Ransomware Profile: LockBit


LockBit is a strain of ransomware that blocks users from accessing infected systems until the requested ransom payment has been made. It has been highly active since it emerged in September 2019 and has impacted thousands of organizations around the world. Many of LockBit’s attack functions are automated, making it one of the most efficient ransomware variants on the market.

What is LockBit?

LockBit is a ransomware variant that encrypts files using AES encryption and demands a large ransom (typically high five-figures) for their decryption. Whereas most modern strains of ransomware are manually operated, LockBit’s processes are largely automated, which allows the ransomware to propagate and infect other hosts with minimal human oversight after the initial point of compromise.

LockBit operates under the ransomware-as-a-service (Raas) business model, whereby ransomware developers lease their ransomware to affiliates who receive a portion of ransom payments received from the attacks they carry out.

Double extortion, in which threat actors use stolen data to pressure victims into paying the ransom, has become standard procedure among most ransomware groups and LockBit is no exception.

The history of LockBit

LockBit was first observed in September 2019. It was originally known as ABCD ransomware due to the .abcd file extension that older versions of the ransomware would append to encrypted files. In later versions, the file extension was changed to .LockBit.

In May 2020, LockBit began working with Maze in what some referred to as a “ransomware cartel”. It is believed that the two groups shared tactics and resources, with LockBit using Maze’s leak site to publish stolen files. LockBit went on to launch its own leak site in September 2020.

In August 2020, INTERPOL warned of a spike in LockBit attacks on medium-sized companies in the Americas as part of its Cybercrime: Covid-19 Impact report (Note: link starts PDF download).

In June 2021, LockBit launched LockBit 2.0 along with an advertising campaign to recruit new affiliates.

Since LockBit was first discovered, there have been 9,955 submissions to ID Ransomware, an online tool that helps the victims of ransomware identify which ransomware has encrypted their files. We estimate that only 25 percent of victims make a submission to ID Ransomware, which means there may have been a total of 39,976 LockBit incidents since the ransomware’s inception.

LockBit’s affiliate program

As is the case with other RaaS operations, affiliates keep 70 to 80 percent of the proceeds of attacks with the balance being retained by LockBit’s developers.

In an attempt to recruit affiliates, the developers have benchmarked LockBit’s encryption performance against multiple other types of ransomware. LockBit also claims to offer the fastest data exfiltration on the market through StealBit, a data theft tool that can allegedly download 100 GB of data from compromised systems in under 20 minutes.

LockBit Encryption Speed Comparison Table

LockBit Download Speed Comparison Table

LockBit ransom note

After the encryption process is complete, LockBit drops a ransom note called “Restore-My-Files.txt” in all infected directories and changes the desktop wallpaper on the target system. The note contains instructions on how to make payment and warns the victim to avoid using third-party decryption software and recovery services. The ransom note also contains a link to a payment portal where victims can “Chat with support” and access a one-time free decryption to verify that the attackers have a legitimate copy of the decryption key.

Below is a sample LockBit ransom note:

All your important files are encrypted!


Any attempts to restore your files with the thrid-party software will be fatal for your files!



There is only one way to get your files back:


1) Through a standard browser(FireFox, Chrome, Edge, Opera)

| 1. Open link [REDACTED]

| 2. Follow the instructions on this page


2) Through a Tor Browser – recommended

| 1. Download Tor browser – hxxps://www.torproject.org/ and install it.

| 2. Open link in TOR browser – [REDACTED]

This link only works in Tor Browser!

| 3. Follow the instructions on this page


### Attention! ###


# [REDACTED] may be blocked. We recommend using a Tor browser to access the site

# Do not rename encrypted files.

# Do not try to decrypt using third party software, it may cause permanent data loss.

# Decryption of your files with the help of third parties may cause increased price(they add their fee to our).

# Tor Browser may be blocked in your country or corporate network. Use hxxps://bridges.torproject.org or use Tor Browser over VPN.

# Tor Browser user manual hxxps://tb-manual.torproject.org/about

Who does LockBit target?

LockBit targets organizations of all sizes, from small businesses to corporate enterprises. Industries most heavily impacted by LockBit include software and services, commercial and professional services, transportation, manufacturing, and consumer services.

Before the encryption process begins, LockBit verifies the location of the compromised system. If the system is determined to reside in the Commonwealth of Independent States, the ransomware automatically aborts. This is likely to avoid gaining the attention of law enforcement authorities in that region.

How does LockBit spread?

As noted earlier, LockBit attacks are largely automated, allowing threat actors to operate with a high level of efficiency and progress from initial access to ransomware execution in a matter of hours. For context, most ransomware groups will spend days or even weeks in the target network before executing the ransom payload.

The LockBit attack chain begins by gaining access to the target network, typically via compromised remote desktop protocol, phishing campaigns, credential stuffing or exploiting known security vulnerabilities. The malware then prepares the target environment by disabling security services, dropping keyloggers, deleting shadow copies and enumerating all accessible directors and network shares. Prior to encryption, high-value data is exfiltrated to hosting services such as MEGA’s cloud storage platform. The stolen data is used as additional leverage to coerce victims into paying the ransom.

Once the exfiltration process is complete, attackers generate a unique LockBit sample from the LockBit management panel, which is accessible to all affiliates. This sample is then manually executed inside the target system, encrypting the victim’s files and delivering the ransom note.

As LockBit operates as a RaaS and can be distributed by many different affiliates, the exact anatomy of an attack can vary from incident to incident.

Major LockBit attacks

How to protect the network from LockBit and other ransomware

The following practices may help organizations reduce the risk of a LockBit incident.

How to remove LockBit and other ransomware

LockBit uses encryption methods that currently make it impossible to decrypt data without paying for an attacker-supplied decryption tool.

Victims of LockBit should be prepared to restore their systems from backups, using processes that should be defined in the organization’s incident response plan. The following actions are recommended:

Identify and strengthen vulnerabilities to reduce the risk of a repeat incident.

How Emsisoft can help you

The ransom is not the only expense you’ll have to pay should you get hit by ransomware like LockBit. Downtime, legal, credit monitoring, and data recovery (or permanent data loss) are just some of the other associated costs that come with a ransomware attack.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial


Emsisoft Malware Lab

Emsisoft Malware Lab

The Lab team is a group of cybersecurity researchers whose mission is to enhance protection in Emsisoft products, help organizations respond to security incidents and create analysis that helps decision-makers understand the threat landscape.

What to read next