LockBit ransomware [2] [3] [4] [5], specifically LockBit 3.0, is identified as the primary digital extortion threat globally [4] [5], affecting almost all industries worldwide [2] [5]. It remains the most active threat group [3], with the highest number of victims compared to other groups [3].


According to a report by ZeroFox [2] [4] [5], LockBit ransomware accounted for over a quarter of global ransomware and digital extortion attacks from January 2022 to September 2023 [2] [4] [5]. In Europe [2] [5], LockBit accounted for 30% of these attacks [2] [5], while in North America it was responsible for 25% [2]. The deployment of LockBit ransomware is now happening within one day of initial access in over half of all engagements [3], with some cases seeing ransomware unleashed within just five hours [3]. LockBit has historically been less deployed in North America but is expected to increase to 50% by the end of 2023 [5]. LockBit was particularly prevalent in Europe [5], accounting for 43.41% of attacks in Q1 2022 [5], decreasing to 28.48% in Q3 2023 [5]. However, its overall proportion of attacks is decreasing due to the diversification of the ransomware landscape [5]. Despite the decline [5], LockBit remains a significant threat to all industries globally [5].

LockBit is known for its speed of compromise and self-propagation capabilities [5]. It has been behind high-profile attacks on companies like Royal Mail [5], Boeing [5], and the Industrial and Commercial Bank of China (ICBC) [5]. The majority of victims of LockBit ransomware attacks are located in the United States [1], followed by the UK and France [1]. Industries specializing in industrial equipment [1], robotics [1], automation [1], heavy construction [1], automotive [1], electronics [1], and chemical manufacturing are frequently targeted [1]. This is because threat actors perceive the manufacturing sector as less sophisticated in cybersecurity and more likely to pay a ransom due to the potential impact on production lines [1]. Trustwave SpiderLabs also highlights the danger of supply chain attacks and the convergence of operational technology (OT) and information technology (IT) in the manufacturing sector.

LockBit affiliates have expanded their targets to include organizations in professional services, education [4] [5], and the financial sector [4] [5], focusing on those more likely to pay ransom demands [4]. The report also highlights the emergence of new and highly active threat groups such as MalasLocker, 8BASE [3], and Akira [3]. The primary initial access vectors observed in ransomware engagements are scan-and-exploit [3], stolen credentials [3], and commodity malware via phishing emails [3]. Unpatched infrastructure remains a significant factor in successful attacks [3]. The report also delves into the activities of state-sponsored threat groups from China [3], Russia [3], Iran [3], and North Korea [3], highlighting their specific targets and tactics [3]. The report emphasizes the critical need for organizations to prioritize good cybersecurity hygiene and proactive measures to stay ahead of evolving threats [3].


LockBit ransomware poses a significant threat to all industries globally [5], with its high number of victims and speed of compromise. The manufacturing sector [1], in particular [5], is targeted due to perceived vulnerabilities and potential impact on production lines. The report also highlights the emergence of new threat groups and the importance of good cybersecurity hygiene. Organizations [3] [4] [5], especially those in manufacturing, are encouraged to study the findings of the report to better understand the cyber threats they face and prioritize proactive measures to mitigate risks.


[1] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-spiderlabs-report-lockbit-3-0-ransomware-vs-the-manufacturing-sector/
[2] https://aboutdfir.com/infosec-news-nuggets-12-06-2023/
[3] https://blog.knowbe4.com/ransomware-threat-report-2023
[4] https://www.infosecurity-magazine.com/news/lockbit-top-ransomware-threat/
[5] https://ciso2ciso.com/lockbit-remains-top-global-ransomware-threat-source-www-infosecurity-magazine-com/