July 13, 2026
Updated: July 13, 2026
LockBit is both a ransomware family and a criminal ransomware-as-a-service ecosystem. This guide explains its operators, affiliates, versions, Operation Cronos, current status, typical attack lifecycle, defensive controls, the limits of available decryptors, and safe ways organizations can validate ransomware readiness across prevention, detection, response, and recovery.
Mohammed Khalil

Last verified: July 13, 2026
LockBit is both the name of a criminal ransomware-as-a-service operation and a family of ransomware used to steal data, encrypt systems, disrupt operations, and pressure victims. It is not one fixed intrusion team: core developers, administrators, affiliates, access brokers, infrastructure providers, and unrelated actors reusing leaked LockBit builders can play different roles.
Operation Cronos caused a major disruption in February 2024, but it did not make LockBit-derived code or future activity impossible. LockBit 5.0 samples targeting Windows, Linux, and ESXi were subsequently analyzed independently. Affiliate variation and code reuse mean that finding a LockBit-like sample does not, by itself, identify the responsible intrusion team.
This guide explains the ecosystem, versions, disruption, current status, attack lifecycle, defensive priorities, response options, and limits of available decryptors in the broader context of major ransomware groups.
| Field | Verified treatment |
|---|---|
| Threat type | Ransomware and data-extortion ecosystem |
| Operating model | Ransomware-as-a-Service |
| First observed | The operation dates to approximately September 2019 in DOJ and technical histories; CISA tracks LockBit activity from January 2020 |
| Common versions | Early LockBit/ABCD, 2.0/Red, 3.0/Black, NG-Dev or claimed 4.0 development, and 5.0 |
| Verified platforms | Early variants primarily affected Windows; later versions included Windows and ESXi support; LockBit 5.0 was analyzed across Windows, Linux, and ESXi |
| Typical objectives | Data theft, encryption, extortion, and operational disruption |
| Major disruption | Operation Cronos, February 2024 |
| Current status | LockBit-related code and samples remained relevant as of July 13, 2026, but the scale and control of the original operation remain uncertain |
| Decryption support | Available for some LockBit 3.0 incidents; eligibility is version- and victim-dependent |
| Primary sources | CISA, DOJ, NCA, Europol, Treasury, MITRE ATT&CK, NIST, and primary technical research |
Important: This is educational defensive guidance, not legal advice or an incident-specific recovery plan. An active ransomware incident should involve qualified incident responders, legal counsel, appropriate authorities, the organization’s insurer, and relevant sanctions specialists.
LockBit ransomware is a family of malicious encryption tools associated with a criminal RaaS ecosystem. Core operators developed and maintained the service, while largely independent affiliates obtained access to victim environments and conducted attacks. Consequently, “LockBit attack” can describe the malware used without reliably identifying one operator, affiliate, or intrusion method.
Ransomware-as-a-Service separates platform development from intrusion activity. LockBit’s administrators supplied malware builders, supporting infrastructure, leak or negotiation services, and an affiliate program. Affiliates selected targets, acquired or purchased access, moved through networks, stole data, and deployed ransomware.
This division matters for both attribution and defense. As the joint CISA LockBit advisory explains, LockBit’s large and initially unvetted affiliate population produced significant variation in tactics, techniques, and procedures.
“LockBit” can therefore refer to several related but distinct things:
LockBit attacks commonly combined encryption with data theft and threats to publish stolen information a form of double extortion. A leak-site listing, however, remains a criminal claim unless the victim, authorities, or independent evidence confirms the incident and its scope.

Figure 1. LockBit’s RaaS model separates core platform development from affiliate-led intrusions, making attack behavior and attribution inconsistent.
Source note: DeepStrike synthesis based on CISA, DOJ, Treasury, and Europol reporting.
At a high level, LockBit administrators developed the ransomware platform and recruited affiliates. An affiliate obtained initial access directly or through another criminal supplier then conducted the intrusion. Victim-specific ransomware builds or configurations could be generated through the service. Stolen data, encryption, negotiation infrastructure, and revenue sharing completed the commercial model.
The allocation of responsibilities was not necessarily identical in every case. Affiliates could bring different tooling, access methods, targets, and experience. Infrastructure seizures can consequently damage central coordination and revenue while leaving individual affiliates, credentials, stolen data, or copied malware code available elsewhere.
