LockBit

To expand their reach, LockBit also released Linux-ESXI Locker version 1.0, targeting Linux hosts, particularly VMware ESXi servers.

According to Trend Micro, in terms of attack attempts, the United States, India and Brazil are the top targeted countries.[13]

LockBit operators frequently gain initial access by exploiting vulnerable Remote Desktop Protocol (RDP) servers or compromised credentials purchased from affiliates.

Initial access vectors also include phishing emails with malicious attachments or links, brute-forcing weak RDP or VPN passwords, and exploiting vulnerabilities such as CVE-2018-13379 in Fortinet VPNs.

LockBit uses tools such as Mimikatz, GMER, Process Hacker, and registry edits to gather credentials, disable security products, and evade defenses.[1]

For lateral movement, LockBit spreads through SMB file-sharing connections inside networks, using credentials gathered earlier.

Other lateral movement techniques include distributing itself via compromised Group Policy objects, or using tools such as PsExec or Cobalt Strike.[22]

On November 10, 2022, the LockBit 3.0 group published on the darknet a 9.5 GB archive with stolen information on Thales contracts in Italy and Malaysia.[23][24]

In November 2022, OEHC - Office d'Équipement Hydraulique de Corse - was the victim of a cyberattack that encrypted the company's computer data.
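Detection logic for two of the behaviours described above, RDP password brute-forcing and PsExec-based lateral movement, as an added example that is not part of the original article. The log records are constructed samples in a simplified "EventID|Field=Value" form standing in for Windows event log entries; the field names and the failure threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real telemetry) standing in for Windows
# Security events 4625 (failed logon) / 4624 (successful logon) and System
# event 7045 (service installed). LogonType 10 is an RDP session.
SAMPLE_EVENTS = [
    "4625|LogonType=10|TargetUser=administrator|SourceIP=203.0.113.10",
    "4625|LogonType=10|TargetUser=administrator|SourceIP=203.0.113.10",
    "4625|LogonType=10|TargetUser=admin|SourceIP=203.0.113.10",
    "4625|LogonType=10|TargetUser=backup|SourceIP=203.0.113.10",
    "4625|LogonType=10|TargetUser=svc_sql|SourceIP=203.0.113.10",
    "4624|LogonType=10|TargetUser=svc_sql|SourceIP=203.0.113.10",
    "4625|LogonType=10|TargetUser=jsmith|SourceIP=198.51.100.7",
    "4625|LogonType=3|TargetUser=jsmith|SourceIP=198.51.100.7",
    "7045|ServiceName=PSEXESVC|ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "7045|ServiceName=Spooler|ImagePath=C:\\Windows\\System32\\spoolsv.exe",
]


def parse_event(line):
    """Split one record into (event_id, {field: value})."""
    event_id, *fields = line.split("|")
    return event_id, dict(f.split("=", 1) for f in fields)


def detect_rdp_bruteforce(lines, threshold=5):
    """Map each source IP with >= threshold failed RDP logons to
    (failure_count, success_after). success_after is True when a
    successful RDP logon from that IP follows the failures, i.e. the
    guessing probably worked; escalate those first."""
    failures = Counter()
    success_after = defaultdict(bool)
    for line in lines:
        event_id, f = parse_event(line)
        if f.get("LogonType") != "10":  # only RDP (RemoteInteractive) logons
            continue
        ip = f.get("SourceIP", "unknown")
        if event_id == "4625":
            failures[ip] += 1
        elif event_id == "4624" and failures[ip] >= threshold:
            success_after[ip] = True
    return {ip: (n, success_after[ip])
            for ip, n in failures.items() if n >= threshold}


def detect_psexec_service(lines):
    """Return names of installed services (event 7045) matching the
    default PsExec service name, a well-known lateral-movement artefact."""
    return [f["ServiceName"] for event_id, f in map(parse_event, lines)
            if event_id == "7045"
            and f.get("ServiceName", "").upper() == "PSEXESVC"]
```

Renamed PsExec services and legitimate admin use will respectively evade and trigger the second check, so pair it with the originating host and account rather than treating it as a verdict on its own.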

After realizing their blunder, the hacker group stopped the attack, apologized and offered a free solution to recover the encrypted files.

In November 2022, with no response to its ransom demand, the hacker group published part of the stolen data and offered access to all of it for 50 million euros.[30]

In November 2022, the United States Department of Justice announced the arrest of Mikhail Vasiliev, a dual Russian and Canadian national, in connection with the LockBit ransomware campaign.[37]

On May 16, 2023, the hacker group claimed responsibility for attacking the Hong Kong branch of the Chinese newspaper China Daily.[39]

In June 2023, the United States Department of Justice announced criminal charges against Ruslan Magomedovich Astamirov, a Russian national, for his alleged participation in the LockBit ransomware campaign as an affiliate.

The charges allege that Astamirov directly executed at least five ransomware attacks against victims and received a portion of ransom payments in bitcoin.

Bloomberg reported that the CTC had been hacked in October, and that over the prior year LockBit had "become the world’s most prolific ransomware group."[48]

The Register reported in late November 2023 that LockBit was facing growing internal frustrations, and that its leaders were overhauling some of its negotiation methods with victims in response to the low pay rate achieved.[50][51]

The county released a statement on the attack the following month, saying that it had not paid the ransom, that the attack was not associated with the election process, and that it was not aware of any extraction of sensitive information about citizens or employees.[50][51]

In May 2024, the LockBit gang claimed responsibility for an attack on Canadian retailer London Drugs, which closed all locations across Canada.

On May 23, 2024, the company confirmed that data had been leaked by LockBit, and that affected employees were being offered identity theft protection services.

In June 2024, the LockBit gang attacked the University Hospital Center in Zagreb, the largest medical facility in Croatia.

LockBit claimed to have exfiltrated a large number of files, including medical records and employee information, and demanded an undisclosed sum in exchange for not publishing the data.

According to Graeme Biggar, Director General of the National Crime Agency, law enforcement has "taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems."[9]

Law enforcement also obtained 30,000 Bitcoin addresses used for managing the group's profits from ransom payments, which contained 2,200 BTC ($112 million USD).[62]

There was also a threat to release Fulton County documents relating to court cases involving Donald Trump if the ransom wasn't paid.[63][64]

On 21 May 2024, LockBit claimed responsibility for an attack on the corporate offices of Canadian retail chain London Drugs, demanding a payment of $25 million.