LockBit isn’t just another ransomware strain. It’s the most prolific, most organized, and most dangerous ransomware operation ever documented, responsible for more confirmed attacks than any other group in history, across every major industry, in nearly every country on earth.
From hospital systems and financial institutions to aerospace giants and critical infrastructure, no sector has been spared. Accenture, Boeing, ICBC (the Industrial and Commercial Bank of China): the victim list reads like a Fortune 500 directory. Australia’s cyber agency reported that LockBit accounted for the largest share of ransomware incidents in the country between April 2022 and March 2023. That’s not a trend. That’s dominance.
What makes LockBit uniquely dangerous isn’t just its technical sophistication, formidable as that is: the hybrid AES-RSA encryption architecture, cross-platform targeting, and rapid variant evolution from LockBit 2.0 through LockBit Black (3.0) to the LockBit 5.0 builds seen in 2025. What makes it dangerous is the business model. LockBit pioneered and perfected ransomware-as-a-service at scale, recruiting affiliates, automating attacks, and operating with the structure and efficiency of a technology company, not a criminal gang.
Law enforcement tried to stop it. Operation Cronos in early 2024 was one of the most coordinated ransomware takedowns in history: servers seized, infrastructure disrupted, arrests made. Within days LockBit had a new leak site, and within months it was operating again. By late 2025, it had formed a ransomware alliance with Qilin and DragonForce, signaling not decline but evolution.
This guide covers everything: who LockBit is, how every variant works technically, the most significant attacks on record, what the takedown achieved and what it didn’t, the 2025 alliance threat, and, critically, how organizations can detect exposure and recover if they’ve already been hit.
If you’re a security professional, a threat analyst, an IT decision-maker, or simply someone trying to understand one of the defining cybersecurity threats of this decade, this is the most complete LockBit resource available.
What Is LockBit Ransomware?
LockBit ransomware is a sophisticated, self-spreading malicious software designed to encrypt files across an organization’s network, render systems inoperable, and extort victims into paying a ransom in exchange for a decryption key. Unlike opportunistic malware that relies on a single attacker, LockBit is engineered for speed, scale, and automation, capable of encrypting thousands of files across hundreds of networked devices faster than most security teams can detect and respond.
What sets LockBit apart from the broader ransomware landscape is its consistency. Since its first appearance, it has maintained an unbroken cycle of development, deployment, and reinvention, keeping it at the top of every major threat intelligence report year after year.
LockBit Definition and Origins
LockBit first emerged in September 2019, initially circulating in Russian-language cybercrime forums under the name ABCD ransomware, a reference to the .abcd file extension it appended to encrypted files. It was a relatively unremarkable debut. Few analysts anticipated what it would become.
By 2020, the group had rebranded as LockBit, launched a dedicated leak site on the dark web, and introduced double-extortion tactics: encrypt the data, steal it, then threaten to publish it unless payment is received. The threat was no longer just operational disruption. It was reputational destruction.
From that point forward, LockBit’s evolution was relentless. Each version brought measurable technical advances, faster encryption, broader platform support, and more sophisticated evasion, and each iteration expanded the group’s reach and victim count. By 2022 and 2023, LockBit had become the single most active ransomware operation on the planet, a position it held even through law enforcement pressure.
Who Is the LockBit Ransomware Group?
The LockBit ransomware group is a financially motivated cybercriminal organization believed to operate primarily out of Russia and other former Soviet states, though its affiliate network spans the globe. The group functions less like a traditional hacking crew and more like a structured criminal enterprise, with dedicated developers, a marketing operation, a public-facing representative, and a formal affiliate recruitment program.
The group’s public persona has always been unusually bold. LockBit ran bug bounty programs, offered rewards for information about law enforcement operations targeting them, and their administrator, known as LockBitSupp, regularly gave interviews and made public statements on cybercrime forums. This wasn’t recklessness. It was calculated that brand management would attract the most capable affiliates and signal dominance to the broader criminal ecosystem.
That visibility ultimately contributed to the group’s partial unraveling, as law enforcement agencies used LockBitSupp’s digital footprints to build the case that led to Operation Cronos in 2024.
Who Is Behind LockBit? Known Members and Affiliates
The central figure publicly identified with LockBit is Dmitry Yuryevich Khoroshev, a Russian national alleged to be LockBitSupp, the group’s primary administrator and developer. In May 2024, the U.S. Department of Justice, alongside UK and Australian authorities, unsealed an indictment against Khoroshev, offering a $10 million reward for information leading to his arrest. He remains at large.
Beyond Khoroshev, several affiliates have been arrested across multiple jurisdictions. A dual Russian-Canadian national was arrested in 2022. Two Russian nationals were charged in the United States. A Polish individual was apprehended in connection with LockBit attacks in Europe. These arrests, while significant, targeted the affiliate layer, the operators who deploy LockBit’s tooling against specific victims, not the core development team.
This distinction matters. In the RaaS model, the developers and the attackers are rarely the same people. Arresting affiliates disrupts individual campaigns but leaves the underlying infrastructure and intellectual property intact, which is precisely why LockBit resumed operations after Operation Cronos.
How LockBit Operates as a Ransomware-as-a-Service (RaaS)
Ransomware-as-a-service is the business model that turned LockBit from a dangerous tool into a global criminal enterprise. The concept is straightforward: LockBit’s core team builds and maintains the ransomware, the infrastructure, the victim negotiation portal, and the leak site. Affiliates, vetted cybercriminals recruited through dark web forums, license access to that infrastructure and deploy attacks against targets of their choosing. Revenue is split, typically with affiliates retaining 70–80% of each ransom payment and the LockBit core team taking the remainder.
The model is brutally efficient. It allows the LockBit group to scale attack volume far beyond what a centralized team could execute, while insulating the core developers from direct operational exposure. Affiliates assume most of the front-line risk. Developers collect passive income from every successful extortion.
LockBit refined this model further by introducing a formal affiliate vetting process, a dedicated administrative panel for managing attacks and negotiations, automated tools for exfiltrating victim data, and a public-facing leak site that served both as an extortion mechanism and a reputational signal to other potential victims. The result was the most operationally mature ransomware program ever built, combining criminal ingenuity with genuine software engineering discipline.
Understanding this structure is essential context for everything that follows, because it explains why LockBit has proven so difficult to dismantle permanently, and why its threat posture in 2026 remains as serious as ever.
LockBit Versions and Variants: A Complete History
No ransomware group has iterated as deliberately or as rapidly as LockBit. Each version wasn’t simply a patch or a minor update; it was a strategic reinvention designed to outpace defenses, expand target coverage, and increase the operational ceiling for affiliates. Understanding the version history isn’t an academic exercise. It’s the only way to make sense of how a 2019 dark web experiment became the defining ransomware threat of the mid-2020s.

LockBit 1.0, The Beginning
LockBit’s first iteration surfaced in September 2019, initially identified by the .abcd extension it stamped onto encrypted files before the group settled on its now-infamous .lockbit extension. At this stage, LockBit was technically competent but not yet exceptional, a Windows-focused encryptor that spread laterally through corporate networks using compromised credentials and exploitation of exposed Remote Desktop Protocol (RDP) endpoints.
What distinguished even this early version was its speed. LockBit 1.0 was engineered to encrypt as many files as possible before detection, prioritizing throughput over stealth. Security teams accustomed to slower, noisier ransomware families were caught off guard by how quickly LockBit could render a network inoperable.
The group was already demonstrating the operational discipline that would define later versions, maintaining a dark web presence, communicating through cybercrime forums, and actively recruiting affiliates into an early RaaS structure. The foundation was modest. The ambition was not.
LockBit 2.0, Rapid Escalation
Released in mid-2021, LockBit 2.0 represented the group’s first major leap and the version that put LockBit on the radar of every serious threat intelligence team. The technical advances were significant: LockBit 2.0 introduced one of the fastest encryption speeds ever recorded for ransomware at that time, using a multithreaded approach that parallelized file encryption across available CPU cores. Independent analysis clocked it encrypting 25,000 files per minute on test systems, a number that made conventional detection and response timelines nearly irrelevant.
This version also introduced StealBit, LockBit’s proprietary data exfiltration tool, formalizing the double extortion model that had previously relied on third-party tools. Victims weren’t just facing encrypted systems; they were facing the imminent publication of sensitive internal data on LockBit’s dark web leak site unless they paid.
LockBit 2.0 expanded its platform to include VMware ESXi servers, a deliberate pivot toward enterprise virtualization infrastructure that dramatically increased the potential blast radius of each attack. The Accenture attack in August 2021, one of the most high-profile ransomware incidents of that year, was carried out using LockBit 2.0, signaling to the world that no organization was too large or too secure to be targeted.
Removal of LockBit 2.0 ransomware was possible in some cases through third-party tools and, later, through law enforcement-released decryptors. Still, recovery was far from guaranteed and typically required significant forensic work to remediate compromised environments fully.
LockBit 3.0 (LockBit Black), Technical Leap
Launched in June 2022, LockBit 3.0, commonly referred to as LockBit Black, was the group’s most technically sophisticated release and the version that cemented its position as the world’s most active ransomware operation. The jump from 2.0 to 3.0 wasn’t incremental. It was a fundamental architectural overhaul.
LockBit Black was developed in part by incorporating code from the BlackMatter ransomware family, whose source code had leaked following that group’s dissolution. The result was a hybrid that combined LockBit’s operational infrastructure with BlackMatter’s more advanced evasion and encryption techniques. It introduced modular capabilities, anti-analysis features designed to complicate sandbox detection, and a novel ransom note format that provided victims with multiple extortion options beyond a simple ransom payment, including options to purchase time extensions, destroy stolen data, or download it themselves.
This version also introduced LockBit’s bug bounty program, an almost unprecedented move in the ransomware world, where the group publicly offered rewards to anyone who could identify vulnerabilities in their own malware or infrastructure. It was simultaneously a technical quality-control mechanism and a brazen marketing stunt.
LockBit Black expanded cross-platform targeting further, with confirmed Linux and Windows variants, and deepened ESXi exploitation capabilities. By 2023, it was responsible for the majority of LockBit attacks globally, and its IOCs, file extensions, ransom note formats, and network behavior became among the most widely distributed threat intelligence artifacts in the industry.
LockBit Black decryptors were eventually made available through law enforcement following Operation Cronos in 2024, but only for a subset of victims whose keys were recovered during the infrastructure seizure.
LockBit 4.0 and LockBit 5.0, The 2025 Evolution
LockBit 4.0 was previewed as early as late 2024; ironically, details of its development were partially exposed during the Operation Cronos infrastructure seizure, when law enforcement published files from LockBit’s internal systems that included development roadmaps. Despite this humiliation, the group pressed forward.
By 2025, LockBit 5.0 had emerged as the group’s current active variant, representing a further evolution in encryption speed, evasion capability, and cross-platform targeting. LockBit 5.0 incorporates more aggressive anti-forensics techniques, refined affiliate tooling, and expanded support for cloud and hybrid infrastructure environments, a deliberate response to the enterprise security hardening trends of recent years.
The emergence of LockBit 5.0 alongside the October 2025 alliance with Qilin and DragonForce signals that the group is not in decline. It is restructuring, modernizing, and expanding its operational reach through collaboration, a pattern more consistent with a maturing criminal enterprise than a group on the run.
LockBit Black: Technical Architecture and Encryption Details
LockBit Black’s encryption architecture deserves special attention because it serves as the technical benchmark against which all subsequent LockBit variants are measured.
At its core, LockBit Black uses a hybrid AES-RSA encryption scheme. Files are encrypted using AES-256 (symmetric encryption), chosen for its speed at scale. The AES keys themselves are then encrypted using RSA-2048 (asymmetric encryption), with the public key embedded in the malware and the private key held exclusively by the attacker. This design means that even if the encrypted files and the malware sample are both recovered, decryption without the attacker’s RSA private key is computationally infeasible.
The encryptor operates in three modes depending on file size: full encryption for small files, partial encryption for large files (encrypting the first and last segments to maximize speed while ensuring files remain inoperable), and a configurable mode for affiliates who want to tune the speed-thoroughness balance based on the target environment.
LockBit Black also implements intermittent encryption, a technique that encrypts only portions of a file rather than its entire contents. This makes the ransomware execute faster and harder to detect through file entropy analysis, which many endpoint detection tools rely on to identify encryption in progress.
The ransomware terminates a predefined list of processes, services, databases, backup software, and security tools before beginning encryption, ensuring maximum file access. It deletes shadow copies and other recovery mechanisms before locking files, systematically eliminating the fastest recovery paths available to victims.
The result is an encryption architecture that is fast, resilient, and specifically engineered to defeat the recovery strategies most organizations rely on as a last resort.
How LockBit Ransomware Works, Technical Deep Dive
Understanding how LockBit ransomware works isn’t just useful for incident responders; it’s essential for any organization that wants to build defenses capable of stopping it before encryption begins. LockBit’s attack chain is methodical, fast, and deliberately engineered to exploit gaps in most enterprise security architectures. Each phase of the attack is optimized to maximize damage while minimizing detection time.

Initial Access Vectors, Fortinet Exploits, Confluence, and Phishing
LockBit doesn’t rely on a single entry point. Its affiliate model means that initial access methods vary by operator, but several vectors appear consistently across documented attacks and deserve specific attention.
Exploitation of unpatched vulnerabilities is the most common and most damaging entry method. Fortinet vulnerabilities, particularly those affecting FortiOS and FortiProxy, have been repeatedly exploited in LockBit-linked intrusions, including those attributed in early 2025 to the Mora_001 cluster, which deployed a locker built from leaked LockBit 3.0 tooling. Atlassian Confluence vulnerabilities have also been leveraged to gain initial footholds in enterprise environments, with a documented attack chain from Confluence exploitation to LockBit deployment across multiple incidents. By the time of these ransomware deployments, fixes were available: the flaws were exploited against organizations that had not applied them, a pattern that makes prevention achievable for organizations that maintain rigorous patch management.
Compromised Remote Desktop Protocol (RDP) credentials remain a foundational access vector, particularly for LockBit affiliates targeting mid-market organizations with less mature perimeter security. Credentials obtained through infostealer malware, often purchased on dark web markets, give affiliates authenticated access to enterprise environments without triggering the alerts associated with brute force attempts.
Phishing and spear-phishing round out the primary access methods, used particularly in attacks where no exploitable public-facing vulnerability is available. LockBit affiliates have deployed malicious documents, credential-harvesting pages, and macro-enabled payloads across targeted phishing campaigns, often with sufficient organizational research to bypass basic security awareness training.
Once inside, LockBit moves fast. Dwell time, the period between initial access and ransomware deployment, has been measured in hours in some documented LockBit incidents, compared to the industry average of days or weeks for other threat actors.
Encryption Algorithm, AES + RSA Explained
LockBit’s encryption model is built for one purpose: making recovery without the attacker’s private key computationally impossible. It achieves this through a hybrid cryptographic architecture that combines the speed of symmetric encryption with the key security of asymmetric encryption.
Files on the victim’s system are encrypted using AES-256, a symmetric cipher chosen specifically because it can process large volumes of data at extremely high speed. Each file receives a unique AES key, preventing bulk decryption even if a single key is recovered. Those individual AES keys are then encrypted using RSA-2048. In this asymmetric algorithm, the public key is embedded in the malware, and the corresponding private key exists only on infrastructure controlled by the LockBit operator.
The practical consequence of this architecture is that even a complete forensic image of the infected system, including the malware binary itself, provides no path to decryption without the RSA private key. This is why law enforcement-released decryptors following Operation Cronos only worked for victims whose keys happened to be stored on the seized servers at the time of the takedown. Keys associated with earlier or later attacks remained inaccessible.
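The hybrid scheme described in this section and in the LockBit Black architecture section above, together with the intermittent mode that sits on top of it, as an added example in Go. This is illustrative code written for this article, not LockBit’s; the file layout (wrapped key, nonce, body), AES-256-CTR with RSA-OAEP key wrapping, the 1 KiB-of-every-4 KiB pattern and the sample document are all assumptions chosen to make the mechanics visible. It shows the three things the text asserts: a fresh key per file, no recovery from the public key that ships in the sample, and the lower entropy of a partially encrypted file.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"math"
)

// lockedFile is the on-disk layout this example writes. It is an assumed
// layout for illustration, not LockBit's real file format.
type lockedFile struct {
	wrappedKey []byte // per-file AES-256 key, RSA-OAEP encrypted to the operator's public key
	nonce      []byte // AES-CTR initial counter block
	body       []byte // file contents, fully or partially XORed with the keystream
	chunk      int    // bytes encrypted at the start of each stride; 0 = encrypt everything
	stride     int    // window size for intermittent mode
}

// newOperatorKey stands in for the key pair generated on the attacker's side;
// only the public half is ever embedded in the locker.
func newOperatorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// keystreamXOR applies AES-256-CTR to data. With chunk == 0 every byte is
// encrypted; otherwise only the first chunk bytes of each stride-byte window
// are touched (intermittent encryption). CTR is an XOR, so the same call
// reverses itself, which is why decryptFile can reuse it.
func keystreamXOR(key, nonce, data []byte, chunk, stride int) ([]byte, error) {
	if chunk > 0 && stride <= chunk {
		return nil, errors.New("stride must be larger than chunk")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ks := make([]byte, len(data)) // zeros XOR keystream == raw keystream
	cipher.NewCTR(block, nonce).XORKeyStream(ks, ks)
	out := append([]byte(nil), data...)
	for i := range out {
		if chunk == 0 || i%stride < chunk {
			out[i] ^= ks[i]
		}
	}
	return out, nil
}

// encryptFile mirrors what the locker does on the victim: a fresh random AES
// key per file, wrapped with the RSA public key from the binary. The plaintext
// key is dropped as soon as it has been used; only the wrapped copy survives.
func encryptFile(pub *rsa.PublicKey, plaintext []byte, chunk, stride int) (*lockedFile, error) {
	key := make([]byte, 32)
	nonce := make([]byte, aes.BlockSize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body, err := keystreamXOR(key, nonce, plaintext, chunk, stride)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &lockedFile{wrappedKey: wrapped, nonce: nonce, body: body, chunk: chunk, stride: stride}, nil
}

// decryptFile is the step only the RSA private-key holder can perform. A
// forensic image holds wrappedKey and the public key; neither unwraps anything.
func decryptFile(priv *rsa.PrivateKey, lf *lockedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.wrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap per-file key: %w", err)
	}
	return keystreamXOR(key, lf.nonce, lf.body, lf.chunk, lf.stride)
}

// shannonEntropy returns bits per byte: 8.0 is indistinguishable from random,
// which is the signal entropy-based ransomware detectors look for.
func shannonEntropy(data []byte) float64 {
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	h, n := 0.0, float64(len(data))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

func main() {
	operator, _ := newOperatorKey()
	doc := bytes.Repeat([]byte("QUARTERLY-FIGURES;"), 4096) // constructed low-entropy "document"

	full, _ := encryptFile(&operator.PublicKey, doc, 0, 0)
	partial, _ := encryptFile(&operator.PublicKey, doc, 1024, 4096) // 1 KiB of every 4 KiB
	fmt.Printf("entropy plaintext=%.2f full=%.2f intermittent=%.2f\n",
		shannonEntropy(doc), shannonEntropy(full.body), shannonEntropy(partial.body))

	recovered, _ := decryptFile(operator, partial)
	fmt.Println("recovered with operator key:", bytes.Equal(recovered, doc))
	stranger, _ := newOperatorKey()
	_, err := decryptFile(stranger, partial)
	fmt.Println("recovered with another key:", err == nil) // false: OAEP refuses to unwrap
}
```

The entropy gap between the full and intermittent runs is the practical point: a detector that waits for file entropy to approach 8 bits per byte will miss a locker that touches a quarter of each window, which is why the pre-encryption behaviour (process and service termination, shadow copy deletion) is the better place to alert.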
LockBit File Extensions, .lockbit and .locked
LockBit’s file extension behavior has evolved across versions and serves as one of the most immediately visible indicators that a LockBit infection is in progress or has completed.
LockBit 1.0 originally used the .abcd extension before transitioning to the .lockbit extension that became the group’s signature. The extension is appended to every encrypted file, so a document named report.pdf becomes report.pdf.lockbit, which makes the scope of encryption immediately apparent to victims and responders alike.
LockBit Black introduced a behavioral shift: rather than using a fixed extension, it generates a unique, randomized alphanumeric extension for each victim environment. This was a deliberate evasion technique designed to defeat detection rules and threat hunting queries that relied on static extension matching. Some LockBit Black infections have been identified with .locked extensions, though this is not universal.
For incident responders, the extension alone is not a reliable version identifier. Cross-referencing the ransom note format, the encryption behavior, and available IOCs provides a more accurate picture of which variant is present and what recovery options may exist.
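A triage pass that applies the cross-checks this section recommends, as an added example written for this article rather than a tool from the page. It walks a directory tree, reports where several files share a LockBit-style extension, and then looks for the matching ransom note beside them. The fixed extensions and the note names (Restore-My-Files.txt for the early builds, <extension>.README.txt for LockBit Black) come from public analyses; the regular expression, the mixed-case heuristic, the double-extension rule and the threshold of three files are assumptions for the example, and the result is a lead for a responder, not an attribution.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
	"sort"
	"strings"
	"unicode"
)

// Fixed extensions and note name of the early builds, as documented in
// public analyses of LockBit 1.0 and 2.0.
var fixedExtensions = map[string]string{
	".abcd":    "LockBit 1.0 (ABCD-era build)",
	".lockbit": "LockBit 1.0/2.0 fixed extension",
}

const fixedNoteName = "Restore-My-Files.txt"

// randomExtRe is an assumption for this example: Black's extension is nine
// alphanumerics; the range is widened to tolerate later builds.
var randomExtRe = regexp.MustCompile(`^\.[A-Za-z0-9]{6,16}$`)

type dirFinding struct {
	Dir       string
	Extension string
	Files     int
	Variant   string // what the extension suggests; never treated as proof
	Note      string // ransom note found in the directory, or ""
}

// looksRandom is true for mixed-case alphanumeric strings of the right length,
// which ordinary extensions (.pdf, .sqlite3, .torrent) are not. An all-lowercase
// random extension would slip past this and would need an allowlist instead.
func looksRandom(ext string) bool {
	if !randomExtRe.MatchString(ext) {
		return false
	}
	var upper, lower bool
	for _, r := range ext[1:] {
		upper = upper || unicode.IsUpper(r)
		lower = lower || unicode.IsLower(r)
	}
	return upper && lower
}

// triageTree walks root and reports directories where at least minFiles files
// share a LockBit-style extension. Two cross-checks keep false positives down:
// the name under the suspect extension must itself still carry an extension
// (report.pdf.HLJkNskOq), and the matching ransom note is looked for.
func triageTree(root string, minFiles int) ([]dirFinding, error) {
	type dirState struct {
		counts map[string]int
		names  map[string]bool
	}
	dirs := map[string]*dirState{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		dir := filepath.Dir(path)
		st := dirs[dir]
		if st == nil {
			st = &dirState{counts: map[string]int{}, names: map[string]bool{}}
			dirs[dir] = st
		}
		name := d.Name()
		st.names[name] = true
		ext := filepath.Ext(name)
		_, fixed := fixedExtensions[ext]
		if (fixed || looksRandom(ext)) && filepath.Ext(strings.TrimSuffix(name, ext)) != "" {
			st.counts[ext]++
		}
		return nil
	})
	if err != nil {
		return nil, err
	}
	var out []dirFinding
	for dir, st := range dirs {
		for ext, n := range st.counts {
			if n < minFiles {
				continue
			}
			f := dirFinding{Dir: dir, Extension: ext, Files: n}
			if v, ok := fixedExtensions[ext]; ok {
				f.Variant = v
				if st.names[fixedNoteName] {
					f.Note = fixedNoteName
				}
			} else {
				f.Variant = "LockBit Black-style per-victim extension (unconfirmed)"
				if note := strings.TrimPrefix(ext, ".") + ".README.txt"; st.names[note] {
					f.Note = note
				}
			}
			out = append(out, f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Dir < out[j].Dir })
	return out, nil
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, err := triageTree(root, 3)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%s: %d files with %s -> %s; note: %q\n", f.Dir, f.Files, f.Extension, f.Variant, f.Note)
	}
}
```

Run it against a mounted image or a share (`go run . /mnt/evidence`). A directory reported with a random extension and its <extension>.README.txt note is a much stronger LockBit Black lead than the extension alone, which is the cross-referencing the section above asks for.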
Multi-Platform Targeting, Windows, Linux, ESXi, and VMware
One of LockBit’s most strategically significant technical advances has been its deliberate expansion beyond Windows environments into the infrastructure layers that underpin modern enterprise computing.
Windows remains the primary target across all LockBit versions, reflecting its dominance in corporate endpoint and server environments. Windows variants are the most thoroughly documented and the most frequently deployed by affiliates.
Linux builds first appeared in late 2021, during the LockBit 2.0 era, as the locker aimed at ESXi hosts; LockBit 3.0 carried them forward and extended the group’s reach into server environments running Linux-based workloads, web infrastructure, and development systems. The Linux build shares core encryption logic with the Windows variant but is adapted for Linux file system structures and process management.
The most strategically impactful expansion has been into VMware ESXi hypervisor environments. By targeting ESXi directly, LockBit can encrypt the virtual disk files of every virtual machine running on a host with a single attack, effectively taking down entire server fleets rather than individual systems. This dramatically multiplies the operational impact of each affiliate deployment and has become a standard component of LockBit attacks against mid- to large-sized enterprise targets.
VMware vCenter targeting further extends this capability, allowing affiliates with sufficient network access to move laterally across virtualized infrastructure at scale. The combination of ESXi and vCenter exploitation has made LockBit uniquely effective against organizations that have consolidated their infrastructure into virtualized environments, a group that includes the majority of modern enterprises.
Indicators of Compromise (IOCs) and MITRE ATT&CK TTPs
LockBit has one of the most extensively documented IOC profiles in the ransomware ecosystem, a product of both its high attack volume and the significant research investment made by government agencies, threat intelligence vendors, and independent security researchers.
Key behavioral indicators form a pre-encryption routine that is consistent across LockBit versions: rapid termination of database processes, backup services, and security software, followed by shadow copy deletion (typically via vssadmin or WMI) and modification of the boot configuration to disable the Windows recovery environment.
From a MITRE ATT&CK perspective, LockBit consistently maps to techniques including T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery), T1489 (Service Stop), T1562 (Impair Defenses), and T1027 (Obfuscated Files or Information). Initial access techniques vary by affiliate but commonly include T1190 (Exploit Public-Facing Application) and T1078 (Valid Accounts).
Network-level IOCs include outbound connections to LockBit’s command-and-control infrastructure, StealBit exfiltration traffic, and lateral movement behavior consistent with credential harvesting tools such as Mimikatz. File system IOCs include the characteristic ransom note filenames, the encrypted file extensions described above, and the presence of LockBit’s self-deletion mechanism, which attempts to remove the ransomware binary after execution to complicate forensic analysis.
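The pre-encryption routine described here and in the LockBit Black architecture section, turned into detection logic, as an added example that is not taken from the page or from any vendor rule set. It is Go written for this article; the JSON field names, the rule patterns, the ten-minute window, the threshold of three hits and the sample process-creation events are all constructed for the example. The point it makes is that the individual commands are noisy in isolation (admins run vssadmin and wbadmin) but the burst of them on one host within seconds is not.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// procEvent is the subset of a process-creation record (Sysmon Event ID 1 or
// Windows 4688 exported as JSON) that the rules need. Field names are assumed.
type procEvent struct {
	Time        time.Time `json:"time"`
	Host        string    `json:"host"`
	User        string    `json:"user"`
	CommandLine string    `json:"command_line"`
}

// rule ties a command-line pattern to the ATT&CK technique it evidences.
type rule struct {
	name      string
	technique string
	re        *regexp.Regexp
}

// Patterns follow the routine described in the text: shadow copies and backup
// catalog deleted, recovery environment disabled, backup/database services
// stopped. Written for this example, not copied from a Sigma or vendor rule.
var rules = []rule{
	{"vssadmin deletes shadow copies", "T1490", regexp.MustCompile(`(?i)vssadmin(\.exe)?\s+delete\s+shadows`)},
	{"wmic deletes shadow copies", "T1490", regexp.MustCompile(`(?i)wmic(\.exe)?\s+shadowcopy\s+delete`)},
	{"wbadmin deletes backup catalog", "T1490", regexp.MustCompile(`(?i)wbadmin(\.exe)?\s+delete\s+catalog`)},
	{"bcdedit disables recovery environment", "T1490", regexp.MustCompile(`(?i)bcdedit(\.exe)?.*recoveryenabled\s+no`)},
	{"bcdedit ignores boot failures", "T1490", regexp.MustCompile(`(?i)bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures`)},
	{"backup or database service stopped", "T1489", regexp.MustCompile(`(?i)\b(net1?|sc(\.exe)?)\s+stop\s+"?[^"]*(veeam|backup|sql|vss)`)},
	{"backup or database process killed", "T1489", regexp.MustCompile(`(?i)taskkill(\.exe)?.*/im\s+"?(sqlservr|oracle|veeam|mysqld)`)},
}

type finding struct {
	Host       string
	Start, End time.Time
	Techniques []string // distinct ATT&CK IDs, sorted
	Matched    []string // "<time> <rule>" in time order
}

// parseEvents decodes one JSON object per line; blank lines are skipped.
func parseEvents(lines string) ([]procEvent, error) {
	var out []procEvent
	for _, l := range strings.Split(lines, "\n") {
		if strings.TrimSpace(l) == "" {
			continue
		}
		var e procEvent
		if err := json.Unmarshal([]byte(l), &e); err != nil {
			return nil, err
		}
		out = append(out, e)
	}
	return out, nil
}

// detectRecoveryInhibition flags a host when at least minHits matches, from at
// least two different rules, land inside one sliding window. One finding per
// host is enough to page someone.
func detectRecoveryInhibition(events []procEvent, window time.Duration, minHits int) []finding {
	type hit struct {
		t    time.Time
		rule rule
	}
	byHost := map[string][]hit{}
	for _, e := range events {
		for _, r := range rules {
			if r.re.MatchString(e.CommandLine) {
				byHost[e.Host] = append(byHost[e.Host], hit{e.Time, r})
			}
		}
	}
	var findings []finding
	for host, hits := range byHost {
		sort.Slice(hits, func(i, j int) bool { return hits[i].t.Before(hits[j].t) })
		for i := range hits {
			j := i
			for j+1 < len(hits) && hits[j+1].t.Sub(hits[i].t) <= window {
				j++
			}
			if j-i+1 < minHits {
				continue
			}
			f := finding{Host: host, Start: hits[i].t, End: hits[j].t}
			techs, names := map[string]bool{}, map[string]bool{}
			for _, h := range hits[i : j+1] {
				techs[h.rule.technique], names[h.rule.name] = true, true
				f.Matched = append(f.Matched, h.t.Format("15:04:05")+" "+h.rule.name)
			}
			if len(names) < 2 {
				continue
			}
			for tech := range techs {
				f.Techniques = append(f.Techniques, tech)
			}
			sort.Strings(f.Techniques)
			findings = append(findings, f)
			break
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Host < findings[j].Host })
	return findings
}

// sampleLog is constructed for this example: FS01 shows the burst a locker
// produces seconds before encryption, WS07 the admin noise that must not fire.
const sampleLog = `
{"time":"2025-11-03T02:14:01Z","host":"FS01","user":"CORP\\svc-backup","command_line":"vssadmin.exe Delete Shadows /All /Quiet"}
{"time":"2025-11-03T02:14:02Z","host":"FS01","user":"CORP\\svc-backup","command_line":"wmic shadowcopy delete"}
{"time":"2025-11-03T02:14:03Z","host":"FS01","user":"CORP\\svc-backup","command_line":"bcdedit /set {default} recoveryenabled No"}
{"time":"2025-11-03T02:14:03Z","host":"FS01","user":"CORP\\svc-backup","command_line":"bcdedit /set {default} bootstatuspolicy ignoreallfailures"}
{"time":"2025-11-03T02:14:05Z","host":"FS01","user":"CORP\\svc-backup","command_line":"wbadmin delete catalog -quiet"}
{"time":"2025-11-03T02:14:09Z","host":"FS01","user":"CORP\\svc-backup","command_line":"net stop \"Veeam Backup Service\" /y"}
{"time":"2025-11-03T09:30:11Z","host":"WS07","user":"CORP\\jdoe","command_line":"vssadmin list shadows"}
{"time":"2025-11-03T23:00:00Z","host":"WS07","user":"CORP\\backupadmin","command_line":"wbadmin start backup -backupTarget:E: -include:C:"}
`

func main() {
	events, err := parseEvents(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range detectRecoveryInhibition(events, 10*time.Minute, 3) {
		fmt.Printf("%s: %v between %s and %s\n", f.Host, f.Techniques, f.Start.Format(time.RFC3339), f.End.Format(time.RFC3339))
		for _, m := range f.Matched {
			fmt.Println("  ", m)
		}
	}
}
```

Feed it real process-creation telemetry exported as one JSON object per line and tune the window to how fast your environment sees these commands land; the account in the FS01 lines is a backup service account on purpose, because that is the kind of valid credential (T1078) the text describes affiliates using.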
LockBit Ransomware Note: What Victims Receive
The LockBit ransom note is deposited in every directory containing encrypted files, ensuring victims encounter it immediately upon discovering the infection. Its format has evolved across versions, but the core structure and purpose remain consistent.
The note identifies the attack as LockBit ransomware, confirms that files have been encrypted and data has been exfiltrated, and provides instructions for accessing the negotiation portal on LockBit’s dark web infrastructure via the Tor browser. Victims are given a unique victim ID required to authenticate on the portal and initiate contact with the operator.
LockBit Black introduced a notably more sophisticated note format that presented victims with multiple options beyond simple ransom payment, including the ability to purchase time extensions before data publication, pay to have stolen data destroyed without decryption, or, in some configurations, download the stolen data directly. This optionality wasn’t generosity. It was a calculated escalation of psychological pressure designed to maximize the probability of payment at whatever price point the victim could be moved to.
Ransom demands vary enormously based on the target’s size, revenue, and the scope of the encryption, ranging from tens of thousands of dollars for smaller targets to tens of millions for large enterprises. Payment is demanded in cryptocurrency, typically Monero or Bitcoin, processed through the negotiation portal under a deadline before the stolen data is published on LockBit’s dark web leak site.
The note is, in effect, the final stage of a meticulously engineered pressure system, one that begins the moment an affiliate gains initial access and ends either with payment, data publication, or, in rare cases, successful recovery through alternative means.
Law Enforcement Action, Takedowns, Arrests, and Leaks
For years, LockBit operated with near-total impunity. Governments tracked it. Agencies warned about it. Researchers documented it in exhaustive detail. And yet the attacks kept coming, the victim count kept climbing, and the group kept recruiting affiliates as though law enforcement pressure was nothing more than background noise. That changed, partially, in February 2024. But the story of what happened next is as important as the takedown itself.

Operation Cronos: The LockBit Takedown Explained
Operation Cronos was a coordinated law enforcement action executed on February 19, 2024, involving agencies from ten countries: the United Kingdom’s National Crime Agency, the United States FBI and Department of Justice, Europol, and partner agencies from Australia, Canada, France, Germany, Japan, Sweden, the Netherlands, and Switzerland. It was one of the most expansive ransomware disruption operations ever mounted.
The results, on paper, were significant. Law enforcement seized 34 LockBit servers across Europe and North America. They took control of LockBit’s primary dark web leak site, the same platform the group had used for years to publicly shame and extort victims, and replaced its contents with law enforcement messaging and, crucially, victim decryption resources. Over 200 cryptocurrency wallets linked to LockBit operations were seized. More than 1,000 decryption keys were recovered from the seized infrastructure and made available to victims through the No More Ransom portal, giving some organizations a path to recovery without paying a ransom.
Authorities also obtained and began publishing LockBit’s internal data, affiliate lists, negotiation logs, and backend configurations, turning the group’s own leak site into a law enforcement bulletin board. The psychological impact was deliberate and considerable. LockBit had spent years humiliating victims publicly. Operation Cronos returned that humiliation in kind, exposing the operation’s inner workings to the same cybercriminal community LockBit had cultivated for years.
The operation’s most significant intelligence achievement was the public identification of Dmitry Yuryevich Khoroshev as LockBitSupp, the group’s administrator and primary developer, along with the unsealing of a federal indictment and a $10 million reward offer for information leading to his arrest. For a threat actor who had maintained operational anonymity for five years, being publicly named by the U.S. Department of Justice was a serious blow.
LockBit Gang Hacked, Internal Data Exposed
Operation Cronos delivered a second blow beyond the infrastructure seizure: it exposed LockBit’s internal operational data at a level of detail that few believed possible. The law enforcement takeover of LockBit’s administrative panel revealed the full scope of the group’s affiliate program, including the number of registered affiliates, their attack histories, ransom negotiation transcripts, and the revenue splits associated with individual attacks.
The data confirmed what threat intelligence analysts had long suspected but could not prove: LockBit’s affiliate network was substantially larger than publicly visible attack volume suggested. Hundreds of affiliates had access to LockBit’s tooling at various points, many of whom had conducted attacks that were never publicly claimed on the leak site, either because victims paid quietly, negotiations were ongoing, or affiliates chose not to publish.
Ransom negotiation logs exposed the mechanics of LockBit’s extortion operation in granular detail, including instances in which LockBit operators negotiated against their own stated positions, accepted significantly reduced payments, and, in some cases, failed to provide working decryptors after payment was received. This internal data leak damaged LockBit’s credibility with both victims considering payment and affiliates evaluating whether the operation remained trustworthy enough to partner with.
The internal data also revealed development roadmaps, including materials related to what would become LockBit 4.0, which authorities published specifically to undermine confidence in the group’s next iteration before it could launch.
Arrests and Indictments: What We Know
Operation Cronos and the broader multi-year investigation into LockBit resulted in arrests and charges across several jurisdictions, primarily targeting the affiliate layer of the operation rather than its core development team.
In the United States, two Russian nationals, Artur Sungatov and Ivan Kondratyev (also known as Bassterlord), were charged with deploying LockBit ransomware against targets including manufacturers, hospitals, and government entities. Kondratyev faced additional charges related to his prior involvement with the REvil ransomware group.
In Europe, a Polish national and two Ukrainian nationals were arrested in connection with LockBit attacks, with the Polish arrest occurring at the specific request of French authorities. A Russian-Canadian dual national, Mikhail Vasiliev, had been arrested in Canada in late 2022 in an earlier phase of the investigation and subsequently pleaded guilty to cybercrime charges.
Dmitry Khoroshev, the alleged administrator, remains indicted but not in custody, residing in Russia beyond the practical reach of Western extradition. His continued freedom is the single most significant limitation of Operation Cronos’s long-term impact.
Did the Takedown Work? LockBit’s Resurgence in 2025
The honest answer is: partially, temporarily.
Operation Cronos disrupted LockBit’s operational infrastructure and dealt a reputational blow, visibly reducing affiliate confidence in the weeks immediately following the seizure. Attack volume dropped. Several affiliates publicly defected to competing ransomware programs, including ALPHV and RansomHub. The law enforcement messaging plastered across LockBit’s own infrastructure was a humiliation the group could not easily reverse.
But within weeks, LockBit had rebuilt. New infrastructure was stood up. The leak site returned. LockBitSupp published a lengthy statement on cybercrime forums attributing the breach to his personal failure to patch a known PHP vulnerability, a remarkably transparent post-mortem for a criminal organization, and announced the continuation of operations under LockBit 3.0 while development of LockBit 4.0 accelerated.
By mid-2024, LockBit was once again appearing in threat intelligence reports as an active operation. By late 2024 and into 2025, attack activity had resumed at levels approaching pre-Cronos volume. The development and deployment of LockBit 5.0 in 2025 confirmed that the group had not only survived the takedown but had used the intervening period to advance its technical capabilities.
The resurgence exposed a fundamental limitation of infrastructure-focused takedown operations against RaaS groups: when the developers remain free, the knowledge, code, and criminal relationships that constitute the real value of the operation remain intact. Seizing servers disrupts. It does not destroy.
LockBit Ransomware Activity: December 2025 Update
As of December 2025, LockBit remains an active and evolving threat. Attack volume through the second half of 2025 confirmed sustained affiliate activity across North America, Europe, and the Asia-Pacific region, with healthcare, manufacturing, legal services, and financial institutions remaining primary target verticals.
The October 2025 announcement of a formal operational alliance between LockBit, Qilin, and DragonForce introduced a new strategic dimension: shared infrastructure, coordinated targeting, and potentially cross-pollinated tooling between three of the most active ransomware operations currently in circulation. The implications of that alliance are addressed in detail in the following section.
What December 2025 makes clear is that, for all its operational success, Operation Cronos did not end LockBit. It reshaped it. The group that exists today is more cautious about operational security, more selective about public-facing infrastructure, and more collaborative in its approach to sustaining attack capacity, lessons learned directly from the most significant law enforcement action ever taken against it.
The LockBit Alliance, Qilin and DragonForce (October 2025)
The ransomware landscape has always been competitive. Groups rise, splinter, rebrand, and collapse with regularity. What happened in October 2025 was different. Three of the most active ransomware operations in the world, LockBit, Qilin, and DragonForce, announced a formal operational alliance, a development that threat intelligence analysts had theorized about, though few expected to see it formalized so explicitly. The implications for enterprise security are significant and not yet fully understood.

What Is the LockBit, Qilin, DragonForce Ransomware Alliance?
The LockBit–Qilin–DragonForce alliance is a formal cooperation agreement among three distinct ransomware-as-a-service operations, each bringing distinct technical capabilities, affiliate networks, and target specializations to the partnership.
LockBit needs no introduction at this point in the guide. It brings brand recognition, the most developed affiliate infrastructure in the ransomware ecosystem, a proven multi-platform encryption capability, and years of accumulated operational knowledge, including, notably, the hard lessons learned from Operation Cronos about what not to do with centralized infrastructure.
Qilin, also tracked under the name Agenda, is a Golang-based ransomware operation that emerged in 2022 and built a particular reputation for targeting healthcare and critical infrastructure. Its cross-platform capabilities, with confirmed support for ESXi and Linux, made it one of the more technically sophisticated operations outside the top tier. By 2025, Qilin had established a consistent attack tempo and a mature affiliate program, positioning it as a credible partner rather than a junior participant in any cooperative arrangement.
DragonForce is the newest of the three to reach significant operational scale, but its growth trajectory through 2024 and into 2025 was steep. Originally associated with hacktivism before pivoting fully to financially motivated ransomware operations, DragonForce built a reputation for aggressive double and triple extortion tactics, combining encryption with data theft and, in some documented cases, direct harassment of victim employees and customers as additional pressure mechanisms. DragonForce also notably made its ransomware builder available to other criminal actors in early 2024, demonstrating a willingness to operate as both an infrastructure provider and an attacker. This posture made it a natural fit for an alliance model.
Together, the three groups represent a consolidation of affiliate talent, technical tooling, and attack infrastructure that collectively exceeds what any single operation could maintain independently in the post-Cronos environment.
Timeline of the Alliance, October 8, 2025
The alliance was publicly announced on October 8, 2025, through communications distributed across dark web forums and threat actor channels monitored by the threat intelligence community. The announcement was notable for its specificity, rather than vague statements of solidarity common in the cybercriminal underground. The October 8 communication outlined structural elements of the cooperation, including shared infrastructure arrangements, mutual affiliate referral agreements, and coordinated operational security protocols designed to distribute risk across the three groups in ways that complicate law enforcement targeting.
The timing was not accidental. The announcement came approximately eighteen months after Operation Cronos, long enough for LockBit to have demonstrably rebuilt and for all three groups to have assessed each other’s operational resilience. It also followed a period of significant disruption across the broader ransomware ecosystem, including the collapse of ALPHV/BlackCat and sustained law enforcement pressure on multiple other operations, leaving a pool of experienced, displaced affiliates actively seeking stable platforms to work with.
By formalizing the alliance in October 2025, the three groups were signaling to that affiliate community that they represented the most stable and capable infrastructure available, and that they were strong enough to consolidate rather than compete.
What This Means for Enterprise Threat Exposure
For security teams and enterprise risk managers, the LockBit–Qilin–DragonForce alliance represents a qualitative shift in the ransomware threat environment, not merely a quantitative one.
The most immediate implication is an expanded attack surface. Each of the three groups has demonstrated strength in different sectors and geographies. An alliance that pools affiliate networks and potentially shares targeting intelligence means that organizations which previously fell outside the typical victim profile of any single group now face credible exposure from a combined operation with broader reach.
The second implication is infrastructure resilience. One of the key vulnerabilities Operation Cronos exploited was LockBit’s reliance on centralized infrastructure, which, once identified and seized, disrupted the entire operation simultaneously. A distributed alliance model, where infrastructure, tooling, and affiliate relationships are spread across three independent but cooperating organizations, is substantially harder to disrupt with a single coordinated action. Targeting one node no longer takes down the network.
The third, and perhaps most strategically significant, implication is the cross-pollination of capabilities. If the alliance involves genuine technical collaboration, shared tooling, combined development resources, or mutual access to each group’s most advanced capabilities, the result could be ransomware variants that combine LockBit’s encryption architecture, Qilin’s cross-platform targeting, and DragonForce’s extortion escalation tactics into attacks more damaging than any of the three groups could mount independently.
For organizations assessing their dark web exposure and ransomware readiness, the October 2025 alliance is a clear signal that the threat environment has structurally changed. The era of tracking ransomware groups as independent, competing actors is giving way to something more organized, more resilient, and considerably harder to disrupt through the law enforcement strategies that defined the previous chapter.
LockBit Ransomware Decryptors and Recovery Options
Recovery from a LockBit ransomware attack is one of the most technically and operationally complex challenges an organization can face. The encryption architecture is deliberately designed to make independent decryption impossible without the attacker’s private key, and the pre-encryption routine, which systematically destroys shadow copies, turns off backup services, and removes standard recovery pathways, ensures that the most accessible routes to restoration are eliminated before the victim even knows the attack has occurred.

That said, recovery options do exist. They are limited, version-dependent, and, in some cases, contingent on circumstances outside the victim’s control, but understanding what is available and what is not is the essential first step in any post-incident response.
Is There a Free LockBit Decryptor? (No More Ransom)
The most important source of legitimate, free decryption tools for ransomware victims is the No More Ransom portal, a public-private initiative operated in partnership with Europol, the Dutch National Police, and a coalition of cybersecurity companies. Following Operation Cronos in February 2024, law enforcement agencies recovered over 1,000 decryption keys from LockBit’s seized infrastructure and made them available through the No More Ransom platform.
This was a genuine and meaningful outcome for victims whose encryption keys were stored on the servers seized during the operation. For those individuals and organizations, free decryption became possible for the first time, a direct, practical consequence of the law enforcement action that no ransom payment could have produced faster or more reliably.
The critical limitation is scope. The keys recovered during Operation Cronos represent a fraction of the total keys generated across LockBit’s operational history. Keys associated with attacks conducted before the seized servers were stood up, after they were taken down, or on infrastructure that was not part of the seizure remain unavailable. The No More Ransom portal is always the correct first stop for any LockBit victim. Still, the realistic probability of finding a matching key depends entirely on when and how the attack occurred.
LockBit 2.0 Decryptor: What’s Available
LockBit 2.0 decryption tools have been available through multiple channels since the broader law enforcement investigation into LockBit began yielding results. The No More Ransom portal hosts LockBit 2.0 decryptor tools sourced from recovered keys, and several cybersecurity vendors have published technical analyses that have enabled partial decryption in specific circumstances.
The practical reality for most LockBit 2.0 victims, however, is that tool availability does not guarantee successful decryption. A working decryptor requires a matching key, and unless that specific key was recovered and made available, the tool is non-functional for that victim’s encrypted files. Organizations that retained encrypted file sets in cold storage following a LockBit 2.0 attack should periodically check the No More Ransom portal, as additional keys are occasionally added as investigations progress and new seizures occur.
For LockBit 2.0 removal, rather than decryption, the malware binary can be identified and removed from live systems using standard endpoint detection and response tooling. Removal stops the encryption process if caught mid-execution and eliminates the malware’s persistence mechanisms, but it does not restore already-encrypted files. Removal and decryption are separate problems requiring separate solutions.
LockBit 3.0 (Black) Recovery, Current Status
LockBit 3.0 recovery is considerably more complex than LockBit 2.0, reflecting both the architectural advances of LockBit Black and the randomized encryption key generation that makes bulk decryption tools less applicable.
Some LockBit Black decryption keys were recovered during Operation Cronos and are available through No More Ransom, but coverage is limited and version-specific. The randomized file extension behavior of LockBit Black, where each victim environment receives a unique extension rather than the standard .lockbit marker, means that victims must correctly identify their variant before applying any recovery tool, as misapplication can cause additional file corruption.
For organizations without a matching recovered key, the recovery pathway from LockBit 3.0 typically depends on one of three scenarios: intact offline or immutable backups that predate the attack and were not accessible to the ransomware during execution; partial file recovery through forensic analysis of unencrypted file fragments or shadow copy remnants that survived despite deletion attempts; or, in rare cases, vulnerabilities in the encryption implementation that researchers have identified and developed partial decryptors for.
The third scenario is uncommon and should not be relied upon as a recovery strategy. LockBit Black’s AES-RSA encryption architecture has no known cryptographic weaknesses that enable systematic decryption without the private key. Any tool claiming to decrypt LockBit Black without a recovered key should be treated with significant skepticism. In many documented cases, tools distributed under this premise on cybercrime forums or low-quality download sites are themselves malware.
How to Remove LockBit Ransomware, Step by Step
Removing LockBit ransomware from an infected environment is a structured process that must be executed carefully to avoid reinfection, evidence destruction, or incomplete remediation. The following steps reflect the current incident response best practices for LockBit infections across versions.
The first priority is isolation. Any system confirmed or suspected to be infected should be immediately disconnected from the network, physically if necessary, to prevent lateral spread. LockBit’s self-propagation capabilities mean that every minute a compromised system remains connected to the network is time the ransomware can use to reach additional targets.
Before any remediation activity begins, preserve forensic evidence. Take memory dumps of live systems where possible, capture network logs, and image affected drives before wiping or restoring. This evidence is essential for understanding the full scope of the intrusion, identifying the initial access vector, and supporting any law enforcement engagement or insurance claim.
Next, identify the variant. The file extension, ransom note format, and behavioral IOCs present on the system should be cross-referenced against known LockBit version signatures to determine which variant is present. This affects both the removal approach and the recovery options available.
With the variant identified, run a reputable endpoint security tool that can detect and remove LockBit binaries and associated artifacts. Multiple vendors, including Kaspersky, Malwarebytes, and others, maintain detection signatures for LockBit across versions. Removal should be performed in a clean boot environment, where possible, to prevent active malware processes from interfering with remediation.
After confirming malware removal, thoroughly audit the environment before reconnecting to the network or restoring from backup. The initial access vector must be identified and closed. Credentials used during the attack period should be rotated across the entire environment. Any persistence mechanisms, scheduled tasks, registry modifications, and new user accounts must be identified and removed.
Only at this stage should restoration from clean backups begin, with verification that backup integrity was maintained and that backup infrastructure itself was not compromised during the attack.
LockBit Black Removal Tool Options
Several reputable cybersecurity vendors offer tools and guidance specifically for removing LockBit Black, reflecting the variant’s prevalence and the volume of incidents it has been involved in.
Kaspersky has published LockBit-specific removal guidance and maintains detection capabilities for LockBit Black within its endpoint protection products. Malwarebytes similarly provides detection and removal for LockBit Black binaries across its product line. Trend Micro has published a detailed technical analysis of LockBit Black, along with removal guidance for enterprise environments. The No More Ransom portal aggregates legitimate decryption tools and should be the first point of reference for any victim seeking recovery resources.
What all credible removal tools share is a clear distinction between malware removal and file decryption; they address the former definitively and the latter only where matching recovered keys are available. Any tool that claims to both remove LockBit Black and decrypt affected files without reference to a specific recovered key should be approached with extreme caution.
The most durable protection against needing any of these tools is an architecture that prevents LockBit from reaching the encryption stage in the first place: immutable backups stored offline and outside the blast radius of a network compromise, continuous dark web monitoring for credential exposure that could enable initial access, and a patch management discipline that closes the known vulnerability pathways LockBit affiliates consistently exploit. Recovery is possible. Prevention remains considerably less costly.
How to Protect Your Organization Against LockBit
Prevention is not a guarantee against LockBit; no single control is. But the attack chain LockBit affiliates consistently follow has well-documented entry points, and closing those entry points systematically removes the majority of realistic risk. The organizations that have avoided LockBit incidents are not universally the ones with the largest security budgets. They are disproportionately the ones who executed the fundamentals with discipline and maintained visibility into exposure signals before an attack materialized.

Patch Priorities, Fortinet, Confluence, and Known Exploited Vulnerabilities
The most uncomfortable truth in LockBit prevention is that the majority of successful attacks begin with a vulnerability that had a patch available. Not a zero-day. Not classified tradecraft. A known, documented vulnerability with a fix that was not applied in time.
Fortinet products, particularly FortiOS and FortiProxy, have appeared repeatedly in LockBit attack chains, with affiliates including the MORA_001 group exploiting Fortinet firewall bugs to establish initial access in 2025 campaigns. Atlassian Confluence vulnerabilities have been similarly weaponized, with documented attack chains moving directly from Confluence exploitation to LockBit ransomware deployment within hours of initial access. These are not obscure edge cases. They are consistently exploited at scale because a meaningful number of organizations remain unpatched for weeks or months after fixes become available.
The practical priority framework is straightforward. CISA’s Known Exploited Vulnerabilities (KEV) catalog is the authoritative reference; any vulnerability listed there has been confirmed to have been exploited in the wild and should be treated as an emergency patch priority regardless of internal vulnerability scoring. Fortinet and Atlassian advisories warrant standing priority status given their documented presence in LockBit attack chains. Public-facing systems, VPNs, firewalls, collaboration platforms, and remote access infrastructure should receive patches before internal systems, given their direct exposure to threat actor reconnaissance.
Patch management alone does not constitute a complete defense, but no other control compensates effectively for unpatched perimeter vulnerabilities when an adversary systematically scans for and exploits them.
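The priority framework above, turned into a ranking script as an added example (not the article’s or CISA’s code). It parses records in the schema of CISA’s KEV JSON feed (fields such as cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse), gives standing priority to Fortinet and Atlassian, extra weight to confirmed ransomware use and perimeter products, and flags entries already past their due date; the feed content, the perimeter keyword list and the CVE ids are constructed placeholders.

```python
"""Rank entries from a CISA KEV-format feed for emergency patching.

Added example, not from the article or from CISA. Sample data below is
constructed and uses placeholder CVE ids, not real vulnerabilities.
"""
import json
from datetime import date

# Vendors the article singles out for standing priority in LockBit chains.
PRIORITY_VENDORS = {"fortinet", "atlassian"}

# Assumption: keywords the defender uses to recognise internet-facing products.
PERIMETER_KEYWORDS = ("fortios", "fortiproxy", "vpn", "firewall",
                      "confluence", "gateway", "remote")

# Constructed sample in the KEV feed schema; CVE ids are placeholders.
SAMPLE_KEV_JSON = """
{
  "title": "constructed sample",
  "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "Fortinet",
     "product": "FortiOS", "vulnerabilityName": "placeholder",
     "dateAdded": "2025-01-14", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2025-01-21", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "Atlassian",
     "product": "Confluence Data Center and Server",
     "vulnerabilityName": "placeholder", "dateAdded": "2025-02-03",
     "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2025-02-24", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00003", "vendorProject": "ExampleCorp",
     "product": "Internal Reporting Tool", "vulnerabilityName": "placeholder",
     "dateAdded": "2025-02-05", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2025-02-26", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00004", "vendorProject": "ExampleCorp",
     "product": "Edge VPN Appliance", "vulnerabilityName": "placeholder",
     "dateAdded": "2025-02-10", "shortDescription": "placeholder",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2025-03-03", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""


def score(entry, today):
    """Higher score = patch sooner. Any KEV entry is already an emergency."""
    s = 100  # baseline: KEV listing means confirmed in-the-wild exploitation
    if entry["vendorProject"].lower() in PRIORITY_VENDORS:
        s += 50  # standing priority: documented in LockBit attack chains
    if entry.get("knownRansomwareCampaignUse") == "Known":
        s += 30
    if any(k in entry["product"].lower() for k in PERIMETER_KEYWORDS):
        s += 20  # public-facing systems before internal ones
    if date.fromisoformat(entry["dueDate"]) < today:
        s += 40  # already past the remediation due date in the feed
    return s


def prioritize(kev_json, today):
    """Return (cveID, score) pairs, most urgent first."""
    feed = json.loads(kev_json)
    ranked = [(e["cveID"], score(e, today)) for e in feed["vulnerabilities"]]
    ranked.sort(key=lambda t: (-t[1], t[0]))
    return ranked


if __name__ == "__main__":
    for cve, s in prioritize(SAMPLE_KEV_JSON, date(2025, 2, 15)):
        print(f"{s:4d}  {cve}")
```

In production the same function runs over the live feed CISA publishes at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, with the vendor and keyword lists tuned to the organization’s own perimeter inventory.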
Dark Web Monitoring for Early LockBit Exposure Signals
LockBit affiliates rarely arrive at an organization’s perimeter without prior intelligence. Initial access is frequently enabled by credentials obtained through infostealer malware, purchased from dark web markets, or harvested from prior breaches that the affected organization may not be aware of. This means that in many LockBit attacks, the organization’s exposure was already present and visible on the dark web before the attack began, sometimes weeks or months earlier.
Dark web monitoring creates the possibility of intercepting that exposure window. When compromised credentials, session tokens, or internal system details belonging to an organization surface on dark web markets, in infostealer logs, or in breach compilations, a monitoring capability that identifies and alerts on that exposure allows security teams to rotate credentials, invalidate sessions, and close access pathways before they can be weaponized.
The signals most relevant to LockBit risk specifically include employee credentials appearing in infostealer malware logs (a primary enabler of RDP-based initial access), VPN credentials surfacing in dark web markets, and organizational mentions appearing in ransomware affiliate forums where targeting decisions are discussed. Each of these signals, detected early, represents an intervention opportunity that no longer exists once an affiliate has established a foothold.
This is where continuous, automated dark web monitoring provides disproportionate value relative to its cost. A single intercepted credential set that would have enabled initial access represents a return on investment that no retrospective incident response engagement can match.
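What such a monitoring capability does with a stealer-log hit, as an added example that is not the article’s or DeXpose’s code: records are matched against the organization’s own domains (subdomains included, look-alike domains excluded), remote-access logins such as VPN and SSO are raised to high severity, corporate identities found on third-party sites are kept as a lower-severity reuse signal, and passwords are never carried into the output. The url|username|password line layout, the monitored domains, the keyword list and the sample lines are all constructed assumptions, since real stealer-log formats vary by malware family.

```python
"""Triage constructed infostealer-log lines against an organization's domains.

Added example; not from the article or any vendor. Formats, domains and
sample lines are constructed assumptions.
"""
from urllib.parse import urlparse

MONITORED_DOMAINS = ("example-corp.test",)  # assumption: the org's own domains

# Assumed fragments marking remote-access entry points (VPN, RDP, SSO).
REMOTE_ACCESS_HINTS = ("vpn", "rdp", "remote", "sso", "adfs", "citrix", "owa")

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample lines: url|username|password
SAMPLE_LOG = """\
https://vpn.example-corp.test/remote/login|jdoe@example-corp.test|Winter2025!
https://www.unrelated-shop.test/account|jdoe@gmail.test|hunter2
https://sso.example-corp.test/adfs/ls|asmith@example-corp.test|P@ssw0rd
https://portal.example-corp.test/|asmith@example-corp.test|P@ssw0rd
https://www.unrelated-shop.test/account|jdoe@example-corp.test|Winter2025!
https://notexample-corp.test/login|bob@other.test|x
"""


def is_org_host(host):
    """True for a monitored domain or a subdomain of it, not a look-alike."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in MONITORED_DOMAINS)


def is_org_account(username):
    """True when the login identity is a corporate e-mail address."""
    return "@" in username and is_org_host(username.rsplit("@", 1)[1])


def severity(url, username):
    """high: remote-access login on an org host; medium: other org host;
    low: corporate identity on a third-party site (password reuse risk)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if is_org_host(host):
        haystack = (host + parsed.path).lower()
        return "high" if any(h in haystack for h in REMOTE_ACCESS_HINTS) else "medium"
    if is_org_account(username):
        return "low"
    return None


def triage(log_text):
    """Return deduplicated, severity-ordered findings; passwords are dropped."""
    seen = set()
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        url, username, _password = line.split("|", 2)  # password never stored
        sev = severity(url, username)
        if sev is None:
            continue
        host = urlparse(url).hostname or ""
        key = (username.lower(), host.lower())
        if key in seen:
            continue
        seen.add(key)
        action = ("check for password reuse" if sev == "low"
                  else "rotate credential and invalidate sessions")
        findings.append({"user": username, "host": host,
                         "severity": sev, "action": action})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["user"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:6s} {f['user']:26s} {f['host']:26s} {f['action']}")
```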
Incident Response Checklist if LockBit Is Detected
Speed is the defining variable in a LockBit incident. The gap between first detection and full encryption can be measured in hours, and every minute of uncontrolled spread increases the scope of damage and the complexity of recovery. A pre-prepared response posture, where roles, authorities, and actions are defined before an incident occurs, is the difference between a contained event and an organization-wide catastrophe.
If LockBit ransomware activity is detected or credibly suspected, the immediate priorities are isolation, preservation, and identification, in that order.
Isolate affected systems from the network immediately, without waiting for confirmation of the full scope. The cost of isolating a system that turns out to be unaffected is trivial. The cost of leaving an infected system connected while the scope assessment is underway is not. Disable VPN access, segment affected network zones, and notify your internet service provider and upstream network providers if exfiltration traffic is suspected to be in progress.
Preserve forensic evidence before any remediation begins. Memory dumps, network logs, and disk images captured at this stage are irreplaceable for understanding the attack chain, identifying the initial access vector, and supporting law enforcement engagement. Evidence destroyed in premature remediation efforts cannot be recovered.
Identify the variant and scope. Cross-reference file extensions, ransom note format, and behavioral indicators against known LockBit signatures to determine which version is present. Enumerate affected systems across the environment before beginning any recovery activity; partial remediation that leaves infected systems undiscovered leads to reinfection.
Engage your incident response retainer or external IR firm, notify law enforcement (the FBI’s Internet Crime Complaint Center (IC3) in the United States, or the relevant national agency in other jurisdictions), and begin the insurance notification process in parallel. These engagements should proceed simultaneously, not sequentially.
Do not pay a ransom without exhausting legitimate recovery options first. Check the No More Ransom portal for available decryptors. Assess backup integrity and availability. Engage legal counsel before making any payment decision, given the sanctions exposure associated with payments to designated threat actors.
How DeXpose Detects LockBit-Related Threat Activity
DeXpose’s dark web monitoring and threat intelligence platform is built around the principle that the most valuable security intelligence arrives before an attack, not after. For LockBit specifically, where initial access is frequently enabled by credentials and data that surface on the dark web ahead of deployment, early signal detection is the highest-leverage intervention available.
DeXpose monitors across the dark web sources most relevant to LockBit-related threat activity: infostealer malware logs where employee credentials are sold and traded, dark web markets where access to compromised corporate environments is listed, ransomware group leak sites including those associated with LockBit and its alliance partners Qilin and DragonForce, and threat actor forums where targeting discussions and affiliate communications occur.
When an organization’s assets, employee credentials, domain data, session tokens, and internal system references appear in these sources, DeXpose generates actionable alerts that give security teams the context they need to respond: what was exposed, where it appeared, how recently, and what the realistic threat implications are. This is not raw data delivery. It is intelligence structured for decision-making.
For organizations that want to understand their current LockBit-related exposure before committing to a full monitoring deployment, DeXpose’s Free Dark Web Report at dexpose.io/free-darkweb-report/ provides an immediate snapshot of whether your organization’s data appears in dark web markets, infostealer logs, or known breach sources, the same data sources LockBit affiliates use to identify and qualify targets. It takes minutes to run and provides a concrete baseline from which to assess risk and prioritize response.
In a threat environment where LockBit has survived law enforcement takedowns, formed cross-group alliances, and continued to evolve its technical capabilities through 2025 and into 2026, the question for any organization is not whether the threat is real. It is whether your visibility into your own exposure is sufficient to intercept it before it arrives.
Final Thoughts
LockBit has survived arrests, infrastructure seizures, internal leaks, and one of the most coordinated law enforcement operations ever mounted against a ransomware group. It has emerged from each setback more cautious, more technically capable, and more structurally resilient than before. The October 2025 alliance with Qilin and DragonForce confirmed what the recovery from Operation Cronos already suggested: this is not a group in decline.
For organizations, the takeaway is equally clear. LockBit’s attack chain has documented entry points, its pre-attack signals are detectable, and its most common initial access vectors are preventable. The gap between organizations that get hit and those that don’t is rarely capability. It’s visibility.
Know your exposure before LockBit’s affiliates do. That window, however brief, is where the outcome is decided.
Frequently Asked Questions (FAQ)
What is LockBit ransomware?
LockBit is a ransomware-as-a-service operation that encrypts victims’ files using a hybrid AES-RSA algorithm and demands payment for decryption. First appearing in 2019, it became the world’s most prolific ransomware group, responsible for more confirmed attacks than any other operation in history.
Who is behind the LockBit ransomware group?
The U.S. Department of Justice has publicly identified Russian national Dmitry Yuryevich Khoroshev, known online as LockBitSupp, as the group’s primary administrator and developer. He remains indicted but at large in Russia, beyond the reach of Western extradition.
What encryption does LockBit use?
LockBit encrypts files using AES-256 symmetric encryption for speed, then secures each unique AES key with RSA-2048 asymmetric encryption. This hybrid architecture makes decryption without the attacker’s private key computationally infeasible.
Is there a free decryptor for LockBit ransomware?
Yes, in limited cases. Following Operation Cronos in 2024, law enforcement recovered over 1,000 decryption keys that are now available through the No More Ransom portal at nomoreransom.org. However, coverage is partial; only victims whose specific keys were on seized servers can benefit.
What happened to LockBit after the 2024 takedown?
Operation Cronos in February 2024 seized LockBit’s infrastructure and exposed its internal data, but the group rebuilt within weeks. By mid-2024, it had resumed operations, and by 2025, it had released LockBit 5.0 and formed a formal alliance with Qilin and DragonForce, demonstrating resilience rather than collapse.
What is LockBit Black?
LockBit Black is the common name for LockBit 3.0, released in June 2022. It introduced modular architecture, advanced anti-analysis evasion, intermittent encryption for speed, and a ransomware bug bounty program, making it the most technically sophisticated LockBit variant until the 2025 iterations.
What is LockBit 5.0?
LockBit 5.0 is the group’s most current active variant, emerging in 2025 with enhanced anti-forensics capabilities, improved cross-platform targeting, and refined affiliate tooling designed for cloud and hybrid infrastructure environments. It represents the group’s continued technical development following Operation Cronos.
What is the LockBit–Qilin–DragonForce alliance?
Announced on October 8, 2025, it is a formal operational cooperation agreement between three major ransomware-as-a-service groups. The alliance involves shared infrastructure, mutual affiliate referral arrangements, and coordinated operational security, creating a more resilient and harder-to-disrupt ransomware ecosystem than any single group could maintain independently.
How does LockBit ransomware spread?
LockBit spreads primarily through exploitation of unpatched vulnerabilities in Fortinet and Atlassian Confluence products, compromised RDP credentials obtained via infostealer malware, and targeted phishing campaigns. Once inside a network, it moves laterally at high speed using built-in self-propagation capabilities before deploying encryption.
What companies has LockBit attacked?
LockBit’s confirmed victims include Accenture, Boeing, ICBC, and the Royal Mail, among thousands of others across healthcare, finance, manufacturing, legal services, and government. Australia’s national cyber agency confirmed LockBit was responsible for the largest share of ransomware incidents in the country between April 2022 and March 2023.
How do I remove LockBit 2.0 ransomware?
Isolate the infected system from the network immediately, then use a reputable endpoint security tool, such as Kaspersky or Malwarebytes, to detect and remove the LockBit binary from a clean boot environment. Removal eliminates the malware but does not decrypt files; check the No More Ransom portal separately for available LockBit 2.0 decryption keys.
What are LockBit’s IOCs?
Key LockBit indicators of compromise include encrypted file extensions such as .lockbit or randomized alphanumeric extensions in LockBit Black, ransom note files in every affected directory, vssadmin commands deleting shadow copies, termination of backup and security processes before encryption, and outbound network traffic associated with StealBit data exfiltration.
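The behavioral indicators listed above (shadow copy deletion, removal of recovery pathways, termination of backup and security processes), and the "identify the variant and scope" step of the incident response checklist, expressed as detection logic run over sample log lines. This is an added example, not the article’s or any vendor’s code: the pipe-separated process-creation format (timestamp|host|user|image|command line), the ten-minute correlation window and the backup/security process keywords are constructed assumptions, and the sample events are invented.

```python
"""Flag LockBit-style pre-encryption activity in process-creation logs.

Added example; not from the article or any vendor. Log layout, keywords,
window size and sample events are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumption: per-host correlation window

# (category, pattern): one pattern per documented pre-encryption step.
COMMAND_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"^vssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"^wmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_disabled",
     re.compile(r"^bcdedit(\.exe)?\s.*\brecoveryenabled\s+no\b", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"^wbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
]

# Assumed keywords identifying backup and security processes or services.
PROTECTED_KEYWORDS = ("backup", "veeam", "sql", "defender", "mbam", "kaspersky")

# Constructed sample: timestamp|host|user|image|command line
SAMPLE_LOG = r"""
2025-12-01T03:14:07Z|FS01|CORP\svc_backup|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2025-12-01T03:14:09Z|FS01|CORP\svc_backup|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no
2025-12-01T03:14:12Z|FS01|CORP\svc_backup|C:\Windows\System32\taskkill.exe|taskkill /f /im VeeamAgent.exe
2025-12-01T09:02:44Z|WS17|CORP\jdoe|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
2025-12-01T11:30:00Z|ADMIN01|CORP\itops|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /for=D: /oldest
2025-12-01T11:45:00Z|ADMIN01|CORP\itops|C:\Windows\System32\wbadmin.exe|wbadmin delete catalog -quiet
"""


def classify(cmdline):
    """Return the behaviour category for one command line, or None."""
    text = cmdline.strip()
    for category, pattern in COMMAND_RULES:
        if pattern.search(text):
            return category
    lowered = text.lower()
    killing = lowered.startswith(("taskkill", "net stop", "net.exe stop",
                                  "sc stop", "sc.exe stop"))
    if killing and any(k in lowered for k in PROTECTED_KEYWORDS):
        return "backup_or_security_process_killed"
    return None


def parse(log_text):
    """Yield (timestamp, host, user, cmdline) from the constructed format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, _image, cmdline = line.split("|", 4)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, cmdline


def detect(log_text):
    """Per host: 'critical' when two or more distinct categories occur inside
    WINDOW (the chained pre-encryption routine), else 'suspicious' for any
    single matching command (which may be legitimate administration)."""
    hits = defaultdict(list)
    for ts, host, user, cmdline in parse(log_text):
        category = classify(cmdline)
        if category:
            hits[host].append((ts, category, user, cmdline))
    report = {}
    for host, events in hits.items():
        events.sort()
        correlated = 1
        for i, (start, _c, _u, _l) in enumerate(events):
            cats = {c for ts, c, _u, _l in events[i:] if ts - start <= WINDOW}
            correlated = max(correlated, len(cats))
        report[host] = {
            "verdict": "critical" if correlated >= 2 else "suspicious",
            "categories": sorted({c for _t, c, _u, _l in events}),
            "users": sorted({u for _t, _c, u, _l in events}),
            "events": len(events),
        }
    return report


if __name__ == "__main__":
    for host, info in detect(SAMPLE_LOG).items():
        print(host, info["verdict"], info["categories"], info["users"])
```

A single shadow copy deletion on an admin host is not by itself proof of an attack; the point of the window is that the chained sequence (shadow deletion, recovery disabled, backup agent killed, seconds apart) is what isolates a host before encryption starts.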