LockBit operates as a Ransomware-as-a-Service (RaaS) platform, meaning it rents out its infrastructure to affiliates who execute attacks under its banner. This model has expanded the group’s global reach, allowing it to increase the scale and diversity of attacks while staying agile through constant collaboration and code evolution.
The 2024 cross-sectional study ‘Ransomware Attacks and Data Breaches in US Health Care Systems’ noted that “hacking or information technology (IT) incidents became the leading cause of health care data breaches in 2017,” and that ransomware continues to account for a growing share of those incidents. Between 2010 and 2024, ransomware attacks were linked to 39% of all protected health information (PHI) breaches, a striking indication of how deeply groups like LockBit have embedded themselves into the threat landscape.
LockBit ransomware first appeared in September 2019 under the name “ABCD” ransomware, a reference to the “.abcd” file extension used in its early attacks. At the time, it was a relatively new presence in the ransomware scene.
By 2021, the release of LockBit 2.0 introduced attacks on Linux and VMware ESXi systems, signaling a shift toward targeting enterprise environments. The 2022 release of LockBit 3.0 (LockBit Black) raised the stakes even higher by adding Distributed Denial of Service (DDoS) attacks, forming a “triple extortion” model that threatened victims with encryption, data leaks, and service disruption simultaneously. When LockBit’s builder source code was leaked that same year, other cybercriminals began deploying modified versions, extending its impact beyond the group’s direct control.
LockBit’s rise also coincided with collaborations and rivalries across the ransomware landscape. The group was linked to the so-called “ransomware cartel,” a loose alliance that included Maze and others who shared victim data and tactics. After the 2021 takedown of BlackMatter, remnants of that group’s data and operations flowed into LockBit, consolidating its dominance in the ransomware market.
In early 2024, however, LockBit’s global reign met a significant disruption. U.S., U.K., and international law enforcement agencies coordinated a large-scale takedown of the group’s infrastructure, a moment when, as Attorney General Merrick Garland put it in the Department of Justice’s press release, authorities “took away the keys to their criminal operation.” The operation, led by the U.K. National Crime Agency (NCA), the FBI, and the Department of Justice, seized LockBit’s public-facing websites and servers, effectively dismantling its operational backbone. Garland added, “We have also obtained keys from the seized LockBit infrastructure to help victims decrypt their captured systems and regain access to their data.”
This joint effort wasn’t just about disruption; it marked a turning point in how law enforcement approaches ransomware. Deputy Attorney General Lisa Monaco described it as “another down payment on our pledge to continue dismantling the ecosystem fueling cybercrime by prioritizing disruptions and placing victims first.” The NCA and FBI have since developed decryption tools that could help hundreds of victims recover their data.
Following the operation, U.S. prosecutors unsealed indictments against two Russian nationals, Artur Sungatov and Ivan Kondratyev (known online as “Bassterlord”), accusing them of deploying LockBit against organizations in industries ranging from manufacturing and logistics to insurance and semiconductors.
FBI Director Christopher Wray called the action “a major step in degrading the capabilities of one of the most prolific ransomware variants across the globe,” emphasizing that it demonstrated law enforcement’s “capability and commitment to defend our nation's cybersecurity.”
Healthcare organizations hold large amounts of sensitive PHI, including records, insurance details, and research data, that can be exploited in several ways. LockBit’s approach relies on double extortion, where attackers both encrypt files and steal data, threatening to release it publicly if payment is not made.
Healthcare systems also face long-standing structural weaknesses. Many rely on outdated or poorly integrated technology, with medical devices and software that are difficult to patch or secure. As the study ‘Ransomware: Minimizing the Risks’ warns, even smaller practices must remember that attackers view all health networks, big or small, as viable targets.
These legacy systems create openings for attackers. Combined with the sector’s dependence on third-party vendors and digital platforms, these vulnerabilities give ransomware operators multiple paths in. Staff working under pressure may also be more likely to fall for phishing attempts, providing attackers with stolen credentials or network access. As the source mentions, “all employees receive ransomware training” to help them detect when an attachment, link, or site might be malicious.
LockBit targeted Top Aces, a Canadian company that is the exclusive adversary air provider to the Canadian and German armed forces. The attackers leaked 44GB of stolen data and set ransom deadlines with explicit threats to publish confidential information. This attack was particularly significant because it targeted a sensitive defense contractor closely linked with national security interests, highlighting LockBit’s reach into critical infrastructure and military supply chains.
One of the most financially impactful LockBit attacks was on TSMC, the world’s largest semiconductor manufacturer. LockBit operators accessed company data and demanded a $70 million ransom, threatening to publish stolen sensitive information if the ransom went unpaid. This attack drew global attention due to TSMC’s strategic importance in the global semiconductor supply chain, influencing manufacturing and technology sectors far beyond Taiwan. The size of the ransom demand and the threat of data exposure made this a landmark cybersecurity incident.
The UK’s largest mail delivery service, Royal Mail, suffered a LockBit ransomware attack that severely disrupted its international export services. This incident halted critical logistics operations affecting communications and supply chains across the UK and overseas. The attack underscored LockBit’s capability to disrupt essential public services and infrastructure, causing widespread operational and economic consequences.
Cybersecurity is the practice of protecting networks, devices, software, and data from unauthorized access, attacks, and damage. It involves measures like strong passwords, two-factor authentication, and staff training to defend against cyber threats.
A cyberattack occurs when unauthorized parties exploit weaknesses in software or hardware to gain access to, steal, alter, or destroy data. Motives include financial gain, espionage, cyber terrorism, or digital vandalism.
Common threats include malware (viruses, ransomware, spyware), phishing emails that trick users into revealing sensitive information, business email compromise, and ransomware that demands payment to restore access to systems.