Why LockBit remains one of the most dangerous ransomware threats

LockBit operates as a Ransomware-as-a-Service (RaaS) platform, meaning it rents out its infrastructure to affiliates who execute attacks under its banner. This model has expanded the group’s global reach, allowing it to increase the scale and diversity of attacks while staying agile through constant collaboration and code evolution. 

A 2024 cross-sectional study, ‘Ransomware Attacks and Data Breaches in US Health Care Systems’, noted that “hacking or information technology (IT) incidents became the leading cause of health care data breaches in 2017,” and that ransomware continues to account for a growing share of those incidents. Between 2010 and 2024, ransomware attacks were linked to 39% of all protected health information (PHI) breaches, a striking indication of how deeply groups like LockBit have embedded themselves in the threat landscape.


When and how LockBit emerged 

LockBit ransomware first appeared in September 2019 under the name “ABCD” ransomware, a reference to the “.abcd” file extension used in its early attacks. At the time, it was a relatively new presence in the ransomware scene. 

By 2021, the release of LockBit 2.0 introduced attacks on Linux and VMware ESXi systems, signaling a shift toward targeting enterprise environments. The 2022 release of LockBit 3.0 (LockBit Black) raised the stakes even higher by adding Distributed Denial of Service (DDoS) attacks, forming a “triple extortion” model that threatened victims with encryption, data leaks, and service disruption simultaneously. When LockBit’s builder source code was leaked that same year, other cybercriminals began deploying modified versions, extending its impact beyond the group’s direct control.

LockBit’s rise also coincided with collaborations and rivalries across the ransomware landscape. The group was linked to the so-called “ransomware cartel,” a loose alliance that included Maze and others who shared victim data and tactics. After the 2021 takedown of BlackMatter, remnants of that group’s data and operations flowed into LockBit, consolidating its dominance in the ransomware market.

In early 2024, however, LockBit’s global reign met a significant disruption. In what Attorney General Merrick Garland in the Department of Justice’s press release called a moment when authorities “took away the keys to their criminal operation,” U.S., U.K., and international law enforcement agencies coordinated a large-scale takedown of the group’s infrastructure. The operation, led by the U.K. National Crime Agency (NCA), the FBI, and the Department of Justice, seized LockBit’s public-facing websites and servers, effectively dismantling its operational backbone. Garland added, “We have also obtained keys from the seized LockBit infrastructure to help victims decrypt their captured systems and regain access to their data.”

This joint effort wasn’t just about disruption; it marked a turning point in how law enforcement approaches ransomware. Deputy Attorney General Lisa Monaco described it as “another down payment on our pledge to continue dismantling the ecosystem fueling cybercrime by prioritizing disruptions and placing victims first.” The NCA and FBI have since developed decryption tools that could help hundreds of victims recover their data.

Following the operation, U.S. prosecutors unsealed indictments against two Russian nationals, Artur Sungatov and Ivan Kondratyev (known online as “Bassterlord”), accusing them of deploying LockBit against organizations in industries ranging from manufacturing and logistics to insurance and semiconductors. 

FBI Director Christopher Wray called the action “a major step in degrading the capabilities of one of the most prolific ransomware variants across the globe,” emphasizing that it demonstrated law enforcement’s “capability and commitment to defend our nation's cybersecurity.”


A breakdown of their attack lifecycle 

  • Initial access is gained through phishing emails, exploiting software vulnerabilities, or using stolen VPN/RDP credentials.
  • Attackers may recruit insiders to provide account credentials or facilitate internal attacks.
  • Once inside the network, LockBit deploys tools like Cobalt Strike and Mimikatz to dump credentials and escalate privileges.
  • The attackers perform lateral movement using SMB, WMI, and PsExec to spread within the network.
  • Security tools, backups, and system restore points are disabled or deleted to hinder recovery.
  • Critical assets such as backup servers, NAS, and VMware ESXi systems are specifically targeted.
  • Data exfiltration occurs by stealing sensitive files and uploading them to external servers.
  • The ransomware payload is deployed to encrypt files across infected systems.
  • Ransom notes with extortion demands are left in encrypted folders.
  • Double extortion tactics are used: victims are pressured both by the encryption itself and by the threat of publishing the stolen data.
  • Some versions incorporate DDoS attacks to further pressure victims (triple extortion).
  • The ransomware checks system language to avoid infecting computers in CIS countries, an evasion tactic.
  • Attackers establish persistence by removing legitimate admin accounts and creating new admin accounts.
  • Lateral movement and encryption often occur rapidly after initial infiltration, sometimes within hours.
  • The entire attack lifecycle involves a combination of manual and automated steps, adapting to network environments and defense mechanisms.
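As an added example (not code from the article, and not LockBit's code), the following correlation check maps constructed host events onto the lifecycle stages listed above and escalates when several stages appear on one host within a short window; the event layout, host names and sample telemetry are assumptions made for illustration.

```python
"""Added example (not from the article or LockBit's code): map constructed host
events onto the lifecycle stages the article lists and escalate when several
stages appear on one host within a short window. The event layout, host names
and sample events below are assumptions made for illustration."""
import re
from datetime import datetime, timedelta

# One regex per lifecycle stage, applied to an event's free-text "detail" field.
# ".abcd" is the early LockBit extension named in the article; the others cover
# backup/restore-point deletion, PsExec use and new admin accounts it describes.
RULES = {
    "recovery_inhibition": re.compile(r"vssadmin\.exe\s+delete\s+shadows", re.I),
    "lateral_movement": re.compile(r"service installed:\s*PSEXESVC", re.I),
    "persistence": re.compile(r"account created:.*added to:\s*Administrators", re.I),
    "impact": re.compile(r"\.abcd(\s|$)", re.I),
}

def match_stage(detail):
    """Return the first lifecycle stage whose pattern matches, else None."""
    for stage, pattern in RULES.items():
        if pattern.search(detail):
            return stage
    return None

def correlate(events, window=timedelta(minutes=60)):
    """Per host: largest set of distinct stages inside one window; >=2 is high."""
    hits = {}
    for ev in events:
        stage = match_stage(ev["detail"])
        if stage:
            hits.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), stage))
    verdicts = {}
    for host, items in hits.items():
        items.sort()
        best = set()
        for t0, _ in items:  # slide the window from each hit and keep the richest set
            span = {s for t, s in items if t0 <= t <= t0 + window}
            if len(span) > len(best):
                best = span
        verdicts[host] = {"stages": sorted(best), "severity": "high" if len(best) >= 2 else "low"}
    return verdicts

SAMPLE_EVENTS = [  # constructed telemetry, not from a real incident
    {"ts": "2024-03-01T02:10:00", "host": "FILESRV01", "detail": "process: vssadmin.exe delete shadows"},
    {"ts": "2024-03-01T02:12:30", "host": "FILESRV01", "detail": "service installed: PSEXESVC"},
    {"ts": "2024-03-01T02:15:05", "host": "FILESRV01", "detail": "account created: svc_bk2 added to: Administrators"},
    {"ts": "2024-03-01T02:40:00", "host": "FILESRV01", "detail": "file renamed: budget.xlsx -> budget.xlsx.abcd"},
    {"ts": "2024-03-01T09:00:00", "host": "WKSTN17", "detail": "service installed: PSEXESVC"},  # lone admin use
    {"ts": "2024-03-01T11:30:00", "host": "WKSTN17", "detail": "process: notepad.exe report.txt"},
]
```

A single PsExec service install on WKSTN17 stays low severity, while FILESRV01, where four stages land inside thirty minutes, is rated high; the window length and the two-stage threshold are tuning knobs, not fixed thresholds.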


Why healthcare is their preferred target 

Healthcare organizations hold large amounts of sensitive PHI, including records, insurance details, and research data, that can be exploited in several ways. LockBit’s approach relies on double extortion, where attackers both encrypt files and steal data, threatening to release it publicly if payment is not made. 

Healthcare systems also face long-standing structural weaknesses. Many rely on outdated or poorly integrated technology, with medical devices and software that are difficult to patch or secure. As the study Ransomware: Minimizing the Risks warns, even smaller practices must remember that attackers view all health networks, big or small, as viable targets.

These legacy systems create openings for attackers. Combined with the sector’s dependence on third-party vendors and digital platforms, these vulnerabilities give ransomware operators multiple paths in. Staff working under pressure may also be more likely to fall for phishing attempts, providing attackers with stolen credentials or network access. As the source mentions, “all employees receive ransomware training” to help them detect when an attachment, link, or site might be malicious.


The notable LockBit attacks 

Attack on Top Aces (2024)

LockBit targeted Top Aces, a Canadian company that is the exclusive adversary air provider to the Canadian and German armed forces. The attackers leaked 44GB of stolen data and set ransom deadlines with explicit threats to publish confidential information. This attack was particularly significant because it targeted a sensitive defense contractor closely linked with national security interests, highlighting LockBit’s reach into critical infrastructure and military supply chains.


Taiwan Semiconductor Manufacturing Company (TSMC) Attack (2023)

One of the most financially impactful LockBit attacks was on TSMC, the world’s largest semiconductor manufacturer. LockBit operators accessed company data and demanded a $70 million ransom, threatening to publish stolen sensitive information if the ransom was unpaid. This attack drew global attention due to TSMC's strategic importance in the global semiconductor supply chain, influencing manufacturing and technology sectors far beyond Taiwan. The ransom demand size and the data exposure threat made this a landmark cybersecurity incident.


Royal Mail Attack (2023)

The UK’s largest mail delivery service, Royal Mail, suffered a LockBit ransomware attack that severely disrupted its international export services. This incident halted critical logistics operations affecting communications and supply chains across the UK and overseas. The attack underscored LockBit’s capability to disrupt essential public services and infrastructure, causing widespread operational and economic consequences.


FAQs

What is cybersecurity?

Cybersecurity is the practice of protecting networks, devices, software, and data from unauthorized access, attacks, and damage. It involves measures like strong passwords, two-factor authentication, and staff training to defend against cyber threats.


What is a cyberattack?

A cyberattack occurs when unauthorized parties exploit weaknesses in software or hardware to gain unauthorized access, steal, alter, or destroy data. Motives include financial gain, espionage, cyber terrorism, or digital vandalism.


What are common types of cyber threats?

Common threats include malware (viruses, ransomware, spyware), phishing emails that trick users into revealing sensitive info, business email compromise hacks, and ransomware demanding payment to restore access to systems.
