LockBit
LockBit is a ransomware-as-a-service (RaaS) family active since 2019 and one of the most prolific ransomware operations of recent years. Reporting covers several variants and aliases, including LockBit 2.0, LockBit 3.0 and LockBit Black; LockBit 3.0, which shares code lineage with BlackMatter, appeared around June 2022 after bugs were found in LockBit 2.0. LockBit was the dominant ransomware family of 2023 and remained a leading family in incident-response cases in the first half of 2024 despite the law-enforcement disruption of February 2024 under Operation Cronos.
The core payload is Windows ransomware, but the wider LockBit ecosystem also appears in Linux/ESXi contexts through code reuse and derivative activity by other actors. LockBit 3.0 payloads are typically staged through third-party post-exploitation frameworks such as Cobalt Strike, including chains in which SocGholish dropped Cobalt Strike and Cobalt Strike then delivered LockBit. Unrelated actors and criminal groups, including Twelve and NullBulge, have deployed LockBit as a final-stage payload after precursor malware such as Danabot, Async RAT and Xworm. Leaked LockBit source code and builders have also been reused by others, including SEXi for Windows targets and NullBulge via the leaked LockBit Black builder.
LockBit 3.0 expects to run with administrative privileges and can attempt a UAC bypass through CMSTP when it does not have them. For persistence it can install several Windows services and write a copy of itself to %programdata% before relaunching from that location. Before encryption it attempts to stop a long list of services and processes so that open file handles do not block encryption: backup- and security-related services such as backup, veeam, vss, sophos, sql, svc$ and msexchange, and user applications such as excel, firefox, outlook, thunderbird, winword, powerpnt, notepad and wordpad. Depending on its embedded configuration it can encrypt local drives and network shares, terminate processes and services, disable Windows Defender, delete event logs, self-delete, print ransom notes on attached printers and change the desktop wallpaper. Encryption is extremely fast. Each build carries a campaign-specific random string that is appended to encrypted files as their new extension and prefixed to the ransom-note filename; observed extensions include HLJkNskOq and futRjC7nx. Victims are directed to a Tor-based support portal to negotiate.
The family carries substantial anti-analysis and evasion functionality: code packing, obfuscation, dynamic API resolution, function trampolines, runtime XOR decryption, anti-debugging checks against the heap flags, hiding threads from debuggers via NtSetInformationThread with ThreadHideFromDebugger, and tampering with DbgUiRemoteBreakin using ZwProtectVirtualMemory and SystemFunction040 so that a debugger cannot attach cleanly. Separate intrusion reporting tied to a LockBit affiliate showed Cobalt Strike Beacon being side-loaded through the signed VMware utility VMwareXferlogs.exe via a malicious glib-2.0.dll. That DLL performed anti-debugging checks, restored clean copies of hooked functions from the on-disk images to strip EDR/EPP user-mode hooks, patched EtwEventWrite and AmsiScanBuffer with a RET instruction to suppress ETW telemetry and AMSI scanning, decrypted an RC4-encrypted Beacon loader from c0000015.log, and executed it in a suspended thread through a queued APC.
LockBit is a criminal ecosystem rather than a single intrusion set. It is a mature RaaS with affiliate-management features, leak-site mirrors, an instant search tool for leaked data, and ransom payment in Bitcoin, Monero and Zcash. LockBitSupp is the public-facing operator persona named in reporting on the February 2024 disruption. Affiliates and adjacent actors include Microsoft-tracked DEV-0401, and groups such as Twelve and NullBulge have used the payload outside the affiliate program through builds from leaked source code and builders. Operational rules attributed to LockBit include a ban on attacking Russian-linked and broader CIS targets.
Targeting is broad and enterprise-focused, spanning many sectors and geographies; incident-response reporting ranked LockBit among the most prevalent families of 2023 and 2024. Reported victim environments involve Windows domains, VMware infrastructure and network shares. Indicators named directly in the reporting include the use of VMwareXferlogs.exe with a malicious glib-2.0.dll in one affiliate intrusion, the RC4-encrypted payload file c0000015.log, download source 45.32.108[.]54, Cobalt Strike C2 149.28.137[.]7, malicious DLL SHA1 729eb505c36c08860c4408db7be85d707bdcbf1b, encrypted payload SHA1 e35a702db47cb11337f523933acd3bce2f60346d, ransom-note-only samples used by Twelve, and filenames such as twelve.exe, 12.exe, enc.exe, betta.exe, sed.exe and svo.exe for LockBit-derived payloads compiled from publicly available source code.
Vulnerabilities exploited
21 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Starting in mid-July 2025, threat actors began actively exploiting two path traversal vulnerabilities affecting on-premises SharePoint servers: CVE-2025-53770 and CVE-2025-53771. These two vulnerabilities are related to CVE-2025-49704 and CVE-2025-49706... attackers managed to eliminate the need to be authenticated to obtain a valid signature, resulting in unauthenticated remote code execution.
The version of Velociraptor observed in this incident was outdated (version 0.73.4.0) and exposed to a privilege escalation vulnerability (CVE-2025-6264), which may have been leveraged for persistence as this vulnerability can lead to arbitrary command execution and endpoint takeover.
CVE-2018-13379 : A path traversal vulnerability in Fortinet SSL VPNs that was routinely exploited by multiple threat actors, including the LockBit ransomware group, across several years.
PaperCut servers have been previously breached by ransomware gangs in 2023 by exploiting a critical, unauthenticated remote code execution (RCE) vulnerability (CVE-2023-27350)... One month later, CISA and the FBI issued a joint advisory warning that the Bl00dy Ransomware gang had also begun exploiting the CVE-2023-27350 RCE vulnerability to gain initial access to the networks of educational organizations.
PaperCut servers have been previously breached by ransomware gangs in 2023 by exploiting a critical, unauthenticated remote code execution (RCE) vulnerability (CVE-2023-27350) and a high-severity information disclosure flaw (CVE-2023-27351).
Initial Access and Persistence CVE-2024-55591 and CVE-2025-24472 allow unauthenticated attackers to gain super_admin privileges on vulnerable FortiOS devices (<7.0.16) with exposed management interfaces... Another common exploitation method we observed involved the threat actor using the fortigate-firewall account to exploit CVE-2025-24472 rather than CVE-2024-55591.
Initial Access and Persistence CVE-2024-55591 and CVE-2025-24472 allow unauthenticated attackers to gain super_admin privileges on vulnerable FortiOS devices (<7.0.16) with exposed management interfaces. A proof-of-concept (PoC) exploit was publicly released on January 27, and within 96 hours, we observed active exploitation in the wild using two distinct methods: jsconsole ... HTTPS ...
The experts argued that the attackers likely did not exploit recently disclosed CVE-2022-41040 and CVE-2022-41082 vulnerabilities. | In July 2022, two servers operated by a customer of the security firm were infected with LockBit 3.0 ransomware. Threat actors initially deployed web shell on a compromised Exchange server, then it took just 7 days to escalate privileges to Active Directory admin and stole roughly 1.3 TB of data before encrypting systems hosted in the network.
Looking at the Microsoft Exchange Server vulnerability history, the remote code execution vulnerability was disclosed on December 16, 2021 (CVE-2022-21969) | In July 2022, two servers operated by a customer of the security firm were infected with LockBit 3.0 ransomware. Threat actors initially deployed web shell on a compromised Exchange server, then it took just 7 days to escalate privileges to Active Directory admin and stole roughly 1.3 TB of data before encrypting systems hosted in the network.
According to malware research group vx-underground citing LockBitSupp, the alleged leader of the LockBit operation, law enforcement hacked into the ransomware operation’s servers using a known vulnerability in the popular web coding language PHP. The vulnerability used to compromise its servers is tracked as CVE-2023-3824, a remote execution flaw patched in August 2023, giving LockBit months to fix the bug. | A sweeping law enforcement operation led by the U.K.’s National Crime Agency (NCA) this week took down LockBit, the notorious Russia-linked ransomware gang... It has long been known that LockBit, which first entered the competitive cybercrime scene in 2019, is one of, if not the most prolific ransomware gangs.
The GOLD MYSTIC threat group has operated the LockBit name-and-shame ransomware-as-a-service (RaaS) scheme since mid-2019, exploiting unauthorized access to thousands of organizations to deploy ransomware and steal data to facilitate the extortion of victims.
Researchers at Huntress Security Operations Center (SOC) observed what they call "a sharp uptick" in exploitation activity targeting Bomgar Remote Support (now part of BeyondTrust), with attackers reaching systems through a critical unauthenticated remote code execution (RCE) flaw, CVE-2026-1731.
Storm-2603... observed stealing MachineKeys and deploying Warlock and Lockbit ransomware... They conduct lateral movement using PsExec and Impacket, deploying Warlock and LockBit ransomware to encrypt systems. | Exploited vulnerabilities include CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771, collectively known as ToolShell. CVE-2025-49704: A remote code execution vulnerability allowing attackers to run arbitrary code without authentication.
Storm-2603... observed stealing MachineKeys and deploying Warlock and Lockbit ransomware... They conduct lateral movement using PsExec and Impacket, deploying Warlock and LockBit ransomware to encrypt systems. | CVE-2025-49706: A spoofing vulnerability enabling post-authentication remote code execution on affected SharePoint servers.
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
Affiliates of LockBit ransomware have previously targeted vulnerabilities in ConnectWise ScreenConnect (i.e., CVE-2024-1708 and CVE-2024-1709) for initial access.
...threat actors have been observed weaponizing a vulnerable version of Bitrix for initial access, followed by using the Zerologon flaw to escalate privileges.
Attackers leveraged CVE-2023-46604, a remote code execution flaw in the ActiveMQ messaging broker, to break into an exposed Windows server and ultimately encrypt systems via Remote Desktop Protocol — spanning roughly 19 calendar days from initial access to full encryption.
Groups observed using it
39 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data.
The CyberVolk collective is a prime example of how readily threat actors can access and deploy dangerous ransomware builders such as AzzaSec, Diamond, LockBit, Chaos and others.
Talos IR responded to Warlock, Babuk, and Kraken ransomware variants for the first time, while also responding to previously seen families Qilin and LockBit.
As in previous attacks, they encrypted data using variants of LockBit 3.0 (for Windows systems) and Babuk (for NAS devices).
NullBulge is delivering LockBit ransomware payloads to their Async and Xworm victims as a later-stage infection.
During a recent investigation, our DFIR team discovered that LockBit Ransomware-as-a-Service (Raas) side-loads Cobalt Strike Beacon through a signed VMware xfer logs command line utility.
Techniques & procedures
32 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Initial Access
5 techniques
Threat actors predominately exploited public-facing applications for initial access this quarter... Almost 40 percent of all engagements involved ToolShell activity... attackers began actively exploiting two path traversal vulnerabilities affecting on-premises SharePoint servers... resulting in unauthenticated remote code execution.
NullBulge’s attacks are characterized by ‘poisoning the well’: the group targets the software supply chain by injecting malicious code into legitimate software distribution mechanisms, exploiting trusted platforms like GitHub, Reddit and Hugging Face to maximize their reach.
Execution
5 techniques
MITRE ATT&CK T1047 – Windows Management Instrumentation
the adversary used Scheduler tasks set up by modifying group policies. This enabled the adversary to execute these on all machines in the domain at the same time
Persistence
4 techniques
Privilege Escalation
7 techniques
the adversary used Scheduler tasks set up by modifying group policies. This enabled the adversary to execute these on all machines in the domain at the same time
they tried distributing and running malware through the task scheduler and modified group policies to save malicious tasks for the entire domain
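A task pushed through a group policy lives in one file per GPO under SYSVOL (\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml), which makes that file the natural place to hunt for the domain-wide task deployment described in the two excerpts above. The following is an added example, not code from the original page or from the reporting it cites, that parses such a file and flags tasks whose action runs from a user-writable staging path or goes through a command interpreter. The XML is constructed in the Group Policy Preferences TaskV2 shape; the task names, host and file names are made up.

```python
"""
Added example: hunt a Group Policy Preferences ScheduledTasks.xml for tasks that
stage and launch a payload domain-wide. SAMPLE_GPP_XML is constructed sample data.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET

SAMPLE_GPP_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Defrag Weekly" changed="2024-03-01 10:00:00">
    <Properties action="C" name="Defrag Weekly" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <Actions Context="Author">
          <Exec>
            <Command>C:\Windows\System32\defrag.exe</Command>
            <Arguments>C: /O</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Windows Update Check" changed="2024-03-09 02:13:00">
    <Properties action="C" name="Windows Update Check" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <Actions Context="Author">
          <Exec>
            <Command>C:\Windows\System32\cmd.exe</Command>
            <Arguments>/c copy \\dc01\netlogon\svo.exe %ProgramData%\svo.exe &amp;&amp; %ProgramData%\svo.exe</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>"""

# Locations a pushed task should not normally execute from or copy out of.
STAGING_PATHS = ("%programdata%", "%temp%", "%tmp%", "%appdata%", "\\users\\public\\",
                 "\\appdata\\", "\\programdata\\", "\\netlogon\\", "\\sysvol\\")
# Interpreters and living-off-the-land binaries that hide the real payload in the arguments.
INTERPRETERS = ("cmd", "powershell", "pwsh", "rundll32", "regsvr32", "mshta",
                "wscript", "cscript", "certutil", "bitsadmin", "msiexec")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_gpp_tasks(xml_text: str) -> list[dict]:
    """Return one finding per Exec action that matches a staging path or interpreter."""
    root = ET.fromstring(xml_text)
    findings = []
    for task in root:                       # TaskV2, ImmediateTaskV2, Task, ImmediateTask
        props = task.find("Properties")
        if props is None:
            continue
        run_as = props.get("runAs", "")
        for exc in props.iter("Exec"):      # nested under Task/Actions in the GPP schema
            cmd = (exc.findtext("Command") or "").strip()
            args = (exc.findtext("Arguments") or "").strip()
            line = f"{cmd} {args}".lower()
            reasons = []
            paths = [p for p in STAGING_PATHS if p in line]
            if paths:
                reasons.append("staging path: " + ", ".join(paths))
            exe = _basename(cmd)
            if exe.split(".", 1)[0] in INTERPRETERS:
                reasons.append(f"interpreter/LOLBin: {exe}")
            if reasons and "system" in run_as.lower():
                reasons.append("runs as SYSTEM")   # escalates an already suspicious task
            if reasons:
                findings.append({"task": task.get("name", "?"), "kind": task.tag,
                                 "changed": task.get("changed", ""), "run_as": run_as,
                                 "command": f"{cmd} {args}".strip(), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_gpp_tasks(SAMPLE_GPP_XML):
        print(f"[{f['kind']}] {f['task']!r} changed {f['changed']} as {f['run_as']}")
        print(f"    {f['command']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run it over every ScheduledTasks.xml under SYSVOL and compare each flagged task's changed timestamp with the incident window; an ImmediateTaskV2 is the variant that fires on the next policy refresh on every joined machine, which is what the quoted excerpts describe.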
Stealth
9 techniques
... the developers of The Gentlemen systematically reverse-engineer samples of Babuk, Qilin, LockBit 5.0 and Medusa, extracting ... obfuscation techniques (T1027) ...
Besides renaming files, the attackers also removed services and files they had created and cleared event logs to evade detection... Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }
The config.json file contains settings... 'delete_eventlogs': true
Defense Impairment
1 technique
Credential Access
1 technique
Discovery
4 techniques
title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE ... Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE ... tags: - attack.discovery - attack.t1087.001 - attack.t1087.002
selection_accounts_root: CommandLine|contains: ' accounts ' ... selection_accounts_flags: CommandLine|contains: ' /do' # short for domain ... tags: - attack.discovery - attack.t1087.001 - attack.t1087.002
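The Sigma fragment above, the service kill list in the profile and the event-log clearing quoted under Stealth all reduce to process command-line matching. The following is an added example, not code from the original page or from any referenced vendor rule set, that runs those three checks over Sysmon-style process-creation events. The events are constructed for illustration; the Net.EXE check mirrors the quoted selections (" accounts " plus " /do") and widens them to the other sub-commands that enumerate domain objects.

```python
"""
Added example: three command-line detections for LockBit precursor and impact
behaviour, run over constructed process-creation events (Sysmon Event ID 1 fields).
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Service-name fragments LockBit 3.0 stops before encrypting (from the profile above).
KILL_LIST = ("backup", "veeam", "vss", "sophos", "sql", "svc$", "msexchange")

SERVICE_STOP = re.compile(
    r'\b(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+(?:stop|config)|stop-service(?:\s+-name)?)\s+["\']?([\w$.\-]+)')
LOG_CLEAR = re.compile(r'\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|clear-eventlog')


@dataclass(frozen=True)
class Alert:
    technique: str
    title: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> list[Alert]:
    """Evaluate one process-creation event and return every matching alert."""
    cl = event.get("CommandLine", "")
    low = cl.lower()
    image = _basename(event.get("Image", ""))
    alerts = []
    # T1087.001/.002: domain account and group enumeration through net.exe / net1.exe.
    if image in ("net.exe", "net1.exe") and " /do" in low and any(
            k in f" {low} " for k in (" accounts ", " group ", " user ", " localgroup ")):
        alerts.append(Alert("T1087", "Domain account/group reconnaissance via Net.EXE", cl))
    # T1489: stop or disable a service whose name matches the kill list. Matched on the
    # command line rather than the image so a cmd.exe /c wrapper does not hide it.
    m = SERVICE_STOP.search(low)
    if m and any(k in m.group(1) for k in KILL_LIST):
        alerts.append(Alert("T1489", f"Backup/security service stopped or disabled: {m.group(1)}", cl))
    # T1070.001: wevtutil and PowerShell forms of clearing event logs.
    if LOG_CLEAR.search(low):
        alerts.append(Alert("T1070.001", "Windows event log cleared", cl))
    return alerts


def run(events: list[dict]) -> list[Alert]:
    return [a for e in events for a in detect(e)]


# Constructed sample events: six that should alert, two benign ones that should not.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net accounts /domain"},
    {"Image": r"C:\Windows\System32\net1.exe", "CommandLine": 'net1 group "Domain Admins" /domain'},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c net stop VeeamBackupSvc"},
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc config vss start= disabled"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -ep bypass Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"},
    {"Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil cl Security"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net use Z: \\\\fs01\\share"},
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc query spooler"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(f"{alert.technique:10} {alert.title:60} <- {alert.command_line}")
```

The payload itself stops services through the service-control API rather than a command line, so these rules catch the operator-typed and batch forms and the affiliate's PowerShell; for the binary's own kills, a burst of System log 7036 "entered the stopped state" events for the services in KILL_LIST within a few seconds is the signal, followed by Security 1102 or System 104 when the logs are cleared.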
Command and Control
1 technique
Impact
4 techniques
Some ransomware operators do not allow targeting (encrypting and exfiltrating data) of non-profit organizations, healthcare, and government entities... | Fifth, operators of ransomware variants based on leaked source codes of notable ransomware brands widely adopted another pressure method: double ransom payments unless a victim pays a ransom within 24, 48, or 72 hours after a ransomware attack.
IOCs tracked for this family
232 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Well-known ransomware family mentioned here as banning attacks on Russian-linked targets.
A major ransomware-as-a-service operation referenced as a predecessor and benchmark for newer programs. The content notes its infrastructure was seized in Operation Cronos in February 2024, but the brand remained active in Q1 2026 with 163 victims.
A ransomware-as-a-service scheme referenced as one of the platforms whose resources were leveraged by the operators before The Gentlemen became independent.
A ransomware family that UNC3753 reportedly deployed in 2022 before the group shifted away from ransomware to pure data theft and extortion.