Skip to content

🇷🇺 LockBit

Threat-actor battle card · maintained from public sources · last updated 2026-06-22 · also known as LockBit 5.0, ABCD (origin)

CategoryRansomware-as-a-Service
AttributionRussia-affiliated (Russian-language system avoidance)
First seen2019 (as ABCD); LockBit 5.0 Sept 2025
StatusActive (rebuilt post-takedown)
Rank#1
Recent victims · last ~9d33
All-time victims311
Primary targetsCross-sector, Critical infrastructure, Virtualization (ESXi)

Overview

LockBit emerged in 2019 (initially "ABCD") and industrialised RaaS at scale before Operation Cronos seized its infrastructure in February 2024. It rebuilt within weeks; LockBit 5.0 was announced on the RAMP forum in September 2025 (the group's six-year anniversary) and a Christmas-themed 5.0 DLS launched December 2025, quickly posting 100+ alleged victims. Reported to have formed a formal alliance with Qilin and DragonForce. Currently rebuilt to a top-tier position (163 victims in Q1 2026); active again in June 2026.

Tradecraft

  • Cross-platform 5.0: Windows, Linux and ESXi variants; randomized 16-character extensions; Russian-language system avoidance.
  • Windows binary uses heavy obfuscation/packing, DLL reflection, ETW patching and security-service termination.
  • Social engineering: impersonating IT/help-desk via Microsoft Teams to push remote-access tools (Quick Assist).
  • Refreshed affiliate incentive model to re-recruit operators post-disruption.

Notable recent victims

  • Central Romana Corporation (Dominican Republic, agribusiness)
  • Shougang Hierro Perú (mining)
  • DaikyoNishikawa (Japan, automotive parts); Sierra Vista Hospital (US healthcare)

Assessment

A resilient brand that survived a global takedown and rebuilt via its affiliate network. The ESXi focus and Teams-based help-desk social engineering are the headline risks; the Qilin/DragonForce alliance bears watching for shared tooling.

Sources

🗂️ Attacks & victims

All disclosed victims attributed to this actor, newest first.

June 2026

Jun 20 sierravistahospital.com LockBit Ransomware · healthcare · US 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-language system avoidance) · #1 active · 311 total · disclosed 5d ago · Sources: ransomware.live DLS
Jun 19 DaikyoNishikawa Corporation LockBit Ransomware · automotive parts · Japan 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-language system avoidance) · #1 active · 311 total · disclosed 6d ago · Sources: ransomware.live DLS
Jun 19 Como Furniture Enterprises Co., Ltd. LockBit Ransomware · manufacturing · Taiwan 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-language system avoidance) · #1 active · 311 total · disclosed 6d ago · Sources: ransomware.live DLS
Jun 11 Central Romana Corporation LockBit Ransomware · agribusiness · Dominican Republic 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-language system avoidance) · #1 active · 311 total · disclosed 14d ago · Sources: ransomware.live DLS / FalconFeeds
Jun 11 Shougang Hierro Perú S.A.A. LockBit Ransomware · mining · Peru 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-language system avoidance) · #1 active · 311 total · disclosed 14d ago · Sources: ransomware.live DLS / FalconFeeds
Jun 11 Stahlwille B.V. LockBit Ransomware · tool manufacturing · Netherlands 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-language system avoidance) · #1 active · 311 total · disclosed 14d ago · Sources: ransomware.live DLS / FalconFeeds
Jun 11 JEC Eye Hospitals and Clinics LockBit Ransomware · healthcare · Indonesia 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-language system avoidance) · #1 active · 311 total · disclosed 14d ago · Sources: FalconFeeds
Jun 11 Colégio Santo Inácio LockBit Ransomware · education · Brazil 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-language system avoidance) · #1 active · 311 total · disclosed 14d ago · Sources: FalconFeeds
Jun 11 LBR Engineering and Consulting LockBit Ransomware · engineering · Brazil 🟥 Claimed (leak-site) · 🇷🇺 Russia-affiliated (Russian-language system avoidance) · #1 active · 311 total · disclosed 14d ago · Sources: FalconFeeds

← All threat actors · Full victim database →