Threat Actor

LockBit Operators

lockbit_operators · russia_speaking_cybercrime · active since 2019

LockBit Operators (LockBit / LockBitSupp / Bitwise Spider / Storm-0506 / Syrphid / G1004) is the longest-running modern ransomware-as-a-service operation in the publicly-tracked record, active from September 2019 through approximately February 2024 (Operation Cronos disruption), with substantially-degraded residual operations continuing subsequently. The cluster operated from Russia and adjacent post-Soviet states. Pre-disruption documentation records compromise of more than two thousand organizations globally and estimated ransom collection exceeding five hundred million US dollars across the LockBit 1.0 - 2.0/Red - 3.0/Black - Green - Linux/ESXi/macOS variant evolution, including an operationally-mature bug-bounty program offering up to $1M USD for vulnerabilities in the LockBit codebase.

The cluster has the strongest formal-attribution profile of any ransomware-as-a-service operation in the publicly-tracked record, grounded in two operationally consequential 2024 Western law-enforcement actions: (1) Operation Cronos (February 19-20, 2024), a coordinated UK NCA + FBI + Europol + ten-country (UK, US, Australia, Canada, Finland, France, Germany, Japan, Sweden, Switzerland, Netherlands) operation that seized 34 servers, took control of the LockBit leak site, seized 200 cryptocurrency wallets, recovered 1000+ decryption keys, and produced 2 arrests (Poland, Ukraine); it is the most operationally consequential international counter-ransomware action in the publicly-tracked record.

(2) The May 7, 2024 US DOJ indictment of Dmitry Yuryevich Khoroshev (Russian national, born April 17, 1993, resident of Voronezh) as LockBit administrator "LockBitSupp" on 26 counts including conspiracy to commit fraud, extortion, and computer intrusion, accompanied by joint US Treasury OFAC, UK, and Australian sanctions designations and a $5M USD US State Department Rewards for Justice reward for information leading to arrest.

High-profile documented victims include Boeing (Oct 2023), the ICBC US financial services subsidiary (Nov 2023, disrupting US Treasury markets), Royal Mail UK (Jan 2023), TSMC supplier Kinmax (June 2023), Continental AG (Aug 2022), Accenture (Aug 2021), the City of Oakland (Feb 2023), and Foxconn Baja California (May 2022).

Category: russia_speaking_cybercrime · Confidence: high · 36 aliases

Profile

LockBit Operators (also tracked as LockBit, LockBitSupp, Bitwise Spider, Storm-0506, Syrphid, and MITRE ATT&CK G1004) is the longest-running modern ransomware-as-a-service operation in the publicly-tracked record, active from September 2019 (initially under the "ABCD ransomware" naming) through approximately February 2024 (Operation Cronos disruption) with continued substantially-degraded residual operations subsequently. The cluster operated from Russia and adjacent post-Soviet states. Pre-disruption operations represent one of the most prolific ransomware operations in the publicly-tracked record with documented compromise of more than two thousand organizations globally and estimated ransom collection exceeding five hundred million US dollars.

The cluster has the strongest formal-attribution profile of any ransomware-as-a-service operation in the publicly-tracked record, grounded in two operationally consequential 2024 Western law-enforcement actions. First, Operation Cronos (February 19-20, 2024), the most operationally consequential international counter-ransomware action in the publicly-tracked record. The coordinated UK National Crime Agency, FBI, Europol, and ten-country law-enforcement operation seized thirty-four servers across multiple jurisdictions, took control of the LockBit leak site (which law enforcement subsequently operated for public-information and victim-engagement purposes, including releasing decryption keys to past victims), seized two hundred cryptocurrency wallets, recovered approximately one thousand decryption keys offered to past victims, and produced two arrests (Poland and Ukraine). The operation substantially degraded LockBit operational capability but did not fully eliminate operations.

Second, the May 7, 2024 US DOJ unsealing of the indictment of Dmitry Yuryevich Khoroshev (Russian national, born April 17, 1993, resident of Voronezh, Russia), charged as the LockBit administrator operating under the alias "LockBitSupp" with twenty-six counts including conspiracy to commit fraud, extortion, and computer intrusion. The indictment was accompanied by US Treasury OFAC, UK Office of Financial Sanctions Implementation, and Australian Department of Foreign Affairs and Trade joint sanctions designations and a five million US dollar US State Department reward for information leading to Khoroshev's arrest. Khoroshev remains in Russia and has not been arrested or extradited.

