LockBit Ransomware

Jun 19, 2025 | Updated Jun 19, 2025
LockBit ransomware is a subclass of malicious software designed to block user access to data on computer systems until they pay a ransom.

What Is LockBit Ransomware?

Ransomware is malicious software that locks an individual’s computer device and prompts them to pay a ransom to regain access. LockBit is one such ransomware variant. But what exactly is LockBit ransomware?

Originally known as ABCD ransomware, LockBit ransomware encrypts victims’ data or files on infected computer systems, allowing the cyberattackers to demand ransom payment in exchange for decryption. The attackers also threaten to leak the data to the public if their demands are not met.

The cybercriminals behind this ransomware share the same name: LockBit. The group offers it as a ransomware-as-a-service (RaaS) application. Affiliates can use it to perform ransomware attacks in exchange for a cut of ransom revenue, subscription fees, or upfront payment.

Cyberattacks using LockBit code first appeared in September 2019, when the ransomware renamed files with a “.abcd” extension. Later versions adopted the “.lockbit” file extension, giving it its latest moniker. Its associated attacks often target enterprises and organizations rather than individuals. In addition, the attackers often demand payment in the form of cryptocurrencies.

How Does It Work?

The attackers first identify organizations or enterprises whose operations will be greatly affected by the disruption. This is aimed at exerting pressure on the victims, forcing them to concede to the attackers’ demands.

They then use phishing emails, software vulnerabilities, or stolen credentials to gain access to the target’s computer systems. The attackers may also recruit disgruntled employees, who are paid to launch the attack from the inside or offer account credentials.

Once the attackers have gained access, they use tools like Windows PowerShell and Server Message Block (SMB) to spread and identify high-value targets. The ransomware also self-propagates, meaning that it spreads on its own throughout the system, undetected, to find additional accessible hosts.

Moreover, the malware is programmed to gain account privileges using post-exploitation tools. Such access allows attackers to disable security programs and recovery tools in preparation to encrypt targeted files. 

During the encryption stage, a ransomware payload encrypts the files and leaves a note requesting ransom in every folder. This restricts the victim from regaining access to their computer systems, leaving ransom payment as the only viable option.

Other versions of the malware are deployed to exfiltrate targeted files to an external server. The exfiltration allows the hackers to extort victims, often threatening to publish sensitive information on a leak site if they do not comply.
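The encryption stage described above leaves two observable traces: files renamed to the “.abcd” or “.lockbit” extension, and the same note file appearing in folder after folder. The following detection example is added here and is not part of the original article; the event tuple format, thresholds, host names, paths and note file name are constructed assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions named in the article.
LOCKBIT_EXTS = {".abcd", ".lockbit"}

# Constructed sample file events (not real telemetry): (epoch_s, host, action, path).
SAMPLE_EVENTS = [
    (1000, "FS01", "rename", r"D:\finance\q1.xlsx.lockbit"),
    (1002, "FS01", "create", r"D:\finance\README-CONSTRUCTED.txt"),
    (1005, "FS01", "rename", r"D:\hr\staff.docx.lockbit"),
    (1006, "FS01", "create", r"D:\hr\README-CONSTRUCTED.txt"),
    (1010, "FS01", "rename", r"D:\legal\nda.pdf.lockbit"),
    (1011, "FS01", "create", r"D:\legal\README-CONSTRUCTED.txt"),
    (1000, "WS07", "rename", r"C:\Users\a\notes.txt.bak"),
    (1500, "WS07", "create", r"C:\Users\a\todo.txt"),
]

def detect_encryption_burst(events, window=60, min_renames=3, min_note_dirs=3):
    """Flag hosts where, inside one sliding window of `window` seconds, files
    are renamed to a LockBit extension AND one identical file name is created
    in several distinct folders (the note-in-every-folder pattern)."""
    by_host = defaultdict(list)
    for ts, host, action, path in events:
        by_host[host].append((ts, action, PureWindowsPath(path)))
    flagged = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events older than the window
            renames, note_dirs = 0, defaultdict(set)  # file name -> folders
            for _, action, p in evs[start:end + 1]:
                if action == "rename" and p.suffix.lower() in LOCKBIT_EXTS:
                    renames += 1
                elif action == "create":
                    note_dirs[p.name.lower()].add(str(p.parent).lower())
            note, dirs = max(note_dirs.items(), key=lambda kv: len(kv[1]),
                             default=("", set()))
            if renames >= min_renames and len(dirs) >= min_note_dirs:
                flagged[host] = {"renames": renames, "note": note, "dirs": len(dirs)}
                break
    return flagged

if __name__ == "__main__":
    print(detect_encryption_burst(SAMPLE_EVENTS))
```

Requiring both signals in the same window keeps a single renamed file or an ordinary new document from raising an alert.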
