A threat actor that uses any method available to compromise a network. These may include buying access to an already compromised network from “access brokers,” exploiting unpatched software bugs, and even paying for insider access and using exploits for previously unknown zero-day flaws. After compromising a network, LockBit uses penetration-testing tools to escalate privileges and use multiple tools to exfiltrate data (to threaten victims with a leak if they don’t pay) before encrypting files. LockBit always leaves a ransom note with instructions for how to obtain the decryption key. Also known as LockBit 2.0 and LockBit3.