LockBit

LockBit is a <a href="/facts/Cybercriminal/cSyaFF96">cybercriminal</a> group proposing <a href="/facts/Ransomware_as_a_service/bksSpLPx">ransomware as a service</a> (RaaS). Software developed by the group (also called <a href="/facts/Ransomware/muT4jcxj">ransomware</a>) enables malicious actors who are willing to pay for using it to carry out attacks in two tactics where they not only <a href="/facts/Encrypt/16q29Fdv">encrypt</a> the victim's data and demand payment of a <a href="/facts/Ransom/Clb2jjff">ransom</a>, but also threaten to <a href="/facts/Internet_leak/6jKcdHGy">leak</a> it publicly if their demands are not met.
According to a joint statement by various government agencies, LockBit was the world's most prolific ransomware in 2022. It was estimated in early 2023 to be responsible for 44% of all ransomware incidents globally.
In the United States between January 2020 and May 2023, LockBit was used in approximately 1,700 ransomware attacks, with <a href="/facts/US%24/naEEDUhC">US$</a>91 million paid in ransom to hackers.
Government agencies did not formally attribute the group to any nation-state. Software with the name "LockBit" appeared on a Russian-language based cybercrime forum in January 2020. The group is financially motivated. However, in an interview on Inside Darknet, members claimed they are not Russian.
In February 2024 law enforcement agencies seized control of LockBit <a href="/facts/Dark_web/A40ffCpy">dark web</a> sites used for attacks.
 However, further attacks with LockBit ransomware were later reported, with the group attempting to perform a comeback.
In May 2025, the LockBit ransomware group's infrastructure was <a href="/facts/Breached/4UAsKMIf">breached</a> and defaced. The breach resulted in a complete data dump, exposing <a href="/facts/Bitcoin/UJvqfray">Bitcoin</a> wallet addresses, private encryption keys, internal chat logs with victims, affiliate details, and other sensitive information.

LockBit open-in-new

LockBit