The infamous LockBit ransomware group has resurfaced with renewed vigor, just months after suffering disruption during Operation Cronos. According to Check Point Research, the group is already making headlines by successfully extorting new victims, with a resurgence that raises alarms among cybersecurity experts.
In September 2025, research from Check Point identified around a dozen organizations as victims of this revitalized operation. Notably, six of these were affected by the new LockBit 5.0 variant, referred to internally as "ChuongDong." This latest wave of attacks spans multiple regions, including Western Europe, the Americas, and Asia, and it targets both Windows and Linux systems, showcasing the expansive reach of LockBit's affiliate network.
"LockBit is back in operation and already extorting new victims," noted a representative from Check Point Research. This assertion confirms that LockBit's infrastructure has been reactivated, leading to a broad variety of attacks.

The comeback was officially announced at the start of September, when LockBit revealed its new version on underground forums and called for new affiliates to join its operations. Speculation about the effectiveness and capabilities of LockBit 5.0 abounds, as it has evolved significantly from its predecessors.
The attacks executed by LockBit 5.0 are diverse in their focus, with about 80% aimed at Windows environments and 20% targeting ESXi and Linux systems. The rapid rise in active victims underscores a well-established Ransomware-as-a-Service (RaaS) model, which has effectively re-engaged its affiliate base in a short period.

Before its disruption in early 2024, LockBit was the dominant player in the RaaS sector, accounting for a significant portion of data-leak site postings. "We always rise up after being hacked," stated LockBitSupp, the group's administrator, hinting at a potential return following the temporary setback. His persistence paid off; by August 2025, he boldly announced the group's return to the field, an assertion that has quickly become a reality.
This resurgence has not been without challenges. While LockBit has regained its footing on the RAMP forum, other communities, like XSS, have remained hesitant about allowing RaaS advertisements. LockBitSupp's recent attempt to re-establish presence in the XSS forum resulted in a failed community vote. "This episode highlights a key tension in today’s underground scene," noted an analyst, emphasizing the dynamic environment and the caution among platforms regarding large ransomware players like LockBit.
LockBit 5.0 introduces several technical and operational enhancements aimed at improving its effectiveness and stealth. Key updates include randomized 16-character file extensions intended to avoid detection, faster encryption processes, and robust anti-analysis mechanisms that complicate forensic investigations. Such updates reflect LockBit’s commitment to staying ahead of cybersecurity defenses.
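For defenders, a randomized extension defeats static extension blocklists but still leaves a behavioural signal: many files on one host gaining a 16-character extension within a short time. The sketch below is an added example, not code from Check Point or from the original article; the rename-event tuple format, the alphanumeric character set, and the window and threshold values are assumptions.

```python
import re
from collections import defaultdict, deque

# Assumption: the 16 characters are ASCII letters/digits; the article gives only the length.
EXT_RE = re.compile(r"\.([A-Za-z0-9]{16})$")

def random_ext(path):
    """Return the trailing 16-character extension of path, or None."""
    m = EXT_RE.search(path)
    return m.group(1) if m else None

def flag_hosts(events, window_s=60, threshold=5):
    """events: time-sorted (epoch_seconds, host, old_path, new_path) rename records.

    Returns {host: time_of_first_alert} for hosts where at least `threshold`
    distinct files gained a 16-character extension within `window_s` seconds.
    Counting files rather than matching one extension value means the check
    does not depend on whether the extension is chosen per run or per file.
    """
    recent = defaultdict(deque)  # host -> deque of (timestamp, original path)
    alerts = {}
    for ts, host, old, new in events:
        # Only renames that introduce a 16-character extension are of interest.
        if random_ext(new) is None or random_ext(old) is not None:
            continue
        q = recent[host]
        q.append((ts, old))
        while q and ts - q[0][0] > window_s:
            q.popleft()  # drop renames that fell out of the sliding window
        if host not in alerts and len({p for _, p in q}) >= threshold:
            alerts[host] = ts
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE = [
    (1000, "ws-01", "/home/a/notes.txt", "/home/a/notes.txt.bak"),
    (1002, "ws-01", "/home/a/x.bin", "/home/a/x.bin.A1b2C3d4E5f6G7h8"),
]
SAMPLE += [
    (1010 + i, "fs-02", f"/srv/share/doc{i}.xlsx",
     f"/srv/share/doc{i}.xlsx.k3Jf9QzP0aLm2Xc{i}")
    for i in range(6)
]

if __name__ == "__main__":
    for host, ts in flag_hosts(SAMPLE).items():
        print(f"ALERT host={host} first_seen={ts}")
```

A single file with a 16-character extension (as on `ws-01` in the sample) does not alert; only the burst on `fs-02` crosses the threshold.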
Additionally, the group has overhauled its affiliate control panel, which now includes individualized credentials for an enhanced management interface. To become part of this exclusive network, affiliates must make an initial deposit of approximately $500 in Bitcoin, a tactic used to vet participants effectively.
Impact and Legacy
As LockBit 5.0 raises the stakes in the ransomware landscape, it poses serious questions for impacted organizations and those responsible for cybersecurity. These developments underscore an ongoing battle between cybercriminals and security measures. With multiple regions vulnerable to its attacks, LockBit's return emphasizes the need for increased vigilance and advanced protective technologies in combating ransomware.
In conclusion, the return of LockBit signals a turning point in the ongoing challenges posed by ransomware. Cybersecurity experts advise organizations affected by such threats to fortify their defenses and remain informed on current trends. The latest developments from LockBit 5.0 are likely to fuel ongoing discussions about the effectiveness of RaaS operations and the strategies necessary to confront them.


