Incident Analysis

LockBit Ransomware and Data Exfiltration: Inside the Most Prolific Ransomware Operation

Between 2020 and February 2024, LockBit was the most prolific ransomware operation in the world. The group and its affiliates conducted over 2,000 attacks globally, extorted more than $120 million in ransom payments, and exfiltrated terabytes of corporate data from organisations including Boeing, ICBC (the world's largest bank), Royal Mail, and the UK Ministry of Defence contractor Zaun. On February 20, 2024, Operation Cronos — a coordinated law enforcement action by 10 countries — seized LockBit's infrastructure. But the group attempted to rebuild within days.

2,000+ attacks. $120M+ in ransoms collected. Taken down by 10 countries in Operation Cronos.

The LockBit Double Extortion Model

LockBit operated as a ransomware-as-a-service (RaaS) platform, recruiting affiliates who conducted the actual attacks using LockBit's ransomware tools, negotiation infrastructure, and leak site. The business model was built on double extortion: affiliates would first exfiltrate sensitive data from the victim's network, then deploy LockBit's encryption payload. Victims faced two simultaneous demands — pay to decrypt their files, and pay to prevent publication of stolen data. LockBit's leak site featured a countdown timer for each victim, creating public pressure and media attention that accelerated payment decisions. Affiliates typically retained 75-80% of ransom payments, with the remainder going to the LockBit developers.

  • Step 1: Initial access — typically via phishing, RDP brute force, or purchased credentials
  • Step 2: Lateral movement and privilege escalation across the victim network
  • Step 3: Data exfiltration — sensitive files transferred to attacker-controlled infrastructure
  • Step 4: Ransomware deployment — LockBit 3.0 encrypts files across the network
  • Step 5: Ransom demand with dual leverage — decryption key AND data deletion
  • Step 6: Leak site countdown — public pressure if payment deadline is missed

Major LockBit Victims and Data Exfiltration

LockBit's victim list reads like a Fortune 500 directory. Boeing confirmed a LockBit attack in November 2023 that resulted in data publication on the leak site after the company refused to pay. ICBC — the Industrial and Commercial Bank of China, the world's largest bank by assets — was hit in November 2023, disrupting US Treasury market settlements. Royal Mail was attacked in January 2023, halting international mail services for weeks. Each of these attacks followed the same pattern: data exfiltration first, encryption second, with the stolen data serving as the primary extortion lever when victims had robust backup and recovery capabilities.

  • Boeing (November 2023): Aerospace data published after non-payment; 43GB leaked
  • ICBC (November 2023): US Treasury operations disrupted; ransom reportedly paid
  • Royal Mail (January 2023): International mail halted for weeks; LockBit demanded $80M
  • Zaun/UK MoD (August 2023): Defence contractor data including military site perimeter security
  • Bangkok Airways (2021): 200GB+ passenger data exfiltrated and published
  • Continental AG (2022): 40TB of automotive engineering data stolen

Operation Cronos: The Takedown

On February 20, 2024, Operation Cronos — coordinated by the UK National Crime Agency, FBI, Europol, and law enforcement agencies from 10 countries — seized LockBit's dark web infrastructure, obtained over 1,000 decryption keys, and arrested several affiliates. The operation revealed that LockBit had lied to victims: even after ransom payment, LockBit had not deleted stolen data as promised. Law enforcement found full copies of victim data on seized servers, proving that paying the ransom never guaranteed data deletion. Despite the takedown, the LockBit administrator (known as LockBitSupp) attempted to relaunch operations within days, demonstrating the resilience of decentralised ransomware operations.

Why Traditional Security Fails Against LockBit

LockBit affiliates used a wide range of initial access methods — phishing, RDP brute force, exploiting known vulnerabilities, and purchasing credentials from access brokers. No single preventive control could block all entry vectors. Once inside, affiliates used legitimate system administration tools for lateral movement, making detection difficult. The critical failure point in most LockBit incidents was not initial access — it was the inability to detect and block the data exfiltration phase that occurred between access and encryption. BlackFog's anti-data exfiltration technology operates at exactly this phase, blocking unauthorised outbound data transfers regardless of how the attacker gained entry or what tools they use internally.
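As an added illustration of the detection point this section makes (example code written for this page, not BlackFog's product logic or anything from the LockBit incidents), the following Python flags the kind of outbound transfer that sits between initial access and encryption: a host's outbound volume jumping far above its own baseline, or a large transfer to a destination the host never used before. The flow log, host names, IP addresses and thresholds are all constructed for the example.

```python
"""Added example: flag outbound flows that look like the pre-encryption exfiltration phase.
Input is a constructed flow log, one 'ts,src_host,dst_ip,bytes_out' record per line.
Thresholds (hypothetical): >10x a host's baseline daily outbound bytes, or >=100 MB to a
destination the host never contacted during the baseline period."""
from collections import defaultdict

BASELINE_LOG = """\
2024-01-08T09:00:00,ws-fin-07,203.0.113.10,1200000
2024-01-08T10:30:00,ws-fin-07,203.0.113.10,800000
2024-01-08T11:00:00,srv-file-01,198.51.100.5,5000000
2024-01-09T09:15:00,ws-fin-07,203.0.113.10,1500000
2024-01-09T14:00:00,srv-file-01,198.51.100.5,4500000
"""
WINDOW_LOG = """\
2024-01-10T02:10:00,srv-file-01,192.0.2.77,900000000
2024-01-10T02:40:00,srv-file-01,192.0.2.77,1200000000
2024-01-10T09:05:00,ws-fin-07,203.0.113.10,1100000
"""

def parse(log):
    """Split the constructed CSV-style log into (ts, host, dst, bytes) tuples."""
    rows = []
    for line in log.splitlines():
        ts, host, dst, nbytes = line.split(",")
        rows.append((ts, host, dst, int(nbytes)))
    return rows

def build_baseline(rows):
    """Per-host average daily outbound bytes, plus the destinations each host used."""
    daily = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for ts, host, dst, nbytes in rows:
        daily[host][ts[:10]] += nbytes   # bucket by calendar day
        dests[host].add(dst)
    avg = {h: sum(d.values()) / len(d) for h, d in daily.items()}
    return avg, dests

def detect_exfil(baseline_rows, window_rows, ratio=10, new_dst_bytes=100_000_000):
    """Return sorted (host, reason, detail) alerts for the window under review."""
    avg, dests = build_baseline(baseline_rows)
    total, per_dst = defaultdict(int), defaultdict(int)
    for _, host, dst, nbytes in window_rows:
        total[host] += nbytes
        per_dst[(host, dst)] += nbytes
    # a host absent from the baseline has avg 0, so any outbound byte is flagged
    alerts = [(h, "volume", n) for h, n in total.items() if n > ratio * avg.get(h, 0)]
    alerts += [(h, "new_destination", d) for (h, d), n in per_dst.items()
               if d not in dests.get(h, set()) and n >= new_dst_bytes]
    return sorted(alerts)
```

In the constructed window, the file server moves roughly 2 GB overnight to an address it has never contacted, which trips both rules, while the finance workstation's ordinary daytime traffic to its usual destination stays silent.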

Frequently Asked Questions

Is LockBit still operational after Operation Cronos?

The LockBit administrator attempted to rebuild after the February 2024 takedown, but activity has been significantly reduced. Law enforcement identified the administrator as Russian national Dmitry Khoroshev and issued sanctions. However, the RaaS model means former affiliates may operate under new banners.

Did paying LockBit's ransom guarantee data deletion?

No. Operation Cronos revealed that LockBit retained victim data on their servers even after ransom payment and confirmation of "deletion." Law enforcement found complete copies of data from organisations that had paid. This confirms that ransom payment never guarantees data destruction.

How does BlackFog defend against LockBit-style attacks?

BlackFog blocks the data exfiltration phase that precedes encryption in every LockBit attack. By preventing stolen data from reaching attacker infrastructure, BlackFog eliminates the double extortion leverage that makes LockBit profitable. Without exfiltrated data, the attack becomes a recoverable encryption event.

Eliminate double extortion leverage with anti-data exfiltration

Kyanite Blue is an authorised BlackFog partner. We deploy, manage, and support ADX for organisations across every sector.


Ready to stop data exfiltration?

Start with a free 30-day BlackFog assessment — 25 devices, no obligation.