Inside LockBit: Technical, Behavioral, and Financial Anatomy of a Ransomware Empire
Felipe Castaño, Constantinos Patsakis, Francesco Zola, Fran Casino

TL;DR
This paper provides a comprehensive analysis of LockBit ransomware, detailing its technical evolution, behavioral tactics, negotiation strategies, and financial laundering patterns, revealing its sophisticated and resilient criminal infrastructure.
Contribution
It offers the first detailed reconstruction of LockBit's technical, behavioral, and financial operations using leaked data, mapping tactics to MITRE ATT&CK and analyzing ransom payment flows.
Findings
LockBit has evolved significantly since 2019, with increased technical hardening.
Negotiation chat analysis reveals a consistent interaction playbook.
Ransom payments are split between retained profits and laundering through exchanges.
Abstract
LockBit has evolved from an obscure Ransomware-as-a-Service newcomer in 2019 to the most prolific ransomware franchise of 2024. Leveraging a recently leaked MySQL dump of the gang's management panel, this study offers an end-to-end reconstruction of LockBit's technical, behavioral, and financial apparatus. We recall the family's version timeline and map its tactics, techniques, and procedures to MITRE ATT&CK, highlighting the incremental hardening that distinguishes LockBit 3.0 from its predecessors. We then analyze 51 negotiation chat logs using natural-language embeddings and clustering to infer a canonical interaction playbook, revealing recurrent rhetorical stages that underpin the double-extortion strategy. Finally, we trace 19 Bitcoin addresses related to ransom payment chains, revealing two distinct patterns based on different laundering phases. In both cases, a small portion of…
Taxonomy
Topics: Cybercrime and Law Enforcement Studies · Crime, Illicit Activities, and Governance · Advanced Malware Detection Techniques
