Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

LockBit

51
Global rank
43 infographic chevron month
Month rank
59 infographic chevron week
Week rank
0
IOCs

LockBit, a ransomware variant, encrypts data on infected machines, demanding a ransom payment for decryption. Used in targeted attacks, It's a significant risk to organizations.

Ransomware
Type
Ex-USSR
Origin
15 September, 2019
First seen
10 October, 2025
Last seen
Also known as
ABCD

How to analyze LockBit with ANY.RUN

Type
Ex-USSR
Origin
15 September, 2019
First seen
10 October, 2025
Last seen

IOCs

IP addresses
52.60.114.31
72.167.106.35
198.244.187.248
184.168.221.18
3.33.152.147
198.71.232.3
72.167.191.69
193.233.132.177
154.91.34.165
139.60.160.200
93.190.143.101
139.180.184.147
93.190.139.223
185.182.193.120
104.237.255.254
193.162.143.218
193.38.235.234
45.227.255.190
88.80.147.102
168.100.11.72
Hashes
cea3e8a3e541ae4c928c3cd33f6772f1a69746393ac1a5c4575379a09a92d1e1
0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335
80f2904d6b331cf689249df1c73e25eaf49a60960bccd46bb4a9816137036146
daff7ba0e08e663f81f9b13a759221cb626b0e5cf45a6b17bb4d65663023cf78
dd45e00f332737f591abb0924f61edc9eed1f5ceaa9b3e4bfbfd8ec7f9f98383
d526f8d4c268b96a76007f620e682f1fadfb3d1cc56656b63205d4d0311b97f0
0f5d71496ab540c3395cfc024778a7ac5c6b5418f165cc753ea2b2befbd42d51
93d609cf73602a21296d2f83331e01646172991f35f82a0ce1382face131391e
01046712a7b54e17c52a96c2fb097f8cf67fdb655996b4ba2c72cc00578afe3e
19ca5aa4cd62929afb255d2b38e70fd3143e3b181889e84348a5c896e577d708
676c70fdb372e71131f4fc6d42625d85b80e2cc2c37cb877bec7c69c4ded6f55
3202d841bba36aed532a63b9ef2cc25d059d6d705eff25981662e6fad12b85e9
56bd343a74fc170163b82b394209f60e4dbb71781d30482b74dc588461c4c9ee
dcbc6a5f2f02209075bf3c2249d740cb16a1ca4c9706d8e0ad8c22f19e9aed2a
05312d1c61a4c8ae14fa5a8649007a8e7e72d1e1c81e9d50bc955efac80a7ba9
7114fe65b45edd98a5048870de58d6ced78f1b437417763349a174793b054ce4
938a5b90923e233109997bc9d06de641e25649e38cf131bab9a5eb7df47e92a1
745a79a2bce5ad44a11a08abaa0b97b6849dd82177cc0dd7365f269078f6fc2d
1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770
44749a25d2dd8c65a554f0d8a260da4ef6e90eb23dfc4801b63a2c9a43f55904
Domains
adobe-us-updatefiles.digital
ms-team-connect2.com
chifacanton.phuyufact.com
ms-team-ping.com
ms-team-ping2.com
lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion
lockbitapt67g6rwzjbcxnww5efpg4qok6vpfeth7wx3okj52ks4wtad.onion
lockbitfbinpwhbyomxkiqtwhwiyetrbkb4hnqmshaonqxmsrqwg7yad.onion
lockbitsuppyx2jegaoyiw44ica5vdho63m5ijjlmfb7omq3tfr3qhyd.onion
3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
lockbitapt.uz
z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
onlinenetworkupdate.com
peaceprotectorapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
Last Seen at
Last Seen at

Recent blog posts

post image
How to Grow SOC Team Expertise for Ultimate T...
watchers 385
comments 0
post image
Phishing, Cloud Abuse, and Evasion: Advanced...
watchers 2091
comments 0
post image
Release Notes: Palo Alto Networks, Microsoft,...
watchers 5043
comments 0

What is LockBit ransomware?

