LockBit's story is the clearest illustration available of a consistent truth in ransomware: law enforcement can destroy infrastructure, but it cannot destroy knowledge, motivation, or — as long as the administrator remains free — the organizational continuity that makes a mature RaaS operation possible. Operation Cronos seized servers, froze wallets, and unmasked a leader. It did not arrest him. Dmitry Khoroshev, operating as LockBitSupp, remained in Russia — a country that has never extradited cybercriminals — and continued building toward a comeback from the moment the NCA's banners replaced his leak site.
Understanding why LockBit 5.0 matters requires understanding what Operation Cronos actually accomplished and what it left intact. The law enforcement operation was extraordinary in its scope and precision. The comeback was equally instructive about the structural limits of infrastructure-focused disruption.
What LockBit Was Before Cronos
LockBit began in 2019 as a low-profile ransomware family called "ABCD ransomware," named for the file extension it appended to encrypted files. Within a few years, it had evolved into the dominant force in the global ransomware economy. Between June 2022 and February 2024 — the window for which law enforcement obtained detailed records during Operation Cronos — more than 7,000 attacks were built using LockBit's services. The group was responsible for 20–30% of all data-leak site victim postings at its peak, making it the single most prolific ransomware operation in the world by that metric.
The architecture that produced that scale was LockBit's mature RaaS model. Operators maintained the ransomware codebase, the affiliate management infrastructure, the negotiation portals, the payment systems, and the leak site. Affiliates — freelancers with their own intrusion capabilities — joined the program, deposited an entry fee, and received access to the tooling and infrastructure. They kept 80% of ransom payments; Khoroshev and the operator core took 20%. The model scaled in ways that no single criminal group operating its own attacks could match.
| Version | Year | Key Development |
|---|---|---|
| ABCD / LockBit 1.0 | 2019–2020 | Initial .abcd extension ransomware; limited RaaS structure |
| LockBit 2.0 | 2021 | Introduced StealBit — a bespoke exfiltration tool for high-speed data theft alongside encryption |
| LockBit 3.0 (Black) | 2022 | Bug bounty program; leaked builder used by unrelated threat actors; ESXi targeting introduced |
| LockBit Green | 2023 | Based on leaked Conti source code; parallel variant alongside Black |
| LockBit 4.0 | Jan 2025 | Released after Operation Cronos disruption; used modified UPX packing; some deployment confirmed but limited |
| LockBit 5.0 (ChuongDong) | Sep 2025 | Full comeback on sixth anniversary; XChaCha20 + Curve25519 encryption; Windows / Linux / ESXi; two-stage loader; invisible mode |
The group's victim list encompassed more than 100 hospitals and healthcare companies, thousands of private businesses, government agencies, schools, and critical infrastructure operators across the U.S., UK, France, Germany, and China. At least 2,110 victims were forced into ransom negotiations. By the time of Operation Cronos, Khoroshev had personally collected approximately $100 million in ransomware proceeds from his 20% share of affiliate payments.
Operation Cronos: What Law Enforcement Did
On February 19, 2024, agencies from ten countries — led by the UK's National Crime Agency with the FBI, Europol, and eight additional national law enforcement bodies — executed one of the most precisely coordinated ransomware takedowns in history. The operation seized LockBit's back-end servers, affiliate management dashboards, decryption keys, cryptocurrency wallets, and the dark web leak site that LockBit used to publish stolen data and pressure victims.
What made Operation Cronos operationally distinctive — and deliberately humiliating for LockBit — was the psychological dimension of what the NCA did with the seized infrastructure. Instead of simply taking the leak site offline, investigators replaced it with law enforcement banners styled exactly like LockBit's own ransom pages: countdown timers, dramatic formatting, and the same visual language LockBit had used for years to terrorize victims. Only the countdowns now ticked toward law enforcement press conferences rather than ransom deadlines. The seized site was then repurposed as an exposé hub — publishing data obtained from LockBit's own systems about its affiliates, victims, and operations.
