LockBit lists nine fresh victims across Europe despite takedown

The LockBit ransomware gang has posted nine new victims to its dark web leak site in a single day, the latest sign that one of the world's most notorious extortion brands is still operating well over a year after an international law enforcement takedown tried to shut it down. The fresh listings, dated July 11, name organizations across Europe, the Middle East, and the Caribbean, adding to a steady drumbeat of activity that has followed the group since its infrastructure was seized in early 2024.

None of the claims have been independently verified. Like all ransomware leak site entries, they are extortion posts made by the attackers themselves, designed to pressure victims into paying, and should be treated as allegations rather than confirmed breaches.

Who LockBit named

The nine victims sit almost entirely outside the United States, a contrast with the US-heavy target lists of other active crews. They span at least eight countries, including the United Kingdom, Germany, France, Spain, Italy, the Netherlands, Jordan, and the Dominican Republic. The named organizations include a British engineering firm, Bancroft Engineering, a Dutch media services company, Media Service Maastricht, a French hotel, and a hotel group in Jordan, alongside several business services and technology companies listed only by their web domains.

The mix skews toward small and mid-sized businesses in construction, hospitality, technology, and professional services, the kind of under-resourced targets that ransomware affiliates increasingly favor because they often lack mature defenses and are more likely to pay quickly.

Why LockBit still matters

LockBit was, for years, the most prolific ransomware operation on the planet, tied to thousands of attacks worldwide. In February 2024, the international Operation Cronos seized the group's servers, exposed its affiliate panel, and identified scores of affiliates, and US authorities later indicted a Russian national, Dmitry Khoroshev, as the group's alleged administrator. Despite that, the LockBit brand never fully disappeared, and the gang has continued to rebuild and post new victims.

A caution on the numbers

Security researchers have repeatedly warned that LockBit's post-takedown victim counts should be read skeptically. After Operation Cronos, investigators found the group had inflated its leak site with recycled, duplicated, and in some cases fabricated entries to project strength it no longer had. A single-day tally of nine, while notable for a supposedly crippled brand, is far smaller than the surges other crews are posting, and some listings may recycle older or unverifiable claims. IntelFusions logged a similar burst of LockBit listings last month, suggesting a low but persistent operational tempo rather than a dramatic comeback.

What defenders should do

Organizations, particularly smaller firms in the sectors LockBit is naming, should treat the group as an active threat. Priorities include enforcing multi-factor authentication on all remote access and VPN gateways, promptly patching internet-facing systems, monitoring for unusual data transfers that can signal exfiltration before encryption, and maintaining tested, offline backups so recovery does not depend on paying a ransom. Any organization that finds its name on a leak site should preserve logs, engage incident responders, and avoid contacting the attackers directly without expert guidance.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions