LockBit ransomware operation functions with a Ransomware-as-a-Service (RaaS) model where recruited affiliates conduct ransomware attacks using LockBit ransomware tools and infrastructure. Due to many unconnected affiliates in operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs).

This Cybersecurity Advisory details observed activity in LockBit ransomware incidents and provide recommended mitigations to enable network defenders to proactively improve their organization’s defenses against this ransomware operation.