Fast Facts
- LockBit ransomware, after months of dormancy due to law enforcement efforts, has successfully relaunched with LockBit 5.0, targeting organizations globally across multiple platforms.
- The new variant features advanced encryption, multi-platform support (Windows, Linux, ESXi), and anti-analysis capabilities, significantly increasing its operational sophistication.
- LockBit’s Ransomware-as-a-Service model is fully active again, recruiting new affiliates with a $500 Bitcoin deposit system, leading to rapid recovery of its cybercriminal network.
- In September 2025, the group compromised at least a dozen organizations, mainly targeting Windows systems, exemplifying its resilience and continued threat to global cybersecurity.
The Issue
After a period of dormancy following the disruption efforts of early 2024, the notorious LockBit ransomware operation has made a formidable comeback, led by its administrator known as LockBitSupp. This resurgence, marked by the launch of LockBit 5.0 (internally code-named “ChuongDong”), demonstrates a significant leap in technical sophistication, allowing the group to breach multiple high-profile organizations across Western Europe, the Americas, and Asia. During September 2025, the cybercriminals successfully compromised a dozen targets, with half using the new LockBit 5.0 variant and the rest relying on the older LockBit Black, predominantly attacking Windows systems, but also targeting Linux and ESXi platforms. Check Point analysts have determined that the reactivation confirms LockBit’s successful revival of its Ransomware-as-a-Service (RaaS) model, recruiting new affiliates through underground forums while demanding modest Bitcoin deposits for access to their tools. The latest version boasts advanced encryption routines, multi-platform deployment, rapid file encryption techniques, and sophisticated anti-analysis measures designed to evade detection and forensic analysis, highlighting the group’s resilience and adaptability in maintaining its disruptive operations.
Risks Involved
The emergence of LockBit 5.0 actively targeting Windows, Linux, and ESXi environments poses a significant threat to businesses of all sizes, as it can infiltrate critical systems and disrupt operations, leading to severe financial losses, data breaches, and reputational damage. This malicious ransomware strain exploits vulnerabilities across multiple platforms, potentially locking organizations out of vital data and infrastructure, forcing costly recovery efforts, and increasing downtime. No enterprise is immune—regardless of industry or security measures—making it imperative for businesses to proactively strengthen defenses and monitor for such threats, as the consequences of an unprepared breach could be devastating and long-lasting.
Possible Next Steps
Timely remediation is critical in addressing LockBit 5.0, especially as it actively targets Windows, Linux, and ESXi environments. Rapid response minimizes damage, prevents data loss, and restores operational integrity swiftly.
Containment Measures
- Isolate affected systems from the network
- Disable compromised accounts and services
Identification and Analysis
- Conduct thorough system scans for malware
- Gather forensic data to understand attack scope
Patching and Updates
- Apply latest security patches to OS and applications
- Update antivirus and anti-malware tools
Removal and Cleanup
- Remove malicious files and tools
- Reset affected credentials
Restoration and Recovery
- Restore systems from secure backups
- Verify system integrity before bringing online
Enhanced Security Practices
- Implement network segmentation
- Enable multi-factor authentication
- Conduct regular security awareness training
