LockBit ransomware has emerged as the dominant threat in the ransomware landscape [1], surpassing Conti as the most active ransomware gang [5]. This article provides a detailed description of LockBit’s operations, targets [2] [4] [5], and impact [1], highlighting the rise in attacks on the healthcare and manufacturing industries.


In the first quarter [5], LockBit had 226 disclosed victims [5], with the manufacturing [3], technology [5], education [5], and public sectors being the most targeted industries [5]. The finance sector also experienced a 40% increase in victims compared to the previous quarter [5]. LockBit operates under a Ransomware-as-a-Service (RaaS) affiliate model [4], using attack vectors such as Remote Desktop Protocol (RDP) access [4], phishing [4], and credential stuffing [4]. Affiliates also exploit vulnerabilities to compromise systems [4].

The healthcare sector has seen a significant increase in ransomware attacks, with 66% of organizations hit in 2021, up from 34% in 2020 [5]. Healthcare organizations are also the most likely to pay the ransom [5], with 61% admitting to doing so [5]. LockBit is responsible for a notable surge in victims in the manufacturing industry, accounting for 41% of attacks in this sector. The healthcare industry has also experienced a rise in victims, targeted primarily by LockBit along with the ALPHV ransomware group.

Ransomware attacks [4] have led to fuel supply shortages, as in the recent Colonial Pipeline incident [4], and to ongoing issues in Ireland’s national health service [4]. LockBit operators encrypt and lock systems [4], demanding payment for a decryption key [4]. They may also steal confidential data and threaten to leak or sell it on the dark web [4]. Ransomware attacks are projected to cost $265 billion worldwide by 2031 [4].

LockBit affiliates target mission-critical systems [4], exfiltrate data [4], and encrypt files with AES keys [4]. Backups are deleted [4], and a ransom note with a link to a .onion website is displayed [4]. The ransom is typically requested in Bitcoin (BTC) [4]; LockBit affiliates ask for an average of $85,000 per victim [4], and a percentage goes to the RaaS operators [4]. Organizations with reported revenue up to $50 million are most vulnerable to these attacks. Furthermore, financial services organizations have seen a 50% year-over-year increase in impacted organizations [1]. The retail industry ranks third in the number of ransomware victims per industry [1].

LockBit and ALPHV are ransomware outfits that have caused havoc by exploiting newly disclosed vulnerabilities before organizations can apply fixes [6]. Examples include the PaperCut vulnerabilities and vulnerabilities in VMware’s ESXi servers [6]. Most of the victims in Akamai’s dataset were small to midsize businesses [6], with manufacturing companies being the most targeted [6], followed by healthcare entities and financial services firms [6].

The use of zero-day and one-day vulnerabilities has contributed to a 143% increase in total ransomware victims between Q1 2022 and Q1 2023 [3]. LockBit has infected thousands of devices worldwide [4], with victims primarily in the software and services sector [4]. Many businesses experience a second ransomware attack after paying the initial ransom [4]. Ransomware remains the top cybersecurity threat [4].


LockBit ransomware has become a significant threat [1] [2], targeting various industries and causing substantial financial and operational damages. The healthcare sector [2] [3] [5], in particular, has been heavily impacted, with organizations facing increased attacks and being more likely to pay the ransom. Mitigating these attacks requires a comprehensive approach, including robust cybersecurity measures, employee training, and timely patching of vulnerabilities. As ransomware attacks continue to evolve and grow in sophistication, organizations must remain vigilant and proactive in their defense strategies to protect against this ongoing cybersecurity threat.


[1] https://www.darkreading.com/attacks-breaches/akamai-research-rampant-abuse-of-zero-day-and-one-day-vulnerabilities-leads-to-143-increase-in-victims-of-ransomware
[2] https://www.ir.akamai.com/news-releases/news-release-details/akamai-research-rampant-abuse-zero-day-and-one-day
[3] https://continuityinsights.com/ransomware-groups-have-evolved-their-tactics
[4] https://www.zdnet.com/article/a-deep-dive-into-the-operations-of-the-lockbit-ransomware-group/
[5] https://venafi.com/blog/ransomware-trends-show-lockbit-most-active-new-tactics-healthcare-hit-hard/
[6] https://www.darkreading.com/threat-intelligence/ransomware-victims-surge-as-threat-actors-pivot-to-zero-day-exploits