logo svg
logo

July 13, 2026

Updated: July 13, 2026

LockBit Ransomware: How It Works, Versions, Tactics, and Defense

LockBit is both a ransomware family and a criminal ransomware-as-a-service ecosystem. This guide explains its operators, affiliates, versions, Operation Cronos, current status, typical attack lifecycle, defensive controls, the limits of available decryptors, and safe ways organizations can validate ransomware readiness across prevention, detection, response, and recovery.

Mohammed Khalil

Mohammed Khalil

Featured Image

Last verified: July 13, 2026

LockBit is both the name of a criminal ransomware-as-a-service operation and a family of ransomware used to steal data, encrypt systems, disrupt operations, and pressure victims. It is not one fixed intrusion team: core developers, administrators, affiliates, access brokers, infrastructure providers, and unrelated actors reusing leaked LockBit builders can play different roles.

Operation Cronos caused a major disruption in February 2024, but it did not make LockBit-derived code or future activity impossible. LockBit 5.0 samples targeting Windows, Linux, and ESXi were subsequently analyzed independently. Affiliate variation and code reuse mean that finding a LockBit-like sample does not, by itself, identify the responsible intrusion team.

This guide explains the ecosystem, versions, disruption, current status, attack lifecycle, defensive priorities, response options, and limits of available decryptors in the broader context of major ransomware groups.

Key takeaways

LockBit quick facts

FieldVerified treatment
Threat typeRansomware and data-extortion ecosystem
Operating modelRansomware-as-a-Service
First observedThe operation dates to approximately September 2019 in DOJ and technical histories; CISA tracks LockBit activity from January 2020
Common versionsEarly LockBit/ABCD, 2.0/Red, 3.0/Black, NG-Dev or claimed 4.0 development, and 5.0
Verified platformsEarly variants primarily affected Windows; later versions included Windows and ESXi support; LockBit 5.0 was analyzed across Windows, Linux, and ESXi
Typical objectivesData theft, encryption, extortion, and operational disruption
Major disruptionOperation Cronos, February 2024
Current statusLockBit-related code and samples remained relevant as of July 13, 2026, but the scale and control of the original operation remain uncertain
Decryption supportAvailable for some LockBit 3.0 incidents; eligibility is version- and victim-dependent
Primary sourcesCISA, DOJ, NCA, Europol, Treasury, MITRE ATT&CK, NIST, and primary technical research

Important: This is educational defensive guidance, not legal advice or an incident-specific recovery plan. An active ransomware incident should involve qualified incident responders, legal counsel, appropriate authorities, the organization’s insurer, and relevant sanctions specialists.

What is LockBit ransomware?

LockBit ransomware is a family of malicious encryption tools associated with a criminal RaaS ecosystem. Core operators developed and maintained the service, while largely independent affiliates obtained access to victim environments and conducted attacks. Consequently, “LockBit attack” can describe the malware used without reliably identifying one operator, affiliate, or intrusion method.

Ransomware-as-a-Service separates platform development from intrusion activity. LockBit’s administrators supplied malware builders, supporting infrastructure, leak or negotiation services, and an affiliate program. Affiliates selected targets, acquired or purchased access, moved through networks, stole data, and deployed ransomware.

This division matters for both attribution and defense. As the joint CISA LockBit advisory explains, LockBit’s large and initially unvetted affiliate population produced significant variation in tactics, techniques, and procedures.

“LockBit” can therefore refer to several related but distinct things:

LockBit attacks commonly combined encryption with data theft and threats to publish stolen information a form of double extortion. A leak-site listing, however, remains a criminal claim unless the victim, authorities, or independent evidence confirms the incident and its scope.

How the LockBit Ransomware-as-a-Service model works

Diagram showing LockBit developers, affiliates, initial access, data theft, encryption, extortion infrastructure, revenue sharing, and third-party reuse of leaked builders.

Figure 1. LockBit’s RaaS model separates core platform development from affiliate-led intrusions, making attack behavior and attribution inconsistent.

Source note: DeepStrike synthesis based on CISA, DOJ, Treasury, and Europol reporting.

