LockBit Ransomware

Jun 19, 2025 | Updated Jun 19, 2025
LockBit ransomware is a subclass of malicious software designed to block user access to data on computer systems until they pay a ransom.

What Is LockBit Ransomware?

Ransomware is malicious software that locks an individual’s computer device, prompting them to pay a ransom to regain access. LockBit is one such ransomware variant. But what exactly is LockBit ransomware?

Originally known as ABCD ransomware, LockBit ransomware encrypts victims’ data or files on infected computer systems, allowing the cyberattackers to demand ransom payment in exchange for decryption. The attackers also threaten to leak the data to the public if their demands are not met.

The cybercriminals behind this ransomware share the same name – LockBit. The group offers it as a ransomware-as-a-service (RaaS) application. The affiliates can use it to perform ransomware attacks in exchange for a cut of ransom revenue, subscription fees, or upfront payment.

Cyberattacks using LockBit code first appeared in September 2019, when it renamed files with a “.abcd” extension. Later versions adopted the “.lockbit” file extension, giving it its latest moniker. Its associated attacks often target enterprises and organizations rather than individuals. In addition, they often demand payment in the form of cryptocurrencies.

How Does It Work?

The attackers first identify organizations or enterprises whose operations will be greatly affected by the disruption. This is aimed at exerting pressure on the victims, forcing them to concede to the attacker’s demands.

They then use phishing emails, software vulnerabilities, or stolen credentials to gain access to the target’s computer systems. The attackers may also recruit disgruntled employees, who are paid to launch the attack from the inside or offer account credentials.

Once the attackers have gained access, they use tools like Windows PowerShell and Server Message Block (SMB) to spread and identify high-value targets. The ransomware also self-propagates, meaning that it spreads on its own throughout the system, undetected, to find additional accessible hosts.

Moreover, the malware is programmed to gain account privileges using post-exploitation tools. Such access allows attackers to disable security programs and recovery tools in preparation to encrypt targeted files. 

During the encryption stage, a ransomware payload encrypts the files and leaves a note requesting ransom in every folder. This restricts the victim from regaining access to their computer systems, leaving ransom payment as the only viable option.
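The two artifacts described above, the “.abcd” / “.lockbit” extensions and a note dropped in every folder, can be turned into a simple triage check over a file listing. The following is an added example, not part of the original article; the function name, thresholds, sample paths and the note file name are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Extensions named in the article: ".abcd" (early) and ".lockbit" (later).
SUSPECT_EXTS = {".abcd", ".lockbit"}

def triage(paths, min_dirs=3, min_ratio=0.5):
    """Return (affected_dirs, note_candidates) for a flat file listing."""
    per_dir = defaultdict(list)
    for p in map(PureWindowsPath, paths):
        per_dir[str(p.parent)].append(p)

    # A directory is "affected" when enough of its files carry a suspect extension.
    affected = {}
    for d, files in per_dir.items():
        hits = sum(f.suffix.lower() in SUSPECT_EXTS for f in files)
        if hits and hits / len(files) >= min_ratio:
            affected[d] = hits

    # The note is dropped in every folder, so look for a non-encrypted file
    # name present in all affected directories (and in at least min_dirs).
    names = Counter()
    for d in affected:
        names.update({f.name.lower() for f in per_dir[d]
                      if f.suffix.lower() not in SUSPECT_EXTS})
    notes = sorted(n for n, c in names.items()
                   if c == len(affected) and c >= min_dirs)
    return affected, notes

# Constructed listing; the note name is a placeholder, not a real indicator.
SAMPLE = [
    r"C:\Share\HR\payroll.xlsx.lockbit",
    r"C:\Share\HR\staff.docx.lockbit",
    r"C:\Share\HR\READ-ME-EXAMPLE.txt",
    r"C:\Share\Finance\q1.xlsx.lockbit",
    r"C:\Share\Finance\READ-ME-EXAMPLE.txt",
    r"C:\Share\Legal\nda.pdf.abcd",
    r"C:\Share\Legal\READ-ME-EXAMPLE.txt",
    r"C:\Share\Public\logo.png",
    r"C:\Share\Public\notes.txt",
]

if __name__ == "__main__":
    dirs, notes = triage(SAMPLE)
    print("affected directories:", dirs)
    print("possible ransom note names:", notes)
```

By the time these artifacts exist, encryption has already happened, so a check like this helps scope an incident and find which shares to restore rather than prevent one.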

Other versions of the malware are deployed to exfiltrate targeted files to an external server. The exfiltration allows the hackers to extort victims, often threatening to publish sensitive information on a leak site if they do not comply.
