

NordLocker Report Highlights LockBit’s Increased Ransomware Attacks, Changing Targets

Notorious ransomware gang surpassed its own record in February 2023.

Note: TDWI’s editors carefully choose press releases related to the data and analytics industry. We have edited and/or condensed this release to highlight key information but make no claims as to its accuracy.

The notorious LockBit ransomware group has broken its cyberattack record, carrying out 101 attacks in one month, according to research by NordLocker. In February 2023, the most active ransomware group surpassed its own record and carried out the most monthly attacks since its inception in 2019. As expected, the main target was U.S. companies.

What is LockBit?

LockBit is the most active ransomware group and carries out the most attacks globally. The NordLocker report says the group has carried out more than 1,300 attacks since January 2020, but the most attacks by month occurred in February 2023. The group has doubled its monthly attack record compared to previous months.

The LockBit ransomware group first appeared in September 2019, and since 2021 has quickly become one of the most notorious cyberattack groups in the world. Although the exact origins of the group are not known, it is alleged to have links to Russia.

In just a few months, the group managed to increase its attacks to an average of 60 per month in 2022. In comparison, the second most active group, AlphaVM (Blackcat), carries out an average of 16 attacks per month, which is more than four times fewer than LockBit. Last year, the Federal Bureau of Investigation (FBI) released several warnings about this group and was investigating their activities.

LockBit Targets Shifting

The majority of victims are private and public U.S. companies. Last year, the primary targets were companies in the construction, finance, and technology industries. However, experts have noticed LockBit’s shift to targeting companies in real estate.

“Although some industries are more lucrative for ransomware gangs, no company is completely safe from these ransomware attacks, regardless of their size or industry. In fact, just recently, the Canadian book and music retailer Indigo fell victim to LockBit but refused to pay the group’s ransom,” says Darius Borisas, head of business development for NordLocker.

How Businesses Can Protect Themselves

Borisas explains that by definition, ransomware is a type of malware that restricts users’ access to their files and demands payment. However, how it does that, what kind of payment is requested, and what is encrypted differ greatly. Therefore, business owners are advised to consider implementing best practices for keeping their business protected from ransomware. The best actions to start with are the following:

  • Encourage proper file hygiene, encryption, and backups. File hygiene and backups can't stop cyberattacks, but they give the company leverage. Even if a company becomes a target for ransomware, the ability to restore data immediately will guarantee business continuity. Plus, if the files are encrypted, the information will be unreadable to hackers.
  • Encourage cybersecurity training. Investing in your employees’ knowledge is the most cost-effective way to protect your organization from ransomware because 82% of cyberattacks happen due to human error. Training should be organized regularly and have a holistic approach that includes every employee.
  • Keep software updated. Most cyberattacks use either social engineering to exploit the flaws in human nature or malware that takes advantage of outdated software. Make sure everyone at the company understands how important it is to keep software up to date.
  • Adopt zero-trust network access, meaning that every access request to digital resources by a staff member should be granted only after their identity has been appropriately verified.


Data was collected from publicly available blogs where ransomware gangs post the names of their victims and their demands. The ransomware attacks under investigation all happened between 01/01/2020 and 02/28/2023.
