The notorious LockBit ransomware operation has resurfaced with a vengeance after months of dormancy following Operation Cronos takedown efforts in early 2024.<\/p>\n
Despite law enforcement disruptions and infrastructure seizures, the group\u2019s administrator, LockBitSupp, has successfully rebuilt the operation and launched LockBit 5.0, internally codenamed \u201cChuongDong.\u201d<\/p>\n
This latest variant represents a significant evolution in the group\u2019s ransomware<\/a> capabilities, targeting organizations across multiple platforms with enhanced technical sophistication.<\/p>\n Throughout September 2025, the revived operation demonstrated its operational recovery by compromising a dozen organizations across Western Europe, the Americas, and Asia.<\/p>\n Half of these incidents involved the newly released LockBit 5.0 variant, while the remainder utilized LockBit Black.<\/p>\n The attacks primarily focused on Windows environments, accounting for approximately 80% of infections, with ESXi and Linux systems comprising the remaining 20%.<\/p>\n Check Point analysts identified<\/a> these campaigns as clear evidence that LockBit\u2019s Ransomware-as-a-Service model has successfully reactivated its affiliate network.<\/p>\n The rapid return highlights the resilience of established cybercriminal enterprises.<\/p>\n After announcing its comeback on underground forums in early September, LockBitSupp recruited new affiliates by requiring roughly $500 in Bitcoin deposits for access to the control panel and encryption tools<\/a>.<\/p>\n LockBit 5.0 introduces several technical improvements designed to maximize impact while minimizing detection.<\/p>\n The malware now supports multi-platform deployments with dedicated builds for Windows, Linux, and ESXi environments.<\/p>\n Its encryption routines have been optimized to reduce the response window available to defenders, enabling faster system-wide file encryption.<\/p>\n The variant employs randomized 16-character file extensions to evade signature-based detection mechanisms.<\/p>\n Enhanced anti-analysis features obstruct forensic<\/a> investigation and reverse engineering attempts, making it significantly more challenging for security researchers to analyze the malware\u2019s behavior.<\/p>\n Updated ransom notes identify themselves as LockBit<\/a> 5.0 and provide personalized negotiation links with a 30-day deadline before stolen data publication.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post LockBit 5.0 Actively Attacking Windows, Linux, and ESXi Environments<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nEnhanced Encryption and Evasion Capabilities<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhA1g63QVfZ8OgkD_moNMlOzQNoYCbj_qtnmDi44KRWte-pmjG8jjH7GE1HYVWRr2qABdGF6nTT_SrJ_j62RQkF4mNCB9MSm-CuQOQKtTjTi3VaX4T2ry_3mibjWdB3-jtiwbXBxqDDoyxXoFcvo7ppH-IKHSC5a4z28PuCvnw2i7j4ED9v0EGWZZY5Ik8\/s16000\/LockBit%25205.0%2520affiliate%2520registration%2520screen%2520%28Source%2520-%2520Check%2520Point%29.webp?ssl=1\")