{"id":"https://openalex.org/W7123559691","doi":"https://doi.org/10.1109/ecrime66972.2025.11327742","title":"Inside LockBit: Technical, Behavioral, and Financial Anatomy of a Ransomware Empire","display_name":"Inside LockBit: Technical, Behavioral, and Financial Anatomy of a Ransomware Empire","publication_year":2025,"publication_date":"2025-11-04","ids":{"openalex":"https://openalex.org/W7123559691","doi":"https://doi.org/10.1109/ecrime66972.2025.11327742"},"language":null,"primary_location":{"id":"doi:10.1109/ecrime66972.2025.11327742","is_oa":false,"landing_page_url":"https://doi.org/10.1109/ecrime66972.2025.11327742","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 APWG Symposium on Electronic Crime Research (eCrime)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5017040306","display_name":"Felipe Casta\u00f1o","orcid":"https://orcid.org/0000-0001-9341-5544"},"institutions":[{"id":"https://openalex.org/I4210092551","display_name":"Vicomtech","ror":"https://ror.org/0023sah13","country_code":"ES","type":"facility","lineage":["https://openalex.org/I4210092551"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Felipe Casta\u00f1o","raw_affiliation_strings":["Vicomtech (BRTA),Digital Security Department,Donostia/San Sebastian,Spain"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Vicomtech (BRTA),Digital Security Department,Donostia/San Sebastian,Spain","institution_ids":["https://openalex.org/I4210092551"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5122991658","display_name":"Constantinos Patsakis","orcid":null},"institutions":[{"id":"https://openalex.org/I154757721","display_name":"University of Piraeus","ror":"https://ror.org/02qs84g94","country_code":"GR","type":"education","lineage":["https://openalex.org/I154757721"]}],"countries":["GR"],"is_corresponding":false,"raw_author_name":"Constantinos Patsakis","raw_affiliation_strings":["University of Piraeus,Department of Informatics,Piraeus,Greece"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University of Piraeus,Department of Informatics,Piraeus,Greece","institution_ids":["https://openalex.org/I154757721"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5067556242","display_name":"Francesco Zola","orcid":"https://orcid.org/0000-0002-1733-5515"},"institutions":[{"id":"https://openalex.org/I4210092551","display_name":"Vicomtech","ror":"https://ror.org/0023sah13","country_code":"ES","type":"facility","lineage":["https://openalex.org/I4210092551"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Francesco Zola","raw_affiliation_strings":["Vicomtech (BRTA),Digital Security Department,Donostia/San Sebastian,Spain"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Vicomtech (BRTA),Digital Security Department,Donostia/San Sebastian,Spain","institution_ids":["https://openalex.org/I4210092551"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5013675709","display_name":"Fran Casino","orcid":"https://orcid.org/0000-0003-4296-2876"},"institutions":[{"id":"https://openalex.org/I55952717","display_name":"Universitat Rovira i Virgili","ror":"https://ror.org/00g5sqv46","country_code":"ES","type":"education","lineage":["https://openalex.org/I55952717"]}],"countries":["ES"],"is_corresponding":false,"raw_author_name":"Fran Casino","raw_affiliation_strings":["Universitat Rovira i Virgili,Dept. of Computer Engineering and Mathematics,Catalonia,Spain"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Universitat Rovira i Virgili,Dept. of Computer Engineering and Mathematics,Catalonia,Spain","institution_ids":["https://openalex.org/I55952717"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.75287394,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"13"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12519","display_name":"Cybercrime and Law Enforcement Studies","score":0.5169000029563904,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12519","display_name":"Cybercrime and Law Enforcement Studies","score":0.5169000029563904,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11838","display_name":"Crime, Illicit Activities, and