Pre-disruption operational lifespan was characterized by sustained capability development across multiple major ransomware-variant releases:
  • LockBit 1.0 (September 2019, initially as "ABCD ransomware")
  • LockBit 2.0 / Red (June 2021), introduced the StealBit data-exfiltration tool for double-extortion operations.
  • LockBit 3.0 / Black (June 2022), introduced bug-bounty program (up to $1M USD for vulnerabilities in LockBit codebase, unusual among ransomware operations and an indicator of operational maturity)
  • LockBit Green (January 2023), variant based on leaked Conti codebase from May 2022 ContiLeaks exposure.
  • LockBit Linux variants (2022-2023), targeting Linux servers and VMware ESXi hypervisors common in enterprise virtualized environments.
  • LockBit macOS variant (selectively, 2023)

Operationally the cluster ran a sophisticated ransomware-as-a-service affiliate program with branded marketing, technical support for affiliates, financial-management infrastructure for ransom collection and affiliate-cut distribution, and unusual operational discipline including the bug-bounty program. LockBit's operational sophistication exceeded most peer ransomware-as-a-service operations and represented industry-leading mature ransomware-business operations.

High-profile documented victims across the operational lifespan include Boeing (October 2023), the Industrial and Commercial Bank of China financial services US subsidiary (November 2023, disrupting US Treasury markets and operationally consequential for broader financial-system risk attention), Royal Mail UK (January 2023), TSMC supplier Kinmax Technology (June 2023), Continental AG (August 2022), Accenture (August 2021, subsequently contested by Accenture), the City of Oakland (February 2023), Foxconn Baja California (May 2022), and hundreds of additional organizations across multiple verticals.

A handful of operational notes:

First, the cluster represents one of the most operationally significant counter-ransomware case studies of the 2019-2024 publicly-tracked era. Operation Cronos demonstrated that sustained coordinated multi-country law-enforcement action can substantially degrade even the most operationally sophisticated ransomware operations. The post-Cronos attempted revival also demonstrated cluster resilience: LockBit administrators attempted to continue operations within days of the seizure, though operations have been substantially degraded subsequently. The case provides important operational data points for ongoing counter-ransomware policy and operations.

Second, the cluster's analytical profile differs from peer financially-motivated organized cyber-criminal clusters covered in this corpus in several ways: operational model (pure ransomware-as-a-service vs FIN7's broader cybercrime portfolio, Wizard Spider's multi-era TrickBot-then-ransomware operations, and Scattered Spider's social-engineering-anchored operations), operational duration (longest-running modern ransomware operation at 4+ years pre-disruption), and operational sophistication (industry-leading mature ransomware-business operations including the bug-bounty program). The cluster is the central reference for understanding modern ransomware-as-a-service operations.

Third, the post-Cronos operational status warrants continued analytical attention. LockBit administrators publicly attempted to continue operations despite the substantial law-enforcement pressure, and continued residual operations have been documented through 2024-2025. Whether the cluster will fully reconstitute operational capability, persist as substantially-degraded operations, or eventually wind down remains analytically open.

Fourth, the Khoroshev indictment + sanctions + reward combination represents one of the most operationally significant individual-operator attribution events in the publicly-tracked cyber-criminal cluster record and provides a meaningful reference for ongoing attribution-and-enforcement policy. The five million US dollar State Department reward demonstrates sustained Western policy attention to the cluster.

Aliases

36 aliases: lockbit, lock bit, lock_bit, lockbit operators, lockbit_operators, lockbit gang, lockbit_gang, lockbitsupp, lockbit supp, lockbit_supp, bitwise spider, bitwise_spider, bitwisespider, storm-0506, storm 0506, storm_0506, syrphid, lockbit 2.0, lockbit_2_0, lockbit red, lockbit_red, lockbit black, lockbit_black, lockbit 3.0, lockbit_3_0, lockbit green, lockbit_green, lockbit linux, lockbit_linux, lockbit esxi, lockbit_esxi, abcd ransomware, abcd_ransomware, g1004, atk 211, atk211

Notable Campaigns

10 campaigns:
  • 2024 · Operation Cronos, Coordinated International Disruption (February 19-20, 2024)
  • 2024 · US DOJ Indictment of Dmitry Khoroshev as LockBitSupp (May 7, 2024)
  • 2024 · LockBit Attempted Revival and Continued Residual Operations (February 2024 onward)
  • 2023 · LockBit Green Release (January 2023)
  • 2023 · CISA + FBI + Multi-State-ISAC AA23-075A LockBit Cybersecurity Advisory (March 16, 2023)
  • 2022-2023 · LockBit Linux + ESXi + macOS Variants (2022-2023)
  • 2022 · LockBit 3.0 (Black) Release (June 2022)
  • 2021 · LockBit 2.0 (Red) Release (June 2021)
  • 2020-2024 · High-Profile Victims (2020-2024)
  • 2019 · ABCD Ransomware Emergence and LockBit 1.0 (September 2019)

