LockBit ransomware is one of today’s most notorious cyber threats, having evolved to become one of the most sophisticated and dangerous groups on the world stage. With a Ransomware-as-a-Service (RaaS) model, LockBit allows affiliates to carry out attacks effectively, mainly targeting large companies and institutions.

LockBit is a ransomware variant first detected in September 2019, quickly gaining notoriety for its ability to efficiently encrypt data and demand exorbitant ransoms. Its third version, LockBit 3.0, introduced improvements to the ransomware infrastructure, making the attacks faster, harder to detect and even more devastating for victims.

Unlike other ransomware groups, LockBit focuses on large companies, exploiting vulnerabilities in security systems and implementing almost irreversible data encryption if the ransom is not paid.

How does the LockBit Group work?

The LockBit group operates on the basis of the Ransomware-as-a-Service (RaaS) model, where developers supply malicious software to affiliates, who are responsible for carrying out the attacks. These affiliates receive a significant percentage of the ransom, while the rest is handed over to the ransomware developers.

Some of the main strategies used by operators include:

  • Exploitation of vulnerabilities: Attackers exploit known vulnerabilities and misconfigurations in IT systems, such as unpatched servers or poorly managed firewalls.
  • Targeted phishing: The group uses social engineering and spear-phishing tactics to trick employees into downloading malware or providing access credentials.
  • Data exfiltration: Before encrypting files, the LockBit group exfiltrates large volumes of data, which gives them additional negotiating power as they can threaten to leak confidential information.

A distinctive feature of LockBit 3.0 is its bug bounty programme – an unusual practice in ransomware groups – where they offer rewards to anyone who finds flaws in their own software, increasing the robustness of their operations.

Recent Global Impact Data

According to Cybersecurity Ventures’ Ransomware Report 2024, ransomware as a whole is expected to cause global damage totalling approximately 265 billion dollars by 2031, with LockBit being responsible for a significant portion of recent attacks. In 2023, LockBit was involved in more than 40 per cent of all ransomware incidents reported globally.

Chainalysis’ cyber intelligence unit reported that in 2022 LockBit accumulated around $91 million in ransom payments, with the average ransom payment being $1.5 million per victim. In addition, a Sophos study showed that, on average, LockBit attacks result in 21 days of downtime for affected companies, causing huge operational losses.

Evolution of LockBit Ransomware

LockBit ransomware is widely known in the cybersecurity world for its rapid evolution and the various versions that have introduced improvements and more sophisticated tactics. Since its first appearance in 2019, LockBit has undergone a series of significant updates, with each new version making the ransomware more powerful, efficient and difficult to combat.

LockBit 1.0: The Beginning (2019)

The original version of LockBit, released in September 2019, was one of the first to use the “self-propagation” technique, where the ransomware moves laterally within the network, quickly infecting other connected devices and servers. Some notable features of LockBit 1.0 include:

  • Self-propagation via SMB: The ransomware exploits vulnerabilities in the Server Message Block (SMB) protocol to move laterally across a network.
  • Fast encryption: Since its first version, LockBit has stood out for its ability to encrypt data quickly, minimising the response window for security teams.
  • Focus on large companies: The first version of LockBit was aimed at large organisations, taking advantage of vulnerabilities in corporate networks.

This first version already indicated the seriousness of the group, with successful attacks on large corporations, but it didn’t offer more advanced features like those introduced in later versions.

LockBit 2.0: Refinement and Double Threat (2021)

In June 2021, the group launched LockBit 2.0, which brought a series of improvements and made the ransomware one of the most dominant threats on the world stage. Among the significant improvements in this version are:

  • Ransomware-as-a-Service (RaaS) model: LockBit 2.0 formalised its RaaS model, allowing affiliate operators to use the ransomware in exchange for a percentage of the ransoms. This expanded the operator base and increased the frequency of attacks.
  • Double extortion: Introduced the double extortion technique, in which attackers not only encrypt data, but also exfiltrate confidential information. The threat of disclosing this data creates additional pressure for the victim to pay the ransom.
  • Optimised encryption speed: LockBit 2.0 has become one of the fastest ransomwares, capable of encrypting entire networks in minutes, drastically reducing the response time of IT teams.
  • Improved negotiation interface: Version 2.0 has also improved the negotiation process between victims and ransomware operators, with dedicated payment sites and direct communication.

The enhancements to LockBit 2.0 made this version especially effective against companies that were not prepared to deal with data exfiltration, since the loss of critical or confidential information could result in irreparable damage to reputation and operations.

LockBit 3.0 (LockBit Black): The Technological Breakthrough (2022)

Launched in early 2022, LockBit 3.0, also known as LockBit Black, is the latest and most advanced version of this ransomware. With significant improvements, LockBit 3.0 not only continued with the double extortion and RaaS tactics, but also innovated in several areas, such as incorporating bug bounty programmes for those who find flaws in the ransomware. The main new features of LockBit 3.0:

  • Bug Bounty Programme: For the first time in the history of ransomware, LockBit 3.0 introduced a bug bounty programme, in which the operators offer rewards to anyone who finds vulnerabilities in their own software, improving the effectiveness and security of the operation.
  • Selective encryption: Unlike previous versions, LockBit 3.0 has the ability to selectively encrypt critical files, speeding up the process and prioritising the most valuable data.
  • Anti-analysis protection: Advanced evasion techniques have been introduced to avoid detection by security solutions, making analysing ransomware more difficult for cybersecurity experts.
  • Improved speed: Encryption and lateral movement within networks have become even faster and more efficient, aiming to maximise the impact before any mitigation response is possible.
  • Ransom personalisation: LockBit 3.0 allows operators to personalise ransom demands, making the extortion process more specific to each victim, which increases the effectiveness of negotiations.

In addition, LockBit 3.0 has strengthened its anonymity measures, using sophisticated cryptography to protect itself from being traced by security authorities. This new level of sophistication has consolidated LockBit as one of the most dangerous ransomwares in circulation.

Version comparison

| Feature | LockBit 1.0 | LockBit 2.0 | LockBit 3.0 (Black) |
|---|---|---|---|
| Release year | 2019 | 2021 | 2022 |
| RaaS model | No | Yes | Yes |
| Encryption | Quick | Faster and more efficient | Selective and even faster |
| Double extortion | No | Yes | Yes |
| Bug bounty programme | No | No | Yes |
| Anti-analysis protection | Basic | Improved | Advanced |
| Lateral movement | Via SMB | Via SMB and RDP | More efficient and invisible |
| Negotiation interface | Basic | Improved | More advanced interface |

LockBit ransomware continues to evolve at an alarming rate, with each version bringing improvements that make the attacks faster, harder to prevent and more devastating. Starting with LockBit 1.0, the group quickly became a dominant force with LockBit 2.0, adopting double extortion and a RaaS model that attracted countless affiliates. With LockBit 3.0 (LockBit Black), they redefined sophistication in ransomware, introducing selective encryption, bug bounty programmes and enhanced protections against detection.

Protecting yourself against LockBit and its variants requires robust cyber security measures, such as regular backups, network segmentation, intrusion detection and the creation of incident response plans. Keeping up to date with the LockBit group’s latest tactics is crucial to mitigating the damage and minimising the risks. If you’ve been affected by a LockBit ransomware attack, you can count on our solutions to decrypt ransomware files. Contact our experts now.

Frequently Asked Questions About Ransomware Recovery

Every day, ransomware attacks get better and better. After a successful attack attempt, ransomware quickly maps the user’s most important files to begin encryption. Microsoft Office files, databases, PDFs and design files are among its main targets.

Yes, yet the ransomware is designed not to be identified by the firewall, so it can infiltrate the company’s internal system and disable defenses, move laterally, and alter backup routines.

The user can identify the ransomware’s activity even if the system cannot: the malware uses the system’s own resources for the encryption process, so the system may be slow to respond to user requests.

The file extensions are also changed: a specific extension is added that mentions the attacker group. Watch for these signs.
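The extension-change sign described above can be checked mechanically. The following is an added example, not part of the original page: it scans rename events for many files of different types gaining the same appended suffix within a short window. The event format, the thresholds and the `.xyz9example` suffix are assumptions made for illustration.

```python
import os
from collections import defaultdict, deque

def appended_suffix(old, new):
    """Return the suffix appended on rename (e.g. '.xyz'), else None."""
    extra = new[len(old):] if new.startswith(old) else ""
    if len(extra) > 1 and extra[0] == "." and not set("/\\") & set(extra):
        return extra.lower()
    return None

def detect_mass_rename(events, window_s=60, min_files=5, min_types=3):
    """events: time-ordered (epoch_seconds, old_path, new_path) tuples.

    Alert once per suffix when, inside window_s seconds, at least min_files
    files of at least min_types original types gain that same suffix.
    Returns [(suffix, alert_time, files_in_window), ...].
    """
    recent = defaultdict(deque)  # suffix -> deque of (ts, original extension)
    alerted, alerts = set(), []
    for ts, old, new in events:
        suffix = appended_suffix(old, new)
        if suffix is None or suffix in alerted:
            continue
        q = recent[suffix]
        q.append((ts, os.path.splitext(old)[1].lower()))
        while ts - q[0][0] > window_s:  # drop events older than the window
            q.popleft()
        if len(q) >= min_files and len({ext for _, ext in q}) >= min_types:
            alerted.add(suffix)
            alerts.append((suffix, ts, len(q)))
    return alerts

# Constructed sample events; ".xyz9example" is a made-up suffix.
SAMPLE = [
    (1000, "/srv/share/report.docx", "/srv/share/report.docx.xyz9example"),
    (1001, "/var/log/app.log", "/var/log/app.log.1"),        # log rotation
    (1002, "/srv/share/budget.xlsx", "/srv/share/budget.xlsx.xyz9example"),
    (1003, "/srv/db/clients.sql", "/srv/db/clients.sql.xyz9example"),
    (1004, "/home/a/notes.txt", "/home/a/notes_final.txt"),  # normal rename
    (1005, "/srv/share/plan.pdf", "/srv/share/plan.pdf.xyz9example"),
    (1006, "/srv/art/logo.psd", "/srv/art/logo.psd.xyz9example"),
    (1008, "/srv/share/scan.pdf", "/srv/share/scan.pdf.xyz9example"),
]

if __name__ == "__main__":
    for suffix, ts, n in detect_mass_rename(SAMPLE):
        print(f"ALERT t={ts}: {n} files gained '{suffix}' within the window")
```

In practice the events would come from file-server audit logs or an endpoint agent, and the thresholds need tuning against normal bulk operations such as archive or backup jobs.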

Yes, it is possible, but there is a risk that some files will be corrupted. Once you identify the ransomware action on the system, disconnect the device from the internet. This will break the group’s communication with the malware, although some ransomware can continue encryption even without internet access.

You can also initiate antivirus countermeasures to isolate the malware and delete it, if the antivirus has not been disabled by the ransomware.

Stopping the encryption is extremely difficult: the ransomware is designed to disable any system or user countermeasures, decreasing the chances of the process being interrupted.

The attacks usually happen when there is a drop in the flow of users in the system, which happens on weekends and holidays and during the early hours of the morning, making these periods suitable for attacks.

There are numerous encryption algorithms, but the most widely used are RSA [Rivest-Shamir-Adleman]-2048 and AES [Advanced Encryption Standard].

First of all, keep calm; criminals count on the victim’s desperation. Follow these tips:

  • Isolate the affected device – The ransomware can move laterally through the system and reach other devices, so it is important to isolate its field of action.
  • Verify backup – If the backup has not been reached by the ransomware, data can be quickly restored without major problems.
  • Avoid contact with criminals – Criminals use psychological tactics to extort as much money as possible in the shortest possible time. The fact that the victim is emotionally involved with the incident makes them an easy target.
  • Don’t negotiate with the criminals – The group gives no guarantee that the decryption key will be released after the ransom is paid; you have only the criminals’ word for it. Besides, the payment will fund the group for further attacks.
  • Contact government authorities – The government has agencies that specialize in combating cyber attacks, which will investigate the case.
  • Contact a company that specializes in decrypting ransomware files – RansomHunter is able to decrypt ransomware files without the need for the decryption key; its solutions are an alternative to paying the ransom.

After the first contact and the sending of the data, we diagnose the files to check the extent of the damage caused by the ransomware. With this, we can project the duration of the process and provide the budget.

After the client approves the budget, we start the decryption process. For this we have exclusive software that can, with the help of our specialists, reconstruct the data.

After the end of the process, we do a double check so that the client can verify the integrity of the recovered files.

Payment is only made after delivery of the files and their validation by the client.