The most accurate answer is dated and qualified: LockBit-related malware and activity remained relevant as of July 13, 2026, but available evidence does not establish that the original pre-Cronos organization regained its former scale or central control.
| Evidence level | What the evidence supports |
|---|---|
| Confirmed by official sources | Operation Cronos seized or disabled significant infrastructure, obtained source code and affiliate intelligence, recovered decryption material, and supported arrests, charges, and sanctions. |
| Confirmed by technical analysis | Trend Micro analyzed LockBit 5.0 binaries for Windows, Linux, and ESXi in September 2025. LevelBlue published further multi-sample analysis in early 2026. |
| Reported with caveats | In May 2025, Reuters reported that LockBit infrastructure appeared to have been compromised and data leaked. Reuters did not independently verify the entire dataset. |
| Criminal claim | Statements by the operation about releases, victims, alliances, or recovery are not treated as confirmation without independent evidence. |
| Editorial assessment | LockBit-derived code remains usable, but malware similarity alone cannot prove that an incident was controlled by the original administrators. |
The UK National Crime Agency’s May 2024 assessment said LockBit was operating at limited capacity and that its global threat had been significantly reduced at that point. That was a dated assessment, not proof that all future activity was eliminated.
Later developments cut both ways. A reported May 2025 compromise of LockBit infrastructure suggested further damage to its operational security. Conversely, Trend Micro’s LockBit 5.0 analysis and LevelBlue’s 2026 sample research established that technically developed LockBit-branded samples continued to exist.
Neither observation alone measures successful intrusions, confirmed victims, affiliate participation, or the authority of a central operator.
| Date | Development | Evidence status |
|---|---|---|
| Sep 2019–Jan 2020 | Early ransomware associated with the “ABCD” name and emerging LockBit operation | Technical and official history |
| June 2021 | LockBit 2.0, also called LockBit Red, appeared | Technically confirmed |
| June 2022 | LockBit 3.0, or LockBit Black, entered use | Technically confirmed |
| September 2022 | A LockBit 3.0 builder leak lowered the barrier to unrelated reuse | Technically reported |
| 2023 | Joint government advisories documented the affiliate model, TTPs, and Citrix Bleed exploitation | Officially confirmed |
| February 20, 2024 | Operation Cronos seized infrastructure and exposed operational information | Officially confirmed |
| May 7, 2024 | Authorities identified, charged, and sanctioned alleged administrator and developer Dmitry Khoroshev | Official allegation and sanctions |
| Oct–Dec 2024 | Further arrests, sanctions, and charges including the charge against alleged developer Rostislav Panev were announced | Official proceedings |
| February 11, 2025 | The U.S., UK, and Australia acted against hosting provider Zservers and two administrators | Official sanctions |
| May 8, 2025 | LockBit infrastructure reportedly suffered a breach and data leak | Reported with caveats |
| September 25, 2025 | LockBit 5.0 Windows, Linux, and ESXi variants were technically analyzed | Technically confirmed |
| Jan–Feb 2026 | Researchers published analysis of additional LockBit 5.0 samples | Technically confirmed |
| July 13, 2026 | Code remained relevant; the original operation’s current scale and control remained uncertain | Dated editorial assessment |
The legal distinction is important. The official sources reviewed for this article describe Khoroshev as charged and sanctioned, not convicted. A March 2025 DOJ release described Panev as extradited to the United States and detained pending trial.

Figure 2. LockBit’s evolution includes malware releases, law-enforcement disruptions, infrastructure exposure, and later independently analyzed samples.
Source note: CISA, DOJ, NCA, Europol, U.S. Treasury, Trend Micro, BleepingComputer, and Reuters; dates and status reverified before publication.
| Version or name | First observation | Platforms | Major characteristics | Status or evidence | Primary source |
|---|---|---|---|---|---|
| Early LockBit / ABCD | Approx. Sep 2019 | Windows | Early generation associated with the emerging RaaS operation; “ABCD” reflected an extension seen in early incidents | Historical | DOJ; Trend Micro |
| LockBit 2.0 / Red | June 2021 | Windows; later Linux/ESXi capability | Expanded affiliate service and StealBit-related data-exfiltration capability | Widely documented historical version | MITRE; Trend Micro |
| LockBit 3.0 / Black | June 2022 | Windows and VMware ESXi | More modular, affiliate-configurable generation with enhanced evasion and exfiltration features | Historically deployed; leaked builder complicates later attribution | MITRE; Trend Micro |
| LockBit Green | January 2023 | Windows | Incorporated code associated with Conti; best treated as a variant or fork | Limited historical relevance; not proof of formal 4.0 | Trend Micro |
| LockBit-NG-Dev / claimed 4.0 | February 2024 analysis | Windows development sample; design suggested portability | In-development rewrite with incomplete functionality | Development evidence, not proof of broad deployment | Trend Micro |
| LockBit 5.0 | September 2025 analysis | Windows, Linux, and VMware ESXi | Cross-platform variants with significant code evolution and behavior intended to impair recovery and visibility | Analyzed samples exist; broad prevalence is not established | Trend Micro |
The version number identifies malware lineage, not necessarily the humans responsible for an intrusion. A third party using a leaked LockBit 3.0 builder can create a technically LockBit-compatible sample without being an authorized affiliate of the original service.
