Chances are you’ve been hearing about something called LockBit ransomware recently. As a small business owner, it’s so important to understand cybersecurity threats like this. LockBit is one of the most aggressive and dangerous ransomware variants out there right now. 

Ransomware is a type of malware that encrypts files on a device or network. The attackers demand a ransom payment in cryptocurrency to unlock the files. If the ransom isn’t paid, the files remain encrypted and inaccessible. 

LockBit first appeared in September 2019 but has evolved rapidly since then. In the first half of 2023, 57% of LockBit victims were small businesses!

The good news is that by understanding how LockBit works and taking preventative measures, you can help keep your business safe from attack. Let’s break it down!

How LockBit Ransomware Works

LockBit uses what’s known as a “double extortion” strategy. First, it encrypts a victim’s files so they can’t be accessed. But it also steals copies of sensitive data before encrypting. 

The LockBit gang then threatens to publish the stolen data on their leak site if the ransom isn’t paid. This puts extra pressure on victims to pay up to avoid having their data exposed publicly.

Like other ransomware, LockBit is usually delivered through phishing emails with infected attachments or links. Once the attachment or link is opened, the ransomware installs and begins communicating with the attacker’s command and control servers.

The encryption process starts, using strong algorithms to lock files. Encrypted files are given the extension “.lockbit”.  

The ransom note is saved in each affected folder, with payment instructions provided on the dark web. The note warns victims not to rely on backups or file recovery, since the gang claims they’ll leak stolen data if the ransom goes unpaid.
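The two on-disk signs described above (files renamed to “.lockbit” and a ransom note in each affected folder) can be checked for on a file share. The Python example below is added here and is not from the original article; the 50% threshold, the function names, and the sample file names (including README-RECOVER.txt) are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

ENCRYPTED_EXT = ".lockbit"  # extension the article says encrypted files receive

def scan_tree(root, min_ratio=0.5):
    """Return (affected, notes): folders where at least min_ratio of the files
    end in ENCRYPTED_EXT, and file names whose identical content sits in every
    affected folder (the 'note in each affected folder' pattern)."""
    affected = {}
    copies = defaultdict(set)  # (file name, sha256) -> folders holding that copy
    for dirpath, _dirs, files in os.walk(root):
        locked = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        if not files or len(locked) / len(files) < min_ratio:
            continue
        affected[dirpath] = len(locked) / len(files)
        for name in set(files) - set(locked):
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    # Notes are small text files; the first 64 KiB is enough.
                    digest = hashlib.sha256(fh.read(65536)).hexdigest()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            copies[(name, digest)].add(dirpath)
    # One hit folder proves nothing; require the same file in all of >= 2.
    notes = sorted({name for (name, _h), dirs in copies.items()
                    if len(affected) >= 2 and dirs == set(affected)})
    return affected, notes

def build_sample_tree(root):
    """Constructed sample data: two 'hit' folders and one clean folder."""
    layout = {
        "finance": ["q1.xlsx.lockbit", "q2.xlsx.lockbit", "README-RECOVER.txt"],
        "hr": ["staff.docx.lockbit", "README-RECOVER.txt"],  # hypothetical note name
        "public": ["logo.png", "menu.pdf"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            body = b"constructed note text" if name.startswith("README") else name.encode()
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_tree(tmp))
```

A non-empty result on a real share is a reason to isolate the affected machines and start incident response, not proof of which ransomware family is involved.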

[Image: LockBit ransom note screenshot]

Notable LockBit Variants and Versions

LockBit developers release new versions relatively quickly to add new features and stay ahead of security protections. Here are some notable variants:

  • LockBit 1.0: The original version from 2019.
  • LockBit 2.0: Added features like Windows domain spreading, anti-analysis, and anti-detection.
  • LockBit 3.0 (a.k.a. LockBit Black): Launched in 2021 with a ransomware-as-a-service model, allowing more threat actors to use LockBit code.
  • LockBit Green: Introduced in 2023 and designed to target cloud-based services.

The rapid evolution of LockBit reflects the professionalization of cybercriminals. They invest heavily in new capabilities to infect more victims.

High-Profile LockBit Ransomware Attacks

Since 2021, LockBit has been tied to a string of high-impact ransomware attacks. Some recent victims include:

These examples illustrate how aggressive and far-reaching LockBit attacks have become. No organization is immune from the threat.

The LockBit Gang Behind the Threat

LockBit is believed to operate under a ransomware-as-a-service model. The core developers sell access to the ransomware code through a dark web affiliate program.

This enables a broader network of cybercriminals to carry out attacks globally using the LockBit brand. Affiliates receive a cut of any ransom payments extracted from victims.

Researchers believe the LockBit operation is based in Eastern Europe and is Russian-speaking. The ransomware code is constantly updated to add new evasion capabilities that help avoid detection.

In 2023, CISA announced that LockBit had extorted $91 million in 1,700 U.S. attacks. This highlights the immense profits driving ransomware-as-a-service models.

Protecting Against LockBit Ransomware Attacks

So, how can you protect your business from a LockBit attack? Here are key best practices every small business should follow:

  • Train employees on phishing prevention: Most attacks rely on phishing emails, so this is critical. Educate staff on identifying phishing red flags.
  • Patch and update software regularly: LockBit exploits security flaws in outdated software. Keep everything updated to eliminate vulnerabilities.
  • Use strong passwords: Enforce password complexity and regular rotation to prevent brute-force attacks. 
  • Back up data regularly: Maintain offline backups that can be restored if your files are encrypted by ransomware. Test restoration too!
  • Limit access and permissions: Only provide employees access to systems and data needed for their roles.  
  • Use endpoint detection and response (EDR) tools: EDR can spot ransomware behavior early and stop encryption.
  • Configure a firewall: Firewalls restrict traffic and help prevent malware or hackers from infiltrating your network.
  • Disable RDP connections: Remote Desktop Protocol connections increase exposure to ransomware. Disable RDP if it isn’t needed.

How Cybersecurity Awareness Training Can Help

Lastly, investing in cybersecurity awareness training for your staff is hugely beneficial. Engaging online courses teach employees how to spot and avoid ransomware threats through real-world simulations.

The courses cover topics like phishing, passwords, malware, physical security, mobile security, and handling sensitive data. 

Users are immersed in interactive stories and exercises that build long-term habits and reflexes. Cybersecurity awareness training reduces human error and makes your business resilient against ransomware like LockBit. 

Living With Cybersecurity Threats

The reality is that cybersecurity threats like ransomware are not going away. As a business owner, you can’t eliminate risk. But what you can do is take proactive, preventative steps to minimize your vulnerabilities. 

By understanding threats like LockBit, following cybersecurity best practices, and investing in awareness training, you’ll have the right foundation to operate securely in today’s digital landscape. Stay vigilant out there!


The LockBit ransomware advisory warns organizations about the threat posed by this aggressive strain of ransomware.

LockBit is believed to originate from a Russian-speaking cybercriminal group based out of Eastern Europe.

LockBit exploits security vulnerabilities in unpatched software and targets organizations with weak cybersecurity postures.

LockBit has successfully compromised and extorted hundreds of organizations around the world.

The LockBit ransomware operation likely emerged from an Eastern European, Russian-speaking cybercriminal organization.

LockBit publishes stolen victim data on its dark web leak site if ransom demands are not met.

The initial cause of a LockBit ransomware attack is typically a user opening a malicious email attachment or link.

The core LockBit ransomware developers are thought to be based in Russia or another Eastern European country. 

Major companies hacked by LockBit include Accenture, New Bedford, Zegna, MTA, and the Scottish EPA.

LockBit spreads through phishing emails, unpatched systems, RDP connections, and affiliates deploying the ransomware.
