LockBit, one of the most notorious ransomware gangs in the world, has proven to be far more resilient than many had hoped. Despite a high-profile takedown in early 2024, the group has begun staging a troubling comeback — evolving its tactics, rebuilding its infrastructure, and continuing to target victims globally.
What Is LockBit?
LockBit is a cybercriminal group operating under the “ransomware-as-a-service” (RaaS) model. This means they create ransomware software and lease it to affiliates — other criminals — who then use it to carry out attacks. LockBit collects a cut of the ransom payments, while the affiliate retains the rest.
LockBit’s ransomware encrypts the victim’s data and demands payment to restore access. More dangerously, it also uses a “double extortion” tactic: if victims don’t pay, LockBit threatens to publish the stolen data on leak sites hosted on the dark web.

A Global Threat
By 2022, LockBit had become the most prolific ransomware group in the world, responsible for a staggering 44% of all known ransomware incidents. Between January 2020 and May 2023, LockBit was linked to over 1,700 attacks in the U.S. alone, with approximately $91 million in ransom payments made.
Unlike nation-state actors such as Lazarus Group or APT29, LockBit has always been financially motivated. While their software first appeared on Russian-language forums, the group has publicly denied links to any government, including Russia — although their operations align with areas where cybercrime enforcement is weak or nonexistent.
The February 2024 Takedown
In February 2024, law enforcement agencies from around the world — including Europol, the FBI, and the UK’s NCA — joined forces to seize LockBit’s infrastructure. Their onion sites were replaced with seizure banners, and significant intelligence was gathered about the group’s affiliates and operations.
This blow appeared to cripple the group. Many believed LockBit had been permanently dismantled.
The Comeback: What’s Happening Now?
Unfortunately, the reports of LockBit’s demise were premature. Here’s how they’re making a comeback:
1. New Infrastructure and Rebranded Leak Sites
Shortly after the takedown, new dark web sites claiming to be “LockBit 3.0” began appearing. The group is suspected of rebuilding its infrastructure using decentralized hosting and newer anonymity tools, possibly incorporating parts of I2P (Invisible Internet Project) to avoid detection.
2. Modified Ransomware Builds
Security researchers have identified new samples of LockBit ransomware variants in the wild — slightly modified to avoid detection, but with the same core functionality. These updates show the group is still actively developing its toolkit.
3. Recruiting New Affiliates
Despite law enforcement pressure, LockBit is reportedly recruiting again. Advertisements targeting disgruntled affiliates of other now-defunct ransomware groups are circulating on underground forums. LockBit is offering high payout ratios and updated affiliate portals.
4. Leveraging Insider Threats
Some incidents suggest LockBit is targeting insiders at victim organizations — offering employees a share of the ransom in exchange for helping deploy malware internally. This bypasses traditional perimeter defenses and drastically increases attack success rates.
5. Fake LockBit Attacks
To muddy the waters, some copycat groups have launched ransomware attacks using LockBit’s leaked source code, branding themselves as LockBit. This makes it harder for defenders to identify genuine LockBit attacks, giving the real group cover to reestablish itself.
The Stakes Going Forward
LockBit’s resurgence is a reminder that ransomware is not going away — it’s adapting. Organizations must treat ransomware not just as a malware issue, but as a full-spectrum threat involving phishing, social engineering, insider threats, and gaps in backup strategies.
Recommendations:
- Implement strong endpoint protection and regularly patch systems.
- Use network segmentation to limit lateral movement.
- Adopt a zero-trust architecture wherever feasible.
- Back up critical data regularly — and test restoration procedures.
- Train staff on phishing and social engineering.
- Monitor dark web activity for early signs of compromise or extortion.
LockBit’s return isn’t just a cybersecurity concern — it’s a wake-up call. If a global task force can’t permanently dismantle this operation, it’s proof that defenders must be faster, smarter, and more proactive than ever before.