There is no universal LockBit intrusion chain. The following lifecycle synthesizes behavior described by CISA, MITRE ATT&CK, incident reporting, and primary technical analysis. It should be used as a defensive model not as an assertion that every affiliate performs every stage.
| Stage | What defenders may observe | Capability vs. operator behavior | Source |
|---|---|---|---|
| Initial access | Compromised credentials, exposed remote access, phishing, or exploitation of internet-facing vulnerabilities | Observed affiliate entry paths not functions of the encryptor | CISA; Citrix advisory |
| Establish and expand access | Remote administration, new sessions, tooling transfer, or use of existing management services | Tools and sequence depend on the affiliate and environment | CISA |
| Privilege and identity abuse | Privileged accounts, credential access, or changes expanding administrative reach | Primarily intrusion behavior rather than an inherent encryption feature | CISA |
| Reconnaissance and lateral movement | Account, host, domain, share, backup, and virtualization discovery followed by east-west access | Methods vary by affiliate capability and available privileges | MITRE 2.0/3.0 |
| Defense impairment | Attempts to interfere with security services, logging, or recovery processes | Some functions exist in malware variants; others may be performed separately | MITRE 3.0; Trend 5.0 |
| Data collection and exfiltration | Unusual staging, archiving, cloud transfers, or sustained outbound traffic | May use LockBit-associated, third-party, or legitimate tooling | MITRE StealBit; CISA |
| Backup interference | Access to backup consoles, deletion or modification attempts, or recovery-setting changes | Can occur before encryption to increase operational pressure | CISA StopRansomware |
| Encryption | High-volume file changes, process or service disruption, inaccessible VMs, or new extensions | Central ransomware capability; behavior differs by version and platform | Trend Micro 5.0 |
| Extortion | Ransom notes, communication attempts, and threats to disclose stolen data | Criminal claims about theft or deletion require independent validation | NCA Cronos |
Credential-based entry deserves particular attention because stolen accounts can bypass controls that focus only on malware files. DeepStrike’s analysis of compromised credentials provides broader context, but each organization should base detection thresholds on its own identity architecture and normal activity.
| Observed objective | Defensive control | Evidence to monitor | Safe validation | Source |
|---|---|---|---|---|
| Abuse exposed remote access | Remove unnecessary exposure; require phishing-resistant MFA | Asset and remote-authentication evidence | Authorized external surface review | CISA |
| Use stolen credentials | Separate admin identities, PAM, conditional access | IdP events, privilege elevation, session anomalies | Identity and AD assessment | CISA |
| Exploit internet-facing systems | Asset ownership, risk-based patching, compensating controls | Version data, vulnerability evidence, WAF logs | Scanning plus scoped manual validation | CISA Citrix |
| Abuse privileged accounts | Tiered administration and least privilege | Group, policy, role, and directory changes | Privileged-path review | NIST IR 8374r1 |
| Move laterally | Segmentation and restricted administrative protocols | East-west RDP, SMB, WinRM, SSH, and vCenter traffic | Authorized segmentation test | MITRE 3.0 |
| Interfere with security tooling | EDR tamper protection and restricted service control | Service stops, policy changes, sensor-health gaps | Benign purple-team test | MITRE 3.0 |
| Exfiltrate data | Egress controls, classification, DLP, cloud visibility | Outbound volume, staging, archiving, cloud destinations | Synthetic DLP test data | MITRE StealBit |
| Access backups | Isolated identities, immutable copies, administrative separation | Backup logins, retention changes, failed jobs | Restore exercise and tabletop | CISA |
| Encrypt Windows systems | Behavioral detection, application control, rapid isolation | Mass file writes, service changes, endpoint clusters | Non-destructive simulator in a lab | MITRE 2.0 |
| Encrypt Linux or ESXi | Harden management planes and protect root-level identities | Hypervisor logins, datastore operations, VM changes | Config review and isolated restore | Trend 5.0 |
| Disrupt event evidence | Centralized, append-protected logging | Log-clear events, ingestion gaps, retention changes | Telemetry continuity test | Trend 5.0 |
Operation Cronos was an international law-enforcement operation led by the UK National Crime Agency with support from partner authorities. It targeted LockBit’s central infrastructure and participants rather than merely removing one malware sample.
