LockBit 3.0 Ransomware: Indicators of Compromise, Victims & Defense

fingerprintDossier

Active since: 2019 (3.0 variant launched 2022)
Origin / attribution: Russia-speaking RaaS affiliate network
Known aliases: LockBit Black, LockBit, LockBitSupp
Common initial access: Corporate VPN credentials, exposed RDP, Fortinet/Citrix n-day exploits, Cobalt Strike
TTPs & tradecraft: StealBit exfiltration, ESXi encryption, affiliate double-extortion with leak site 'LockBit Blog'.
Notes: Operation Cronos (Feb 2024) seized infrastructure; remnants and copycats remain active.

publicTop countries hit

United States283

France77

United Kingdom67

Germany56

Italy47

India40

Brazil39

Canada37

factoryTop sectors targeted

Business Services170

Technology74

Manufacturing67

Healthcare56

Government54

Not Found46

Transportation/Logistics29

Agriculture and Food Production23

historyRecent named victims

new blog domain lockbit 5.0

Not Found · 05 Dec 2025

hennessyfunds.com

US · Financial Services · 09 May 2025

ehlers-inc.com

US · Technology · 06 May 2025

kll-law.com

US · Business Services · 01 May 2025

arc-com.com

US · Technology · 01 May 2025

pdcm.com

US · Financial Services · 01 May 2025

tuttoperlufficio.eu

IT · Not Found · 21 Apr 2025

aqhch.com.cn

CN · Not Found · 16 Apr 2025

jackpotjunction.com

US · Hospitality and Tourism · 16 Apr 2025

aeamg.org.br

BR · Not Found · 16 Apr 2025

ende.bo

BO · Not Found · 16 Apr 2025

intelliloan.com

US · Financial Services · 13 Apr 2025

visionproducts.llc

US · Not Found · 12 Apr 2025

acimfunds.com

LU · Financial Services · 12 Apr 2025

physiciansmedicalbilling.net

US · Healthcare · 08 Apr 2025

Sourced from open leak-site monitoring · Generated 20 Apr 2026

shield_lockLockBit 3.0 defense checklist

check_circleEnforce phishing-resistant MFA on every VPN, remote desktop, email, and SaaS admin account.

check_circlePatch perimeter gear (VPN, firewall, file-transfer, hypervisor) within 72 hours of vendor advisories.

check_circleSegment ESXi management from domain accounts; disable vSphere SSH unless in use.

check_circleTier admin credentials — no shared local-admin, rotate break-glass accounts monthly.

check_circleDeploy EDR across servers & DCs; alert on Rclone, WinSCP, MegaCmd, and suspicious PowerShell.

check_circleImmutable, offline backups tested quarterly with measured RTO/RPO.

check_circleBlock outbound on unused ports; restrict egress to vetted CDNs and update servers.

check_circleHunt for dropped vulnerable drivers used to kill EDR (BYOVD patterns).

check_circleRun an annual tabletop modelled on LockBit 3.0's latest playbook.

check_circleHave an IR retainer identified before you need it.

Worried LockBit 3.0 will land on you?

We run focused VAPT, ransomware-readiness reviews, and purple-team exercises tuned to the playbook this crew actually uses.

Book a scope call