mor3intel Threat Intelligence

LockBit

Status: active

Also known as: LockBit 3.0, LockBit Black

LockBit is a Ransomware-as-a-Service (RaaS) operation and has been one of the most prolific ransomware groups worldwide. It is known for fast encryption and double extortion: data is exfiltrated before encryption and published on the group's leak site if the victim does not pay. The core operators maintain the malware, the affiliate program and the leak site, while affiliates carry out the intrusions.

First Seen: 2019-09
Last Activity: 2025-01

Target Regions: 4 regions
Industries (5 sectors): Healthcare, Manufacturing, Financial Services, Government, Education

Tactics & Techniques
MITRE ATT&CK-mapped tactics and techniques used by this threat actor (reference for each row: MITRE ATT&CK)
Technique ID | Name | Tactic | Description
T1566 | Phishing | Initial Access | Sends malicious emails with weaponized attachments or links
T1190 | Exploit Public-Facing Application | Initial Access | Exploits vulnerabilities in internet-facing VPN, RDP, and web applications
T1059.001 | PowerShell | Execution | Uses PowerShell for payload execution and reconnaissance
T1003 | OS Credential Dumping | Credential Access | Dumps credentials from LSASS memory (sub-technique T1003.001, LSASS Memory)
T1486 | Data Encrypted for Impact | Impact | Encrypts files with AES and protects the AES keys with RSA
T1490 | Inhibit System Recovery | Impact | Deletes volume shadow copies and backup catalogs
Indicators of Compromise (IOCs)
Known IOCs associated with LockBit operations (values defanged)
Type | Value | Description | Last Seen
sha256 | a89f42c4e42a0f7d7d3e6e9f8e7f8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d | LockBit 3.0 ransomware executable | 2025-01-15
domain | lockbit-decryptor[.]top | Payment portal domain | 2025-01-10
ip | 185.220.101[.]1 | C2 server IP address | 2025-01-12
filename | lockbit.exe | Common payload filename | —
filename | restore-my-files.txt | Ransom note filename | —

IOC values are defanged ([.] in place of .). Refang them before loading into blocklists or SIEM watchlists, match IPs and domains as whole tokens so that a neighbouring address or a look-alike domain does not trigger, and treat the filename indicators as low-confidence on their own, since payload and ransom-note names are trivially changed or copied.
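The refang-and-match step described above, as an added example (not code from the mor3intel platform): the IOC values are the ones listed in the table, while the log lines, field names and hostnames are constructed for the demo. Each indicator is compiled into a whole-token pattern so that 185.220.101[.]1 does not fire on 185.220.101.10 and lockbit.exe does not fire on notlockbit.exe; domains also match their subdomains.

```python
"""Refang the defanged IOCs from the table above and match them against
constructed log lines. Added example, not part of the mor3intel platform; the
IOC values are copied from this page, the log lines and field names are invented."""
import re

# (type, value as listed on the page, description)
IOCS = [
    ("sha256", "a89f42c4e42a0f7d7d3e6e9f8e7f8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d",
     "LockBit 3.0 ransomware executable"),
    ("domain", "lockbit-decryptor[.]top", "Payment portal domain"),
    ("ip", "185.220.101[.]1", "C2 server IP address"),
    ("filename", "lockbit.exe", "Common payload filename"),
    ("filename", "restore-my-files.txt", "Ransom note filename"),
]


def refang(value):
    """Undo common defanging: [.] (.) {.} -> '.', [:] -> ':', hxxp -> http."""
    v = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", value)
    v = re.sub(r"\[:\]", ":", v)
    return re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.I)


def compile_matchers(iocs):
    """Build a whole-token regex per IOC so partial overlaps do not fire
    (185.220.101.1 must not match 185.220.101.10; lockbit.exe must not match
    notlockbit.exe). Domains also match their subdomains."""
    out = []
    for kind, value, desc in iocs:
        clean = refang(value)
        esc = re.escape(clean)
        if kind == "ip":
            pat = r"(?<![\d.])" + esc + r"(?![\d.])"
        elif kind == "domain":
            pat = r"(?<![\w.-])(?:[\w-]+\.)*" + esc + r"(?![\w.-])"
        elif kind == "sha256":
            pat = r"(?<![0-9a-f])" + esc + r"(?![0-9a-f])"
        else:  # filename: match the basename wherever it appears in a path
            pat = r"(?<![\w.-])" + esc + r"(?![\w.-])"
        out.append((kind, clean, desc, re.compile(pat, re.I)))
    return out


def scan(lines, matchers):
    """Return (line number, type, clean value, description) for each IOC hit."""
    return [(n, kind, clean, desc)
            for n, line in enumerate(lines, 1)
            for kind, clean, desc, rx in matchers if rx.search(line)]


def blocklist(iocs):
    """Clean network indicators, ready for a firewall/proxy deny list."""
    return [refang(v) for kind, v, _ in iocs if kind in ("ip", "domain")]


# Constructed sample log lines (proxy, DNS and EDR); lines 2 and 4 are near-misses.
LOGS = [
    "2025-01-12T10:01:03Z proxy src=10.0.5.23 dst=185.220.101.1:443 action=allow",
    "2025-01-12T10:01:04Z proxy src=10.0.5.24 dst=185.220.101.10:443 action=allow",
    "2025-01-12T10:02:11Z dns client=10.0.5.23 query=www.lockbit-decryptor.top type=A",
    "2025-01-12T10:02:12Z dns client=10.0.5.25 query=notlockbit-decryptor.top type=A",
    r"2025-01-12T10:03:00Z edr host=ws01 file=C:\Users\a\Downloads\lockbit.exe "
    "sha256=A89F42C4E42A0F7D7D3E6E9F8E7F8E9F0A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D",
    r"2025-01-12T10:05:42Z edr host=ws01 file=C:\Users\a\Desktop\Restore-My-Files.txt action=create",
]

if __name__ == "__main__":
    for hit in scan(LOGS, compile_matchers(IOCS)):
        print("HIT line", *hit)
    print("blocklist:", blocklist(IOCS))
```

Run as-is it reports five hits (lines 1, 3, 5, 5 and 6) and skips the two near-miss lines; the hash comparison is case-insensitive because EDR products differ in how they print digests.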

Detection Guidance
SIEM and EDR detection recommendations for identifying LockBit activity
  1. Monitor for shadow copy and backup catalog deletion: vssadmin.exe delete shadows, wmic shadowcopy delete, wbadmin delete catalog (T1490)
  2. Detect PowerShell launched with encoded commands (-EncodedCommand or its short forms -e/-ec/-enc followed by a Base64 blob), particularly from unusual parent processes (T1059.001)
  3. Alert on bcdedit.exe disabling recovery: recoveryenabled no, bootstatuspolicy ignoreallfailures (T1490)
  4. Monitor for mass file modifications on a single host: many files rewritten within minutes to one new, unfamiliar extension, combined with ransom-note creation (T1486)
  5. Detect credential dumping from LSASS: non-system processes opening lsass.exe with read or full access (Sysmon Event ID 10), and procdump or comsvcs.dll MiniDump invocations (T1003.001)
  6. Alert on disabling of Windows Defender or other AV, for example Set-MpPreference -DisableRealtimeMonitoring $true or the AV agent's service being stopped (T1562.001)
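The six recommendations above turned into runnable detection logic, as an added example that is not a mor3intel rule set: the event fields follow the Sysmon Event ID 1/10 and Windows 4688 layout, but every hostname, path, command line and file name in the sample telemetry is constructed, and the threshold, the extension allowlist and the LSASS access-mask set are illustrative choices to tune per environment.

```python
"""Behavioural detections for the LockBit techniques listed above, run over
constructed Windows telemetry. Added example, not a mor3intel rule set; the
dataclass fields mirror Sysmon Event ID 1/10 and Windows 4688 names, but the
hosts, paths, command lines and file names are invented for the demo."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    image: str                 # path of the created (or accessing) process
    cmdline: str = ""
    target_image: str = ""     # Sysmon Event ID 10: process being opened
    granted_access: str = ""   # Sysmon Event ID 10: requested access mask


def _img(e, *names):
    """True when the event's image path ends with one of the given binaries."""
    return e.image.lower().endswith(names)


def _has(e, pattern):
    """Case-insensitive regex test against the command line."""
    return re.search(pattern, e.cmdline, re.I) is not None


# (ATT&CK technique, rule name, predicate over a single event)
RULES = [
    ("T1490", "shadow copy / backup catalog deletion",
     lambda e: (_img(e, "vssadmin.exe") and _has(e, r"delete\s+shadows"))
            or (_img(e, "wmic.exe") and _has(e, r"shadowcopy\s+delete"))
            or (_img(e, "wbadmin.exe") and _has(e, r"delete\s+catalog"))),
    ("T1490", "boot recovery disabled via bcdedit",
     lambda e: _img(e, "bcdedit.exe")
            and _has(e, r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures")),
    ("T1059.001", "encoded PowerShell command",
     lambda e: _img(e, "powershell.exe", "pwsh.exe")
            and _has(e, r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")),
    ("T1562.001", "Defender real-time monitoring disabled",
     lambda e: _has(e, r"set-mppreference.*-disablerealtimemonitoring\s+\$?true")),
    ("T1003.001", "LSASS memory access (Sysmon ID 10)",
     lambda e: e.target_image.lower().endswith("lsass.exe")
            and e.granted_access.lower() in {"0x1010", "0x1410", "0x1fffff"}),
]

# Extensions a host may legitimately rewrite in bulk (illustrative allowlist).
COMMON_EXTS = {"txt", "log", "tmp", "docx", "xlsx", "pdf", "jpg", "png", "bak"}


def evaluate(proc_events):
    """Return (host, technique, rule) for every process event that trips a rule."""
    return [(e.host, tid, name) for e in proc_events
            for tid, name, pred in RULES if pred(e)]


def mass_rename_hosts(file_events, threshold=50):
    """T1486 heuristic: hosts that wrote more than `threshold` files carrying the
    same unfamiliar extension. file_events: iterable of (host, path)."""
    counts = Counter()
    for host, path in file_events:
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        counts[(host, ext)] += 1
    return sorted({host for (host, ext), n in counts.items()
                   if n > threshold and ext not in COMMON_EXTS})


# Constructed sample telemetry (not real LockBit artefacts).
SAMPLE_PROCS = [
    ProcEvent("ws01", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent("ws01", r"C:\Windows\System32\bcdedit.exe",
              "bcdedit /set {default} recoveryenabled No"),
    ProcEvent("ws02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcEvent("ws02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent("ws03", r"C:\Temp\procdump64.exe",
              target_image=r"C:\Windows\System32\lsass.exe", granted_access="0x1FFFFF"),
    ProcEvent("ws04", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows"),  # benign
]
# 60 files on ws01 rewritten with a placeholder extension; ws05 writes ordinary .txt files.
SAMPLE_FILES = ([("ws01", rf"C:\Share\doc{i}.docx.HLJkNskOq") for i in range(60)]
                + [("ws05", rf"C:\Users\a\log{i}.txt") for i in range(60)])

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_PROCS):
        print("ALERT", *hit)
    print("mass-rename hosts:", mass_rename_hosts(SAMPLE_FILES))
```

The benign `vssadmin list shadows` event on ws04 produces no alert, which is the point of matching the verb rather than the binary name alone; the mass-rename heuristic keys on count per (host, extension) because LockBit appends an extension the allowlist has never seen, so an extension-specific signature would be stale before it shipped.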
Mitigation, Containment & Recovery
Step-by-step guidance for responding to and recovering from this ransomware attack
  1. Isolate affected systems from the network immediately (pull the cable, move them to a quarantine VLAN, or use EDR network containment); do not power them off, since that destroys the volatile memory evidence preserved in step 4
  2. Disable RDP and other remote access services exposed to the internet until the entry point is understood
  3. Block known IOCs at the firewall and proxy, using the refanged values from the table above
  4. Preserve system memory and disk images for forensics before any remediation or rebuild
  5. Notify the incident response team and management

This platform is intended for defensive cybersecurity, incident response, and recovery purposes only. Information provided is for educational and defensive use.

@mor3cod3
© 2026 mor3intel