LockBit leads ransomware operations this summer, with Threatpost data showing the group executing more attacks than any competitor. Two splinter factions derived from the defunct Conti ransomware operation follow as secondary threats.

LockBit's dominance reflects both operational scale and infrastructure resilience. The group maintains active command-and-control networks, negotiation channels, and leak sites. Conti's fragmentation into successor groups dilutes but does not eliminate the threat. Former Conti operators integrated into LockBit and rival organizations, preserving tactics and targeting patterns established under the original banner.

Defenders should prioritize detection of LockBit's known initial access vectors. The group exploits unpatched edge devices, weak credentials, and misconfigured cloud storage. Network segmentation limits lateral movement. Multi-factor authentication blocks credential-based entry. Backup isolation prevents encryption from cascading across critical systems.

Threat intelligence on LockBit leak site activity indicates that financial services, healthcare, and manufacturing remain primary targets. Ransom demands average $2-20 million, depending on victim organization size and operational disruption tolerance. Organizations that maintain offline backups and incident response playbooks reduce payment leverage considerably.