Governance","score":0.334199994802475,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.016300000250339508,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/ransom","display_name":"Ransom","score":0.5307000279426575},{"id":"https://openalex.org/keywords/ransomware","display_name":"Ransomware","score":0.507099986076355},{"id":"https://openalex.org/keywords/payment","display_name":"Payment","score":0.4560999870300293},{"id":"https://openalex.org/keywords/unix","display_name":"Unix","score":0.3905999958515167},{"id":"https://openalex.org/keywords/negotiation","display_name":"Negotiation","score":0.3352000117301941},{"id":"https://openalex.org/keywords/cryptocurrency","display_name":"Cryptocurrency","score":0.33410000801086426},{"id":"https://openalex.org/keywords/timeline","display_name":"Timeline","score":0.31470000743865967},{"id":"https://openalex.org/keywords/outsourcing","display_name":"Outsourcing","score":0.3122999966144562},{"id":"https://openalex.org/keywords/secrecy","display_name":"Secrecy","score":0.30799999833106995}],"concepts":[{"id":"https://openalex.org/C2781426709","wikidata":"https://www.wikidata.org/wiki/Q1414572","display_name":"Ransom","level":2,"score":0.5307000279426575},{"id":"https://openalex.org/C2777667771","wikidata":"https://www.wikidata.org/wiki/Q926331","display_name":"Ransomware","level":3,"score":0.507099986076355},{"id":"https://openalex.org/C145097563","wikidata":"https://www.wikidata.org/wiki/Q1148747","display_name":"Payment","level":2,"score":0.4560999870300293},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.4120999872684479},{"id":"https://openalex.org/C112968700","wikidata":"https://www.wikidata.org/wiki/Q11368","display_name":"Unix","level":3,"score":0.3905999958515167},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.38679999113082886},{"id":"https://openalex.org/C199776023","wikidata":"https://www.wikidata.org/wiki/Q202875","display_name":"Negotiation","level":2,"score":0.3352000117301941},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.334199994802475},{"id":"https://openalex.org/C180706569","wikidata":"https://www.wikidata.org/wiki/Q13479982","display_name":"Cryptocurrency","level":2,"score":0.33410000801086426},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.3294999897480011},{"id":"https://openalex.org/C4438859","wikidata":"https://www.wikidata.org/wiki/Q186117","display_name":"Timeline","level":2,"score":0.31470000743865967},{"id":"https://openalex.org/C46934059","wikidata":"https://www.wikidata.org/wiki/Q61515","display_name":"Outsourcing","level":2,"score":0.3122999966144562},{"id":"https://openalex.org/C2776452267","wikidata":"https://www.wikidata.org/wiki/Q1503443","display_name":"Secrecy","level":2,"score":0.30799999833106995},{"id":"https://openalex.org/C120527767","wikidata":"https://www.wikidata.org/wiki/Q3196867","display_name":"Debt","level":2,"score":0.3027999997138977},{"id":"https://openalex.org/C139043278","wikidata":"https://www.wikidata.org/wiki/Q837171","display_name":"Financial services","level":2,"score":0.30140000581741333},{"id":"https://openalex.org/C148730421","wikidata":"https://www.wikidata.org/wiki/Q141090","display_name":"Encryption","level":2,"score":0.29989999532699585},{"id":"https://openalex.org/C10138342","wikidata":"https://www.wikidata.org/wiki/Q43015","display_name":"Finance","level":1,"score":0.2906999886035919},{"id":"https://openalex.org/C202451310","wikidata":"https://www.wikidata.org/wiki/Q328554","display_name":"Accounts receivable","level":2,"score":0.2870999872684479},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.2825999855995178},{"id":"https://openalex.org/C95457728","wikidata":"https://www.wikidata.org/wiki/Q309","display_name":"History","level":0,"score":0.2777999937534332},{"id":"https://openalex.org/C181622380","wikidata":"https://www.wikidata.org/wiki/Q26911","display_name":"Profit (economics)","level":2,"score":0.27549999952316284},{"id":"https://openalex.org/C313442","wikidata":"https://www.wikidata.org/wiki/Q778556","display_name":"Persona","level":2,"score":0.27300000190734863},{"id":"https://openalex.org/C2780005421","wikidata":"https://www.wikidata.org/wiki/Q151900","display_name":"Money laundering","level":2,"score":0.2718000113964081},{"id":"https://openalex.org/C164516710","wikidata":"https://www.wikidata.org/wiki/Q1166072","display_name":"Financial transaction","level":3,"score":0.26460000872612},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.2644999921321869},{"id":"https://openalex.org/C521491914","wikidata":"https://www.wikidata.org/wiki/Q1929715","display_name":"Webometrics","level":2,"score":0.2599000036716461},{"id":"https://openalex.org/C2777179996","wikidata":"https://www.wikidata.org/wiki/Q911222","display_name":"Mistake","level":2,"score":0.25870001316070557},{"id":"https://openalex.org/C162324750","wikidata":"https://www.wikidata.org/wiki/Q8134","display_name":"Economics","level":0,"score":0.2567000091075897},{"id":"https://openalex.org/C2780378061","wikidata":"https://www.wikidata.org/wiki/Q25351891","display_name":"Service (business)","level":2,"score":0.2565999925136566},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.2563999891281128},{"id":"https://openalex.org/C54750564","wikidata":"https://www.wikidata.org/wiki/Q26643","display_name":"Commerce","level":1,"score":0.25609999895095825},{"id":"https://openalex.org/C127705205","wikidata":"https://www.wikidata.org/wiki/Q5748245","display_name":"Heuristics","level":2,"score":0.2547999918460846}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/ecrime66972.2025.11327742","is_oa":false,"landing_page_url":"https://doi.org/10.1109/ecrime66972.2025.11327742","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 APWG Symposium on Electronic Crime Research (eCrime)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.7143327593803406,"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[{"id":"https://openalex.org/F4320334322","display_name":"HORIZON EUROPE Framework Programme","ror":null}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":20,"referenced_works":["https://openalex.org/W1994130174","https://openalex.org/W2524919294","https://openalex.org/W2795995661","https://openalex.org/W2909824986","https://openalex.org/W2913409763","https://openalex.org/W2955349104","https://openalex.org/W2963532866","https://openalex.org/W3009492331","https://openalex.org/W3127076682","https://openalex.org/W3127103187","https://openalex.org/W4214919535","https://openalex.org/W4322154771","https://openalex.org/W4382603213","https://openalex.org/W4402594166","https://openalex.org/W4404368844","https://openalex.org/W4409139478","https://openalex.org/W4409797216","https://openalex.org/W4411289307","https://openalex.org/W4414909445","https://openalex.org/W6903315026"],"related_works":[],"abstract_inverted_index":{"LockBit":[0,64,179],"has":[1],"evolved":[2],"from":[3,66],"an":[4,32],"obscure":[5],"Ransomware-as-a-Service":[6],"newcomer":[7],"in":[8],"2019":[9],"to":[10,55,81,103,139,157,165,167],"the":[11,25,44,59,93,123,134,144,158],"most":[12],"prolific":[13],"ransomware":[14],"franchise":[15],"of":[16,24,35,122],"2024.":[17],"Leveraging":[18],"a":[19,83,119,181],"recently":[20],"leaked":[21],"MySQL":[22],"dump":[23],"gang\u2019s":[26],"management":[27],"panel,":[28],"this":[29],"study":[30],"offers":[31],"end-to-end":[33],"reconstruction":[34],"LockBit\u2019s":[36],"technical,":[37],"behavioral,":[38],"and":[39,48,53,79,138,196],"financial":[40],"apparatus.":[41],"We":[42,69],"recall":[43],"family\u2019s":[45],"version":[46],"timeline":[47],"map":[49],"its":[50,67],"tactics,":[51],"techniques,":[52],"procedures":[54],"MITRE":[56],"ATT&CK,":[57],"highlighting":[58],"incremental":[60],"hardening":[61],"that":[62,91],"distinguishes":[63],"3.0":[65],"predecessors.":[68],"then":[70],"analyze":[71],"51":[72],"negotiation":[73],"chat":[74],"logs":[75],"using":[76],"natural-language":[77],"embeddings":[78],"clustering":[80],"infer":[82],"canonical":[84],"interaction":[85],"playbook,":[86],"revealing":[87,107],"recurrent":[88],"rhetorical":[89],"stages":[90],"underpin":[92],"double-extortion":[94],"strategy.":[95],"Finally,":[96],"we":[97],"trace":[98],"19":[99],"Bitcoin":[100],"addresses":[101,130,152,163],"related":[102],"ransom":[104,124],"payment":[105],"chains,":[106],"two":[108,150,161],"distinct":[109,168],"patterns":[110],"based":[111],"on":[112,189],"different":[113],"laundering":[114],"phases.":[115],"In":[116],"both":[117],"cases,":[118],"small":[120],"portion":[121],"is":[125,146],"immediately":[126],"split":[127],"into":[128,149],"long-lived":[129],"(presumably":[131],"retained":[132],"by":[133],"group":[135],"as":[136,180],"profit":[137],"finance":[140],"further":[141],"operations)":[142],"while":[143],"remainder":[145],"ultimately":[147],"aggregated":[148],"high-volume":[151],"before":[153],"likely":[154],"being":[155],"sent":[156],"affiliate.":[159],"These":[160],"collector":[162],"appear":[164],"belong":[166],"exchanges,":[169],"each":[170],"processing":[171],"over":[172],"200k":[173],"BTC.":[174],"The":[175],"combined":[176],"evidence":[177],"portrays":[178],"tightly":[182],"integrated":[183],"criminal":[184],"service":[185],"whose":[186],"resilience":[187],"rests":[188],"rapid":[190],"code":[191],"iteration,":[192],"script-driven":[193],"social":[194],"engineering,":[195],"industrial-scale":[197],"cash-out":[198],"pipelines.":[199]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-01-14T00:00:00"}