S2W Threat Intelligence Center Releases Threat Group Profiling Report.
This report provides an in-depth threat intelligence analysis on the LockBit threat group, offering a high-level profiling of the actors involved.
✅ Report Title:
Threat Group Profiling: LockBit
✅ Executive Summary:
LockBit initially emerged as ABCD Ransomware in September 2019, and by late December 2019, it was rebranded as LockBit, using the .lockbit file extension.
- LockBit 1.0: September 2019 – June 2021
- LockBit 2.0: June 2021 – June 2022
- LockBit 3.0: June 2022 – December 2024
- LockBit 4.0: December 2024 – Present
LockBit operates a Ransomware-as-a-Service (RaaS) model, supplying ransomware tools to affiliates. Additionally, it provides a custom-built Stealer tool via its affiliate panel.
- Ransomware Variants: LockBit Red, LockBit Black, LockBit Green, LockBit Linux
- Stealer Tool: StealBit
The initial intrusion methods used for the distribution of LockBit ransomware include Phishing, Vulnerability Exploitation, Watering Hole Attacks, and External Remote Services.
- Phishing: Phishing emails disguised as legitimate correspondence, including fake copyright infringement notices and job application lures, are used to spread LockBit ransomware.
- Vulnerability Exploitation: Targeting multiple known 1-day vulnerabilities in unpatched systems.
- Watering Hole Attacks: Injecting SocGholish malware into legitimate websites to deliver additional malicious payloads.
- External Remote Services: Gaining initial access through brute-force attacks on vulnerable RDP and VPNs or using credentials purchased from Initial Access Brokers (IABs).
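The External Remote Services vector above is one a defender can detect from ordinary authentication telemetry. The following is an added example, not code from the S2W report: a small sliding-window detector that flags a source IP producing a burst of failed RDP logons (Windows Security event 4625 with LogonType 10) and notes whether a successful logon (4624) from the same source follows. The event records, the five-failure threshold and the five-minute window are all constructed assumptions chosen for illustration.

```python
"""Added example (not part of the S2W report): detect RDP brute-force
attempts followed by a successful logon from the same source address."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, reduced to the fields used here.
# EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_EVENTS = [
    # 203.0.113.7: six failures in two minutes, then a success -> alert
    {"time": "2025-01-31T02:00:01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"time": "2025-01-31T02:00:20", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2025-01-31T02:00:45", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2025-01-31T02:01:10", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_sql"},
    {"time": "2025-01-31T02:01:30", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "jsmith"},
    {"time": "2025-01-31T02:02:00", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "jsmith"},
    {"time": "2025-01-31T02:02:30", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "jsmith"},
    # 198.51.100.5: two typos then a success -> normal user behaviour, no alert
    {"time": "2025-01-31T02:03:00", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.5", "user": "mlee"},
    {"time": "2025-01-31T02:03:20", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.5", "user": "mlee"},
    {"time": "2025-01-31T02:03:40", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.5", "user": "mlee"},
    # 203.0.113.9: five failures ten minutes apart -> never five inside one window
    {"time": "2025-01-31T02:00:00", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.9", "user": "admin"},
    {"time": "2025-01-31T02:10:00", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.9", "user": "admin"},
    {"time": "2025-01-31T02:20:00", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.9", "user": "admin"},
    {"time": "2025-01-31T02:30:00", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.9", "user": "admin"},
    {"time": "2025-01-31T02:40:00", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.9", "user": "admin"},
    # A network logon failure (LogonType 3) is ignored by this RDP-focused rule
    {"time": "2025-01-31T02:05:00", "event_id": 4625, "logon_type": 3, "src_ip": "203.0.113.7", "user": "admin"},
]

FAIL_THRESHOLD = 5          # assumed tuning value
WINDOW = timedelta(minutes=5)  # assumed tuning value


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source IP that produced `threshold` or more failed
    RDP logons inside a sliding `window`. If a successful RDP logon from the
    same source follows, the alert records the account that logged on."""
    failures = defaultdict(list)  # src_ip -> timestamps of recent failures
    alerts = {}                   # src_ip -> alert dict
    for ev in sorted(events, key=_ts):
        if ev["logon_type"] != 10:   # only RemoteInteractive (RDP) logons
            continue
        ip, now = ev["src_ip"], _ts(ev)
        if ev["event_id"] == 4625:
            failures[ip] = [t for t in failures[ip] if now - t <= window]
            failures[ip].append(now)
            if len(failures[ip]) >= threshold:
                alert = alerts.setdefault(ip, {"src_ip": ip, "failures": 0, "success_user": None})
                alert["failures"] = max(alert["failures"], len(failures[ip]))
        elif ev["event_id"] == 4624 and ip in alerts:
            alerts[ip]["success_user"] = ev["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

A success following the burst is the signal worth paging on: it suggests a password was guessed (or a purchased credential was validated), which is exactly the point at which an affiliate would move to post-exploitation. Enforcing MFA on RDP and VPN, removing direct exposure of RDP to the internet, and account lockout policies address the same vector preventively.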
Due to its long history since 2019, LockBit has been linked to multiple other ransomware and affiliate groups.
- Related Ransomware Groups: BlackMatter, BlackCat, Conti
- Affiliate Groups: Ghost Group, National Hazard Agency, DEV-0401, Evil Corp
📌 What were the key events between LockBit 3.0 and 4.0?
(2024-12-19) LockBit 4.0 update released.
(2024-10-02) Operation CRONOS: Law enforcement arrests LockBit developers, money launderers, and infrastructure operators; publicly discloses the identities of 18 Evil Corp members.
(2024-07-19) LockBit shares new contact details via Telegram and its leak site.
(2024-05-07) LockBitSupp’s identity and some affiliate surnames are exposed.
(2024-05-05) Another LockBit leak site domain seized.
(2024-02-22) Sophos reports exploitation of ScreenConnect vulnerabilities by LockBit.
(2024-02-19) Operation CRONOS: Law enforcement agencies from 11 countries issue a joint advisory against LockBit ransomware.
(2023-11-21) CISA warns that LockBit exploited Citrix Bleed vulnerabilities in an attack on Boeing.
(2023-04-16) MalwareHunterTeam detects the first macOS version of LockBit ransomware.
(2023-01-27) VX-Underground identifies LockBit Green ransomware, derived from Conti’s codebase.
(2022-06-26) LockBit 3.0 update released.
Further details on the LockBit timeline and attack techniques are available in the full report.
✅ Recommended Threat Detection and Mitigation Actions:
Since its formal branding as LockBit in 2020, multiple ransomware groups have emerged using the leaked LockBit Black builder, making it difficult to distinguish between actual affiliates and script kiddies leveraging the leaked builder. (This highlights the need for tools to differentiate between legitimate and unauthorized LockBit variants.)
LockBit has consistently adopted and modified existing ransomware code, as with LockBit Black and LockBit Green, raising concerns that it may continue integrating other ransomware groups' source code to develop future variants.
For a detailed analysis and recommended countermeasures, please refer to the full report.
🧑‍💻 Report Author: S2W TALON (Updated 2025-01-31)
👉 Contact us: https://s2w.inc/en/contact
*The full report is available upon request.