Resources | Picus Security

LockBit Ransomware Gang

Written by Suleyman Ozarslan, PhD | Aug 22, 2022 6:06:12 PM

LockBit is a prominent ransomware group known for technically advanced, high-impact variants. Formerly known as ABCD ransomware, after the .abcd extension its early builds appended to encrypted files, LockBit operates a ransomware-as-a-service (RaaS) model: it recruits affiliates to run the intrusions and accelerates development of the malware through public bug-bounty-style programmes. The group advertises itself as the fastest-encrypting ransomware on the market, a claim that attracts a large affiliate base and increases the volume of attacks. LockBit relies on double extortion, combining data theft with file encryption so that even a victim who can restore from backups is still pressured to pay to keep the stolen data off the leak site. High-profile incidents have included Accenture, the Ministry of Justice in France, and Bangkok Airways.

LockBit affiliates use a broad playbook. Initial access typically comes from phishing, exposed remote services (RDP, VPN gateways and similar), valid accounts purchased from initial access brokers, or exploitation of known vulnerabilities in internet-facing systems. Once inside a network, operators perform discovery, move laterally, and escalate privileges using living-off-the-land binaries and common administration tools rather than bespoke malware, which keeps the activity looking like routine administration. Many intrusions include credential theft, the disabling of security software, and the deletion of backups and volume shadow copies so that recovery without paying is not possible; because these steps run shortly before encryption starts, they are the last reliable detection opportunity. LockBit variants support Windows, Linux, and VMware ESXi, so a single affiliate can encrypt workstations, servers, and hypervisors across a mixed environment. The operation maintains a leak site for publishing stolen data and manages negotiations through structured playbooks.

Organisations can reduce risk by enforcing multi-factor authentication, hardening and restricting remote access, patching exposed services, segmenting critical assets, keeping offline or immutable backups that an intruder with domain admin cannot delete, monitoring for data exfiltration, and continuously validating controls against real attacker techniques.
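The shadow-copy and backup deletion described above is one of the few pre-encryption steps that leaves a loud, predictable trace in process-creation telemetry. The following is an added example, not code from Picus or from any LockBit analysis: a small rule engine that scans Sysmon Event ID 1 / Windows 4688-style records for the widely documented recovery-inhibition one-liners (vssadmin, wmic shadowcopy, bcdedit, wbadmin, ATT&CK T1490) and for real-time protection being switched off via Set-MpPreference (T1562.001), then escalates a host on which several distinct rules fire. The event records are constructed for the demo, and the rule names, field layout and severity thresholds are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation records for the demo, NOT real telemetry.
# Each is (host, parent_image, image, command_line), the fields a Sysmon
# Event ID 1 or Windows Security 4688 forwarder typically provides.
SAMPLE_EVENTS = [
    ("ws01", "explorer.exe", "cmd.exe",
     "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ("srv02", "cmd.exe", "wmic.exe", "wmic shadowcopy delete"),
    ("srv02", "cmd.exe", "bcdedit.exe",
     "bcdedit /set {default} recoveryenabled no"),
    ("srv02", "cmd.exe", "wbadmin.exe", "wbadmin delete catalog -quiet"),
    ("ws03", "backupagent.exe", "vssadmin.exe", "vssadmin list shadows"),  # benign
    ("ws04", "explorer.exe", "notepad.exe", "notepad.exe report.txt"),     # benign
]

# Detection rules: (rule_name, ATT&CK technique, regex over the command line).
# The commands are the well-known recovery-inhibition and defence-tampering
# one-liners; the rule names are this example's own (assumed) labels.
RULES = [
    ("vssadmin_delete_shadows", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_shrink_shadowstorage", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*\bmaxsize=", re.I)),
    ("wmic_shadowcopy_delete", "T1490",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_disable_recovery", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin_delete_backups", "T1490",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("defender_realtime_off", "T1562.001",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
]


def match_rules(command_line):
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, _tech, rx in RULES if rx.search(command_line)]


def scan(events):
    """Run every rule over every event; one alert dict per (event, rule) hit."""
    alerts = []
    for host, parent, image, cmdline in events:
        for name, technique, rx in RULES:
            if rx.search(cmdline):
                alerts.append({"host": host, "parent": parent, "image": image,
                               "rule": name, "technique": technique,
                               "command_line": cmdline})
    return alerts


def host_severity(alerts):
    """Escalate a host when several distinct rules fire on it.

    A single shadow-copy deletion can be an administrator freeing disk space;
    a cluster of different recovery-inhibition commands on one host is the
    pre-encryption pattern worth paging on. The threshold of 2 is an assumption.
    """
    rules_per_host = defaultdict(set)
    for a in alerts:
        rules_per_host[a["host"]].add(a["rule"])
    return {host: ("high" if len(rules) >= 2 else "medium")
            for host, rules in rules_per_host.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["host"]:6} {a["technique"]:10} {a["rule"]:30} {a["command_line"]}')
    print(host_severity(found))
```

In production the same rules belong in the EDR or SIEM query language rather than a Python loop, but the shape carries over: match on the full command line rather than the image name (the deletion above is launched through cmd.exe and wmic.exe, not vssadmin.exe), keep a benign-listing exception like `vssadmin list shadows` from firing, and correlate per host, because the value is in the cluster of commands that precedes encryption, not in any one of them.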