Europol reported that 34 servers were taken down, two people were arrested at the operation’s launch, more than 200 cryptocurrency accounts were frozen, and decryption keys were recovered. By June 2024, the FBI said it possessed more than 7,000 LockBit decryption keys, reflecting a later and broader key count.
Eurojust listed ten operational partner countries: the United Kingdom, France, Germany, Sweden, the Netherlands, the United States, Switzerland, Australia, Canada, and Japan. Arrests also occurred in Poland and Ukraine. Counts can therefore differ when sources count partner countries, operational locations, or arrest jurisdictions.
The NCA obtained control of LockBit’s primary administration environment and public-facing leak infrastructure, along with source code and affiliate intelligence. It also reported finding victim data still stored after a ransom had reportedly been paid, undermining claims that payment guarantees deletion.
| What Operation Cronos achieved | What it did not prove |
|---|---|
| Seized or disabled important servers and domains | That every affiliate, credential, or copy of the malware was eliminated |
| Recovered source code, operational intelligence, and decryption material | That every LockBit victim could decrypt files |
| Identified affiliates and exposed internal operations | That every later LockBit-branded sample came from those affiliates |
| Supported arrests, charges, extradition proceedings, and sanctions | That charged individuals had been convicted |
| Damaged trust between administrators and affiliates | That the brand could never be reused |
| Reduced operational capacity at the time of disruption | That later activity returned to its earlier scale |
| Helped victims through official decryptor initiatives | That decryption removes persistence, reverses data theft, or completes recovery |
This illustrates why law enforcement can substantially reduce a RaaS operation without eliminating reusable ransomware code. It also shows how law enforcement tracks dark-web criminals through infrastructure, accounts, operational mistakes, financial evidence, and international cooperation.
LockBit statistics are easy to misstate because official releases used different dates, geographies, and definitions. The following figures should be read separately, not added together.
| Figure | Period | Geography | Measure | Source | Limitation |
|---|---|---|---|---|---|
| ~1,700 attacks; ~$91M paid | Jan 2020–May 2023 | United States | Reported attacks and ransom payments | CISA, June 2023 | Attacks may not be unique victims; excludes demands and wider losses |
| >2,000 victims; ~$120M received | Through Feb 20, 2024 | Global, incl. U.S. | DOJ cumulative victim and payment estimate | DOJ, Feb 2024 | Later releases use broader totals and later cutoff |
| >7,000 builds; ≥2,110 negotiations | Jun 2022–Feb 2024 | Global server data | Builds/attacks and negotiation records in seized systems | NCA, May 2024 | A build does not prove execution, compromise, or payment |
| >2,500 victims in ≥120 countries; ≥$500M paid | Through Mar 2025 release | Global; 1,800 U.S. | Later DOJ cumulative estimate | DOJ, Mar 2025 | Broader and later scope than earlier snapshots |
Claims about LockBit’s percentage of global ransomware should always state the measurement period, dataset, and whether the denominator represents leak-site posts, incidents, detections, or confirmed compromises. No single share is presented here as a permanent measure. See DeepStrike’s separately scoped current ransomware statistics for broader trend context.
| Incident | What is supported | What should not be inferred |
|---|---|---|
| Royal Mail, 2023 | UK government material says the incident affected domestic and international operations for several weeks. The NCSC uses it to illustrate that a RaaS supplier and access affiliate can be different parties. | Do not convert a demand into payment or treat central administrators as the hands-on team without evidence. |
| ICBC Financial Services, 2023 | U.S. Treasury attributed the disruptive incident to LockBit. It affected systems, email, and settlement activity involving more than $9 billion in Treasury-backed assets. | The cited source does not establish that a ransom was paid. |
| Indonesia national data center, 2024 | Reuters reported that officials identified a Brain Cipher variant derived from LockBit 3.0 and described disruption to immigration and other public services. | Code lineage alone does not prove control by original LockBit administrators. |
Confirmed incidents, leak-site listings, ransom demands, ransom payments, total losses, and recovery costs are different measurements. Business interruption, rebuilding, legal work, notification, and lost revenue can exceed the payment itself; these are addressed separately in DeepStrike’s analysis of ransomware recovery costs.
The final NIST IR 8374 Revision 1, published June 11, 2026, frames ransomware risk across the NIST Cybersecurity Framework 2.0 functions: Govern, Identify, Protect, Detect, Respond, and Recover. The following priorities apply that lifecycle to LockBit-related behavior.
