LockBit Ransomware Claims 3 Victims in 24h

Statistical Overview

Victim Totals

  • This month: 303
  • This quarter: 1848
  • Year to date: 4472
  • Last 24h: 8

Quarterly Breakdown

Q1: 2631 | Q2: 1848 | Q3: 0 | Q4: 0

Ransomware activity continues, with Q2 maintaining its pace at a total slightly lower than Q1's. The last 24 hours show a modest victim count spread across multiple groups.

Introduction

Eight new ransomware victims were recorded in the last 24 hours, showing continued threat activity. LockBit remained the most active group, accounting for three incidents. Other groups, including 3AM, Krybit, Payload, Shadowbyt3s, and Stormous, added to the varied threats. Targets included manufacturing, retail, legal, energy, and media sectors, with affected organizations distributed globally.

Ransomware Summary Table

# | Group | Victims (24h) | Sample Victims | Geos | Sectors
1 | LockBit | 3 | 5deagosto.com.br, abandw.com, eternal.hk | Hong Kong, China | Manufacturing, Retail & Ecommerce
2 | 3AM | 1 | Mgrlaw.com | United States | Legal
3 | Krybit | 1 | Www.mbt-energy.com | China | Energy & Utilities
4 | Payload | 1 | Myipo.gov.my | Malaysia | Legal
5 | Shadowbyt3s | 1 | Nintendo company (nintendo.com) | Japan | Media & Entertainment
6 | Stormous | 1 | Mlit.com.my new | Malaysia | Technology / Software

LockBit reported three victims, mainly impacting manufacturing and retail entities in Hong Kong and China. Shadowbyt3s targeted a Japanese video game and electronics company. Groups 3AM, Krybit, Payload, and Stormous each accounted for one victim. These collectively affected legal services, energy & utilities, and technology sectors in the United States, China, and Malaysia.

Victim Distribution

By Country

  • China: 2
  • Malaysia: 2
  • Brazil: 1
  • Hong Kong: 1
  • Japan: 1
  • United States: 1

By Industry

  • Automotive Parts Distribution: 1
  • Manufacturing: 1
  • Renewable Energy: 1
  • Retail and Distribution: 1
  • Video Games and Electronics: 1
  • Information Technology and Services: 1
  • Intellectual Property Services: 1
  • Legal Services: 1

The victim distribution shows a geographic spread, with China and Malaysia each experiencing two incidents. Brazil, Hong Kong, Japan, and the United States each had one. By industry, ransomware operators target many sectors, from automotive parts and manufacturing to renewable energy, retail, legal services, and the video games industry.

Ransomware News

Topline

Law enforcement efforts against ransomware infrastructure and operators have had recent successes, including a crypto-laundering service takedown and a guilty plea from a Conti ransomware group member.

Campaigns & Operations

An international law enforcement operation, coordinated by the US Secret Service, IRS Criminal Investigation, Polish Police, Europol, and Eurojust, dismantled AudiA6, a crypto-laundering platform. This service laundered over EUR 336 million for various criminal groups, including ransomware operators, between 2022 and 2025. The operation arrested two administrators in Georgia and seized infrastructure. Separately, Oleksii Lytvynenko, a member of the Conti ransomware group, pleaded guilty to conspiracy to commit wire fraud. Lytvynenko admitted involvement in attacks impacting over 1,000 victims and extorting more than $150 million.

Vulnerabilities & TTPs

The AudiA6 platform used thousands of fraudulent exchange accounts, opened with stolen or purchased identities, to obscure transactions. This gave ransomware operators a rapid method for asset conversion. Lytvynenko's activities within Conti involved developing malware used in widespread attacks, showing a persistent threat from established ransomware groups and their changing tactics.

Analyst Note

These actions demonstrate ongoing international efforts to disrupt ransomware operations by targeting their technical infrastructure and the individuals involved.

Technical Takeaways

  • LockBit is active, with three new victims in manufacturing and retail sectors.
  • Ransomware targets are geographically varied, with incidents in Asia, Europe, and the Americas.
  • Shadowbyt3s targeted a video game company in the media and entertainment sector. This shows varied impact on organizations.
  • Smaller ransomware groups (3AM, Krybit, Payload, Stormous) add to the threats, each with single victim counts.
  • Victim industries cover many types, from critical sectors like energy to services like legal and intellectual property. This indicates opportunistic targeting.