Aliases  

  • ABCD ransomware  
  • LockBit 2.0   
  • LockBit Black (3.0)  
  • LockBit Green  
  • LockBit 5.0


 

Profiling  

Threat Actor Type: Ransomware-as-a-Service (RaaS) with global affiliate network.  

Figure 1: Key operator of LockBit, Dmitry Yuryevich Khoroshev.

Demographics:   

  • Key Operator: Dmitry Yuryevich Khoroshev (“LockBitSupp”) 
  • Russian national, born 17 April 1993.   
  • Aliases: Dmitrii Yuryevich Khoroshev, Dmitriy Yurevich, “LockBitSupp.” 
  • Subject of U.S. federal indictment and international sanctions. 

Affiliate Structure:   

  • Lite Panel ($777 fee): Entry-level access for newer or inexperienced affiliates.
  • Full Panel: Higher-tier affiliates with more advanced capabilities. 

Communications and Infrastructure 

Figure 2: LockBit affiliate rules.

  • TOX messenger IDs. 
  • Dedicated onion sites for negotiations and data leaks. 
  • Social media accounts (Twitter/X) used for announcements and publicity. 

Expertise:   

  • Highly automated ransomware deployment 
  • Sophisticated affiliate program to expand reach 
  • Consistent targeting of virtualization environments (especially VMware ESXi) 

 

Motivation  

  • Primary driver: Financial gain 
    • After hacking LockBit’s infrastructure, law enforcement obtained 30,000 Bitcoin addresses used for managing the group’s profits from ransom payments… More than 500 of these addresses are active on the blockchain and received over $125 million (at current Bitcoin value) between July 2022 and February 2024. 
  • Secondary driver: Notoriety 
    • Publicly stated ambition from Khoroshev on a DarkWeb Hacker Forum: “The ultimate goal is to attack 1 million companies. If my goal was money, I would have retired a long time ago.” 

 

Timeline  

2019–2020 – Threat Actor Emergence 

  • LockBit ransomware emerges as a Ransomware-as-a-Service (RaaS) offering. 
  • Gains recognition for its double extortion tactics (data theft combined with encryption). 

2021–2022 – Rise to notoriety  

  • LockBit rises to prominence, surpassing groups like Conti after Conti’s dissolution. 
  • Releases LockBit 2.0 and 3.0, providing affiliates with customizable ransomware builds. 
  • Conducts major campaigns against healthcare, government, manufacturing, and critical infrastructure. 

2023 – Continued Operations 

  • Law enforcement begins ramping up joint efforts against RaaS ecosystems, identifying LockBit as one of the most prolific ransomware operations globally. 
  • LockBit leaks data from several high-profile organizations, including Royal Mail, Continental, and financial firms. 

February 2024 – Operation Cronos 

  • An international law enforcement coalition (Europol, FBI, NCA UK, and others) launches Operation Cronos. 
  • LockBit’s dark web leak site is seized and replaced with a takedown banner. 
  • Authorities obtain internal data, affiliate panels, negotiation logs, and decryption keys for some victims. 
  • Affiliates and operators are unmasked, with arrests made in multiple jurisdictions. 

May 7, 2024 – Identity Exposure 

  • Law enforcement confirms the identity of “LockBitSupp” as Dmitry Yuryevich Khoroshev, a Russian national.  
  • The U.S. issues a federal indictment and sanctions, publishing detailed personal information including passports, emails, and aliases. 

May 7, 2025 – Database Leak 

  • An unknown individual leaks a MySQL database from LockBit’s infrastructure. 

Current Status (as of Sept 2025)

Despite major disruptions from Operation Cronos and internal leaks, LockBit has resurfaced with a technically refined variant: LockBit 5.0. This version includes advanced cross-platform support for Windows, Linux, and VMware ESXi, showing the group’s continued ability to evolve even as its reputation declines.

  • No high-profile breaches have yet been attributed to LockBit 5.0.
  • Leak infrastructure remains online, with the familiar “Chat with Support” portal intact.
  • Affiliates appear hesitant, but the tooling is more capable than ever. Security teams should treat LockBit 5.0 as a credible threat.

Figure 3: ESXi LockBit variant options

Tactics & Techniques 

Initial Access 

  • Exploit Public-Facing Application — T1190 
  • Phishing / Spearphishing — T1566 
  • Valid Accounts — T1078 

Execution 

  • Command and Scripting Interpreter: Windows Command Shell — T1059.003 
  • System Services: Service Execution — T1569.002 

Persistence & Privilege Escalation 

  • Boot or Logon Autostart Execution — T1547 
  • Abuse Elevation Control Mechanism — T1548 

Defense Evasion 

  • Impair Defenses: Disable/Modify Tools — T1562.001 
  • Indicator Removal: Clear Event Logs — T1070.001 

Credential Access 

  • OS Credential Dumping (LSASS / Mimikatz) — T1003 / T1003.001 

Lateral Movement 

  • Remote Services (RDP, SMB shares) — T1021.001 / T1021.002 

Exfiltration 

  • Exfiltration to Cloud Storage (rclone, MEGA) — T1567.002 

Impact 

  • Data Encrypted for Impact (includes VMware/ESXi) — T1486 

 

Victim Experience 

  1. The victim experiences a ransomware attack carried out by a LockBit affiliate and receives payment and communication instructions via a ransom note.  
  2. The note contains a uniquely generated “Decryption ID” associated with that specific ransomware event.  
  3. Upon visiting one of the “onion” links, the victim is presented with a “verification” portal where they enter their unique Decryption ID and solve a CAPTCHA (intended to prevent DDoS/bot attacks from competitors). 
  4. Once verified through the portal, the victim initiates communication with the LockBit actor, who provides further payment instructions, conducts negotiations, and even provides a degree of technical support to secure the requested funds. 
  5. If the victim fails to meet the negotiation requirements within the given timeframe, the LockBit actor begins posting seized company data in the Data Leak Site (DLS) section of their webpage. 

Figure 4: LockBit onion links.

Defensive Recommendations Against LockBit 

  • Enforce multi-factor authentication (MFA) on all remote access points 
  • Monitor VMware ESXi for unusual CLI activity (shutdowns, snapshot deletions, encryption commands) 
  • Patch all known exploited vulnerabilities immediately 
  • Apply network segmentation to limit initial compromise and/or lateral movement 
  • Maintain offline, regularly tested backups of critical systems and virtual machines 
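The ESXi monitoring recommendation above can be turned into a concrete detection. The following is an added example written for this page, not code from the original profile or from any vendor: it parses lines in the format ESXi writes to /var/log/shell.log (timestamp, shell PID, user, command), applies a small rule set for the activity the recommendation names (VM inventory, power-off, snapshot removal, syslog tampering, firewall disabling, and openssl run against datastore paths), and adds a burst rule that fires when several distinct VMs are powered off within a short window. The rule names, thresholds, and the sample log excerpt are all constructed assumptions for the example; tune them to your environment.

```python
import re
from datetime import datetime, timedelta

# ESXi records every interactive shell command in /var/log/shell.log as:
#   <ISO8601 timestamp> shell[<pid>]: [<user>]: <command line>
SHELL_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)

# Detection rules (name, pattern over the command, severity). These are
# example heuristics, not a vendor rule set; map them to the recommendation
# to watch ESXi hosts for shutdowns, snapshot deletions and encryption.
RULES = [
    ("vm-inventory", re.compile(r"vim-cmd\s+vmsvc/getallvms"), "low"),
    ("vm-power-off", re.compile(r"vim-cmd\s+vmsvc/power\.off\s+\d+"), "medium"),
    ("vm-process-kill", re.compile(r"esxcli\s+vm\s+process\s+kill"), "medium"),
    ("snapshot-removeall", re.compile(r"vim-cmd\s+vmsvc/snapshot\.removeall"), "high"),
    ("syslog-tamper", re.compile(r"esxcli\s+system\s+syslog\s+config\s+set"), "high"),
    ("firewall-disable", re.compile(r"esxcli\s+network\s+firewall\s+set\s+--enabled\s+false"), "high"),
    ("openssl-on-datastore", re.compile(r"openssl\s+enc.*/vmfs/volumes"), "critical"),
]

# Burst rule: this many distinct VMs powered off inside the window is
# treated as a mass shutdown (assumed thresholds, adjust per environment).
POWER_OFF_RE = re.compile(r"vim-cmd\s+vmsvc/power\.off\s+(\d+)")
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 3

# Constructed sample excerpt in shell.log format; not real telemetry.
SAMPLE_SHELL_LOG = """\
2025-09-20T01:02:03Z shell[2101234]: [root]: esxcli system version get
2025-09-20T01:02:40Z shell[2101234]: [root]: vim-cmd vmsvc/getallvms
2025-09-20T01:03:05Z shell[2101234]: [root]: esxcli system syslog config set --loghost=
2025-09-20T01:03:11Z shell[2101234]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2025-09-20T01:03:15Z shell[2101234]: [root]: vim-cmd vmsvc/power.off 12
2025-09-20T01:03:17Z shell[2101234]: [root]: vim-cmd vmsvc/power.off 13
2025-09-20T01:03:19Z shell[2101234]: [root]: vim-cmd vmsvc/power.off 14
2025-09-20T01:04:02Z shell[2101234]: [root]: openssl enc -aes-256-cbc -in /vmfs/volumes/ds1/web01/web01-flat.vmdk -out /vmfs/volumes/ds1/web01/web01-flat.vmdk.enc
not a shell.log line
"""


def parse_line(line):
    """Parse one shell.log line into a dict; return None for non-matching lines."""
    m = SHELL_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_mass_shutdown(power_offs):
    """Emit one alert per burst of >= BURST_THRESHOLD distinct VMs within BURST_WINDOW."""
    alerts, window = [], []
    for ts, vmid, user in sorted(power_offs):
        window.append((ts, vmid))
        window = [(t, v) for t, v in window if ts - t <= BURST_WINDOW]
        if len({v for _, v in window}) >= BURST_THRESHOLD:
            alerts.append({"rule": "mass-vm-shutdown", "severity": "critical", "ts": ts,
                           "user": user, "cmd": f"{len(window)} VMs powered off within {BURST_WINDOW}"})
            window = []  # reset so one burst produces one alert
    return alerts


def evaluate(log_text):
    """Run every rule over a shell.log excerpt and return the list of alerts."""
    alerts, power_offs = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not shell.log command records
        for name, pattern, severity in RULES:
            if pattern.search(rec["cmd"]):
                alerts.append({"rule": name, "severity": severity, "ts": rec["ts"],
                               "user": rec["user"], "cmd": rec["cmd"]})
        m = POWER_OFF_RE.search(rec["cmd"])
        if m:
            power_offs.append((rec["ts"], m.group(1), rec["user"]))
    alerts.extend(detect_mass_shutdown(power_offs))
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_SHELL_LOG):
        print(f"{a['ts'].isoformat()} [{a['severity']:>8}] {a['rule']}: {a['cmd']}")
```

On the constructed sample the rules produce eight alerts: the inventory listing, the syslog change, the snapshot removal, three individual power-offs, the openssl run against a datastore path, and one mass-shutdown burst. In practice, ship shell.log (and hostd.log, which records the same operations when performed through the API rather than the shell) to a central collector before applying rules like these, since the syslog-tamper rule exists precisely because an intruder may cut that feed.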

 

References  

CBC/Radio Canada. (2023, February 2). Intelligence Agency says Ransomware Group with Russian ties poses “an enduring threat” to Canada | CBC news. CBCnews. https://www.cbc.ca/news/politics/cse-lockbit-threat-1.6734996 

CISA. (2023, June 14). Understanding Ransomware Threat Actors: LockBit | CISA. www.cisa.gov. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a 

DiMaggio, J. (2024, May 7). Ransomware Diaries Volume 5: Unmasking LockBit. Analyst1. https://analyst1.com/ransomware-diaries-volume-5-unmasking-lockbit-2/ 

Ilascu, I. (2024, February 23). LockBit ransomware gang has over $110 million in unspent bitcoin. BleepingComputer. https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-has-over-110-million-in-unspent-bitcoin/ 

Law enforcement disrupt world’s biggest ransomware operation. (2024, February 20). Europol. https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation 

Lockbit 4.0 ransomware. (2025). Broadcom.com. https://www.broadcom.com/support/security-center/protection-bulletin/lockbit-4-0-ransomware 

Mann, B. (2025, September 25). LockBit 5.0 Ransomware Surfaces With Support for Windows, Linux, and ESXi. CyberInsider. https://cyberinsider.com/lockbit-5-0-ransomware-surfaces-with-support-for-windows-linux-and-esxi/

Trend Micro Research. (2024, May 7). Ransomware Spotlight: LockBit – Security News. www.trendmicro.com. https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit 

U.S. Charges Russian National with Developing and Operating LockBit Ransomware. (2024, May 7). Justice.gov. https://www.justice.gov/archives/opa/pr/us-charges-russian-national-developing-and-operating-lockbit-ransomware