"We know who he is." — NCA post on the seized LockBit leak site, February 2024, referring to LockBitSupp
The practical outcomes were substantial. Law enforcement obtained over 2,500 decryption keys and proactively contacted nearly 240 LockBit victims in the UK alone to offer support. The NCA seized more than 2,000 Bitcoin worth approximately $110 million in ransomware proceeds that had not yet been laundered. Four individuals were arrested — one in Ukraine, one in Poland, two in the United States. A decryptor for LockBit 3.0 was built from seized keys and released for free on No More Ransom.
Three months after the February takedown, on May 7, 2024, the U.S., UK, and Australia jointly identified Khoroshev publicly — ending the anonymity he had protected for years and for which he had famously offered a $10 million reward to anyone who could reveal it. OFAC sanctioned him, the DOJ unsealed a 26-count indictment, and the U.S. State Department offered up to $10 million for information leading to his arrest or conviction. International sanctions made it illegal for organizations in most Western countries to pay LockBit ransoms.
Then, in May 2025, LockBit was hit again — this time not by law enforcement but by unknown attackers. Its infrastructure was breached and defaced, with internal dashboards replaced by the message "Don't do crime, CRIME IS BAD xoxo from Prague." The resulting data dump exposed Bitcoin wallet addresses, public encryption keys, internal chat logs with victims, affiliate details, and ransom negotiations. It was the second catastrophic exposure of LockBit's internal operations in fourteen months.
Eighteen Months Between Disruptions: What Happened
LockBit did not go quiet after Operation Cronos. Khoroshev's response was immediate defiance: within days of the February takedown, he restored infrastructure and announced that restrictions for affiliates had been lifted. To inflate the appearance of continued activity, the group reposted victims who had been targeted prior to the NCA's seizure to new leak sites, mixing old entries with genuine post-Cronos attacks to obscure how significantly active affiliate numbers had fallen.
The NCA's analysis confirmed the actual damage: of 194 affiliates registered with LockBit as of February 2024, the active count fell to 69 in the months following the disruption. UK monthly attack volumes dropped 73%. The group was operating, but at substantially reduced capacity and with a battered reputation in the underground ecosystem. Affiliates who had paid to join a platform that law enforcement had publicly infiltrated — and whose identities were potentially known to investigators — had strong incentives to move elsewhere.
LockBit 4.0 was announced in late 2024 and released in January 2025. It represented a transitional version — updates to the codebase, modified packing using UPX, some confirmed deployments — but not yet the full operational resurrection the group was working toward. Khoroshev kept posting on RAMP, dismissing law enforcement actions, and signaling that a more significant return was coming.
In May 2025, the second infrastructure breach hit. LockBit went silent on its Data Leak Site for the remainder of the summer. But in August 2025, LockBitSupp reappeared on RAMP with a direct statement: the group was "getting back to work." The post proved accurate.
LockBit's forum rehabilitation was not straightforward. RAMP, where LockBitSupp remained active, is one of the primary forums where RaaS groups recruit affiliates. XSS, another major forum, had banned LockBit after a conflict with a forum user in February 2024. When LockBit attempted to restore its XSS presence in September 2025 — running a vote to lift the ban — 27 of 49 voters opposed it. The ban remained. The difficulty of restoring credibility on forums that major ransomware actors use for recruitment is one of the less-discussed consequences of Operation Cronos's reputational damage.
LockBit 5.0: The Technical Architecture
LockBit 5.0, which the group internally calls the "ChuongDong" version, was announced on the group's sixth anniversary in early September 2025. Trend Micro researchers identified binaries in the wild by September 25; Flashpoint, Acronis, and S2W subsequently published detailed analyses. All three platform variants — Windows, Linux, and ESXi — were confirmed within weeks of the announcement.
Encryption: XChaCha20 and Curve25519
All three variants share a unified cryptographic architecture. File encryption uses XChaCha20 — a stream cipher that provides strong performance at scale and is significantly faster than AES-based alternatives for large-volume encryption. Key exchange uses Curve25519 elliptic-curve Diffie-Hellman, providing asymmetric key protection. The master encryption key is itself protected through a multi-step process: a derived key undergoes Curve25519 operations, the result is SHA-512 hashed, and the first 32 bytes of that hash serve as the ChaCha20 key, with the first 16 bytes of a second SHA-512 hash serving as the nonce. Each encrypted file receives a randomly generated 16-character extension — a departure from previous LockBit versions' consistent extension formatting, designed to make identification and automated detection more difficult.
