LockBit emerged in September 2019 (initially called "ABCD" ransomware) and grew into one of the most active ransomware-as-a-service operations of the early 2020s. Under the RaaS model, a core development team maintains the malware and a leak site, while affiliates carry out intrusions and split ransom payments with the operators—typically with affiliates retaining the larger share.
The group iterated through several versions, including LockBit 2.0 (2021), LockBit Black / 3.0 (2022), and LockBit Green (2023), and pioneered tactics such as paying for insider access, running a public bug bounty for its own code, and using fast self-propagating encryption. Affiliates practice double extortion: exfiltrating data before encryption and threatening publication on a Tor-hosted leak site if the victim refuses to pay.
According to a joint advisory issued in 2023 by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and partner agencies, LockBit was the most-deployed ransomware variant globally in 2022. Notable victims have included the UK's Royal Mail (January 2023), Boeing (2023), the Industrial and Commercial Bank of China's U.S. arm (November 2023), and the UK's National Health Service supplier Advanced.
In February 2024, the UK's National Crime Agency, the FBI, and Europol announced Operation Cronos, seizing LockBit's infrastructure, leak site, and decryption keys, and indicting affiliates. In May 2024, U.S. and UK authorities identified Russian national Dmitry Khoroshev as the alleged administrator known as "LockBitSupp," and the U.S. Treasury imposed sanctions on him. The group attempted to relaunch on new infrastructure but with significantly diminished output.
For policy researchers, LockBit illustrates the cross-border enforcement challenges posed by RaaS ecosystems based in non-cooperative jurisdictions, the tension between paying ransoms and sanctions compliance, and the role of coordinated takedowns as a disruption tool.
Example
In January 2023, a LockBit affiliate disrupted UK Royal Mail's international export services, demanding a ransom that Royal Mail publicly refused to pay.
Frequently asked questions
A business model in which malware developers lease encryption tools and infrastructure to affiliates, who conduct intrusions and share ransom proceeds with the operators.
Keep learning