Do not execute a decryptor or suspected malware directly on production systems. CISA maintains an official ransomware response checklist, but the exact sequence should be adapted by the organization’s incident commander and responders.
It may work for some LockBit 3.0 victims, but it is not a universal LockBit recovery tool.
No More Ransom’s official tool directory lists a LockBit 3.0 decryptor developed by the Japanese police. Eligibility depends on the ransomware version, the recovered keys, how encryption occurred, the condition of affected files, and available evidence.
Even successful decryption does not:
Victims should work with qualified responders and test recovery on controlled copies before making production changes.
There is no safe, universal answer that can be reduced to an SEO yes-or-no. Payment is a legal, sanctions, operational, ethical, insurance, and business-continuity decision that must be assessed for the specific victim and jurisdiction.
U.S. authorities strongly discourage ransom payments. Payment offers no guarantee that a working decryptor will be provided, that stolen data will be deleted, or that the victim will not be targeted again. Operation Cronos investigators reported finding victim data retained on LockBit systems even after payment.
The OFAC ransomware advisory warns that payments involving sanctioned persons or jurisdictions may create sanctions exposure. Identifying the real counterparty can also be difficult. Other jurisdictions impose their own requirements.
Affected organizations should involve legal counsel, law enforcement, their insurer, incident-response professionals, and sanctions specialists. Insurance coverage or business pressure does not itself make a payment lawful or effective. DeepStrike’s ransomware payment trends provide aggregate context but cannot determine the correct action in an individual incident.
Penetration testing can identify exploitable entry paths and control weaknesses. It does not reproduce every stage of a ransomware incident, and it cannot guarantee that LockBit or another group will fail. Testing must be authorized in writing, safely scoped, and coordinated with system owners.

Figure 3. Ransomware readiness depends on validating entry paths, identity controls, movement detection, containment, and recovery not on a single security test.
Source note: Original DeepStrike framework informed by the CISA StopRansomware Guide and NIST IR 8374 Revision 1.
LockBit is both a ransomware malware family and the name of a criminal RaaS ecosystem. Its administrators developed the service while affiliates generally conducted victim intrusions.
Authorities have identified and charged alleged administrators, developers, and affiliates, including alleged administrator Dmitry Khoroshev. Individual attacks may involve different affiliates, access brokers, infrastructure providers, or unrelated users of leaked code. Official sources do not classify LockBit as state-sponsored.
LockBit-related code and independently analyzed samples remained relevant as of July 13, 2026. That does not prove that the original operation recovered its pre-Cronos scale, affiliates, or central control.
LockBit 5.0 is a later generation analyzed across Windows, Linux, and ESXi. “LockBit 4.0” was associated with criminal release claims and an in-development NG-Dev sample. NG-Dev showed development activity but not broad 4.0 deployment.
Authorities seized or disrupted infrastructure, recovered source code and decryption keys, obtained affiliate intelligence, froze accounts, and supported arrests, charges, and sanctions. The operation did not eliminate copied code or every participant.
An official LockBit 3.0 decryptor is available through No More Ransom. It only helps eligible incidents and should be evaluated with qualified responders in a controlled environment.
No. A penetration test can identify exploitable paths and control weaknesses within its scope and test period. Readiness also requires identity security, detection, segmentation, backups, incident response, recovery, legal preparation, and governance.
Authorities discourage payment, and it does not guarantee decryption or deletion of stolen data. Sanctions and other legal risks may apply. Victims should obtain incident-specific advice from counsel, law enforcement, their insurer, qualified responders, and sanctions specialists.
LockBit is best understood as an evolving criminal ecosystem rather than one binary or intrusion team. Developers, administrators, affiliates, infrastructure providers, access sellers, and users of leaked code can all produce different evidence and different levels of attribution confidence.
Operation Cronos substantially disrupted that ecosystem, but takedowns do not erase reusable code. Similarly, a decryptor can help some victims without resolving data theft, persistence, identity compromise, legal duties, or recovery integrity.
Organizations should validate exposed entry paths, identity security, segmentation, telemetry, containment, backups, restoration, and executive response as connected capabilities. If your organization needs to test whether those controls withstand authorized, realistic attack paths, consider a properly scoped engagement through DeepStrike’s penetration testing services.
Mohammed Khalil is a Cybersecurity Architect at DeepStrike. He writes about penetration testing, red teaming and operational resilience. This guide was developed from primary ECB and EU sources and does not replace legal advice or instructions from the relevant authority.

Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today
Contact Us