Forensic investigations of machines attacked by LockBit affiliates show that threat groups will often first try to identify “mission-critical” systems including NAS devices, backup servers, and domain controllers.