LOCKBIT 20

RANSOMWARE

LockBit 20 primarily targets large enterprises and critical infrastructure sectors such as healthcare, manufacturing, and financial services, leveraging their extensive operational capabilities to maximize disruption and ransom demands. The group's initial access vector is often through phishing campaigns or exploiting unpatched vulnerabilities, though specific details on the exact methods remain elusive. Once inside a network, LockBit 20 employs double extortion tactics by exfiltrating sensitive data before encryption, threatening public release unless ransoms are paid. This approach distinguishes them from other ransomware actors, as they prioritize comprehensive network infiltration and data theft to exert pressure on victims.

Analyzing the technical footprint of LockBit 20 reveals a preference for critical vulnerabilities, with six CRITICAL severity CVEs in their arsenal. However, without confirmed exploitation details, it is challenging to pinpoint specific vulnerability categories like RCE or authentication bypass that they exploit. The absence of tools and malware identification limits insights into their operational sophistication but suggests a reliance on established ransomware frameworks rather than bespoke software development. Defenders should prioritize timely patching of known vulnerabilities and robust network segmentation to mitigate the risk of lateral movement within compromised networks, thereby reducing the group's ability to achieve comprehensive data exfiltration and encryption objectives.

Predicted CVEs (15) CORRELATION

How does prediction work?

Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.

CVE-2021-44228 CRITICAL Apache Software Foundation Apache Log4j2 high 10.0 CVE-2021-44228 CRITICAL Apache Software Foundation Apache Log4j2 predicted 10.0 CVE-2021-22986 CRITICAL F5 BIG-IP and BIG-IQ Centralized Management high 9.8 CVE-2023-27350 CRITICAL PaperCut NG predicted 9.8 CVE-2023-27350 CRITICAL PaperCut NG high 9.8 CVE-2025-10035 CRITICAL Fortra GoAnywhere MFT predicted 9.8 CVE-2021-22986 CRITICAL F5 BIG-IP and BIG-IQ Centralized Management predicted 9.8 CVE-2023-3519 CRITICAL Citrix NetScaler ADC predicted 9.8 CVE-2021-45046 CRITICAL Apache Software Foundation Apache Log4j predicted 9.0 CVE-2023-4966 HIGH Citrix NetScaler ADC predicted 7.5 CVE-2023-4966 HIGH Citrix NetScaler ADC high 7.5 CVE-2023-0669 HIGH Fortra Goanywhere MFT predicted 7.2 CVE-2023-0669 HIGH Fortra Goanywhere MFT high 7.2 CVE-2020-1472 MEDIUM Microsoft Windows Server version 2004 high 5.5 CVE-2020-1472 MEDIUM Microsoft Windows Server version 2004 predicted 5.5