The LockBit ransomware group has returned with a new variant, LockBit 5.0, targeting organizations worldwide following disruptions from Operation Cronos in early 2024. In September 2025, researchers identified a dozen victims across Western Europe, the Americas, and Asia, with the new version involved in half of the attacks. Check Point Research confirms active extortion efforts using this multi-platform threat.
LockBit's comeback began subtly but gained momentum in 2025. In May 2025, the group's administrator, LockBitSupp, posted on the RAMP forum: “We always rise up after being hacked.” By August, he announced that the group was “getting back to work.” The official return came at the beginning of September 2025, when LockBitSupp declared the operation's revival on underground forums and started recruiting new affiliates.
This resurgence followed Operation Cronos, a law enforcement effort in early 2024 that disrupted the group. Despite the takedown, LockBit's mature infrastructure, reputation, and affiliate network allowed for quick recovery. The new LockBit 5.0 variant, internally called “ChuongDong,” supports Windows, Linux, and ESXi systems, enabling attacks on hybrid and virtualized environments. About 80% of observed attacks in September targeted Windows, while 20% focused on ESXi and Linux.
Technical upgrades in LockBit 5.0 include stronger anti-analysis mechanisms to hinder forensics, optimized encryption to shorten defender response times, and randomized 16-character file extensions for better evasion. The affiliate control panel now offers enhanced management with individual credentials. New affiliates must deposit around $500 in Bitcoin to access tools. Ransom notes specify LockBit 5.0 and provide personalized negotiation links with a 30-day deadline before data publication.
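The randomized 16-character extension described above is itself a usable detection signal. The following is an added example, not code from the article or from Check Point Research: it flags hosts where many files are renamed to a high-entropy 16-character extension within a short window. The alphanumeric character set, the entropy threshold, the window size, the rename count and the event tuple format are all assumptions, and the sample events are constructed.

```python
import math
import os
import re
from collections import Counter, defaultdict

EXT_LEN = 16                         # extension length stated in the article
ALNUM = re.compile(r"[A-Za-z0-9]+")  # assumption: extension is alphanumeric
MIN_ENTROPY = 3.0                    # assumption: bits/char (max 4.0 for 16 chars)
WINDOW_S = 60                        # assumption: burst window in seconds
MIN_FILES = 5                        # assumption: renames in a window before alerting

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_randomized(path):
    # Only the final extension is inspected, whether it was appended or swapped in.
    ext = os.path.splitext(path)[1].lstrip(".")
    return (len(ext) == EXT_LEN and ALNUM.fullmatch(ext) is not None
            and shannon_entropy(ext) >= MIN_ENTROPY)

def flag_hosts(events):
    """events: iterable of (epoch_seconds, host, old_path, new_path) renames."""
    hits = defaultdict(list)
    for ts, host, old, new in sorted(events):
        if looks_randomized(new) and not looks_randomized(old):
            hits[host].append(ts)
    flagged = set()
    for host, times in hits.items():
        start = 0
        for end, ts in enumerate(times):       # sliding window over sorted times
            while ts - times[start] > WINDOW_S:
                start += 1
            if end - start + 1 >= MIN_FILES:
                flagged.add(host)
                break
    return flagged

# Constructed sample rename events (not real telemetry or real indicators).
EXT = "Zk4pT9wQx2LmB7vR"
SAMPLE = [(1000 + i * 3, "fs01", f"/srv/share/doc{i}.pdf",
           f"/srv/share/doc{i}.pdf.{EXT}") for i in range(6)]
SAMPLE += [
    (1005, "ws17", "C:\\Users\\amy\\notes.tmp", "C:\\Users\\amy\\notes.txt"),
    (1010, "build02", "/tmp/a.o", "/tmp/a.o." + "a" * 16),   # 16 chars, low entropy
    (2000, "esx03", "/vmfs/volumes/ds1/vm1.vmdk", f"/vmfs/volumes/ds1/vm1.vmdk.{EXT}"),
]

if __name__ == "__main__":
    print(flag_hosts(SAMPLE))
```

A single matching rename, as on the constructed `esx03` host, stays below the burst threshold here; on hypervisors, where a handful of disk files is the whole target, a lower `MIN_FILES` is worth considering.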
September's dozen victims mark the start of what may be a larger campaign, as underground activity continues into October. The group's return highlights the resilience of ransomware-as-a-service models against enforcement actions. To counter such threats, organizations need defenses that cover network perimeters, endpoints, and multi-platform detection.