LockBit Ransomware

LockBit is a Russian ransomware-as-a-service (RaaS) operation that was active for more than four years.[^1][^3] By the time it was disrupted it had targeted more than 2,000 victims and extorted over $120 million in ransom payments since 2020.[^1] The group targets small and medium-sized businesses in education, finance, healthcare, software services, manufacturing, and professional services, including individuals and organizations in the manufacturing and semiconductor industries.[^1] Initial access comes from phishing, spear phishing, and brute-force attacks, and from Remote Desktop Protocol (RDP).[^2]

Affiliates can customize how payloads are compiled and executed.[^2] LockBit 3.0 is modular, and its payload stays encrypted until execution:[^2] a password supplied at launch is required to unpack the malware's .text section, so the core code cannot be analyzed statically without it. Affiliates use the open-source package manager Chocolatey to install and execute malicious payloads,[^2] and spread over SMB via PsExec and Group Policy Objects.[^2]

The operation was disrupted by the US Department of Justice and UK authorities.[^1] 34 LockBit servers were taken down in the Netherlands, Germany, Finland, France, Switzerland, Australia, the US, and the UK.[^3] LockBit affiliates in Poland and Ukraine were arrested,[^3] and two individuals, one in Canada and one in the US, were arrested for their roles in developing the ransomware.[^3] The Z Server provider supplied infrastructure for LockBit: authorities discovered a laptop running a VM that operated a LockBit control panel from an IP address subleased from Z Server. In 2023, LockBit changed its negotiation model because payments and ransom demands had become inconsistent across its affiliates.[^4] LockBit's own infrastructure was hacked in May 2025; the leaked database includes about 60,000 bitcoin addresses, malware configuration files, and chat logs from victim negotiations.[^5]

The LockBit operation was led by the actor using the handle LockBitSupp.[^6]

[[StealBit]] – LockBit's tool for data exfiltration
[[Maze Cartel]] – ransomware cartel that included the LockBit actors
[[HPH Sector]] – regularly targeted by LockBit
[[XSS.js]] – cybercrime forum frequented by LockBit threat actors
[[LockBit Database Leak]] – the May 2025 leak of LockBit's backend database
[[APT-Iran]] – has begun using LockBit ransomware in its operations

Backlinks

[[Great Britain]]
[[HC3]]
[[IP Addresses]]
[[Leak Sites]]
[[Lumma Stealer]]
[[Netherlands]]
[[Phishing]]
[[PsExec]]
[[Remote Desktop Protocol (RDP)]]
[[Russian Hacking]]
[[Semiconductors]]
[[SMB]]
[[Spear-Phishing]]
[[Switzerland]]
[[XSS.js]]
[[Z Server]]

Sources

[1] "11.12.24-Cyber-Threat-Snapshot," House Committee on Homeland Security. Accessed: Dec. 28, 2024. [Online]. Available: https://homeland.house.gov/wp-content/uploads/2024/11/11.12.24-Cyber-Threat-Snapshot.pdf
[2] HHS_hc3-top-10
[3] register_ncaLockbitRansomware
[4] "The History of Ransomware," Arctic Wolf. [Online]. Available: https://arcticwolf.com/resources/blog/the-history-of-ransomware/
[5] CyberwireDaily
[6] B. Krebs, "Who Got Arrested in the Raid on the XSS Crime Forum?," Krebs on Security. [Online]. Available: https://krebsonsecurity.com/2025/08/who-got-arrested-in-the-raid-on-the-xss-crime-forum/