Security researchers have published detailed analyses of LockBit 5.0, the latest version of one of the most prolific ransomware families. Released in late September 2025, version 5.0 introduces significant upgrades to encryption, evasion, and operational capabilities. Despite law enforcement’s Operation Cronos disrupting LockBit’s infrastructure in February 2024, the group rebuilt and returned stronger.
Version overview
| Attribute | Details |
|---|---|
| Version | LockBit 5.0 |
| First observed | September 2025 |
| Predecessor | LockBit 4.0 (inactive May-September 2025) |
| Affiliate fee | $500 (significantly reduced from prior versions) |
| Platforms | Windows, Linux, ESXi |
| RaaS model | Continues as Ransomware-as-a-Service |
Operation Cronos and resurgence
February 2024 disruption
| Action | Result |
|---|---|
| Servers seized | 34 across multiple countries |
| Affiliate accounts disabled | 14,000+ |
| Cryptocurrency wallets frozen | 200+ |
| Arrests | 3 affiliates (Poland, Ukraine) |
| Led by | UK NCA and FBI |
Recovery timeline
| Date | Event |
|---|---|
| February 19-20, 2024 | Operation Cronos strikes |
| February-May 2024 | Limited LockBit activity |
| May 2025 | Data Leak Site goes inactive |
| September 2025 | LockBit 5.0 launches |
| September 2025+ | Active victim listings resume |
Analysts judged the lowered $500 affiliate entry fee a bold attempt to recover the group's diminished influence and restructure its attack ecosystem following Operation Cronos and leaks of its internal panel data.
Encryption architecture
LockBit 5.0 implements a hybrid cryptographic framework:
Cryptographic components
| Component | Algorithm | Purpose |
|---|---|---|
| Symmetric encryption | ChaCha20-Poly1305 | File encryption |
| Key exchange | X25519 (ECDH) | Per-victim key generation |
| Hashing | BLAKE2b | Key derivation |
| Variant | XChaCha20 + Curve25519 | Fast cross-platform encryption |
Why ChaCha20?
| Factor | Benefit |
|---|---|
| Software performance | Faster than AES without hardware acceleration |
| Authenticated encryption | Poly1305 prevents tampering |
| Cross-platform | Consistent performance on all targets |
File handling by size
| File size | Encryption method |
|---|---|
| Up to ~83.9 MB | Direct ChaCha20 encryption using derived key streams |
| Larger files | Segmented into 8 MB chunks with independent encryption |
| Integrity | Custom hash-based markers appended to each segment |
Key derivation
| Step | Process |
|---|---|
| 1 | SHA-512 hash of master key |
| 2 | First 32 bytes become ChaCha20 key |
| 3 | SHA-512 hash of ChaCha20 key |
| 4 | First 24 bytes become nonce |
Two-stage deployment model
Flashpoint’s analysis confirms LockBit 5.0 uses a refined modular deployment designed to maximize evasion:
Stage 1: Loader
| Action | Details |
|---|---|
| Process creation | Creates suspended instance of defrag.exe |
| Injection | Process hollowing technique |
| Shellcode | Custom shellcode with execution trampolines |
| Purpose | Achieve execution in legitimate process context |
Stage 2: Ransomware core
| Action | Details |
|---|---|
| Execution context | Within hollowed legitimate process |
| Activities | Encryption, system manipulation, ransom note |
| Visibility | Appears as legitimate Windows process |
This near-fileless deployment evades traditional file-based detection.
Anti-analysis techniques
LockBit 5.0 employs multiple layers of analysis evasion:
| Technique | Implementation |
|---|---|
| Control flow obfuscation | Jump destinations calculated dynamically |
| Runtime API resolution | Custom hashing algorithm resolves function calls |
| EDR bypass | Reloads clean NTDLL and Kernel32 from disk |
| Sandbox detection | Identifies analysis environments |
| String encryption | Critical strings encrypted at rest |
| ETW patching | Disables Event Tracing for Windows |
| Service termination | Kills 60+ security and backup services |
EDR bypass details
| Action | Purpose |
|---|---|
| Read clean system DLLs from disk | Obtain unhooked versions |
| Overwrite in-memory DLLs | Replace security tool hooks |
| Result | EDR monitoring circumvented |
New capabilities in 5.0
The update from LockBit 4.0 to 5.0 adds several features:
| Feature | Description |
|---|---|
| Mutex handling | Prevents multiple instances |
| Execution delay | Configurable delay before encryption |
| Status bar | Visual progress indicator |
| Delete TEMP | Cleans temporary files after encryption |
| Wiper mode | Option to destroy data rather than encrypt |
| Shadow copy deletion | Overhauled VSS deletion method |
| Large file handling | Updated encryption logic |
Wiper mode
| Scenario | Use case |
|---|---|
| Non-paying victim | Destroy data as punishment |
| Attribution masking | Make incident look like wiper attack |
| Maximum pressure | Threaten data destruction |
Stealbit integration
LockBit 5.0 integrates Stealbit, a purpose-built data exfiltration tool for double extortion:
| Component | Function |
|---|---|
| Configuration | Affiliates configure target file types via LockBit panel |
| Exfiltration | Copies selected data to attacker servers over HTTP |
| Timing | Executes before encryption begins |
| Destinations | MEGA, compromised cloud accounts, attacker infrastructure |
Double extortion flow
| Phase | Action |
|---|---|
| 1 | Stealbit exfiltrates sensitive data |
| 2 | LockBit encrypts files |
| 3 | Ransom note demands payment |
| 4 | Non-payment leads to data publication |
Alternative exfiltration: Some affiliates use Rclone or FreeFileSync instead of Stealbit.
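Whichever tool an affiliate uses (Stealbit, Rclone or FreeFileSync), the exfiltration step looks the same on the wire: a sustained, upload-heavy flow from one host to a file-sharing service or an unfamiliar server in the hours before encryption starts. The script below is an added example written for this page, not code from the article or from any vendor; it scores per-host outbound volume and upload/download asymmetry over constructed flow records. The record schema, the thresholds, the corporate allowlist and the `backup.corp.example` host are assumptions; `mega.nz` is the service named in the table above.

```python
"""Flow-level detection of bulk exfiltration to web services (T1567).

Added example for the page; not Stealbit, LockBit or vendor code. Flow records
are constructed inline; schema, thresholds and allowlist are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Destinations that legitimately receive large uploads from this environment (assumption).
CORPORATE_ALLOWLIST = {"backup.corp.example"}
# Consumer file-sharing service named in LockBit reporting; uploads there are high severity.
FILE_SHARING_HOSTS = {"mega.nz", "mega.co.nz"}
MIN_UPLOAD_BYTES = 500 * 1024 * 1024   # 500 MiB outbound to a single destination
MIN_OUT_IN_RATIO = 10.0                # uploads dwarf the response traffic
WINDOW = timedelta(minutes=60)


def analyze_flows(flows):
    """Return one finding per (src, dst_host) whose outbound bytes in some 60-minute
    window exceed MIN_UPLOAD_BYTES with upload-heavy asymmetry."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst_host"])].append(f)
    findings = []
    for (src, dst), fl in groups.items():
        if dst in CORPORATE_ALLOWLIST:
            continue
        fl.sort(key=lambda f: f["ts"])
        for i, first in enumerate(fl):
            t0 = datetime.fromisoformat(first["ts"])
            window = [f for f in fl[i:] if datetime.fromisoformat(f["ts"]) - t0 <= WINDOW]
            out_b = sum(f["bytes_out"] for f in window)
            in_b = sum(f["bytes_in"] for f in window)
            ratio = out_b / max(in_b, 1)
            if out_b >= MIN_UPLOAD_BYTES and ratio >= MIN_OUT_IN_RATIO:
                findings.append({
                    "src": src, "dst_host": dst, "start": first["ts"],
                    "bytes_out": out_b, "ratio": round(ratio, 1),
                    "severity": "high" if dst in FILE_SHARING_HOSTS else "medium",
                    "technique": "T1567",
                })
                break  # one finding per host/destination pair; later sub-windows add nothing
    return findings


def constructed_flows():
    """Constructed flow records (not real telemetry): one workstation uploads
    ~2.3 GiB to mega.nz over 24 minutes, alongside normal browsing, an allowlisted
    backup and a second host whose upload stays below threshold."""
    base = datetime(2025, 10, 1, 2, 0, 0)  # early morning, ahead of the encryption phase
    t = lambda m: (base + timedelta(minutes=m)).isoformat()
    flows = [{"ts": t(i), "src": "10.0.5.23", "dst_host": "mega.nz",
              "bytes_out": 100 * 2**20, "bytes_in": 64 * 1024} for i in range(24)]
    flows += [{"ts": t(i * 3), "src": "10.0.5.23", "dst_host": "www.example.com",
               "bytes_out": 20_000, "bytes_in": 1_500_000} for i in range(10)]
    flows += [{"ts": t(5), "src": "10.0.5.40", "dst_host": "backup.corp.example",
               "bytes_out": 3 * 2**30, "bytes_in": 10_000}]
    flows += [{"ts": t(7), "src": "10.0.5.41", "dst_host": "mega.nz",
               "bytes_out": 200 * 2**20, "bytes_in": 50_000}]
    return flows


if __name__ == "__main__":
    for finding in analyze_flows(constructed_flows()):
        print(finding)
```

A finding's `start` timestamp is the value to correlate with later host alerts: the table above puts exfiltration before encryption, so an upload burst followed within hours by file-rename or shadow-copy-deletion alerts on the same host is the double-extortion sequence rather than two unrelated events.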
| Platform | Status |
|---|---|
| Windows | Primary target |
| Linux | Supported |
| ESXi | Dedicated variant |
| macOS | Supported |
ESXi targeting
| Capability | Impact |
|---|---|
| VM encryption | Entire virtualized infrastructure at risk |
| Snapshot deletion | Prevents VM recovery |
| Simultaneous attack | All VMs affected at once |
Operational model
LockBit continues as a Ransomware-as-a-Service platform:
| Role | Responsibility |
|---|---|
| Operators | Infrastructure, malware development, panel |
| Affiliates | Intrusions, deployment, negotiation |
| Revenue split | 70-80% to affiliate, 20-30% to operators |
Affiliate recruitment changes
| LockBit 4.0 | LockBit 5.0 |
|---|---|
| Vetting process | $500 fee, minimal vetting |
| Higher barrier | Lower barrier to entry |
| Established affiliates | New affiliates recruited |
The lowered entry fee aims to rebuild the affiliate base after the losses caused by Operation Cronos.
Historical context
| Year | LockBit share of ransomware attacks |
|---|---|
| 2023 | ~25% of all attacks |
| 2024 | Reduced (Operation Cronos impact) |
| 2025 | Rebuilding with LockBit 5.0 |
Detection and defense
Behavioral indicators
| Indicator | Detection method |
|---|---|
| Process hollowing into defrag.exe | Process monitoring |
| NTDLL/Kernel32 reloading | Memory scanning |
| Rapid file encryption | File system monitoring |
| VSS deletion | Volume shadow copy monitoring |
| Service termination | Service monitoring |
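The indicators in the table above, expressed as correlation rules and run over constructed host telemetry. This is an added example written for this page, not code from the original article or from any vendor product. The event schema is a simplified Sysmon/EDR-like shape, and the thresholds, the list of parents from which `defrag.exe` is expected to launch, and the `.lockbit_example` extension are all assumptions (the page does not give the real extension).

```python
"""Behavioural detections for the LockBit 5.0 indicators tabulated above.

Added example; not from the article or any vendor. Events are constructed
inline; field names, thresholds and expected-parent list are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Parents from which defrag.exe is normally launched (assumption: the Task
# Scheduler service host and interactive shells). Anything else is suspicious.
EXPECTED_DEFRAG_PARENTS = {"svchost.exe", "cmd.exe", "powershell.exe", "explorer.exe"}
SERVICE_STOP_THRESHOLD = 10   # distinct services stopped inside WINDOW
RENAME_THRESHOLD = 20         # files renamed to one new extension inside WINDOW
WINDOW = timedelta(seconds=60)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _burst(events, key, threshold):
    """First WINDOW holding >= threshold distinct `key` values: (start, count) or None."""
    ev = sorted((datetime.fromisoformat(e["ts"]), e[key]) for e in events)
    for i, (t0, _) in enumerate(ev):
        distinct = {k for t, k in ev[i:] if t - t0 <= WINDOW}
        if len(distinct) >= threshold:
            return t0, len(distinct)
    return None


def detect_hollow_target(events):
    """The loader must itself create the suspended defrag.exe it hollows, so the
    parent is the loader rather than a normal launcher of defrag.exe."""
    return [("T1055.012", f"defrag.exe (pid {e['pid']}) spawned by {e['parent']}")
            for e in events if e["type"] == "process_create"
            and _basename(e["image"]) == "defrag.exe"
            and _basename(e["parent"]) not in EXPECTED_DEFRAG_PARENTS]


def detect_vss_deletion(events):
    alerts = []
    for e in events:
        if e["type"] != "process_create":
            continue
        name, cmd = _basename(e["image"]), e.get("cmdline", "").lower()
        if (name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd) or \
           (name == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd):
            alerts.append(("T1490", f"shadow copy deletion: {e['cmdline']}"))
    return alerts


def detect_service_kill_spree(events):
    hit = _burst([e for e in events if e["type"] == "service_stop"], "service", SERVICE_STOP_THRESHOLD)
    return [("T1562.001", f"{hit[1]} services stopped within {WINDOW.seconds}s from {hit[0]}")] if hit else []


def detect_rapid_encryption(events):
    """Encryption surfaces as a burst of renames that all append the same new extension."""
    by_ext = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename":
            by_ext[e["target"].rsplit(".", 1)[-1].lower()].append(e)
    alerts = []
    for ext, evs in by_ext.items():
        hit = _burst(evs, "target", RENAME_THRESHOLD)
        if hit:
            alerts.append(("T1486", f"{hit[1]} files renamed to .{ext} within {WINDOW.seconds}s from {hit[0]}"))
    return alerts


def run_detections(events):
    return (detect_hollow_target(events) + detect_vss_deletion(events)
            + detect_service_kill_spree(events) + detect_rapid_encryption(events))


def constructed_events():
    """Constructed telemetry from one host (not real IOCs); '.lockbit_example' is a placeholder."""
    base = datetime(2025, 10, 1, 9, 0, 0)
    t = lambda s: (base + timedelta(seconds=s)).isoformat()
    ev = [
        {"ts": t(0), "type": "process_create", "pid": 4120, "image": r"C:\Windows\System32\defrag.exe",
         "parent": r"C:\Users\alice\Downloads\update.exe", "cmdline": "defrag.exe"},
        {"ts": t(1), "type": "process_create", "pid": 4200, "image": r"C:\Windows\System32\defrag.exe",
         "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "defrag.exe C: /O"},  # benign
        {"ts": t(5), "type": "process_create", "pid": 4300, "image": r"C:\Windows\System32\vssadmin.exe",
         "parent": r"C:\Windows\System32\defrag.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    ]
    services = ["VSS", "SQLWriter", "BackupExec", "MSExchangeIS", "VeeamBackupSvc", "wuauserv",
                "Sense", "WinDefend", "MBAMService", "SophosSvc", "vmicvss", "AcronisAgent"]
    ev += [{"ts": t(6 + i * 0.2), "type": "service_stop", "service": s} for i, s in enumerate(services)]
    ev += [{"ts": t(10 + i * 0.1), "type": "file_rename", "target": rf"C:\Data\doc{i}.docx.lockbit_example"}
           for i in range(25)]
    ev += [{"ts": t(300 + i * 30), "type": "file_rename", "target": rf"C:\Data\old{i}.bak"} for i in range(3)]
    return ev


if __name__ == "__main__":
    for tid, msg in run_detections(constructed_events()):
        print(tid, msg)
```

The parent-process rule is the weakest of the four on its own: a loader launched from a shell inherits an expected parent, and the table pairs the hollowing indicator with memory scanning for exactly that reason. The service-stop and rename bursts are the rules that fire regardless of how the loader was started, and they are the ones worth wiring to an automatic isolation action.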
Technical IOCs
| Source | Content |
|---|---|
| ASEC (AhnLab) | Detailed technical IOCs |
| Flashpoint | MITRE ATT&CK mappings |
| S2W TALON | Sample hashes and C2 |
| CISA StopRansomware | Updated advisories |
MITRE ATT&CK techniques
| Technique | ID |
|---|---|
| Process Injection: Process Hollowing | T1055.012 |
| Obfuscated Files or Information | T1027 |
| Impair Defenses: Disable or Modify Tools | T1562.001 |
| Data Encrypted for Impact | T1486 |
| Inhibit System Recovery | T1490 |
| Exfiltration Over Web Service | T1567 |
Recommendations
For defenders
| Priority | Action |
|---|---|
| Critical | Update EDR with LockBit 5.0 signatures |
| Critical | Maintain offline, tested backups |
| High | Monitor for process hollowing |
| High | Detect NTDLL/Kernel32 reloading |
| High | Alert on rapid file encryption patterns |
| Ongoing | Review CISA StopRansomware advisories |
For incident responders
| Priority | Action |
|---|---|
| Immediate | Isolate affected systems |
| High | Preserve memory for analysis |
| High | Check for Stealbit exfiltration |
| Ongoing | Engage law enforcement |
Context
That LockBit came back with an upgraded version after Operation Cronos demonstrates the resilience of the RaaS model—even substantial law enforcement action doesn’t permanently eliminate well-organized ransomware operations. The $500 affiliate fee signals desperation to rebuild but also lowers the barrier for new attackers to join.
Organizations should expect LockBit 5.0 attacks to continue and potentially increase as the affiliate base rebuilds. The combination of sophisticated evasion, cross-platform capability, and established brand makes LockBit one of the most dangerous ransomware threats regardless of law enforcement pressure.