The notorious LockBit ransomware operation has resurfaced with a vengeance after months of dormancy following Operation Cronos takedown efforts in early 2024.
Despite law enforcement disruptions and infrastructure seizures, the group’s administrator, LockBitSupp, has successfully rebuilt the operation and launched LockBit 5.0, internally codenamed “ChuongDong.”
This latest variant represents a significant evolution in the group’s ransomware capabilities, targeting organizations across multiple platforms with enhanced technical sophistication.
Throughout September 2025, the revived operation demonstrated its operational recovery by compromising a dozen organizations across Western Europe, the Americas, and Asia.
Half of these incidents involved the newly released LockBit 5.0 variant, while the remainder utilized LockBit Black.
The attacks primarily focused on Windows environments, accounting for approximately 80% of infections, with ESXi and Linux systems comprising the remaining 20%.
Check Point analysts identified these campaigns as clear evidence that LockBit’s Ransomware-as-a-Service model has successfully reactivated its affiliate network.
The rapid return highlights the resilience of established cybercriminal enterprises.
After announcing its comeback on underground forums in early September, LockBitSupp recruited new affiliates by requiring roughly $500 in Bitcoin deposits for access to the control panel and encryption tools.
Enhanced Encryption and Evasion Capabilities
LockBit 5.0 introduces several technical improvements designed to maximize impact while minimizing detection.
LockBit 5.0 affiliate registration screen (Source – Check Point)
The malware now supports multi-platform deployments with dedicated builds for Windows, Linux, and ESXi environments.
Its encryption routines have been optimized to reduce the response window available to defenders, enabling faster system-wide file encryption.
The variant employs randomized 16-character file extensions to evade signature-based detection mechanisms.
Enhanced anti-analysis features obstruct forensic investigation and reverse engineering attempts, making it significantly more challenging for security researchers to analyze the malware’s behavior.
Updated ransom notes identify themselves as LockBit 5.0 and provide personalized negotiation links with a 30-day deadline before stolen data publication.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post LockBit 5.0 Actively Attacking Windows, Linux, and ESXi Environments appeared first on Cyber Security News.
