripts reflect this variation, showing marked differences in negotiation approach, professionalism, and flexibility across engagements.

In February 2024, Operation Cronos, a coordinated law enforcement action led by the UK NCA with the US FBI, Europol, and agencies from 10 additional countries, seized LockBit's infrastructure, including its data leak site, negotiation portals, and backend servers. Approximately 200 cryptocurrency accounts were frozen. In May 2024 LockBit's administrator, operating under the handle "LockBitSupp," was identified as Dmitry Khoroshev, a Russian national who was sanctioned by the UK, US, and Australia. Despite the disruption, LockBit resurfaced with new infrastructure within days, and affiliate activity continued, demonstrating the resilience of decentralised RaaS models to law enforcement intervention.

Initial Access & Entry Vectors

LockBit affiliates employed an exceptionally broad range of initial access techniques, reflecting the diverse skill sets and preferences across the affiliate base. The most commonly documented entry vectors in our transcript and forensic data include:

  • Phishing and credential theft: Spear-phishing campaigns delivering infostealer malware or credential-harvesting payloads, with compromised credentials then used to authenticate to VPNs, RDP, or cloud services.
  • Exploitation of public-facing vulnerabilities: LockBit affiliates were consistently among the earliest adopters of newly disclosed critical vulnerabilities, exploiting flaws in Citrix (CitrixBleed, CVE-2023-4966), PaperCut, Barracuda ESG, and numerous other widely deployed products.
  • Access broker purchases: A significant proportion of LockBit incidents began with the purchase of pre-existing network access from Initial Access Brokers (IABs) operating on darknet forums.
  • Compromised remote access: Exposed RDP services, often with weak credentials, remained a primary vector throughout LockBit's operational period.

Post-compromise, LockBit affiliates typically deployed Cobalt Strike for command and control, conducted Active Directory reconnaissance using tools such as BloodHound and SharpHound, and used legitimate remote management software (AnyDesk, TeamViewer) to maintain persistent access before encryption.

Technical Characteristics

LockBit 3.0 represented a significant technical leap over its predecessors. The encryptor was largely rebuilt, incorporating elements of BlackMatter's codebase, and introduced several notable features:

  • Partial encryption: LockBit 3.0 used configurable partial-file encryption (encrypting a percentage of file content rather than the whole file), dramatically increasing encryption speed across large environments. Because most of each file is left untouched, the result also evades whole-file entropy heuristics that some endpoint products rely on to spot encryption in progress.
  • Self-propagation: The encryptor could spread autonomously across network shares using Windows Management Instrumentation (WMI) and Group Policy Objects without requiring manual affiliate action.
  • StealBit: A custom exfiltration tool designed to upload victim data directly to LockBit's infrastructure at high speed, bypassing many Data Loss Prevention (DLP) controls.
  • ESXi targeting: A Linux/ESXi variant was developed to directly encrypt VMware virtual machine disk files.
  • Anti-analysis features: LockBit 3.0 incorporated multiple anti-analysis and anti-debugging techniques, and most builds would not run without a per-build launch key supplied on the command line (the -pass argument), which the payload uses to decrypt its own code in memory. Without the key, static analysis sees only an encrypted body and automated sandbox detonation fails, so samples recovered without their launch command line are of limited analytical value.
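
The partial-encryption point above is easy to underestimate until you measure it. The following Python is an added example written for this profile; it is not LockBit code and not a detection from any vendor product. It builds a constructed sample file in which only the leading eighth of the bytes is replaced by pseudo-random data standing in for ciphertext (one of several partial-encryption layouts; the exact layout LockBit 3.0 uses is configurable), then compares a whole-file entropy check against a per-window check. The window size, the 7.5 bits/byte threshold and the sample content are assumptions chosen for the illustration.

```python
import math
import random

CHUNK_SIZE = 4096        # scan window in bytes (assumed; tune to the filesystem block size)
HIGH_ENTROPY = 7.5       # bits per byte; ciphertext and random data sit close to the 8.0 maximum


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data, chunk_size=CHUNK_SIZE):
    """Entropy of each fixed-size window of the file, in file order."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def scan_file(data, chunk_size=CHUNK_SIZE, threshold=HIGH_ENTROPY):
    """Return (whole-file entropy, fraction of windows at ciphertext-level entropy).

    A whole-file check alone misses partial encryption: a few encrypted windows are
    averaged away by the untouched plaintext. The per-window fraction is not.
    """
    windows = chunk_entropies(data, chunk_size)
    if not windows:
        return 0.0, 0.0
    hot = sum(1 for e in windows if e >= threshold)
    return shannon_entropy(data), hot / len(windows)


def make_sample(total_size=64 * 1024, encrypted_fraction=0.125, seed=1):
    """Constructed sample, not a real encrypted file: repetitive CSV-like text with
    only the leading `encrypted_fraction` of bytes replaced by pseudo-random bytes
    standing in for ciphertext. A seeded RNG keeps the result reproducible."""
    rng = random.Random(seed)
    line = b"2024-01-31,INV-10482,ACME Ltd,1200.00,GBP,PAID\n"
    plaintext = (line * (total_size // len(line) + 1))[:total_size]
    n_enc = int(total_size * encrypted_fraction)
    ciphertext_head = bytes(rng.getrandbits(8) for _ in range(n_enc))
    return ciphertext_head + plaintext[n_enc:]


if __name__ == "__main__":
    cases = (("untouched", 0.0), ("partially encrypted (12.5%)", 0.125), ("fully encrypted", 1.0))
    for label, frac in cases:
        whole, hot = scan_file(make_sample(encrypted_fraction=frac))
        print(f"{label:28s} whole-file entropy={whole:.2f}  high-entropy windows={hot:.0%}")
```

On the constructed sample the whole-file entropy of the partially encrypted file stays well under the ciphertext threshold, so a file-level heuristic sees nothing, while two of the sixteen 4 KiB windows are flagged. In practice a windowed measure also needs a baseline per file type (compressed archives and media are high-entropy by nature), which is why rate-of-change across many files, not a single file's score, is the signal worth alerting on.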

Encrypted files received a random nine-character extension generated per build (for example .HLJkNskOq), with the ransom note dropped alongside them as <extension>.README.txt, so the exact value varied by affiliate build. Before or during the encryption phase the payload deleted Volume Shadow Copies (via vssadmin or the Win32_ShadowCopy WMI class), disabled Windows recovery through bcdedit (recoveryenabled no, bootstatuspolicy ignoreallfailures), and cleared Windows Event Logs with wevtutil cl. These commands are one of the most reliable pre-encryption detection opportunities in the chain: they run in the clear as ordinary process creations moments before files start changing.
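
As an added example for this profile (not LockBit tooling and not a rule from any vendor product), the following Python scans process-creation records for the recovery-inhibition and log-clearing commands described above and flags hosts where several of them fire together. The log lines, hostnames, usernames and timestamps are constructed for the example, and the key=value record format is an assumption; the command lines are the documented ones. The rule set is deliberately broader than this page's list (it also covers wmic shadowcopy delete and wbadmin catalog deletion), because these are the standard T1490 variants ransomware families in general use and a detection should not be tuned to one family.

```python
import re

# Command-line patterns for the pre-encryption steps, mapped to MITRE ATT&CK IDs:
# T1490 Inhibit System Recovery, T1070.001 Clear Windows Event Logs.
RULES = [
    ("T1490", "shadow copy deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "shadow copy deletion via WMI",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "Windows recovery disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490", "boot status policy overridden",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1490", "backup catalog deletion",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("T1070.001", "event log cleared",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
]

# Assumed record format: space-separated key=value pairs, values optionally double-quoted.
LOG_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (hosts, users and times are invented for this example).
# Line 1 and line 7 are benign look-alikes that must not match.
SAMPLE_LOG = [
    'ts=2024-02-05T10:14:03Z host=FS01 user=CORP\\svc_backup cmdline="vssadmin.exe list shadows"',
    'ts=2024-02-05T10:14:09Z host=FS01 user=CORP\\svc_backup cmdline="vssadmin.exe delete shadows /all /quiet"',
    'ts=2024-02-05T10:14:10Z host=FS01 user=CORP\\svc_backup cmdline="bcdedit /set {default} recoveryenabled no"',
    'ts=2024-02-05T10:14:10Z host=FS01 user=CORP\\svc_backup cmdline="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    'ts=2024-02-05T10:14:12Z host=FS01 user=CORP\\svc_backup cmdline="wbadmin delete catalog -quiet"',
    'ts=2024-02-05T10:15:40Z host=FS01 user=CORP\\svc_backup cmdline="wevtutil.exe cl Security"',
    'ts=2024-02-05T10:16:00Z host=WS17 user=CORP\\alice cmdline="wevtutil qe Application /c:20"',
]


def parse_event(line):
    """Split one record into a dict, stripping the quotes from quoted values."""
    fields = {}
    for key, raw in LOG_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def scan(lines):
    """Return one finding per record whose command line matches a rule (first rule wins)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmdline", "")
        for technique, name, pattern in RULES:
            if pattern.search(cmd):
                findings.append({"ts": ev.get("ts"), "host": ev.get("host"), "user": ev.get("user"),
                                 "technique": technique, "rule": name, "cmdline": cmd})
                break
    return findings


def hosts_with_recovery_inhibition(findings, min_hits=2):
    """Hosts on which at least `min_hits` distinct T1490 rules fired. A single stray
    vssadmin call is often an administrator; a chain of them almost never is."""
    per_host = {}
    for f in findings:
        if f["technique"] == "T1490":
            per_host.setdefault(f["host"], set()).add(f["rule"])
    return {host for host, rules in per_host.items() if len(rules) >= min_hits}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["host"]} {h["user"]} {h["technique"]} {h["rule"]}: {h["cmdline"]}')
    print("hosts showing a recovery-inhibition chain:", sorted(hosts_with_recovery_inhibition(hits)))
```

Run against the sample, the benign vssadmin list and wevtutil qe records are ignored, five findings are produced for FS01, and FS01 is the only host reported as showing the chain. Feed real Sysmon Event ID 1 or Windows 4688 command lines through parse_event (adapting LOG_RE to the export format) to use it on live data; the per-host chaining is what keeps the false-positive rate tolerable.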

Negotiation Patterns & Demand Analysis

LockBit's negotiation behaviour was among the most variable of any major ransomware group, driven by the affiliate model. Our 43 transcripts include engagements ranging from highly professional, businesslike negotiations to aggressive, abusive exchanges — reflecting the wide spectrum of affiliate capabilities and approaches.

Initial demands ranged from tens of thousands of dollars for small business victims to tens of millions of pounds for large enterprises; the Royal Mail negotiation in our archive involved a £66M initial demand. The most significant indicator of likely negotiation outcome was which affiliate was operating the campaign: some affiliates consistently offered early discounts in exchange for prompt payment, while others maintained rigid positions and escalated quickly to data publication threats.

The LockBit platform provided affiliates with a standard negotiation portal accessible to victims via Tor, and a separate chat system for affiliate-operator communication. Timer-based pressure mechanisms were prominently displayed, counting down to data publication on the public leak site. In practice, our transcript data shows these timers were frequently extended — data publication was used as a threat more than an action.

A crucial lesson from our LockBit transcript archive: OFAC/OFSI sanctions screening is mandatory before engaging with any LockBit affiliate. Several LockBit affiliates have been specifically sanctioned, and the existence of a LockBit negotiation portal does not guarantee payment is permissible.

Notable Incidents

LockBit's victim list includes some of the most high-profile ransomware incidents on record. Among the most significant:

  • Royal Mail (January 2023): The UK's national postal service was hit by a LockBit 3.0 affiliate, with a £66M ransom demand. Royal Mail engaged in the negotiation chat but refused to pay, and restored operations without paying. Full transcript available in our archive.
  • ION Trading UK (January 2023): A financial software provider whose systems are used by major banks and trading firms. The attack caused widespread disruption to derivatives trading and required manual reporting workarounds across multiple financial institutions.
  • Bank of America (via Infosys McCamish, 2023): LockBit attacked an outsourcing partner, compromising data of over 57,000 Bank of America customers.
  • Boeing (2023): LockBit claimed access to sensitive Boeing data and published a portion when Boeing failed to meet payment deadlines.

Post-Operation Cronos Activity

The February 2024 law enforcement disruption temporarily reduced LockBit's operational tempo but did not end the group. Within days of the NCA takeover of their infrastructure, LockBit's administrator announced new infrastructure and invited affiliates to continue. Throughout 2024 and into 2025, LockBit-affiliated activity continued to be recorded, though at a reduced volume compared to the group's 2022–2023 peak. Several legacy LockBit variants and the LockBit 3.0 encryptor (whose builder was leaked in September 2022) continued to be used by unrelated actors, so a LockBit 3.0 ransom note or leak-site claim no longer reliably indicates a genuine LockBit affiliate; attribution should rest on the wider intrusion evidence before sanctions screening and negotiation strategy are decided.

View Negotiation Transcripts

43 LockBit 3.0 negotiation transcripts are available in our public archive, including the full Royal Mail vs LockBit exchange.

Quick Reference

Status: DISRUPTED
First Observed: 2019 (LockBit 3.0: 2022)
Transcripts: 43
Demand Range: $50K – £66M+
Model: RaaS, Double Extortion
Primary Targets: All sectors, all sizes
Entry Vectors: Multiple (affiliate-dependent)
Disruption: Operation Cronos, Feb 2024
Administrator: Dmitry Khoroshev (sanctioned)

Key Negotiation Insights

Tone: Highly variable (affiliate-dependent)
Negotiability: Variable
Timeline Pressure: High (countdown timers)
Data Leak Threat: Active (LockBit leak site)
Sanctions Risk: HIGH — screen before engaging

Under Attack by LockBit?

If LockBit has targeted your organisation, contact Binary Response immediately. Our team has direct experience with LockBit incidents including sanctions screening, negotiation strategy, and technical recovery.
