Confirmed Return of Notorious Ransomware Operation
Security researchers have confirmed the operational return of the LockBit ransomware group after months of speculation about its comeback. According to reports from Check Point Research, the cybercriminal organization has reemerged with new victims identified since late summer 2025, marking a significant resurgence following law enforcement actions against the group in early 2024.
Global Attack Pattern Emerges
The research branch of cybersecurity firm Check Point has identified at least a dozen organizations hit by LockBit-branded ransomware attacks during September 2025. Analysts suggest the attacks span multiple continents, including Western Europe, the Americas, and Asia, indicating the group’s infrastructure and affiliate network have been successfully reactivated.
Security researchers noted that both Windows and Linux systems have been compromised, which they describe as “a clear sign that LockBit’s infrastructure and affiliate network are once again active.” This cross-platform targeting demonstrates the group’s continued adaptability and technical capabilities despite previous disruptions.
New LockBit 5.0 Variant Deployed
According to the report published on October 23, approximately half of the observed victims were infected with the new LockBit 5.0 variant, while the remaining targets were hit with the LockBit 3.0 version, also known as LockBit Black. The LockBit 3.0 builder tools were leaked in 2022, allowing cybercriminals without direct links to the core group to utilize the ransomware.
The latest version, internally codenamed ‘ChuongDong,’ represents what analysts suggest is a significant evolution of the group’s encryptor family. LockBit 5.0 reportedly introduces multiple updates designed to enhance efficiency, security, and stealth capabilities, though specific technical details remain under analysis.
Rebuilt Affiliate Program and Infrastructure
Sources indicate that LockBit officially announced its return on underground forums at the beginning of September, unveiling LockBit 5.0 to mark the group’s sixth anniversary. The announcement included calls for new affiliates to join the revamped operation.
The threat group has reportedly overhauled its affiliate panel with an improved management interface featuring individualized credentials. According to the report, prospective affiliates must deposit approximately $500 in Bitcoin to access the control panel and encryptors, a model analysts suggest is aimed at maintaining exclusivity and vetting participants.
Updated Extortion Tactics
The Check Point researchers noted that updated ransom notes now identify themselves as LockBit 5.0 and include personalized negotiation links. Victims reportedly face a 30-day deadline before stolen data is published, maintaining the double-extortion tactics that have become standard among sophisticated ransomware operations.
Historical Context and Law Enforcement Actions
This confirmed resurgence comes over a year after the LockBit ransomware group was disrupted by Operation Cronos, a global law enforcement effort that dismantled portions of the group’s infrastructure in early 2024. The operation represented a significant setback for one of the most prolific ransomware groups active in recent years.
Security professionals continue to monitor the situation as the group reestablishes its operations. The return of LockBit underscores the persistent challenges in combating cybercrime networks despite coordinated international law enforcement efforts.
References
- https://blog.checkpoint.com/research/lockbit-returns-and-it-already-has-victims/
- http://en.wikipedia.org/wiki/Check_Point
- http://en.wikipedia.org/wiki/Ransomware
- http://en.wikipedia.org/wiki/Computer_security
- http://en.wikipedia.org/wiki/Cybercrime
- http://en.wikipedia.org/wiki/Cronus