Attribution & Reporting

Attributed by
UK National Crime Agency (NCA), FBI Cyber Division, Europol European Cybercrime Centre (EC3), US Department of Justice, US Treasury OFAC, UK Office of Financial Sanctions Implementation, Australian Department of Foreign Affairs and Trade, Australian Federal Police, Canadian Centre for Cyber Security, French National Cybersecurity Agency (ANSSI), German Federal Criminal Police Office (BKA), CISA (US Cybersecurity and Infrastructure Security Agency), Mandiant / Google Cloud Threat Intelligence, Microsoft Threat Intelligence Center, CrowdStrike, Recorded Future Insikt Group, SentinelOne, Sophos, Trend Micro, Kaspersky GReAT, Group-IB, PRODAFT, Coveware, Halcyon, Trustwave SpiderLabs, Trellix, Cybereason, DFIR Report
Key reporting
  • CISA + FBI + Multi-State-ISAC: AA23-075A LockBit Cybersecurity Advisory (March 16, 2023)
  • UK NCA: NCA Leads International Investigation Targeting World's Most Harmful Ransomware Group (February 20, 2024), Operation Cronos announcement
  • US DOJ: Justice Department Disrupts Prolific LockBit Ransomware Group (February 20, 2024), Operation Cronos US announcement
  • US DOJ: US Charges Russian National Developing and Operating LockBit Ransomware (May 7, 2024), Khoroshev indictment
  • Europol: Law Enforcement Disrupt World's Biggest Ransomware Operation (February 20, 2024)
  • FBI: FBI and International Partners Disrupt LockBit (February 20, 2024)
  • US Treasury OFAC: Treasury Sanctions LockBit Ransomware Administrator (May 7, 2024)
  • US State Department Rewards for Justice: Reward Offer for Information on LockBit Leader (May 7, 2024), $5M USD reward
  • CrowdStrike: Bitwise Spider LockBit Ransomware Tracking (multiple years)
  • Microsoft Threat Intelligence: Storm-0506 / LockBit Tracking
  • Mandiant: LockBit Ransomware Operational Tracking
  • Trend Micro: Ransomware Spotlight LockBit
  • Cisco Talos: LockBit 3.0 Deep Dive
  • Recorded Future Insikt Group: LockBit Ransomware Tracking (multiple years)
  • Sophos: LockBit Continued Tracking
  • Coveware: LockBit Ransomware Affiliate Tracking
  • Halcyon: LockBit Operational Profile
  • PRODAFT: LockBit Detailed Operational Analysis
  • Malpedia Actor Profile: LockBit
  • MITRE ATT&CK Group G1004, LockBit

Operational

State sponsor

LockBit Operators is a financially-motivated organized cyber-criminal cluster, not a state-aligned cluster, operating predominantly from Russia and adjacent post-Soviet states. The cluster operated the longest-running modern ransomware-as-a-service operation in the publicly-tracked record from September 2019 through approximately February 2024 (Operation Cronos disruption) with continued substantially-degraded residual operations subsequently. The cluster has the strongest formal-attribution profile of any ransomware-as-a-service operation in the publicly-tracked record, grounded in the most operationally consequential international counter-ransomware action to date: Operation Cronos (February 19-20, 2024), a coordinated UK National Crime Agency, US Federal Bureau of Investigation, Europol, and ten-country (UK, US, Australia, Canada, Finland, France, Germany, Japan, Sweden, Switzerland, plus Netherlands) law-enforcement operation that seized LockBit operational infrastructure including thirty-four servers across multiple jurisdictions, took control of the LockBit leak site (which law enforcement subsequently operated for public-information and victim-engagement purposes), seized two hundred cryptocurrency wallets, recovered approximately one thousand decryption keys offered to past victims, and produced two arrests (Poland and Ukraine).

Subsequent operationally consequential law-enforcement action included the May 7, 2024 unsealing of the US DOJ indictment of Dmitry Yuryevich Khoroshev (Russian national, born April 17, 1993, resident of Voronezh, Russia), charged as the LockBit administrator operating under the alias "LockBitSupp" with twenty-six counts including conspiracy to commit fraud, extortion, and computer intrusion. The Khoroshev indictment was accompanied by US, UK, and Australian sanctions designations and a five million US dollar US State Department reward for information leading to his arrest. The cluster's pre-disruption operational lifespan represents one of the most prolific ransomware operations in the publicly-tracked record, with documented compromise of more than two thousand organizations globally and estimated ransom collection exceeding five hundred million US dollars.

Motivations
financial_gain, financially_motivated, cybercrime, ransomware_deployment, extortion, double_extortion, triple_extortion, ransomware_as_a_service_operations, affiliate_program_operations

Detection Blind Spots

60 mapped techniques. Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
  • Behavioral / log (Sigma): 56/60 · 93%
  • Analytics (MITRE CAR): 29/60 · 48%
  • Runtime / container (Falco): 7/60 · 11%
  • File / malware (YARA): 0/60 · 0%
  • Network (Suricata/Snort): 15/60 · 25%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques. Runnable Atomic Red Team tests covering this actor's mapped techniques, to validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

3 mapped. Other tooling / TTPs (curation, not ATT&CK-mapped): MEGA NZ, Meterpreter, MSHTA, SharpHound, Splashtop abuse, StealBit exfiltration tool
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin