LockBit is the notorious ransomware gang responsible for running one of the world's most dangerous Ransomware-as-a-Service (RaaS) platforms. Now, LockBit has reportedly returned with LockBit 5.0, a new variant of the group's ransomware that's already in active use.
In early 2024, a task force of law enforcement agencies conducted Operation Cronos, which took down several big pieces of infrastructure from the prolific ransomware group. As an RaaS provider, the group sold tools and software that affiliates could use for their own hacking operations. It was seen as a major victory at the time. Well over a year later, it seems LockBit is back and, according to a technical analysis by Trend Micro, that isn’t good news.
In early September, LockBit announced a new version of its ransomware software, LockBit 5.0. Since then, Trend Micro researchers have been looking for examples of LockBit 5.0 being used in the wild, so to speak. Not only was the company able to find examples on Windows, Linux, and ESXi (virtual machines), but its analysis of LockBit Version 5.0 showed that it’s the most advanced ransomware the group has made yet.
Mashable Light Speed
Per Trend Micro, version 5.0 shares some common elements with version 4.0, meaning it's an evolution rather than an entirely new piece of ransomware. The new version adds horrible features like a DLL reflection (the ability to load a DLL from memory), a few new anti-analysis techniques, and — for the Linux variant anyway — the ability to use the command line to target specific directories and file types. All versions also add a random 16-bit string to make getting your data back that much harder.
Once the ransomware takes control of your computer, it seems to behave the same way that prior LockBit versions did, where you get a ransom note in a text file with instructions on where to go to pay your ransom. There is also the option to “chat with support” to negotiate the ransom.
In addition to the technical details, it’s been reported that LockBit’s affiliate incentive model has been refreshed, giving bad actors even more incentive to use the software. Reportedly, the refresh was meant to recruit people back to LockBit after the service disruption caused by Operation Cronos last year.
With LockBit back in action, it joins a new generation of AI-powered ransomware that hit the market in late summer 2025, also known as PromptLock. So, if you haven’t been keeping up to speed on the latest cybersecurity threats and scams, now is a great time to refresh yourself on how to be safe on the Internet.
English
French
Spanish
Portuguese
Deutsch
Turkish
Dutch
Italiano
Russian
Romaian
Portuguese (Brazil)
Greek