Aevora


LockBit 5.0 Ransomware

Ransomware continues to be one of the most disruptive cyber‑threats in 2025. Well‑resourced groups like LockBit operate as ransomware‑as‑a‑service (RaaS) platforms, renting their malware to affiliates and sharing profits. This blog presents a clear overview of ransomware, traces LockBit from its early days to the latest LockBit 5.0, explores statistics that underscore the threat’s scale, and closes with practical defenses.

Understanding Ransomware

Ransomware is malicious software that encrypts a victim’s files, systems or both and demands payment to decrypt them. Modern families use “double extortion”; they exfiltrate sensitive data and threaten to publish it unless a ransom is paid. Beyond the immediate loss of access to critical systems, victims often suffer operational downtime, lost revenues and reputational harm.

RaaS groups like LockBit provide ready‑made encryption tools, command‑and‑control panels and leak sites to affiliates. This business model lowers the barrier to entry for criminals and widens the pool of attackers.

The LockBit Timeline – From ABCD to 5.0

LockBit’s history shows continuous innovation and resilience. Key developments include:

  • ABCD Ransomware to LockBit (Sept 2019 – Jan 2020) – The group originally appeared as ABCD ransomware, then launched the first LockBit‑branded malware on Russian‑language forums in January 2020. It adopted a RaaS model, splitting proceeds with affiliates.
  • LockBit 2.0/LockBit Red (June 2021) – In June 2021, LockBit released version 2.0, sometimes called LockBit Red, which emphasized double extortion and faster encryption. SentinelOne’s analysis notes that the group introduced the StealBit exfiltration tool and later released Linux variants targeting VMware ESXi servers. LockBit 2.0 quickly became a leading threat, using tools such as Cobalt Strike and leveraging vulnerabilities to spread laterally.
  • LockBit Linux‑ESXi Locker 1.0 (Oct 2021) – LockBit expanded into Linux/VMware environments with a specialized ESXi encryptor, enabling affiliates to cripple virtualization infrastructure.
  • LockBit 3.0/LockBit Black (March–June 2022) – In early 2022, LockBit unveiled version 3.0, also called LockBit Black. According to SentinelOne, the new version debuted a bug‑bounty program inviting people to report vulnerabilities, introduced support for Zcash payments, and improved management and anti‑analysis features. The 3.0 builder was leaked in September 2022, allowing unaffiliated actors to spin off their own variants. LockBit 3.0 continues to use AES‑256 and ECC encryption and practices triple extortion (data theft, encryption and threats of DDoS or harassment).
  • LockBit Green (January 2023) – Intelligence agencies note that LockBit introduced a Green variant incorporating code from the disbanded Conti ransomware. This version further strengthened obfuscation and encryption techniques.
  • Expansion to macOS (April 2023) – Researchers detected LockBit builds targeting macOS systems, highlighting the group’s willingness to attack new platforms.
  • Operation Cronos and LockBit takedown (Feb 2024) – An international task force led by the UK’s National Crime Agency seized more than 30 LockBit servers and over 200 cryptocurrency accounts, and released a hundred decryption keys to victims. The operation, dubbed Cronos, disrupted LockBit’s infrastructure and exposed its StealBit tool. Authorities estimate that LockBit extorted $90–110 million from roughly 3,000–3,500 victims before the takedown.
  • LockBit 4.0 (LockBit‑NG‑Dev) – Evidence uncovered during Operation Cronos suggested that LockBit was working on an unreleased 4.0 variant known as LockBit‑NG‑Dev. This code base would later inform the design of LockBit 5.0.
  • LockBit 5.0 (Sept 2025) – Following the disruption, the group resurfaced with LockBit 5.0. Trend Micro’s analysis indicates that the new version includes Windows, Linux and ESXi encryptors using heavy obfuscation, DLL‑reflection payload loading and anti‑forensics techniques. Key features include randomized 16‑character file extensions and routines to avoid systems configured for Russian language or geolocation. The group announced the release on its sixth anniversary; the analysis shows LockBit 5.0 to be an evolution of the 4.0 code base.
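The randomized 16‑character extension is one of the few LockBit 5.0 traits above that a defender can turn into a concrete file‑system detection. The script below is an added example written for this post, not code from Aevora or from any of the vendors cited: it scans constructed file‑rename audit records and raises an alert when one host renames many files to the same never‑seen 16‑character extension within a short window. Only the "16 characters" detail comes from the text; the alphanumeric character set, the entropy floor, the 60‑second window and the 25‑file threshold are assumptions chosen for the example, and the record format and sample events are constructed.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption for this example: the randomised extension is exactly 16
# alphanumeric characters after the final dot. Only "16 characters" is taken
# from the LockBit 5.0 description; the character class is assumed.
RANDOM_EXT_RE = re.compile(r"\.([A-Za-z0-9]{16})$")


def shannon_entropy(text: str) -> float:
    """Shannon entropy of `text` in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_extension(path: str, min_entropy: float = 3.0):
    """Return the 16-character extension of `path` if it looks randomly generated
    (pattern match plus at least `min_entropy` bits per character), else None.
    The entropy floor is a constructed threshold: a 16-character extension made
    of a few repeated characters is unlikely to be a random token."""
    match = RANDOM_EXT_RE.search(path)
    if not match:
        return None
    ext = match.group(1)
    return ext if shannon_entropy(ext) >= min_entropy else None


def detect_mass_rename(events, window_seconds: int = 60, threshold: int = 25):
    """Flag hosts that renamed `threshold` or more files to the same random
    16-character extension inside any sliding window of `window_seconds`.

    `events` are dicts with ISO-8601 "ts", "host" and "new_path" keys (a
    constructed shape for a file-rename audit record). Returns one alert per
    (host, extension) carrying the peak number of renames seen in a window."""
    renames = defaultdict(list)
    for ev in events:
        ext = suspicious_extension(ev["new_path"])
        if ext:
            renames[(ev["host"], ext)].append(datetime.fromisoformat(ev["ts"]))

    alerts = []
    for (host, ext), times in renames.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Shrink the window from the left until it spans <= window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"host": host, "extension": ext, "count": peak,
                           "first_seen": times[0].isoformat()})
    return alerts


# Constructed sample events: a 40-file rename burst on ws-017 over 40 seconds,
# plus benign renames on ws-022, including one file that happens to get a
# 16-character extension and must NOT trigger an alert on its own.
_T0 = datetime(2025, 9, 20, 3, 14, 0)
SAMPLE_EVENTS = [
    {"ts": (_T0 + timedelta(seconds=i)).isoformat(), "host": "ws-017",
     "old_path": f"C:\\Shares\\Finance\\q3_{i:03d}.xlsx",
     "new_path": f"C:\\Shares\\Finance\\q3_{i:03d}.xlsx.q7Lm2xZ9pR4vB8kT"}
    for i in range(40)
] + [
    {"ts": "2025-09-20T03:14:05", "host": "ws-022",
     "old_path": "C:\\Users\\amy\\draft.docx", "new_path": "C:\\Users\\amy\\draft_final.docx"},
    {"ts": "2025-09-20T03:14:09", "host": "ws-022",
     "old_path": "C:\\Users\\amy\\photo.jpeg", "new_path": "C:\\Users\\amy\\photo.jpg"},
    {"ts": "2025-09-20T03:14:30", "host": "ws-022",
     "old_path": "C:\\Temp\\upload.part", "new_path": "C:\\Temp\\upload.a1b2c3d4e5f6a7b8"},
]

if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS):
        print(f"ALERT {alert['host']}: {alert['count']} files renamed to "
              f".{alert['extension']} within 60 s (first seen {alert['first_seen']})")
```

The single‑file case on ws-022 is the reason the check counts renames per (host, extension) rather than alerting on the extension pattern alone: a random‑looking suffix on one temporary file is ordinary, while dozens of files taking the same new suffix within a minute is the encryption loop itself. In practice the events would come from an EDR or file‑server audit feed rather than the inline list.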

LockBit’s Impact and Global Reach

The scale of LockBit’s operations is sobering:

  • 1,700 U.S. victims and $91 million in ransom payments – The 2023 CISA advisory reported that LockBit attacks accounted for 18–23% of ransomware incidents across Australia, Canada and New Zealand and 16% of reported incidents against U.S. state, local and tribal governments. Since 2020, U.S. authorities estimate approximately 1,700 LockBit incidents with around $91 million in ransom payments.
  • Thousands of worldwide attacks – Hive Pro’s research notes that before Operation Cronos, LockBit had inflicted harm on 3,000–3,500 organizations. Its variants have been used to compromise manufacturing, technology, education and engineering sectors, as well as small and medium businesses.
  • Cross‑platform reach – The release of Linux, ESXi and macOS variants illustrates the group’s strategy of attacking multiple environments.

These numbers highlight that LockBit is not a single strain but a continually evolving franchise with global impact.

Ransomware overall continues to surge in scale and cost. The FBI’s 2024 Internet Crime Complaint Center (IC3) report recorded more than 3,156 ransomware complaints and noted that ransomware remained the most pervasive threat to critical infrastructure. The report estimates $16.6 billion in cybercrime losses in 2024; the FBI distributed thousands of decryption keys to victims, preventing over $800 million in ransom payments. Reported losses specifically attributed to ransomware reached about $12.4 million, although the FBI warns that these figures are under‑reported and exclude downtime and recovery costs.

Independent analyses suggest the true economic toll is far higher. Cybersecurity Ventures projects global ransomware damage costs of $57 billion per year by 2025, rising to over $20 billion per month by 2031. Mimecast notes that 64% of organizations hit by ransomware choose not to pay, relying instead on backups and incident response. Sector‑specific impacts include:

  • Healthcare: By mid‑2025, 54% of healthcare organizations reported ransomware incidents, with average ransom payments around $115,000.
  • Government: About 34% of government entities were hit in 2024, facing average recovery costs of $2.83 million.
  • Critical Infrastructure: Approximately 28% of attacks targeted critical infrastructure sectors like energy and transportation.
  • Small and Medium Businesses: SMBs are frequent victims; 88% of incidents involve these organizations. Average ransom demands across industries reached $2.2 million in 2024.

These metrics underscore that ransomware is a systemic threat affecting organizations of all sizes.

Defending Against Ransomware

While ransomware continues to evolve, organizations and individuals can take concrete steps to reduce the risk and impact of attacks.

1. Prepare and Maintain Resilient Backups

  • Offline encrypted backups – Keep recent backups disconnected from the network to prevent ransomware from encrypting them. CISA recommends maintaining offline, encrypted backups and periodically testing recovery.
  • Golden images – Preserve hardened, immutable images of critical systems and applications so they can be rebuilt quickly after an incident.

2. Reduce Attack Surfaces

  • Patch and update – Apply security updates promptly, especially for widely exploited vulnerabilities like ZeroLogon and PrintNightmare. LockBit has exploited these in past campaigns.
  • Secure remote access – Disable unused RDP and VPN access, enforce multi-factor authentication and use network segmentation to isolate high‑value systems.
  • Harden virtualization platforms – Given LockBit’s targeting of ESXi and other hypervisors, ensure management interfaces are not exposed to the internet, use unique credentials and apply vendor security advisories.

3. Implement Robust Detection and Response

  • Endpoint protection and EDR – Use modern endpoint detection and response (EDR) solutions that employ behavior‑based detection to catch encryption attempts. Tools like SentinelOne’s Singularity XDR platform can detect and block LockBit variants.
  • Network monitoring – Monitor for lateral movement, unusual data exfiltration and command‑and‑control traffic. LockBit affiliates often use tools such as Cobalt Strike, Empire and Metasploit.
  • Incident response plan – Prepare a response playbook that includes isolating affected systems, contacting law enforcement and engaging recovery partners. Familiarize staff with how to report incidents via official portals (e.g., the FBI’s IC3 portal).
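Two of the network signals named above, command‑and‑control traffic and unusual data exfiltration, can be checked with simple statistics over outbound connection records. The script below is an added example for this post, not code from Aevora, CISA or any vendor mentioned: it parses a constructed connection‑log format (one line per outbound connection with timestamp, source, destination, port and bytes sent; not any real product’s format), flags flows whose connection gaps are almost constant, which is the shape of a periodic implant check‑in, and flags source/destination pairs that sent an unusually large volume. The log lines, the documentation‑range IP addresses, the minimum of 8 connections, the coefficient‑of‑variation cut‑off of 0.1 and the 500 MiB egress threshold are all constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format for this example (not any vendor's): one outbound
# connection per line with timestamp, source, destination, port and bytes sent.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def parse_conn_log(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "bytes_out": int(m["bytes"]),
        })
    return records


def find_beacons(records, min_conns: int = 8, max_cv: float = 0.1):
    """Flag (src, dst, dport) flows whose inter-connection gaps are nearly constant:
    at least `min_conns` connections and a coefficient of variation (population
    std / mean of the gaps) below `max_cv`. Thresholds are constructed values."""
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    beacons = []
    for (src, dst, dport), times in by_flow.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:  # all connections at the same instant: not a periodic pattern
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv < max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "connections": len(times),
                            "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return beacons


def find_bulk_egress(records, threshold_bytes: int = 500 * 1024 * 1024):
    """Sum bytes sent per (src, dst) pair and flag pairs at or above `threshold_bytes`."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["src"], r["dst"])] += r["bytes_out"]
    return [{"src": s, "dst": d, "bytes_out": b}
            for (s, d), b in totals.items() if b >= threshold_bytes]


# Constructed sample log: 10.0.5.17 checks in with 203.0.113.45 roughly every
# 60 s with small payloads, then pushes ~900 MiB to 198.51.100.77; 10.0.5.22
# shows ordinary, irregular browsing to 198.51.100.8. The last line is malformed.
SAMPLE_LOG = """
2025-09-20T03:10:00 src=10.0.5.17 dst=203.0.113.45 dport=443 bytes_out=1412
2025-09-20T03:11:00 src=10.0.5.17 dst=203.0.113.45 dport=443 bytes_out=1398
2025-09-20T03:12:01 src=10.0.5.17 dst=203.0.113.45 dport=443 bytes_out=1420
2025-09-20T03:12:59 src=10.0.5.17 dst=203.0.113.45 dport=443 bytes_out=1405
2025-09-20T03:14:00 src=10.0.5.17 dst=203.0.113.45 dport=443 bytes_out=1411
2025-09-20T03:15:01 src=10.0.5.17 dst=203.0.113.45 dport=443 bytes_out=1399
2025-09-20T03:16:00 src=10.0.5.17 dst=203.0.113.45 dport=443 bytes_out=1417
2025-09-20T03:17:00 src=10.0.5.17 dst=203.0.113.45 dport=443 bytes_out=1402
2025-09-20T03:17:59 src=10.0.5.17 dst=203.0.113.45 dport=443 bytes_out=1408
2025-09-20T03:19:00 src=10.0.5.17 dst=203.0.113.45 dport=443 bytes_out=1415
2025-09-20T03:10:00 src=10.0.5.22 dst=198.51.100.8 dport=443 bytes_out=2310
2025-09-20T03:10:07 src=10.0.5.22 dst=198.51.100.8 dport=443 bytes_out=880
2025-09-20T03:10:45 src=10.0.5.22 dst=198.51.100.8 dport=443 bytes_out=15020
2025-09-20T03:10:52 src=10.0.5.22 dst=198.51.100.8 dport=443 bytes_out=640
2025-09-20T03:12:10 src=10.0.5.22 dst=198.51.100.8 dport=443 bytes_out=3201
2025-09-20T03:12:11 src=10.0.5.22 dst=198.51.100.8 dport=443 bytes_out=777
2025-09-20T03:15:00 src=10.0.5.22 dst=198.51.100.8 dport=443 bytes_out=9120
2025-09-20T03:17:00 src=10.0.5.22 dst=198.51.100.8 dport=443 bytes_out=410
2025-09-20T03:17:03 src=10.0.5.22 dst=198.51.100.8 dport=443 bytes_out=1250
2025-09-20T03:20:00 src=10.0.5.17 dst=198.51.100.77 dport=443 bytes_out=314572800
2025-09-20T03:26:00 src=10.0.5.17 dst=198.51.100.77 dport=443 bytes_out=314572800
2025-09-20T03:33:00 src=10.0.5.17 dst=198.51.100.77 dport=443 bytes_out=314572800
this line is malformed and is skipped by the parser
""".strip().splitlines()

if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_LOG)
    for b in find_beacons(recs):
        print(f"BEACON {b['src']} -> {b['dst']}:{b['dport']} every ~{b['interval_s']} s "
              f"({b['connections']} connections, cv={b['cv']})")
    for e in find_bulk_egress(recs):
        print(f"BULK EGRESS {e['src']} -> {e['dst']}: {e['bytes_out']} bytes")
```

The beacon test keys on timing regularity rather than on destination reputation, so it also catches call‑backs to infrastructure that no blocklist knows yet; the bulk‑egress test is a volume baseline and will need a per‑host threshold in real networks, since backup agents and file‑sync clients legitimately push large volumes. Both checks are meant to run over the same flow records an EDR or firewall already produces.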

4. Educate and Train Users

  • Security awareness – Train employees to spot phishing and spear‑phishing emails, which remain primary initial attack vectors for LockBit. Encourage reporting of suspicious messages.
  • Simulated phishing tests – Regularly run drills to reinforce best practices and identify users needing additional training.

5. Collaborate and Share Intelligence

  • Information sharing – Participate in industry ISACs and share threat intelligence. Government‑led operations like Operation Cronos highlight the power of cross‑border collaboration in dismantling ransomware gangs.
  • Use official decryptors – Check repositories like the NoMoreRansom project for available decryption tools released by law enforcement.

Conclusion

Ransomware remains a profitable business model for cyber‑criminals, and LockBit is one of the most prolific and adaptive RaaS groups. Its evolution from the 2019 ABCD ransomware to the sophisticated, cross‑platform LockBit 5.0 demonstrates a commitment to innovation and a willingness to exploit new environments. While international operations have disrupted the group, the emergence of LockBit 5.0 shows that threat actors can quickly rebuild.

Understanding the timeline and capabilities of major ransomware families helps defenders prioritize controls and prepare for future developments. By adopting comprehensive prevention, detection and response measures—and by collaborating with law enforcement and peer organizations—individuals and enterprises can reduce the risk of ransomware and build resilience against this ongoing menace.