At a high level, LockBit administrators developed the ransomware platform and recruited affiliates. An affiliate obtained initial access directly or through another criminal supplier then conducted the intrusion. Victim-specific ransomware builds or configurations could be generated through the service. Stolen data, encryption, negotiation infrastructure, and revenue sharing completed the commercial model.

The allocation of responsibilities was not necessarily identical in every case. Affiliates could bring different tooling, access methods, targets, and experience. Infrastructure seizures can consequently damage central coordination and revenue while leaving individual affiliates, credentials, stolen data, or copied malware code available elsewhere.

Is LockBit still active?

The most accurate answer is dated and qualified: LockBit-related malware and activity remained relevant as of July 13, 2026, but available evidence does not establish that the original pre-Cronos organization regained its former scale or central control.

Evidence levelWhat the evidence supports
Confirmed by official sourcesOperation Cronos seized or disabled significant infrastructure, obtained source code and affiliate intelligence, recovered decryption material, and supported arrests, charges, and sanctions.
Confirmed by technical analysisTrend Micro analyzed LockBit 5.0 binaries for Windows, Linux, and ESXi in September 2025. LevelBlue published further multi-sample analysis in early 2026.
Reported with caveatsIn May 2025, Reuters reported that LockBit infrastructure appeared to have been compromised and data leaked. Reuters did not independently verify the entire dataset.
Criminal claimStatements by the operation about releases, victims, alliances, or recovery are not treated as confirmation without independent evidence.
Editorial assessmentLockBit-derived code remains usable, but malware similarity alone cannot prove that an incident was controlled by the original administrators.

The UK National Crime Agency’s May 2024 assessment said LockBit was operating at limited capacity and that its global threat had been significantly reduced at that point. That was a dated assessment, not proof that all future activity was eliminated.

Later developments cut both ways. A reported May 2025 compromise of LockBit infrastructure suggested further damage to its operational security. Conversely, Trend Micro’s LockBit 5.0 analysis and LevelBlue’s 2026 sample research established that technically developed LockBit-branded samples continued to exist.

Neither observation alone measures successful intrusions, confirmed victims, affiliate participation, or the authority of a central operator.

LockBit timeline: 2019 to the latest verified update

DateDevelopmentEvidence status
Sep 2019–Jan 2020Early ransomware associated with the “ABCD” name and emerging LockBit operationTechnical and official history
June 2021LockBit 2.0, also called LockBit Red, appearedTechnically confirmed
June 2022LockBit 3.0, or LockBit Black, entered useTechnically confirmed
September 2022A LockBit 3.0 builder leak lowered the barrier to unrelated reuseTechnically reported
2023Joint government advisories documented the affiliate model, TTPs, and Citrix Bleed exploitationOfficially confirmed
February 20, 2024Operation Cronos seized infrastructure and exposed operational informationOfficially confirmed
May 7, 2024Authorities identified, charged, and sanctioned alleged administrator and developer Dmitry KhoroshevOfficial allegation and sanctions
Oct–Dec 2024Further arrests, sanctions, and charges including the charge against alleged developer Rostislav Panev were announcedOfficial proceedings
February 11, 2025The U.S., UK, and Australia acted against hosting provider Zservers and two administratorsOfficial sanctions
May 8, 2025LockBit infrastructure reportedly suffered a breach and data leakReported with caveats
September 25, 2025LockBit 5.0 Windows, Linux, and ESXi variants were technically analyzedTechnically confirmed
Jan–Feb 2026Researchers published analysis of additional LockBit 5.0 samplesTechnically confirmed
July 13, 2026Code remained relevant; the original operation’s current scale and control remained uncertainDated editorial assessment

The legal distinction is important. The official sources reviewed for this article describe Khoroshev as charged and sanctioned, not convicted. A March 2025 DOJ release described Panev as extradited to the United States and detained pending trial.

Timeline of LockBit ransomware versions and enforcement events from 2019 through the latest verified 2026 update.

Figure 2. LockBit’s evolution includes malware releases, law-enforcement disruptions, infrastructure exposure, and later independently analyzed samples.

Source note: CISA, DOJ, NCA, Europol, U.S. Treasury, Trend Micro, BleepingComputer, and Reuters; dates and status reverified before publication.

