The Locked Tower: LockBit

← Home·Gallery·Techniques

Threat Intelligence Tarot

Major Arcana · 16

Criminal (Russia-linked, global affiliates)

G0114

★★★★★

risk 5/5

✦ The Locked Tower ✦

LockBit

LockBit 3.0 · LockBit Black · ABCD ransomware (early)

ManufacturingProfessional servicesHealthcareGovernment

Active since ~2019 · Ransomware extortion, Affiliate revenue maximization, Double/triple extortion

The most professional ransomware operation ever built: a dark web affiliate portal, a customer service desk, bug bounties for its own malware. The Locked Tower ran ransomware-as-a-business with KPIs and contractor relationships.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1486

Data Encrypted for Impact

Impact

T1078

Valid Accounts

Initial Access

T1021.001

Remote Desktop Protocol

Lateral Movement

T1562.001

Disable or Modify Tools

Defense Evasion

T1068

Exploitation for Privilege Escalation

Privilege Escalation

T1548.002

Bypass User Account Control

Privilege Escalation

Notable Operations

◆Most prolific ransomware group 2022-2024
◆Royal Mail UK attack (2023)
◆Boeing data leak (2023)
◆Operation Cronos law enforcement takedown (2024)

Defenses

▸
MFA on all remote access including RDP and VPN
CIS Control 6 ↗
▸
EDR with ransomware behavioral detection
CIS Control 10 ↗
▸
Privileged access management limiting lateral movement
CIS Control 5 ↗
▸
Network segmentation to limit ransomware blast radius
CIS Control 12 ↗

Reversed: Their Weakness

Operation Cronos in 2024 seized LockBit's infrastructure, published its affiliate list, and posted the gang leader's photo on their own dark web site. The Tower fell - but the affiliates scattered to rebuild elsewhere.

Share this adversary profile

← → arrow keys to browse

swipe to browse

← PreviousThe Reaper Next →The Plague

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.