The LockBit Comeback: How the Group Evolved After a Global Takedown
LockBit is recognized as one of the most prominent and pervasive Ransomware-as-a-Service (RaaS) operations, operating since 2019 and consistently growing to become a significant global cyber threat. The operation functions using an affiliate model and frequently targets numerous critical sectors worldwide, including the financial, healthcare, manufacturing, and technology industries. A double extortion tactic is employed, wherein data is encrypted on victim systems, and the victims are simultaneously threatened with the public release of stolen data if the ransom is not paid.
The ransomware itself is highly complex, featuring sophisticated anti-analysis and obfuscation techniques. Heavy obfuscation is applied through methods such as dynamic API resolution via hashing, and in recent versions (such as LockBit 5.0) payloads are loaded through reflective DLL loading.
In February 2024, a major international law enforcement action (Operation Cronos) significantly disrupted the group's infrastructure. The operation led to the compromise of the administration panel and the public release of internal affiliate and victim data. Following the disruption, victim decryption keys were offered, and it was revealed that stolen data was frequently retained even after ransoms had been paid. Subsequently, a clear drop in new infections was observed, and efforts to maintain the illusion of normal operation included reposting old victims to new leak sites.
The current status of LockBit is characterized by its resilience and aggressive resurgence following the major law enforcement disruption. Despite the reputational damage and initial setback, the group resurfaced for its sixth anniversary in early September 2025, announcing and deploying LockBit 5.0. LockBit 5.0 is considered significantly more dangerous than its predecessors [1], indicating the group is actively evolving its codebase and remains a potent cyber threat.
In this blog, we will examine the technical characteristics of LockBit ransomware and its evolution over the years.
Article Link: https://www.picussecurity.com/resource/blog/the-lockbit-comeback-how-the-group-evolved-after-a-global-takedown