Encryption threads are created based on the number of available processors, ensuring the encryption process is as fast as the target system's hardware allows. The file encryption pipeline walks directory structures, saves found files to an internal list, and dispatches them to encryption threads that process in parallel — maximizing throughput and minimizing the time between initial access and full encryption.
Two-stage deployment architecture
Flashpoint's analysis identified a two-stage deployment model as a key architectural change from prior versions. The first stage is a loader component that XOR-decrypts and LZ-decompresses the ransomware payload, then executes it entirely in memory. This avoids writing the final payload to disk — meaning file-based detection and hash matching tools see only the loader, not the actual encryptor. The second stage is the ransomware payload itself, executing in memory from the context of the loader process.
Defense evasion: the Windows variant
The Windows variant carries the most extensive anti-analysis and evasion capabilities of the three platform builds. Key mechanisms documented by researchers include:
- ETW patching — the payload patches the `EtwEventWrite` API to disable Event Tracing for Windows (ETW). This severs the telemetry feed that security monitoring tools and SIEM systems rely on to observe process behavior and system events. With ETW disabled, the encryption phase becomes significantly less visible to detection infrastructure.
- Mixed Boolean-Arithmetic (MBA) obfuscation — return-address-dependent hashing wrapped around MBA obfuscation conceals the payload's true control flow. This technique is specifically designed to defeat static analysis tools and reverse engineering workflows, increasing the cost for defenders and researchers trying to understand the payload's behavior.
- Service termination — a hardcoded list of service name hashes is used to terminate over 60 security services and AV/EDR processes using `taskkill`, `net stop`, and direct service manipulation. Volume Shadow Copy Service (VSS), Windows Search, and Edge Update are among the services explicitly stopped before encryption begins — VSS termination being the standard method to prevent recovery from shadow copies.
- Event log wiping — the `EvtClearLog` API is called after encryption completes, wiping all event logs to remove forensic artifacts of the attack chain.
- DLL unhooking — repeated library unhooking is applied to every DLL loaded during execution. EDR agents typically instrument user-mode DLLs by placing hooks on key API functions; unhooking removes those hooks, allowing subsequent API calls to proceed without the EDR agent observing them.
- Invisible mode — LockBit 5.0 introduces an execution mode that encrypts files without changing extensions or dropping ransom notes anywhere in the filesystem. This mode produces no visible artifacts of encryption in real time, designed for scenarios where stealth is valued over immediate victim awareness — potentially for sabotage or data destruction purposes where no ransom demand is intended.
Geolocation exclusions
LockBit 5.0 maintains the standard Russian-based ransomware practice of avoiding execution on systems in Russia and post-Soviet allied states. The payload checks system language settings before running and exits if Russian or CIS-compatible language identifiers are detected. This is consistent with all prior LockBit versions and reflects both the operators' political positioning and the practical reality that Russian law enforcement does not pursue cybercriminals targeting Western organizations.
Researchers at Flashpoint additionally documented the payload avoiding execution on Philippine-based systems — a geographic exclusion that appears unique to this version and whose rationale has not been publicly established.
ESXi and Linux targeting
The Linux and ESXi variants share the core XChaCha20/Curve25519 cryptographic architecture but are delivered unpacked — unlike the Windows variant's custom packing — presumably to facilitate rapid deployment in environments where complex loader mechanics would increase operational risk. The ESXi variant specifically targets VMware virtualization infrastructure, encrypting virtual machine files including .vmdk, .vmx, and related configuration files. Support for Proxmox, an open-source virtualization platform widely deployed in European enterprise and SMB environments, was explicitly advertised as a new capability.
Cross-platform support has been present in LockBit since version 2.0, but the maturity of the Linux and ESXi variants in 5.0 represents a meaningful evolution. Organizations that have invested in EDR coverage for Windows endpoints but have weaker visibility into Linux servers and ESXi hypervisors remain specifically exposed to this targeting approach.
