LockBit Ransomware Group Returns with New Version

  • LockBit ransomware group has officially returned after being disrupted in early 2024.
  • The group has launched a new variant, LockBit 5.0, and is actively recruiting affiliates.
  • Multiple organizations were targeted in September 2025 with both LockBit 5.0 and LockBit Black.
  • Attacks span multiple continents and affect both Windows and Linux systems.
  • The group’s return signals a potential recentralization of the ransomware-as-a-service ecosystem.

What Happened

Image: Operation Cronos by Europol

Just months after a significant disruption during Operation Cronos, the prominent LockBit ransomware group has re-established its operations. Check Point Research has confirmed the group’s return and identified new victims extorted by its revived infrastructure. This resurgence includes the unveiling of a new variant, LockBit 5.0, internally codenamed “ChuongDong.”

What’s New / Why It Matters

The rapid reappearance of LockBit highlights the resilience and adaptability of sophisticated ransomware operations. The group’s return, complete with a new encryptor and a renewed call for affiliates, poses an immediate and significant threat to organizations worldwide. LockBit’s Ransomware-as-a-Service (RaaS) model, which relies on recruiting external actors to carry out attacks, appears to have successfully reactivated its affiliate network.

This development is particularly concerning given LockBit’s previous dominance. Before its disruption, LockBit was responsible for a substantial portion of all ransomware-related data leak site postings. Its comeback could lead to a recentralization of the underground cybercrime ecosystem, consolidating power under a single, experienced threat actor.

Impact

Throughout September 2025, Check Point Research observed a dozen organizations falling victim to the revived LockBit operation. Approximately half of these victims were infected with the new LockBit 5.0 variant, while the others were targeted with LockBit Black. The attacks have a global reach, affecting entities in Western Europe, the Americas, and Asia. Importantly, the group is targeting both Windows and Linux systems, including ESXi environments, indicating a broad operational scope and a significant expansion of its attack surface.

What’s New in LockBit 5.0

LockBit 5.0 introduces several updates designed to enhance its operational capabilities, security, and stealth. Key improvements include:

  • Affiliate Control Panel: An improved management interface for affiliates, featuring individualized credentials for enhanced security and access control.
  • Exclusivity Model: To join, affiliates are required to deposit approximately $500 in Bitcoin for access to the control panel and encryptors. This model aims to maintain exclusivity and vet participants, potentially reducing the number of less skilled actors.
  • Updated Ransom Notes: New ransom notes now explicitly identify themselves as LockBit 5.0 and include personalized negotiation links. Victims are given a 30-day deadline before their stolen data is published, a common tactic to pressure victims into payment.

How to Protect Yourself

  1. Maintain Up-to-Date Systems: Ensure all operating systems, applications, and security software are patched and updated regularly to close known vulnerabilities.
  2. Implement Robust Endpoint Detection and Response (EDR): Deploy advanced EDR solutions that can detect and respond to suspicious activities indicative of ransomware.
  3. Strengthen Network Segmentation: Segment networks to limit the lateral movement of ransomware if an initial infection occurs.
  4. Regular Data Backups: Conduct frequent, tested backups of critical data and store them offline or in immutable storage so that ransomware cannot encrypt them.
  5. User Awareness Training: Educate employees about phishing attempts and social engineering tactics, which are common entry vectors for ransomware.
  6. Security Monitoring: Enhance security monitoring capabilities to detect early signs of compromise and unusual network traffic patterns.

Techswire’s Take

The swift return of LockBit, a group previously thought to be significantly crippled, serves as a stark reminder of the persistent and evolving nature of cyber threats. Its ability to reconstitute operations and deploy new variants so quickly underscores the challenges faced by law enforcement in dismantling these global criminal enterprises. The group’s mature RaaS model and broad platform support suggest it will remain a formidable threat, demanding continuous vigilance and advanced security strategies from organizations.
