LockBit
aka ABCD ransomware · LockBit Black · LockBit Green
A ransomware-as-a-service operation that became the most deployed ransomware strain worldwide, known for fast encryption, an affiliate model, and double extortion.
LockBit launched in September 2019 (originally "ABCD" ransomware) and grew into the dominant ransomware-as-a-service (RaaS) brand, responsible for a large share of global ransomware attacks between 2022 and 2024. Its operators recruited affiliates who carried out intrusions and split the ransom.
Why it dominated
- Speed — LockBit consistently benchmarked among the fastest encryptors, shortening defenders' response window.
- Affiliate tooling — a polished affiliate panel, the StealBit exfiltration tool, and even a bug-bounty program.
- Double extortion — stolen data was published on a leak site if victims refused to pay.
Major versions
The codebase evolved through several generations; the most significant is documented separately as LockBit 3.0.
Takedown
In February 2024, Operation Cronos — an international effort led by the UK NCA and Europol — seized LockBit's infrastructure, affiliate panel, and decryption keys.

Incident timelines for specific LockBit victims are tracked on Cyber Breaches. For the encryptor's internals and anti-analysis tricks, see the Reverse Engineering Hub.