Operator dossier

lockbit3 is a ransomware operator currently active on public leak sites. Darkfield has indexed 2,016 public victims claimed by this operator between June 29, 2022 and December 5, 2025. LockBit 3.0, also known as LockBit Black, is a prominent ransomware-as-a-service operation that emerged in June 2022 as the third major iteration of the LockBit ransomware family, operating with primarily financial motivations and becoming one of the most prolific ransomware groups globally. The group is believed to operate from Russia or former Soviet states, functioning as a sophisticated RaaS platform that recruits affiliates to conduct attacks while the core group maintains the ransomware infrastructure and negotiates with victims. LockBit 3.0 employs multiple initial access vectors including exploitation of remote desktop protocols, vulnerable VPN appliances, and phishing campaigns, utilizing a fast-encrypting ransomware payload that can complete network-wide encryption in minutes while implementing triple extortion tactics that include data theft, encryption, and threats to leak stolen information on their dedicated leak site called "LockBit Black Blog." The group has claimed responsibility for attacks against thousands of organizations worldwide, with notable victims including major corporations and critical infrastructure entities across their primary target countries of the United States, France, United Kingdom, Germany, and Italy, focusing heavily on business services, technology, manufacturing, healthcare, and government sectors. Despite law enforcement disruptions including Operation Cronos in February 2024 which temporarily seized their infrastructure and websites, LockBit has demonstrated resilience by quickly rebuilding their operations and continuing to recruit new affiliates and victims.

Most-targeted sectors

Business Services170 victims
Technology74 victims
Manufacturing67 victims
Healthcare56 victims
Government54 victims
Not Found46 victims

Most-affected countries

US283 victims
FR77 victims
GB67 victims
DE56 victims
IT47 victims

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

lockbit3

2,016 victims indexed · first seen 4 years ago · last activity 6 months ago

2,016

Victims indexed

#2 of 356 tracked operators

3y 6m

Active period

Jun 2022 → Dec 2025

Countries hit

top US · 283

At a glance

Status: active
First seen: 4 years ago
Last activity: 6 months ago
Onion sites: 57 known endpoints
Primary sector: Business Services · 170 hits

About

LockBit 3.0, also known as LockBit Black, is a prominent ransomware-as-a-service operation that emerged in June 2022 as the third major iteration of the LockBit ransomware family, operating with primarily financial motivations and becoming one of the most prolific ransomware groups globally. The group is believed to operate from Russia or former Soviet states, functioning as a sophisticated RaaS platform that recruits affiliates to conduct attacks while the core group maintains the ransomware infrastructure and negotiates with victims. LockBit 3.0 employs multiple initial access vectors including exploitation of remote desktop protocols, vulnerable VPN appliances, and phishing campaigns, utilizing a fast-encrypting ransomware payload that can complete network-wide encryption in minutes while implementing triple extortion tactics that include data theft, encryption, and threats to leak stolen information on their dedicated leak site called "LockBit Black Blog." The group has claimed responsibility for attacks against thousands of organizations worldwide, with notable victims including major corporations and critical infrastructure entities across their primary target countries of the United States, France, United Kingdom, Germany, and Italy, focusing heavily on business services, technology, manufacturing, healthcare, and government sectors. Despite law enforcement disruptions including Operation Cronos in February 2024 which temporarily seized their infrastructure and websites, LockBit has demonstrated resilience by quickly rebuilding their operations and continuing to recruit new affiliates and victims.

References

3 links

External sources curated by the MISP threat-intel community.

Timeline

24 months

2023-07-01T00:00:00+00:002025-12-01T00:00:00+00:00

Top countries

🇺🇸 US

283

🇫🇷 FR

🇬🇧 GB

🇩🇪 DE

🇮🇹 IT

🇮🇳 IN

🇧🇷 BR

🇨🇦 CA

US dossier →FR dossier →GB dossier →DE dossier →

Top sectors

Business Services

170

Technology

Manufacturing

Healthcare

Government

Not Found

Transportation/Logistics

Agriculture and Food Production

Business Services dossier →Technology dossier →Manufacturing dossier →Healthcare dossier →

MITRE ATT&CK

18 techniques · 10 tactics

Tactics

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessLateral MovementCollectionExfiltrationImpact

Techniques

T1566.001Spearphishing Attachment
T1190Exploit Public-Facing Application
T1078Valid Accounts
T1059.001PowerShell
T1059.003Windows Command Shell
T1053.005Scheduled Task
T1543.003Windows Service
T1055Process Injection
T1562.001Disable or Modify Tools
T1070.004File Deletion
T1003.001LSASS Memory
T1021.001Remote Desktop Protocol
T1021.002SMB/Windows Admin Shares
T1083File and Directory Discovery
T1005Data from Local System
T1041Exfiltration Over C2 Channel
T1486Data Encrypted for Impact
T1489Service Stop

Detection · YARA rules

2 rules

Lockbit2_Jul21
YARA rule from ATR/Trellix: ransomware/RANSOM_Lockbit2.yar
source: ATR/Trellix
to
YARA rule from ATR/Trellix: ransomware/RANSOM_Lockbit2.yar
source: ATR/Trellix

Recent victims

Loading…

Onion infrastructure

57 known

http://lbb2llze7ab4rnq4jumsy4ihsqzpuysaofpz2e43foocwmrzsokumqid.onion
http://lbb47q2f7nzeatj6mxppuk7bhnvwu23mf6pfuywxcz57dwnzl6z3ksqd.onion
http://lbb5cnqexve2wg6acbfyohkzeijflpqmgijx5ksyvu4aljv27r2lgiid.onion
http://lbb6ud2vyf23z4hw6fzskr5gru7eftbjfbd6yzra3hzuqqvjy63blqqd.onion
http://lbbchnkrhkjtltjunmqsbw32bbblsd5bd2pqywtt2bex4bjmo5ry2iqd.onion
http://lbbellr6aq4kuchzy44pmimszfd4di4fslez765ux4kse3o4lxcnpgid.onion
http://lbbfsazjqqwvtq2ckhm53kfmvsy7c6sdci3uy6qui4lv66aeef7hhpad.onion
http://lbbgv7wsi6bpguvjbu6omdgwzllqm5tvdo65do2q7vw4er7aqrnjmtad.onion
http://lbbjmbkvw3yurmnazwkbj5muyvw5dd6y7hyxrus23y33qiqczclrnbyd.onion
http://lbbk5lfftmhhu2qtahhg4wpnxw4bmtzoy5mu7g4jwyfyeyqoe3vpl4yd.onion
http://lbbov7weoojwnqytnjqygmglkwtim5dvyw3xvoluk5ostz75ofd6enqd.onion
http://lbbp2rsfcmg5durpwgs22wxrdngsa4wiwmc4xk6hgmuluy6bvbvvtlid.onion
+ 45 more endpoints

Source

Updated 6 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time lockbit3 posts a victim.

Add lockbit3 to your watchlist — Pro pings you within 5 minutes of any new lockbit3 leak-site post, Telegram callout, or affiliate-rebrand inference.