Skip to main content

Operator dossier

lockbit2 is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 1,002 public victims claimed by this operator between September 9, 2021 and June 28, 2022. LockBit, also known as LockBit 2.0, is a financially motivated ransomware-as-a-service operation that emerged in September 2021 as an evolution of the original LockBit group, quickly establishing itself as one of the most prolific and aggressive ransomware operations globally. The group is believed to operate from Russia or former Soviet states, following the typical RaaS model where the core developers provide the ransomware tools and infrastructure to affiliate operators who conduct the actual attacks in exchange for a percentage of ransom payments. LockBit primarily gains initial access through compromised Remote Desktop Protocol credentials, exploitation of public-facing applications, and phishing campaigns, employing a triple extortion model that combines file encryption, data theft with threatened publication on their leak site, and increasingly includes threats to contact victims' customers and business partners directly. The group has been responsible for over 1,000 documented victim organizations, with particularly heavy targeting of entities in Italy, Germany, France, Canada, and Australia across critical infrastructure sectors including healthcare, financial services, and government organizations. Notable incidents include attacks on major healthcare systems, manufacturing companies, and government entities, with the group consistently ranking among the top ransomware threats in law enforcement and cybersecurity reporting throughout 2022 and 2023. Despite ongoing international law enforcement pressure and sanctions, including disruption attempts by agencies such as the FBI and Europol, LockBit continues to operate actively with regular updates to their ransomware variants and recruitment of new affiliates.

Most-affected countries

Recent disclosures by lockbit2

Most recent 150 of 1,002 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for lockbit2

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

lockbit2

1,002 victims indexed · first seen 5 years ago · last activity 4 years ago

1,002
Victims indexed
#12 of 364 tracked operators
9m
Active period
Sep 2021 → Jun 2022
10
Countries hit
top IT · 29

At a glance

Status
inactive
First seen
5 years ago
Last activity
4 years ago
Onion sites
5 known endpoints

About

LockBit, also known as LockBit 2.0, is a financially motivated ransomware-as-a-service operation that emerged in September 2021 as an evolution of the original LockBit group, quickly establishing itself as one of the most prolific and aggressive ransomware operations globally. The group is believed to operate from Russia or former Soviet states, following the typical RaaS model where the core developers provide the ransomware tools and infrastructure to affiliate operators who conduct the actual attacks in exchange for a percentage of ransom payments. LockBit primarily gains initial access through compromised Remote Desktop Protocol credentials, exploitation of public-facing applications, and phishing campaigns, employing a triple extortion model that combines file encryption, data theft with threatened publication on their leak site, and increasingly includes threats to contact victims' customers and business partners directly. The group has been responsible for over 1,000 documented victim organizations, with particularly heavy targeting of entities in Italy, Germany, France, Canada, and Australia across critical infrastructure sectors including healthcare, financial services, and government organizations. Notable incidents include attacks on major healthcare systems, manufacturing companies, and government entities, with the group consistently ranking among the top ransomware threats in law enforcement and cybersecurity reporting throughout 2022 and 2023. Despite ongoing international law enforcement pressure and sanctions, including disruption attempts by agencies such as the FBI and Europol, LockBit continues to operate actively with regular updates to their ransomware variants and recruitment of new affiliates.

Timeline

10 months
2021-09-01T00:00:00+00:00 · 1712021-10-01T00:00:00+00:00 · 1002021-11-01T00:00:00+00:00 · 962021-12-01T00:00:00+00:00 · 622022-01-01T00:00:00+00:00 · 482022-02-01T00:00:00+00:00 · 952022-03-01T00:00:00+00:00 · 1362022-04-01T00:00:00+00:00 · 1312022-05-01T00:00:00+00:00 · 992022-06-01T00:00:00+00:00 · 64
2021-09-01T00:00:00+00:002022-06-01T00:00:00+00:00

Top countries

🇮🇹 Italy
29
🇩🇪 Germany
26
🇫🇷 France
14
🇨🇦 Canada
11
🇦🇺 Australia
9
🇧🇷 Brazil
8
🇨🇭 Switzerland
8
🇧🇪 Belgium
8

MITRE ATT&CK

16 techniques · 10 tactics

Tactics

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessLateral MovementCollectionExfiltrationImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1078Valid Accounts
  • T1059Command and Scripting Interpreter
  • T1053Scheduled Task/Job
  • T1543Create or Modify System Process
  • T1055Process Injection
  • T1562Impair Defenses
  • T1027Obfuscated Files or Information
  • T1003OS Credential Dumping
  • T1021Remote Services
  • T1083File and Directory Discovery
  • T1560Archive Collected Data
  • T1041Exfiltration Over C2 Channel
  • T1486Data Encrypted for Impact
  • T1490Inhibit System Recovery

Detection · YARA rules

2 rules
  • Lockbit2_Jul21

    YARA rule from ATR/Trellix: ransomware/RANSOM_Lockbit2.yar

    source: ATR/Trellix

  • to

    YARA rule from ATR/Trellix: ransomware/RANSOM_Lockbit2.yar

    source: ATR/Trellix

Recent victims

Loading…

Onion infrastructure

5 known
  • http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion
  • http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion
  • http://oyarbnujct53bizjguvolxou3rmuda2vr72osyexngbdkhqebwrzsnad.onion
  • http://yq43odyrmzqvyezdindg2tokgogf3pn6bcdtvgczpz5a74tdxjbtk2yd.onion
  • http://zqaflhty5hyziovsxgqvj2mrz5e5rs6oqxzb54zolccfnvtn5w2johad.onion

Source

Updated 4 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time lockbit2 posts a victim.

Add lockbit2 to your watchlist — Pro pings you within 5 minutes of any new lockbit2 leak-site post, Telegram callout, or affiliate-rebrand inference.