Clankerusecase
Threat-actor profile

🇷🇺 LockBit

🇷🇺 LockBit is a tracked threat actor in the Clankerusecase corpus. Attributed to RU. Primary motivation: Criminal. We map 14 detection use cases to this actor across 52 MITRE ATT&CK techniques, with 7 threat-intel articles citing them. Active in our corpus from 2025-12-11 to 2026-06-11.

Use-case severity: critical 6 · high 1
14 use cases · 7 articles · 52 techniques · 9 IOCs

Known aliases

LockBit · LockBit 2.0 · LockBit 3.0 · LockBit Black · LockBit Green · LockBit 5.0

Top techniques

All other tracked techniques

T1003 · OS Credential Dumping
T1003.001 · LSASS Memory
T1005 · Data from Local System
T1014 · Rootkit
T1027 · Obfuscated Files or Information
T1027.002 · Software Packing
T1027.005 · Indicator Removal from Tools
T1027.009 · Embedded Payloads
T1037.001 · Logon Script (Windows)
T1048 · Exfiltration Over Alternative Protocol
T1052.001 · Exfiltration over USB
T1055 · Process Injection
T1059.001 · PowerShell
T1059.003 · Windows Command Shell
T1059.005 · Visual Basic
T1068 · Exploitation for Privilege Escalation
T1070.004 · File Deletion
T1071 · Application Layer Protocol
T1071.001 · Web Protocols
T1071.004 · DNS
T1098.001 · Additional Cloud Credentials
T1102 · Web Service
T1105 · Ingress Tool Transfer
T1133 · External Remote Services
T1140 · Deobfuscate/Decode Files or Information
T1195.002 · Compromise Software Supply Chain
T1200 · Hardware Additions
T1204.001 · Malicious Link
T1204.002 · Malicious File
T1204.004 · Malicious Copy and Paste
T1218 · System Binary Proxy Execution
T1219 · Remote Access Tools
T1489 · Service Stop
T1490 · Inhibit System Recovery
T1528 · Steal Application Access Token
T1539 · Steal Web Session Cookie
T1543.003 · Windows Service
T1555.003 · Credentials from Web Browsers
T1562.001 · Disable or Modify Tools
T1562.004 · Disable or Modify System Firewall
T1562.006 · Indicator Blocking
T1562.009 · Safe Mode Boot
T1566 · Phishing
T1566.001 · Spearphishing Attachment
T1566.002 · Spearphishing Link
T1566.004 · Spearphishing Voice
T1567 · Exfiltration Over Web Service
T1569.002 · Service Execution
T1657 · Financial Theft

Detection use cases (14)

LockBit (Bitwise Spider) GPO-driven mass deployment from SYSVOL with Defender tampering (AI · profile SΣDD)
LockBit recovery destruction + backup service stop chain prior to encryption (AI · profile SΣDD)
Beaconing — periodic outbound to small set of destinations (Internal)
Network connections to article IPs / domains (Internal)
Asset exposure — vulnerability matches article CVE(s) (Internal)
Remote service execution — PsExec / SMB lateral movement (Internal)
OAuth consent / suspicious app grant (Internal)
Phishing-link click correlated to endpoint execution (Internal)
Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) (Internal)
PowerShell encoded / obfuscated command (Internal)
Ransomware-style mass file rename / extension change (Internal)
LSASS process access / dump (credential theft) (Internal)
RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard (Internal)
Trusted vendor binary / installer launching unusual children (Internal)

Threat-intel articles (7)

Tracked indicators

Domains (1)

business-data-leaks.com

IP addresses (8)

174.169.162.62
176.120.22.127
192.236.146.173
192.236.147.131
192.236.147.138
192.236.154.158
193.141.60.212
64.94.84.97

CVEs (7)

CVE-2024-55591
CVE-2025-32433
CVE-2025-33073
CVE-2026-11645
CVE-2026-20131
CVE-2026-20230
CVE-2026-23479