All news with #lockbit tag

Ransomware Fragmentation Peaks as LockBit Re-emerges

🔒 Q3 2025 saw an unprecedented decentralization of ransomware, with Check Point Research tracking a record 85 active groups and roughly 1,592 disclosed victims across numerous leak sites. Despite enforcement actions and multiple takedowns, affiliates quickly reconstitute or rebrand, spawning 14 new ransomware brands this quarter. The return of LockBit 5.0 — with updated Windows, Linux and ESXi variants and individualized negotiation portals — suggests a possible shift back toward centralization, while marketing-driven actors like DragonForce further complicate attribution and response.

Weekly Cyber Recap: WSUS Exploited and LockBit 5.0 Surge

⚠️ Microsoft released an out-of-band patch for a critical WSUS remote code execution (CVE-2025-59287) after researchers observed active exploitation that drops a .NET executable and Base64 PowerShell payloads. LockBit has resurfaced with a new multi-platform 5.0 variant claiming victims, while a modified Telegram Android app distributing the Baohuo backdoor has infected tens of thousands of devices. Reporting also shows the F5 breach began in late 2023 and has since widened, underscoring the need for urgent patching and threat hunting.

New LockBit Ransomware Victims Identified October 2025

🔒 After months of rumored silence, security researchers have identified multiple organizations hit by LockBit-branded ransomware in September 2025. Check Point's report documents about a dozen victims across Western Europe, the Americas and Asia, affecting both Windows and Linux systems. Roughly half were infected with LockBit 5.0 and the rest with the leaked 3.0 (LockBit Black) variant. LockBit 5.0 introduces multi-platform builds, enhanced anti-analysis, randomized extensions and a revamped affiliate panel requiring a roughly $500 deposit.

LockBit Resurges with New Variant and Fresh Victims

🛡️ LockBit has reemerged after a disruption in early 2024 and is actively extorting new victims. Check Point Research identified roughly a dozen organizations hit in September 2025, and about half of those incidents involved the new LockBit 5.0 variant, labeled ChuongDong. The group is deploying attacks across Windows, Linux and ESXi environments in Europe, the Americas and Asia. Check Point Harmony Endpoint and Quantum customers are protected via Threat Emulation, which can block these attacks before encryption occurs.

Velociraptor Abused in LockBit Ransomware Campaign Wave

🔒 Threat actors are abusing Velociraptor, an open-source DFIR tool, to support ransomware operations attributed to Storm-2603. Attackers exploited on-premises SharePoint ToolShell flaws to deploy an outdated Velociraptor build (0.73.4.0) vulnerable to CVE-2025-6264, enabling privilege escalation and remote command execution. After lateral movement and creation of domain admin accounts, the group tampered with GPOs, disabled real‑time protection, and staged exfiltration before deploying Warlock, LockBit, and Babuk. Vendors caution that legitimate collection and orchestration capabilities can be repurposed by adversaries.

Velociraptor Abuse Enables Stealthy Ransomware Campaigns

🔒 Researchers report that the open-source DFIR tool Velociraptor was abused by threat actors to maintain stealthy persistent access while deploying multiple ransomware families, including Warlock, LockBit and Babuk. Cisco Talos observed the activity in August 2025 and attributed the multi-vector operation to a China-linked cluster tracked as Storm-2603. Attackers exploited a vulnerable agent (v0.73.4.0) via CVE-2025-6264 to escalate privileges and persist; defenders are urged to verify deployments and update to v0.73.5 or later.

Velociraptor Abused in Ransomware Attacks by Storm-2603

🔐 Cisco Talos confirmed ransomware operators abused Velociraptor, an open-source DFIR endpoint tool, to gain arbitrary command execution in August 2025 by deploying an outdated agent vulnerable to CVE-2025-6264. Talos links the activity with moderate confidence to Storm-2603 based on overlapping tooling and TTPs. Operators used the tool to stage lateral movement, deploy fileless PowerShell encryptors, and deliver multiple ransomware families, severely disrupting VMware ESXi and Windows servers.

LockBit, Qilin and DragonForce Form Ransomware Alliance

🔒 Three major ransomware groups — LockBit, Qilin, and DragonForce — have announced a strategic alliance aimed at sharing techniques, infrastructure, affiliates, and operational resources to amplify extortion campaigns worldwide. The announcement follows LockBit's resurgence and the unveiling of LockBit 5.0, which is advertised to target Windows, Linux, and ESXi systems. Security firms warn the partnership could rebuild affiliate trust, increase attacks on critical infrastructure and diversify threats across multiple industry sectors.

LockBit 5.0 Released: Faster ESXi Encryption, Evasion

🔒 LockBit 5.0 introduces faster ESXi drive encryption and enhanced evasion techniques, according to Trend Micro. The release includes Windows, Linux and VMware ESXi variants featuring heavy obfuscation, ETW patching, DLL reflection and hypervisor-targeted encryption designed to amplify impact. Researcher Jon DiMaggio describes the update as largely incremental fine-tuning and self-branding aimed at restoring affiliate trust after Operation Cronos.

LockBit 5.0 Emerges as Most Dangerous Ransomware Variant

🔒 Trend Micro has identified a new LockBit variant, LockBit 5.0, which it calls significantly more dangerous than prior releases and has observed in the wild. The vendor confirmed Windows, Linux, and ESXi binaries featuring faster encryption, removal of infection markers, randomized 16-character extensions and enhanced evasion. The Windows build includes a cleaner affiliate UI with detailed execution options, while the ESXi variant represents a critical escalation by enabling encryption of multiple virtual machines from a single payload. Researchers note substantial code reuse from 4.0, suggesting an evolutionary update rather than a rebrand.

Project AK47 Linked to SharePoint ToolShell Exploits

🔍Unit 42 links a modular malware suite dubbed Project AK47 to SharePoint exploitation activity observed alongside Microsoft’s ToolShell reporting. The toolset includes a dual-protocol backdoor (AK47C2 with dnsclient and httpclient), a ransomware family (AK47 / X2ANYLOCK), and DLL side‑loading loaders. Analysts found high-confidence overlaps with Microsoft’s Storm-2603 indicators, evidence of LockBit 3.0 artifacts in an evidence archive, and a matching Tox ID on a Warlock leak site. Recommended actions include applying patches for the referenced SharePoint CVEs and enabling updated protections from endpoint, URL, and DNS defenses.

LockBit, Hiveleaks and BlackBasta Drive Ransomware Spike

🚨 Ransomware activity rebounded in July, with NCC Group recording 198 successful campaigns — a 47% increase from June. The surge was led by LockBit 3.0 (62 attacks), followed by Hiveleaks (27) and BlackBasta (24), which showed rapid month‑over‑month growth. Researchers link the fluctuation to restructuring after U.S. pressure on Conti, with affiliates and replacement strains reemerging under new identities.