LockBit is a ransomware strain and also the name of the hacker group behind it. It mostly targets Windows computers, but it can also encrypt files on Linux and, more recently, MacOS machines. It's one of the biggest ransomware threats out there, making up about a third of all Ransomware-as-a-Service (RaaS) attacks.

Similar to threats such as Revil/Sodinokibi, LockBit works on a Ransomware-as-a-Service model. The main group sells access to the ransomware on underground forums, where they advertise it as the "fastest encryption software in the world." This business model, much like a franchise, has let LockBit grow its operations. Some estimates even suggest that this threat is behind 40% of all ransomware attacks.

Both large and small organizations are potential targets of a LockBit attack. For instance, in February 2023, LockBit was implicated in an incident involving Royal Mail, where the adversaries demanded a staggering $80 million ransom. However, the average demand from this group is considerably lower, around $85,000. This implies that while LockBit can be involved in high-profile attacks on large enterprises, it primarily targets small to medium-sized businesses.

LockBit, like many threats thought to originate from former USSR territories, avoids attacking victims near its likely home base. It verifies the language setting of the infected machine and aborts the attack if the setting is Russian, Romanian, Tatar, or, intriguingly, Arabic.

LockBit promotes itself as an "ethical ransomware gang." Its code of conduct restricts both the core group and its affiliates from targeting healthcare organizations, charities, or social services. Ransom demands are flexibly adjusted based on the victim, with the group typically asking for what they believe is a “fair” amount given the damage caused and the victim's ability to pay.

However, if a victim fails to meet their demands, LockBit doesn't hesitate to release the stolen sensitive data on their portal, which they host on the Tor network.

Interestingly, LockBit maintains its own website, which is rather professional-looking. This is indicative of a highly organized ransomware operation. They even run a bug bounty program — the only ransomware crew to do so.

LockBit's bug bounty program LockBit ransomware website offers a bug bounty program

However, the reliability of LockBit's crew promises leaves much to be desired, unsurprisingly. A notable instance of this occurred when the crew issued a challenge on a popular cybersecurity forum, Xss [.] is, offering to pay $1,000 to anyone bold enough to permanently tattoo the ransomware's logo.

Some individuals ill-advisedly participated and were subsequently tricked. The LockBit crew publicly revealed all of their Bitcoin wallets shortly after this audacious marketing stunt concluded.

LockBit ransomware version history

Since its initial detection in 2019, LockBit has undergone several iterations to enhance its malicious capabilities.

The first significant update, known as LockBit 2.0 or LockBit Red, was released in mid-2021. The next substantial upgrade occurred in June 2023. This version, referred to as LockBit 3.0 or LockBit Black, introduced the ability to accept additional parameters for specific operations in lateral movement, as well as the capability to reboot into Safe Mode.

Additionally, if an affiliate doesn't have access to a passwordless LockBit 3.0 ransomware, then providing a password parameter becomes essential during the ransomware's execution.

As of this writing, researchers suspect that LockBit is on the verge of its most significant shift in target selection since its initial detection. Researchers have discovered what they believe to be test versions of encryptors for macOS, ARM, FreeBSD, MIPS, and SPARC CPUs. These encryptors contain references to VMware ESXi and a list of Windows file extensions and folders, all of which are out of place on a macOS device. Furthermore, the code crashes due to a buffer overflow bug, suggesting it is still a work in progress.

LockBit's public representative later confirmed that a macOS encryptor is indeed under active development. Given these findings, it appears probable that a new major version of LockBit will be released soon, capable of targeting a significantly broader range of devices.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

LockBit ransomware technical details

Once LockBit secures its initial foothold in a system, it typically launches its operations via the command line. It accepts file paths or directory parameters to selectively encrypt targets. In certain scenarios, this ransomware can also carry out its attack via scheduled tasks or using the post-exploitation tool, PowerShell Empire.

LockBit also uses tools like Mimikatz to gather additional credentials, widening its potential impact. To evade detection, it employs GMER, PC Hunter, or Process Hacker to disable security products. Additionally, it's been observed disabling Windows Defender by altering Group Policy settings.

