Russia-linked cybercriminal brands have emerged as leading architects of global ransomware mayhem. Central among them is LockBit, operating since 2019 as one of the most prolific ransomware-as-a-service (RaaS) outfits. Identified as a “Russia-based” group, LockBit provides software that allows affiliates to deploy attacks under its brand and share in the haul.

LockBit’s Reach and Reputation:
Scale of attacks: Since 2020, LockBit has victimised over 2,500 targets worldwide—spanning critical infrastructure sectors such as healthcare, education, financial services, emergency services, and more—with estimated ransom takings exceeding $500 million.
Double extortion tactics: The group is notorious for stealing large volumes of data before encrypting systems, then threatening to leak it—maximising pressure on victims to comply.
Global footprint: LockBit has been implicated in high-profile incidents impacting Boeing, ICBC, Royal Mail, the NHS, and others.

Law Enforcement Crackdown:
Operation Cronos (Feb 2024): A coordinated international effort led by the UK’s NCA, Europol, and allied law enforcement agencies seized LockBit’s darknet sites, decrypted infrastructure, issued decryptors for victims, and exposed key affiliate data, including financial addresses.
Sanctions & indictments (May 2024): Authorities from the U.S., UK, and Australia sanctioned and indicted Dmitry Yuryevich Khoroshev of Voronezh, Russia—aka “LockBitSupp”—for allegedly serving as LockBit’s creator, developer, and administrator since its launch. He faces over two dozen criminal charges and is subject to asset freezes and travel bans.

Behind the Alias—Khoroshev’s Role:
Operational mastermind: Khoroshev has been identified as the long-standing leader behind LockBit. Investigators say he not only built the infrastructure but also actively recruited affiliates—even rewarding some with $1,000 tattoos of the LockBit logo as tokens of loyalty.
Persistence despite disruption: Although Operation Cronos dented LockBit’s infrastructure in early 2024, the gang continued operations. By late 2024 and into 2025, researchers observed the development of new variants such as LockBit 4.0 and offshoots like SuperBlack.

Broader Russian Cybercrime Landscape:
LockBit is part of a web of Russian-speaking ransomware actors dominating today’s cybercrime ecosystem. Other major players include Clop, Conti, DarkSide, REvil, and Avaddon—each specialising in sophisticated extortion models, malware innovation, and global attacks.
Additionally, groups like Evil Corp have ties to Russian intelligence agencies and have used platforms like LockBit to expand their operations.

LockBit exemplifies the industrialisation of ransomware: a marketplace built on software, loyalty, and escalating threats. With Khoroshev under indictment—and global sanctions in place—the pressure is growing. Yet the rise of successor variants and hosting services like Zservers, which have since themselves been sanctioned, shows just how agile and resilient these networks remain.
