LockBit 5.0: The RaaS That Refuses to Go Away

The once-prolific LockBit group appears to have reemerged, recently deploying an updated “LockBit 5.0” variant of its ransomware. Although the Ransomware-as-a-Service (RaaS) group has been trying to reestablish its brand since international law enforcement disrupted the group’s infrastructure in early 2024, this latest effort appears to be a return to form.

LockBit first announced the 5.0 version on the RAMP dark web forum in early September 2025, coinciding with the group’s six-year anniversary. In early December 2025, the group posted an announcement on its old data leak site (DLS) with a link to its new Christmas-themed LockBit 5.0 DLS. Since then, the group has already posted over 100 alleged victims to the new DLS.

A Long History of LockBit Variants

According to researchers, the 5.0 variant has numerous code overlaps with the LockBit 4.0 variant and appears to be the latest in a series of evolving ransomware versions observed since the group first emerged in September 2019.

• In June 2021, LockBit released version 2.0, also known as LockBit Red, followed by a Linux version released in October 2021 that could be deployed on Linux and VMware ESXi systems.
• In March 2022, the group released version 3.0, which was also known as LockBit Black. The builder for this LockBit 3.0 variant was subsequently leaked by a disgruntled affiliate in June 2023. Since then, this leaked builder has been used by a number of unaffiliated threat actors, even after law enforcement’s disruption of the LockBit RaaS in 2024.
• Following the leak of the LockBit Black builder, the group released a LockBit Green version in January 2023, followed by a macOS version in April 2023.
• In February 2024, international law enforcement disrupted LockBit’s operations, seizing the group’s DLS along with numerous websites and servers used by LockBit administrators. In May 2024, international law enforcement revealed that Russian national Dmitry Yuryevich Khoroshev, who went by the alias LockBitSupp, was the developer and administrator of the LockBit RaaS. Khoroshev was sanctioned by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), the UK’s Foreign Commonwealth & Development Office (FCDO), and the Australian Department of Foreign Affairs.
• In December 2024, LockBit announced the release of LockBit 4.0, with the new version becoming available to affiliates in February 2025. However, the group remained quiet for most of 2025, and Arete never observed any incidents involving the 4.0 version during the year.

The latest LockBit 5.0 variant has both Windows and Linux versions, with notable improvements, including anti-analysis features and unique 16-character extensions added to each encrypted file. Ransom notes for the 5.0 version direct victims to Tor chat panels, similar to those the group used before law enforcement’s disruptions.
 

Analyst Comments

Despite the number of victims initially posted to the new DLS, it remains to be seen whether LockBit will return to consistent activity levels in 2026. With the group continuing to operate under the LockBit brand, the sanctions against Khoroshev should inhibit victims contemplating payment for LockBit 5.0 decryption keys, creating a substantial barrier to the group reclaiming its place as one of the top RaaS organizations. If the group becomes an increasingly active threat in 2026, the OFAC sanction implications make it exceedingly important for organizations to have adequate data protection and security practices in place to be able to recover from potential encryption and extortion attacks without payment.
 

Sources

• New LockBit 5.0 Targets Windows, Linux, ESXi
• LockBit Ransomware Group Unveils Version 5.0 on Its Sixth Anniversary
• Understanding Ransomware Threat Actors: LockBit
• RaaS Evolved: LockBit 3.0 vs LockBit 4.0