LockBit unlocked: the rise, evolution, and global impact of ransomware’s most prolific syndicate
CybersecurityHQ Report - Pro Members

Executive Summary
LockBit has established itself as the world's most prolific ransomware-as-a-service (RaaS) operation, responsible for thousands of attacks globally since its emergence in 2019. Through multiple versions (1.0, 2.0, 3.0, and 4.0), LockBit has demonstrated sophisticated technical capabilities and business acumen in the cybercriminal ecosystem. Its RaaS model, where a core team develops malware while affiliates conduct attacks for a revenue share, has enabled rapid scaling and targeting across sectors including government, healthcare, manufacturing, and critical infrastructure.

LockBit's technical sophistication includes comprehensive tactics spanning the entire attack chain: exploiting remote access, phishing for initial entry, stealthy lateral movement, and "double-extortion" via data leaks. By 2022, LockBit accounted for 20-30% of all ransomware incidents in many regions, with over 1,600 victims publicly named through early 2023. Law enforcement mounted significant operations, including "Operation Cronos" in February 2024, which temporarily disrupted the group's infrastructure. A subsequent breach in May 2025 exposed internal operations and affiliate data, providing unprecedented intelligence.
For CISOs, LockBit's persistence presents substantial business and regulatory risks. Organizations face average breach costs of $4.45 million (excluding ransom payments), while governments increasingly sanction ransomware entities. Comprehensive defense strategies require multi-layered approaches: technical controls, network segmentation, immutable backups, and detailed incident response plans.
1. Introduction
Since emerging in late 2019, LockBit has evolved into what law enforcement authorities describe as "the world's most harmful cybercrime group." The syndicate's rapid rise stems from its technical innovation, effective RaaS business model, and adaptability to countermeasures. Where many ransomware groups have disappeared after law enforcement actions, LockBit has demonstrated remarkable resilience.
LockBit's RaaS model has democratized ransomware attacks by providing criminals with access to sophisticated malware and extortion infrastructure. This franchise-like approach enables a small core team to leverage numerous affiliates, expanding LockBit's reach far beyond what a single group could achieve. By mid-2023, LockBit had become the most widely deployed ransomware strain worldwide, causing billions in damages across sectors.
This paper provides a comprehensive analysis of LockBit's evolution, tactics, and global impact through mid-2025. We examine how the malware has progressed through four major versions, how its affiliate program operates, and what tactics affiliates employ. We then analyze victimology trends and major incidents, followed by recent law enforcement actions and intelligence leaks. Finally, we discuss business implications and provide strategic recommendations for strengthening organizational resilience.
2. Evolution of LockBit: From "ABCD" to LockBit 4.0
2.1 Origins and Early Development (2019-2020)
LockBit's origins trace to a ransomware variant known as "ABCD" first observed in September 2019. By January 2020, this code evolved into "LockBit 1.0," marking the beginning of the syndicate's branded operations. LockBit 1.0 focused on:
- Fast file encryption prioritizing speed to complete attacks before detection
- Automated network propagation to maximize infection spread
- Windows-focused targeting with specific avoidance of Russian-language systems
- Affiliate-based distribution model from inception
During this early period, LockBit established its presence on Russian-language cybercrime forums, recruiting initial affiliates and building operational infrastructure.
