Pietro Melillo : 11 September 2025 07:25
The ransomware landscape continues to be characterized by dynamics of adaptation and resilience. Even when an international operation seems to spell the end for a criminal group, experience shows us that the disappearance is often only temporary.
This is the case with LockBit, one of the most prolific and structured gangs of the last five years, whose saga seemed to have ended with Operation Cronos in February 2024. Today, however, new evidence from the dark web is fueling speculation that the group is returning under a new guise: LockBit 5.0.
Over the years, LockBit has represented a benchmark for the criminal ecosystem, thanks to its Ransomware-as-a-Service (RaaS) approach, its widespread affiliate network, and constant innovation in encryption and propagation techniques. The introduction of data leak sites (DLS) as a pressure tool has made LockBit a true cybercrime icon.
With Operation Cronos, which culminated in the seizure of numerous infrastructures and the compromise of affiliate panels, the group seemed destined for definitive decline. However, as already analyzed in the previous article, residual traces of activity and signals scattered across the dark web suggested a possible reorganization.
In the last few hours, an image has emerged that seems to confirm this hypothesis: an authentication screen for a new DLS linked to the LockBit brand. Unlike traditional portals, which are freely accessible to maximize the coercive effect on victims, this new infrastructure requires a private key to be entered before its contents can be accessed.
This choice introduces new elements and opens up different interpretative scenarios:
The resurgence of LockBit must be seen in the context of a broader evolution. Several ransomware groups are experimenting with new attack techniques, integrating automation, advanced evasion modules, and more aggressive double-extortion strategies.
In this context, the debate on the use of artificial intelligence as a disruptive factor is increasingly central. As also highlighted in the post by Anastasia Sentsova, the possibility of AI-orchestrated ransomware campaigns emerging in the future opens up scenarios in which targeting, lateral movement, and negotiation could be optimized in real time. In this sense, the potential rebirth of LockBit 5.0 could mark the beginning of a new experimental phase.
The leaked login screen from the new DLS, requesting a private key, isn’t just a technical detail, but a clue that raises a series of open questions:
At the moment, there are no definitive answers. However, one thing is certain: the void left by LockBit in the ransomware landscape is too large to remain unfilled for long. If LockBit 5.0 were to prove itself, the industry could face a new turning point, with significant impacts on the tactics, techniques, and procedures of international cybercrime.