LockBit versions compared

Version or nameFirst observationPlatformsMajor characteristicsStatus or evidencePrimary source
Early LockBit / ABCDApprox. Sep 2019WindowsEarly generation associated with the emerging RaaS operation; “ABCD” reflected an extension seen in early incidentsHistoricalDOJ; Trend Micro
LockBit 2.0 / RedJune 2021Windows; later Linux/ESXi capabilityExpanded affiliate service and StealBit-related data-exfiltration capabilityWidely documented historical versionMITRE; Trend Micro
LockBit 3.0 / BlackJune 2022Windows and VMware ESXiMore modular, affiliate-configurable generation with enhanced evasion and exfiltration featuresHistorically deployed; leaked builder complicates later attributionMITRE; Trend Micro
LockBit GreenJanuary 2023WindowsIncorporated code associated with Conti; best treated as a variant or forkLimited historical relevance; not proof of formal 4.0Trend Micro
LockBit-NG-Dev / claimed 4.0February 2024 analysisWindows development sample; design suggested portabilityIn-development rewrite with incomplete functionalityDevelopment evidence, not proof of broad deploymentTrend Micro
LockBit 5.0September 2025 analysisWindows, Linux, and VMware ESXiCross-platform variants with significant code evolution and behavior intended to impair recovery and visibilityAnalyzed samples exist; broad prevalence is not establishedTrend Micro

The version number identifies malware lineage, not necessarily the humans responsible for an intrusion. A third party using a leaked LockBit 3.0 builder can create a technically LockBit-compatible sample without being an authorized affiliate of the original service.

How a LockBit attack typically progresses

There is no universal LockBit intrusion chain. The following lifecycle synthesizes behavior described by CISA, MITRE ATT&CK, incident reporting, and primary technical analysis. It should be used as a defensive model not as an assertion that every affiliate performs every stage.

StageWhat defenders may observeCapability vs. operator behaviorSource
Initial accessCompromised credentials, exposed remote access, phishing, or exploitation of internet-facing vulnerabilitiesObserved affiliate entry paths not functions of the encryptorCISA; Citrix advisory
Establish and expand accessRemote administration, new sessions, tooling transfer, or use of existing management servicesTools and sequence depend on the affiliate and environmentCISA
Privilege and identity abusePrivileged accounts, credential access, or changes expanding administrative reachPrimarily intrusion behavior rather than an inherent encryption featureCISA
Reconnaissance and lateral movementAccount, host, domain, share, backup, and virtualization discovery followed by east-west accessMethods vary by affiliate capability and available privilegesMITRE 2.0/3.0
Defense impairmentAttempts to interfere with security services, logging, or recovery processesSome functions exist in malware variants; others may be performed separatelyMITRE 3.0; Trend 5.0
Data collection and exfiltrationUnusual staging, archiving, cloud transfers, or sustained outbound trafficMay use LockBit-associated, third-party, or legitimate toolingMITRE StealBit; CISA
Backup interferenceAccess to backup consoles, deletion or modification attempts, or recovery-setting changesCan occur before encryption to increase operational pressureCISA StopRansomware
EncryptionHigh-volume file changes, process or service disruption, inaccessible VMs, or new extensionsCentral ransomware capability; behavior differs by version and platformTrend Micro 5.0
ExtortionRansom notes, communication attempts, and threats to disclose stolen dataCriminal claims about theft or deletion require independent validationNCA Cronos

Credential-based entry deserves particular attention because stolen accounts can bypass controls that focus only on malware files. DeepStrike’s analysis of compromised credentials provides broader context, but each organization should base detection thresholds on its own identity architecture and normal activity.

