Key Takeaways
- LockBit is back. After being disrupted in early 2024, the ransomware group has resurfaced and is already extorting new victims.
- New version, new victims. Check Point Research identified a dozen organizations hit in September 2025, half by the new LockBit 5.0 (“ChuongDong”) variant.
- Expanded targeting. The group is deploying attacks across Windows, Linux, and ESXi environments in Europe, the Americas, and Asia.
- Check Point Harmony Endpoint and Quantum protect customers against LockBit and other ransomware groups’ infections through Threat Emulation, blocking attacks before encryption can occur.
Just months after being disrupted during Operation Cronos, the notorious LockBit ransomware group has reemerged — and it hasn’t wasted time. Check Point Research has confirmed that LockBit is back in operation and already extorting new victims.
Throughout September 2025, Check Point Research identified a dozen organizations targeted by the revived operation, with half of them infected by the newly released LockBit 5.0 variant and the rest by LockBit Black. The attacks span Western Europe, the Americas, and Asia, affecting both Windows and Linux systems, a clear sign that LockBit’s infrastructure and affiliate network are once again active.
A Rapid and Confident Comeback
At the beginning of September, LockBit officially announced its return on underground forums, unveiling LockBit 5.0 and calling for new affiliates to join. This latest version, internally codenamed “ChuongDong,” marks a significant evolution of the group’s encryptor family.
The newly observed LockBit 5.0 attacks span a broad range of targets — about 80% on Windows systems, and around 20% on ESXi and Linux environments. The quick reappearance of multiple active victims demonstrates that LockBit’s Ransomware-as-a-Service (RaaS) model has successfully reactivated its affiliate base.
From Disruption to Reorganization
Until its takedown in early 2024, LockBit was the most dominant RaaS operation globally, responsible for 20–30% of all data-leak site victim postings. Following Operation Cronos, several arrests and data seizures disrupted the group’s infrastructure. Competing ransomware programs, such as RansomHub and Qilin, briefly tried to absorb its affiliates.
However, LockBit’s administrator, LockBitSupp, evaded capture and continued to hint at a comeback on dark web forums. In May 2025, he posted defiantly on the RAMP forum: “We always rise up after being hacked.” By August, LockBitSupp had reappeared, claiming the group was “getting back to work,” a statement that quickly proved true.

Figure 1 – LockBit administrator announcing the group’s return on RAMP chat.
A Divided Underground
While LockBit regained traction on RAMP, other major forums like XSS continued to ban RaaS advertising. In early September, LockBitSupp attempted to be reinstated on XSS, even prompting a community vote, which ultimately failed.

Figure 2 – Voting results on LockBitSupp’s proposed return to XSS.
This episode highlights a key tension in today’s underground scene: as many smaller ransomware operations emerge, platforms are increasingly wary of the visibility and law enforcement attention that large groups like LockBit attract. Yet, LockBit’s re-entry could signal a recentralization of the RaaS ecosystem under a single, experienced actor.
LockBit 5.0: Technical and Operational Enhancements
LockBit 5.0 introduces several updates designed to enhance efficiency, security, and stealth:
- Multi-platform support: New builds for Windows, Linux, and ESXi systems.
- Stronger evasion: Enhanced anti-analysis mechanisms to obstruct forensic investigation.
- Faster encryption: Optimized routines that reduce response windows for defenders.
- New identifiers: Randomized 16-character file extensions to evade detection.
- Affiliate control panel: Provides an improved management interface with individualized credentials.
To join, affiliates must deposit roughly $500 in Bitcoin for access to the control panel and encryptors, a model aimed at maintaining exclusivity and vetting participants.
Updated ransom notes now identify themselves as LockBit 5.0 and include personalized negotiation links granting victims a 30-day deadline before stolen data is published.

Figure 3 – LockBit 5.0 affiliate registration screen.
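For defenders, the randomized 16-character extensions listed above can themselves be a detection signal when many files gain one in a short time. The sketch below is an added example, not Check Point code or a published signature: it scans file-rename telemetry for per-host bursts of files that acquire a 16-character final extension. The event tuple layout, the threshold and window values, the letters-and-digits character set, and all sample data are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

# Assumption: the 16 characters are ASCII letters/digits; the article gives only the length.
EXT16 = re.compile(r"\.[A-Za-z0-9]{16}$")

def has_ext16(path):
    """True if the final extension of `path` is exactly 16 alphanumeric characters."""
    return EXT16.search(path) is not None

def rename_bursts(events, threshold=5, window=10.0):
    """Return {host: time_of_first_alert} for hosts where at least `threshold`
    files gained a 16-character extension within `window` seconds.
    events: iterable of (epoch_seconds, host, old_path, new_path)."""
    recent = defaultdict(deque)   # host -> timestamps of matching renames
    alerts = {}
    for ts, host, old, new in sorted(events):
        # Only count renames that newly introduce the 16-character extension,
        # whether it was appended to or substituted for the original one.
        if not has_ext16(new) or has_ext16(old):
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:      # drop renames older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts

# Constructed sample telemetry (hypothetical hosts and paths, not real indicators).
_EXT = "k3Tq9ZpL0xWv7bNa"  # constructed 16-character value
SAMPLE = [
    (100.0 + i, "fs01", f"/srv/share/doc{i}.xlsx",
     f"/srv/share/doc{i}.xlsx." + _EXT[i:] + _EXT[:i])
    for i in range(6)          # six renames in six seconds on one file server
] + [
    (100.0, "ws07", "/home/a/report.tmp", "/home/a/report.docx"),   # normal save
    (105.0, "ws07", "/home/a/cache.bin", "/home/a/cache." + _EXT),  # isolated hit
    (400.0, "ws07", "/home/a/notes.txt", "/home/a/notes.txt." + _EXT),
]

if __name__ == "__main__":
    for host, ts in rename_bursts(SAMPLE).items():
        print(f"ALERT {host}: burst of 16-char extension renames at t={ts}")
```

Because the extension value is randomized, the check keys on length and rate rather than on any fixed string; tune the threshold and window against normal rename activity on the monitored hosts.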
Implications: A Familiar Threat Returns
LockBit’s reemergence underscores the group’s resilience and sophistication. Despite high-profile law enforcement actions and public setbacks, the group has once again managed to restore its operations, recruit affiliates, and resume extortion.
With its mature RaaS model, cross-platform reach, and proven reputation among cyber criminals, LockBit’s return represents a renewed threat to organizations across all sectors. September’s wave of infections likely marks only the beginning of a larger campaign — and October’s postings may confirm the group’s full operational recovery.
Check Point Protections
Check Point customers are protected against LockBit and related ransomware threats through advanced threat prevention technologies.
- Check Point Quantum network security blocks initial infection attempts and command-and-control communication through Threat Emulation.
- Check Point Harmony Endpoint prevents ransomware execution on endpoints by detecting and blocking malicious payloads before encryption begins.
Together, these solutions provide end-to-end defense against LockBit’s latest techniques, ensuring organizations remain protected even as ransomware operations evolve.
Check Point Research continues to monitor LockBit’s activity and will provide updates on the group’s evolving tools, victims, and ecosystem as new evidence emerges.



