LockBit 5.0 Reemerges with Enhanced Capabilities & Affiliate Incentives

In September 2025, IronGate observed two confirmed LockBit 5.0 incidents, marking the sixth anniversary of the LockBit affiliate program. This resurgence follows a quiet period after Operation Cronos in early 2024, a multinational law enforcement operation that disrupted LockBit’s infrastructure. The latest version introduces a revamped affiliate model with improved incentives, aiming to attract new cybercriminal partners. LockBit continues to employ double extortion tactics, combining file encryption with data theft and public leaks to pressure victims. 

Threat Actor Profile: LockBit 5.0 Ransomware 

• First Seen: September 2025 
• Type: Ransomware-as-a-Service (RaaS) 
• Target Platforms: Windows, Linux, VMware ESXi 
• Encryption Extensions: Varies by affiliate 
• Ransom Notes: Customized per campaign 
• Extortion Model: Double extortion (data theft + encryption) 
• Known Affiliations: Historically linked to sanctioned entities 

Attack Lifecycle 

Initial Access 

• Exploitation of public-facing systems 
• Credential compromise
  
• Spearphishing campaigns 
  

Execution & Evasion 

• DLL Reflection: Injects malicious code directly into memory 
• ETW Patching: Disables Windows event tracing 
• Security Service Termination: Shuts down over 60 AV/EDR services using taskkill, net stop, and direct service manipulation 
• Geolocation Checks: Avoids execution on Russian systems 

Persistence & Anti-Forensics 

• Event log clearing post-encryption 
• Advanced obfuscation to hinder reverse engineering 

Impact 

• Data exfiltration 
• Public leak site exposure 
• Ransom demand with threat of publication 
  

Recommended Mitigations  

• Use Multi-layered Detection 
  Deploy behavioral analytics and modern EDR tools to detect in-memory execution and service tampering monitored 24x7 by a SOC or MDR team.
• Patch Management 
  Ensure timely updates for all systems, especially VMware ESXi, firewalls, and remote access tools. 
  Monitor Logs and Services 
  Watch for signs of ETW tampering, unexpected service termination, and log deletion. 
• Segment Critical Infrastructure 
  Isolate sensitive systems to prevent lateral movement and reduce blast radius. 
• Backup Strategy 
  Maintain secure, offline backups and test restoration procedures regularly. 
• Legal Due Diligence 
  Consult legal counsel before engaging with threat actors. LockBit affiliates may be sanctioned, and ransom payments could violate U.S. law.

Contact us today to learn more about our Digital Forensics and Incident Response (DFIR) services.

Steve Ramey has spent the past two decades helping clients protect, investigate, and respond to events involving their digital interests. He has led hundreds of data breach investigations, assessed incident response and security programs, and successfully advised organizations through extortion negotiations.