LockBit tactics mapped to defensive controls

Observed objectiveDefensive controlEvidence to monitorSafe validationSource
Abuse exposed remote accessRemove unnecessary exposure; require phishing-resistant MFAAsset and remote-authentication evidenceAuthorized external surface reviewCISA
Use stolen credentialsSeparate admin identities, PAM, conditional accessIdP events, privilege elevation, session anomaliesIdentity and AD assessmentCISA
Exploit internet-facing systemsAsset ownership, risk-based patching, compensating controlsVersion data, vulnerability evidence, WAF logsScanning plus scoped manual validationCISA Citrix
Abuse privileged accountsTiered administration and least privilegeGroup, policy, role, and directory changesPrivileged-path reviewNIST IR 8374r1
Move laterallySegmentation and restricted administrative protocolsEast-west RDP, SMB, WinRM, SSH, and vCenter trafficAuthorized segmentation testMITRE 3.0
Interfere with security toolingEDR tamper protection and restricted service controlService stops, policy changes, sensor-health gapsBenign purple-team testMITRE 3.0
Exfiltrate dataEgress controls, classification, DLP, cloud visibilityOutbound volume, staging, archiving, cloud destinationsSynthetic DLP test dataMITRE StealBit
Access backupsIsolated identities, immutable copies, administrative separationBackup logins, retention changes, failed jobsRestore exercise and tabletopCISA
Encrypt Windows systemsBehavioral detection, application control, rapid isolationMass file writes, service changes, endpoint clustersNon-destructive simulator in a labMITRE 2.0
Encrypt Linux or ESXiHarden management planes and protect root-level identitiesHypervisor logins, datastore operations, VM changesConfig review and isolated restoreTrend 5.0
Disrupt event evidenceCentralized, append-protected loggingLog-clear events, ingestion gaps, retention changesTelemetry continuity testTrend 5.0

What Operation Cronos changed

Operation Cronos was an international law-enforcement operation led by the UK National Crime Agency with support from partner authorities. It targeted LockBit’s central infrastructure and participants rather than merely removing one malware sample.

Europol reported that 34 servers were taken down, two people were arrested at the operation’s launch, more than 200 cryptocurrency accounts were frozen, and decryption keys were recovered. By June 2024, the FBI said it possessed more than 7,000 LockBit decryption keys, reflecting a later and broader key count.

Eurojust listed ten operational partner countries: the United Kingdom, France, Germany, Sweden, the Netherlands, the United States, Switzerland, Australia, Canada, and Japan. Arrests also occurred in Poland and Ukraine. Counts can therefore differ when sources count partner countries, operational locations, or arrest jurisdictions.

The NCA obtained control of LockBit’s primary administration environment and public-facing leak infrastructure, along with source code and affiliate intelligence. It also reported finding victim data still stored after a ransom had reportedly been paid, undermining claims that payment guarantees deletion.

What Operation Cronos achievedWhat it did not prove
Seized or disabled important servers and domainsThat every affiliate, credential, or copy of the malware was eliminated
Recovered source code, operational intelligence, and decryption materialThat every LockBit victim could decrypt files
Identified affiliates and exposed internal operationsThat every later LockBit-branded sample came from those affiliates
Supported arrests, charges, extradition proceedings, and sanctionsThat charged individuals had been convicted
Damaged trust between administrators and affiliatesThat the brand could never be reused
Reduced operational capacity at the time of disruptionThat later activity returned to its earlier scale
Helped victims through official decryptor initiativesThat decryption removes persistence, reverses data theft, or completes recovery

This illustrates why law enforcement can substantially reduce a RaaS operation without eliminating reusable ransomware code. It also shows how law enforcement tracks dark-web criminals through infrastructure, accounts, operational mistakes, financial evidence, and international cooperation.

LockBit’s documented impact

LockBit statistics are easy to misstate because official releases used different dates, geographies, and definitions. The following figures should be read separately, not added together.

FigurePeriodGeographyMeasureSourceLimitation
~1,700 attacks; ~$91M paidJan 2020–May 2023United StatesReported attacks and ransom paymentsCISA, June 2023Attacks may not be unique victims; excludes demands and wider losses
>2,000 victims; ~$120M receivedThrough Feb 20, 2024Global, incl. U.S.DOJ cumulative victim and payment estimateDOJ, Feb 2024Later releases use broader totals and later cutoff
>7,000 builds; ≥2,110 negotiationsJun 2022–Feb 2024Global server dataBuilds/attacks and negotiation records in seized systemsNCA, May 2024A build does not prove execution, compromise, or payment
>2,500 victims in ≥120 countries; ≥$500M paidThrough Mar 2025 releaseGlobal; 1,800 U.S.Later DOJ cumulative estimateDOJ, Mar 2025Broader and later scope than earlier snapshots

Claims about LockBit’s percentage of global ransomware should always state the measurement period, dataset, and whether the denominator represents leak-site posts, incidents, detections, or confirmed compromises. No single share is presented here as a permanent measure. See DeepStrike’s separately scoped current ransomware statistics for broader trend context.

