
The LockBit group, which many had quickly dismissed after high-profile failures and leaks, unexpectedly returned to the scene. In the fall of 2025, it unveiled a new version of its ransomware, LockBit 5.0, and significantly changed its business approach, making its attacks more accessible and sophisticated.
LockBit’s story begins in 2019, when, following the collapse of the Maze cartel, the group went independent under the name ABCD. By the end of that year, the brand had been renamed LockBit, and in 2020 the operators moved to a double-extortion model backed by their own data leak site.
Over the years, the ransomware has undergone several major updates, including versions 2.0, 3.0, and 4.0, as well as experiments with attacks on macOS and leveraging developments from the leaked Conti source code.
Following the LockBit 4.0 update, the group’s activity gradually declined: from May 2025 onward, no new victims appeared on the data leak site, and the infrastructure itself appeared to be abandoned.
The situation changed in September 2025, when LockBit released version 5.0 and dramatically lowered the barrier to entry for affiliates. Whereas joining previously required significant investment and an established reputation, participation in the affiliate program now costs only $500. Analysts attribute this move to an attempt to regain influence after Operation CRONOS and the leaks of the internal control panel.
By the end of 2025, signs of a recovery had emerged. The group launched new domains for its data leak site (DLS) and began reactivating its presence on underground forums, including RAMP and XSS. According to researchers, key participants in the affiliate program remained, and the operation itself was reorganized to increase the effectiveness and reach of attacks.
Technically, LockBit 5.0 is significantly different from previous versions. The ransomware consists of a loader and a core module. The loader is responsible for bypassing security mechanisms, decrypting the payload, and executing it directly in memory, actively using anti-debugging and anti-analysis techniques. The core module is responsible for data encryption and has received a number of new features.
One of the key changes is more flexible file encryption. The encryption mode now depends on file size, and ChaCha20 and Curve25519 are used to protect the keys. Encrypted files are given random 16-character extensions, and before encryption the malware terminates the processes that hold the target files open. This increases the encryption success rate and reduces the likelihood of errors.
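As an added defender-side example (not from the article or from any vendor tooling), the following Python sketch turns the random 16-character extension trait described above into a detection rule: it parses constructed file-rename events, scores the new extension by length and Shannon entropy, and raises an alert when one process renames several files that way within a short window. The log format, process names, paths and extensions are assumptions invented for the example.

```python
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed file-rename events in an assumed "ts pid proc old new" format.
# Invented for this example; not real telemetry from any incident.
SAMPLE_EVENTS = [
    r"2025-11-02T10:00:01 pid=4120 proc=svc.exe old=C:\data\q3.xlsx new=C:\data\q3.xlsx.k7Qx2mZp9LtR4bWv",
    r"2025-11-02T10:00:02 pid=4120 proc=svc.exe old=C:\data\notes.docx new=C:\data\notes.docx.k7Qx2mZp9LtR4bWv",
    r"2025-11-02T10:00:02 pid=4120 proc=svc.exe old=C:\data\db.bak new=C:\data\db.bak.k7Qx2mZp9LtR4bWv",
    r"2025-11-02T10:00:05 pid=880 proc=explorer.exe old=C:\users\a\report.docx new=C:\users\a\report_v2.docx",
    r"2025-11-02T10:00:09 pid=880 proc=explorer.exe old=C:\users\a\site.tar.gz new=C:\users\a\site.tar.gz.backup",
    r"2025-11-02T10:01:30 pid=2210 proc=tool.exe old=C:\tmp\out.bin new=C:\tmp\out.bin.Zq8mN3vB7xK2pL5w",
    "garbled line that does not match the expected format",
]
EVENT_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) old=(?P<old>.+?) new=(?P<new>.+)$")

def shannon_entropy(s):
    """Bits per character; 16 distinct characters give exactly 4.0."""
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in (s.count(ch) for ch in set(s)))

def suspicious_extension(path, length=16, min_entropy=3.0):
    """True when the final extension is exactly `length` alphanumeric chars and looks random."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]  # basename only, so directory dots do not count
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return len(ext) == length and ext.isalnum() and shannon_entropy(ext) >= min_entropy

def detect(lines, threshold=3, window_s=60):
    """Map (pid, proc) -> renamed paths for processes with `threshold` suspicious renames inside `window_s` seconds."""
    per_proc = defaultdict(list)
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole scan
        if suspicious_extension(m["new"]):
            per_proc[(m["pid"], m["proc"])].append((datetime.fromisoformat(m["ts"]), m["new"]))
    alerts = {}
    for key, events in per_proc.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over timestamps sorted ascending
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = [path for _, path in events]
                break
    return alerts
```

Calling `detect(SAMPLE_EVENTS)` flags only the `svc.exe` process; the lone `tool.exe` rename stays below the threshold and the malformed line is skipped.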
LockBit 5.0 also introduces features that previous versions lacked. The malware now uses a mutex to prevent reboots, can display encryption status in the console, deletes temporary files to speed up operations, and can intentionally damage the system through a wiper function that fills the disk with junk data. The logic for deleting shadow copies and clearing event logs has also been reworked, significantly complicating data recovery and subsequent incident analysis.
Experts note that the update to version 5.0 has made LockBit significantly more resilient to analysis and more effective in attacks. However, the lower cost of joining the affiliate program could lead to an increase in attacks from less experienced, but more numerous, operators.
Security experts recommend that organizations carefully monitor anomalous process behavior, promptly install updates, and use up-to-date security tools. The resurgence of LockBit demonstrates that even the most severe attacks on ransomware infrastructures don’t guarantee their complete disappearance, but rather encourage adaptation and the search for new tactics.
