LockBit is the notorious ransomware collective responsible for one of the globe’s most perilous Ransomware-as-a-Service (RaaS) models. Recently, LockBit is said to have made a comeback with LockBit 5.0, a fresh iteration of their ransomware that is already operational.

In early 2024, a coalition of law enforcement entities undertook Operation Cronos, dismantling crucial infrastructure of the notorious ransomware outfit. As an RaaS provider, this group marketed tools and software that allowed affiliates to carry out their own hacking endeavors. This was regarded as a significant achievement at that time. More than a year later, LockBit appears to have re-emerged, and a technical assessment by Trend Micro indicates that this is alarming news.

In early September, LockBit disclosed a new iteration of its ransomware software, LockBit 5.0. Following this announcement, Trend Micro researchers began to look for occurrences of LockBit 5.0 in active environments. They identified instances on Windows, Linux, and ESXi (virtual machines), and their evaluation revealed that LockBit Version 5.0 is the most sophisticated ransomware the collective has created thus far.

According to Trend Micro, version 5.0 retains certain elements from version 4.0, suggesting it’s a progression rather than an entirely new ransomware. The updated version brings features such as DLL reflection (loading a DLL from memory), novel anti-analysis strategies, and for the Linux variant, the capability to use the command line to zero in on specific directories and types of files. All versions also incorporate a random 16-bit string to hinder data recovery efforts.

Once the ransomware seizes control of your system, it operates similarly to earlier LockBit versions, displaying a ransom note in a text file with payment details. There is also an option to “chat with support” for ransom negotiations.

Beyond the technical specifics, it has been reported that LockBit’s affiliate incentive structure has been revised, offering malicious actors greater motivation to utilize the software. This update was purportedly intended to re-engage participants with LockBit following the operational interruption caused by Operation Cronos last year.

With LockBit reinstated, it aligns with a new wave of AI-enhanced ransomware that emerged in late summer 2025, referred to as PromptLock. If you’re not up to date with the latest cybersecurity threats and scams, now is an ideal moment to refresh your understanding of how to remain secure online.