LockBit - SparTech Software

LockBit is a ransomware-as-a-service (RaaS) operation that emerged in 2019 and quickly became one of the most prolific and damaging ransomware groups globally. Its business model relies on leasing ransomware infrastructure—malware, payment portals, and leak sites—to affiliates, who then carry out attacks and share ransom proceeds with the core group. LockBit’s double-extortion tactics, encrypting data and threatening public leaks, have targeted sectors including healthcare, education, and critical infrastructure.

By 2022, LockBit was responsible for 44% of all ransomware incidents worldwide and was the most widely deployed ransomware variant, according to U.S. government agencies. In the U.S. alone, LockBit was used in about 1,700 attacks from 2020 to 2023, with $91 million paid in ransoms. Its cumulative ransom demands have reached into the hundreds of millions of dollars.

Glossary: SafePay ransomware group
SafePay is an cybercrime group first documented in late 2024, quickly establishing itself as a significant threat in the ransomware landscape. The group is notable for its rapid deployment and aggressive tactics, targeting organizations across multiple sectors including business services, retail, education, manufacturing, government, and healthcare.
Should you pay the ransomware demands now or a class-action lawsuit later? The decision is not as simple as you may think.
AT&T agreed to a $177 million settlement to resolve class action lawsuits stemming from two major data breaches, far greater than the estimated $800 thousand ransomware demand. So why did AT&T choose to refuse the cybercriminals' demands?
Why are once-dominant ransomware gangs collapsing at such a rapid pace?
The ransomware landscape is experiencing unprecedented turbulence in 2025, characterized by the rapid collapse of once-dominant groups, hostile takeovers, and internal betrayals. This upheaval has exposed deep instability within the cybercriminal ecosystem, as major ransomware-as-a-service (RaaS) outfits such as RansomHub, LockBit, Everest, and BlackLock have faced abrupt shutdowns, operational failures, and even public defacements of their dark web infrastructure. What brought these powerful groups to their knees?
Ransomware Turf War: DragonForce Targets UK Retail Giants Amid Escalating Feud with RansomHub
In the ever-evolving landscape of cybercrime, a new rivalry is reshaping the ransomware ecosystem. DragonForce, a group with roots in hacktivism, has rapidly transformed into a formidable ransomware-as-a-service (RaaS) cartel, recently launching high-profile attacks on prominent UK retailers including Marks & Spencer (M&S), Harrods, and the Co-op. This surge in activity coincides with a public and aggressive turf war against rival group RansomHub.
SparTech Software – Cybersecurity News Bytes (July 22, 2025 1:21 PM)

United States	~59% of ransomware attacks globally Thousands per year
Poland	1,000+ per week
Russia	Highest cybercrime threat level
China	Thousands per year
India	115% surge in attacks Q2 2024
Ukraine	Significant surge since 2022
Brazil	Among top countries for blocked attacks
Mexico	65% of businesses hit in 2024
Germany	High targeted rate (EU)
France	High targeted rate (EU)

AS Name	ASN
Bharat Sanchar Nigam Ltd	9829
No.31,Jin-rong Street	4134
CHINA UNICOM China169 Backbone	4837
DigitalOcean, LLC	14061
HUAWEI INTERNATIONAL PTE. LTD.	136907
Amazon.com, Inc.	14618
Alibaba (US) Technology Co., Ltd.	45102
Google LLC	396982
Amazon.com, Inc.	16509
3xK Tech GmbH	200373

IP Address	Notable Exploits/Context
104.238.159.149	SharePoint zero-day, broad exploitation
107.191.58.76	SharePoint zero-day, government targets
96.9.125.147	SharePoint, previously Ivanti exploits
139.162.47.194	Exploits on CitrixBleed 2
38.180.148.215	CitrixBleed 2 campaigns
185.224.128.17	High activity, Netherlands
89.248.163.200	High activity, Netherlands
15.235.218.150	Associated with APT, active C2
45.9.148.114	Associated with C2, malicious netflow
91.107.150.184	C2 infrastructure, recent IoC

Related