Documented cases

IncidentWhat is supportedWhat should not be inferred
Royal Mail, 2023UK government material says the incident affected domestic and international operations for several weeks. The NCSC uses it to illustrate that a RaaS supplier and access affiliate can be different parties.Do not convert a demand into payment or treat central administrators as the hands-on team without evidence.
ICBC Financial Services, 2023U.S. Treasury attributed the disruptive incident to LockBit. It affected systems, email, and settlement activity involving more than $9 billion in Treasury-backed assets.The cited source does not establish that a ransom was paid.
Indonesia national data center, 2024Reuters reported that officials identified a Brain Cipher variant derived from LockBit 3.0 and described disruption to immigration and other public services.Code lineage alone does not prove control by original LockBit administrators.

Confirmed incidents, leak-site listings, ransom demands, ransom payments, total losses, and recovery costs are different measurements. Business interruption, rebuilding, legal work, notification, and lost revenue can exceed the payment itself; these are addressed separately in DeepStrike’s analysis of ransomware recovery costs.

How to prevent and detect LockBit-related attacks

The final NIST IR 8374 Revision 1, published June 11, 2026, frames ransomware risk across the NIST Cybersecurity Framework 2.0 functions: Govern, Identify, Protect, Detect, Respond, and Recover. The following priorities apply that lifecycle to LockBit-related behavior.

What to do if you find a LockBit ransom note

  1. Activate the approved incident-response and crisis-management plans.
  2. Isolate affected systems using established procedures while avoiding unnecessary destruction of evidence.
  3. Preserve volatile and forensic evidence where feasible, including relevant memory, logs, identity events, network data, notes, and suspicious files.
  4. Do not delete the ransom note or malware sample.
  5. Identify affected identities, endpoints, servers, cloud resources, hypervisors, security systems, and backup infrastructure.
  6. Investigate potential data collection and exfiltration not only encryption.
  7. Determine whether attackers still have access and whether persistence or unauthorized credentials remain.
  8. Contact the appropriate law-enforcement or national cyber authority.
  9. Involve qualified forensic responders, legal counsel, the insurer, executive leadership, and communications personnel.
  10. Assess contractual, regulatory, privacy, labor, sectoral, and cross-border notification duties by jurisdiction.
  11. Check recognized official decryption resources from an isolated analysis environment.
  12. Restore only after containment, eradication, identity remediation, and validation of the recovery environment.
  13. Rotate affected credentials and secrets according to evidence and dependency-aware procedures.
  14. Record evidence, decisions, timing, approvals, and communications.

Do not execute a decryptor or suspected malware directly on production systems. CISA maintains an official ransomware response checklist, but the exact sequence should be adapted by the organization’s incident commander and responders.

Does the LockBit decryptor work?

It may work for some LockBit 3.0 victims, but it is not a universal LockBit recovery tool.

No More Ransom’s official tool directory lists a LockBit 3.0 decryptor developed by the Japanese police. Eligibility depends on the ransomware version, the recovered keys, how encryption occurred, the condition of affected files, and available evidence.

Even successful decryption does not:

Victims should work with qualified responders and test recovery on controlled copies before making production changes.

Should a LockBit victim pay the ransom?

There is no safe, universal answer that can be reduced to an SEO yes-or-no. Payment is a legal, sanctions, operational, ethical, insurance, and business-continuity decision that must be assessed for the specific victim and jurisdiction.

U.S. authorities strongly discourage ransom payments. Payment offers no guarantee that a working decryptor will be provided, that stolen data will be deleted, or that the victim will not be targeted again. Operation Cronos investigators reported finding victim data retained on LockBit systems even after payment.