In addition, LockBit employs tools like Network Scanner, Advanced Port Scanner, and AdFind for discovery purposes. It uses these to enumerate connected machines, aiming to find Domain Controllers or Active Directory servers — high-value targets for ransomware deployment.

The ransomware facilitates lateral movement within the network by self-propagating via SMB connections using acquired credentials. Tools like PsExec or Cobalt Strike are occasionally used for this task.

Data is often exfiltrated using cloud storage tools like MEGA or FreeFileSync, or through the StealBit malware. Following exfiltration, the ransomware payload initiates an encryption routine, affecting both local and network data. LockBit employs AES for file encryption, with the AES key subsequently encrypted using RSA. A classic indicator of a LockBit attack is the replacement of the desktop wallpaper with a ransom note and an insider or affiliate recruitment statement.

LockBit ransomware execution

In the initial phase of its operation, LockBit implements privilege escalation. Following this, the now-elevated process executes a sequence of data recovery exceptions with the assistance of built-in Windows tools. Subsequently, it clears the logs, and then the software commences the file encryption process.

LockBit's process tree LockBit 1.0 process tree looks wild

It's important to note that LockBit ransomware exists in multiple active versions, and the sample we've analyzed is LockBit 1.0. Differences might be encountered when dealing with LockBit 3.0 or LockBit Black, as it is otherwise known.

LockBit ransomware distribution

LockBit ransomware employs an array of tactics and tools to infiltrate systems, typically leveraging affiliates who purchase access to targets from other cybercriminals. This access is often gained through phishing attacks, exploiting vulnerable applications, or brute-forcing Remote Desktop Protocol (RDP) accounts.

Initial access is commonly accomplished via compromised servers or RDP accounts, with insecure RDP or VPN credentials typically procured from affiliates or obtained through brute-force attacks. In some instances, LockBit takes advantage of vulnerabilities such as Fortinet VPN’s CVE-2018-13379.

LockBit ransomware: conclusions

Given its prevalence, LockBit ranks as a high-priority ransomware threat for cybersecurity professionals. It indiscriminately targets both small businesses and large corporations, provided the attackers deem the potential victim to be fair game.

Most concerning is LockBit's recent development of a MacOS encryptor. This evolution could position LockBit as the first major ransomware operation to heavily target Apple devices. This shift could be particularly lucrative, as some Apple users mistakenly believe they are inherently protected from malware on MacOS and may not maintain the same level of vigilance as those operating on Windows or Linux systems.

Considering LockBit's attack history and our analysis of this threat, it's highly probable that it will remain a significant player in the ransomware landscape. Analyze LockBit in ANY.RUN to establish a robust defensive framework and counter this threat.

HAVE A LOOK AT

Phorpiex screenshot
Phorpiex
phorpiex
Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit.
Read More
Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More
Xeno RAT screenshot
Xeno RAT
xenorat
Xeno RAT is an open-source malware mainly distributed through drive-by downloads. The core capabilities of this threat include remote control, keystroke logging, webcam and microphone access. Equipped with advanced utilities, such as Hidden Virtual Network Computing and Socks5 reverse proxy, Xeno RAT is most frequently used in attacks against individual users.
Read More
Play Ransomware screenshot
Play aka PlayCrypt ransomware group has been successfully targeting corporations, municipal entities, and infrastruction all over the world for about three years. It infiltrates networks via software vulnerabilities, phishing links and compromised websites. The ransomware abuses Windows system services to evade detection and maintain persistence. Play encrypts user files and steals sensitive data while demanding a ransom.
Read More
StrelaStealer screenshot
StrelaStealer
strela
StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.
Read More
Ramnit screenshot
Ramnit
ramnit
Ramnit is a highly modular banking trojan and worm that evolved from a file-infecting virus into a powerful cybercrime tool. It specializes in financial fraud, credential theft, remote access, and malware delivery, being a serious threat to businesses and individuals. First spotted in 2010, Ramnit became popular after the 2014 takedown of the GameOver Zeus botnet, as cybercriminals sought alternatives for banking fraud.
Read More