The OFAC ransomware advisory warns that payments involving sanctioned persons or jurisdictions may create sanctions exposure. Identifying the real counterparty can also be difficult. Other jurisdictions impose their own requirements.

Affected organizations should involve legal counsel, law enforcement, their insurer, incident-response professionals, and sanctions specialists. Insurance coverage or business pressure does not itself make a payment lawful or effective. DeepStrike’s ransomware payment trends provide aggregate context but cannot determine the correct action in an individual incident.

How to validate ransomware readiness safely

Penetration testing can identify exploitable entry paths and control weaknesses. It does not reproduce every stage of a ransomware incident, and it cannot guarantee that LockBit or another group will fail. Testing must be authorized in writing, safely scoped, and coordinated with system owners.

DeepStrike LockBit readiness matrix mapping attack stages to preventive controls, detection evidence, and safe validation exercises.

Figure 3. Ransomware readiness depends on validating entry paths, identity controls, movement detection, containment, and recovery not on a single security test.

Source note: Original DeepStrike framework informed by the CISA StopRansomware Guide and NIST IR 8374 Revision 1.

LockBit readiness checklist

Governance

External exposure

Identity

Endpoint and server

Network

Cloud and virtualization

Data exfiltration

Backups

Detection

Response

Recovery

Third parties

Frequently asked questions

What is LockBit ransomware?

LockBit is both a ransomware malware family and the name of a criminal RaaS ecosystem. Its administrators developed the service while affiliates generally conducted victim intrusions.

Who is behind LockBit?

Authorities have identified and charged alleged administrators, developers, and affiliates, including alleged administrator Dmitry Khoroshev. Individual attacks may involve different affiliates, access brokers, infrastructure providers, or unrelated users of leaked code. Official sources do not classify LockBit as state-sponsored.

Is LockBit still active?

LockBit-related code and independently analyzed samples remained relevant as of July 13, 2026. That does not prove that the original operation recovered its pre-Cronos scale, affiliates, or central control.

What is LockBit 5.0, and is it the same as LockBit 4.0?

LockBit 5.0 is a later generation analyzed across Windows, Linux, and ESXi. “LockBit 4.0” was associated with criminal release claims and an in-development NG-Dev sample. NG-Dev showed development activity but not broad 4.0 deployment.

What happened during Operation Cronos?

Authorities seized or disrupted infrastructure, recovered source code and decryption keys, obtained affiliate intelligence, froze accounts, and supported arrests, charges, and sanctions. The operation did not eliminate copied code or every participant.

Is there a free LockBit decryptor?

An official LockBit 3.0 decryptor is available through No More Ransom. It only helps eligible incidents and should be evaluated with qualified responders in a controlled environment.

Can penetration testing prevent a LockBit attack?

No. A penetration test can identify exploitable paths and control weaknesses within its scope and test period. Readiness also requires identity security, detection, segmentation, backups, incident response, recovery, legal preparation, and governance.

Should a victim pay a LockBit ransom?

Authorities discourage payment, and it does not guarantee decryption or deletion of stolen data. Sanctions and other legal risks may apply. Victims should obtain incident-specific advice from counsel, law enforcement, their insurer, qualified responders, and sanctions specialists.

Conclusion

LockBit is best understood as an evolving criminal ecosystem rather than one binary or intrusion team. Developers, administrators, affiliates, infrastructure providers, access sellers, and users of leaked code can all produce different evidence and different levels of attribution confidence.

Operation Cronos substantially disrupted that ecosystem, but takedowns do not erase reusable code. Similarly, a decryptor can help some victims without resolving data theft, persistence, identity compromise, legal duties, or recovery integrity.

Organizations should validate exposed entry paths, identity security, segmentation, telemetry, containment, backups, restoration, and executive response as connected capabilities. If your organization needs to test whether those controls withstand authorized, realistic attack paths, consider a properly scoped engagement through DeepStrike’s penetration testing services.

About the author

Mohammed Khalil is a Cybersecurity Architect at DeepStrike. He writes about penetration testing, red teaming and operational resilience. This guide was developed from primary ECB and EU sources and does not replace legal advice or instructions from the relevant authority.

background
Let's hack you before real hackers do

Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today

Contact Us