The Restructured Affiliate Program
One of the most significant strategic changes in LockBit 5.0 was the restructuring of the affiliate program's entry requirements. The original LockBit program required substantial vetting and entry costs, maintaining a degree of selectivity that kept affiliate numbers relatively controlled. Following the May 2025 data breach that exposed affiliate panel details, LockBit made a deliberate pivot: the entry fee was dramatically reduced to $500 in Bitcoin, with a "Lite" panel configuration reported at $777, and the recruitment posture shifted from selectivity toward volume.
This democratization of access reflects the strategic reality LockBit faced. After two major disruptions, the group needed affiliates more than it needed quality control. The lower barrier was an explicit attempt to rebuild affiliate numbers rapidly, even at the cost of attracting less sophisticated operators. The $500 entry model Check Point documented — requiring a Bitcoin deposit for access to the control panel and encryptors — is calibrated to screen out completely casual entrants while remaining accessible enough to attract a broad pool of operators who were previously on other platforms.
The affiliate program structure also shifted responsibility allocation in a legally significant direction. LockBit 5.0's affiliate panel explicitly states that affiliates may target any organization including critical infrastructure and medical facilities, while placing full responsibility for such targeting choices on the affiliates themselves. This is a documented attempt to create legal and reputational distance between the operator and the most consequential attacks — a design decision that has no effect on actual harm but matters for how the group positions itself in the underground ecosystem.
OFAC's designation of Dmitry Khoroshev in May 2024 made it illegal for U.S. persons and organizations to pay ransoms to LockBit in most circumstances, regardless of the circumstances of a specific attack. Organizations that receive LockBit 5.0 ransom demands should consult legal counsel before making any payment decision — a payment to a sanctioned entity can carry civil and criminal liability independent of the ransomware incident itself.
The Full Timeline: From Peak to Disruption to Return
What the Comeback Actually Means
The most important question the LockBit 5.0 resurgence poses is not about LockBit specifically. It is about what law enforcement operations against major RaaS operators can and cannot accomplish.
Operation Cronos accomplished something genuine and significant. It reduced active affiliates by 64%, caused a 73% drop in UK attack volumes, recovered decryption keys that helped hundreds of victims without paying ransom, seized $110 million in proceeds, and publicly destroyed the anonymity that Khoroshev had built his entire criminal identity around. These are real outcomes that prevented real harm.
What it did not accomplish was ending LockBit. Khoroshev was not arrested. The core development capability was not neutralized. The RaaS model — the intellectual and operational infrastructure of how LockBit operates — survived intact inside the head of a person who remains beyond Western law enforcement's reach. Infrastructure can be seized; human knowledge cannot. And LockBit 5.0's technical quality demonstrates that the knowledge and capability to build sophisticated ransomware was not lost in the disruption.
"Operation Cronos merely made the group more aggressive, with enhanced evasion tactics against endpoint detection." — The Register, quoting security researchers, September 2025
Check Point's assessment that LockBit's return "could signal a recentralization of the RaaS ecosystem under a single, experienced actor" is worth taking seriously. The fragmentation of the ransomware ecosystem following the collapse of LockBit, ALPHV, and RansomHub in 2024–2025 produced a broader, more distributed threat landscape — one that was in some ways harder to track but in others less capable than the concentrated operations it replaced. A fully reconstituted LockBit with a mature affiliate program and three-platform payload capability occupies a different position in the ecosystem than the dozens of smaller, shorter-lived operations that filled the vacuum. The ability to conduct large-scale, coordinated campaigns against enterprises — rather than the pattern of smaller, opportunistic attacks from less experienced crews — represents a qualitatively different threat.
What Defenders Need to Know
LockBit 5.0's technical design reflects years of accumulated knowledge about what defenses exist and how to circumvent them at each stage of the attack chain. Defenders need to address several specific capabilities the new version introduces or improves.
ETW patching requires detection at a level below the event pipeline. When LockBit patches EtwEventWrite, it severs the event stream that most security monitoring relies on. Detection of ETW patching itself — through kernel-level telemetry, hypervisor-based monitoring, or endpoint agents that operate independently of ETW — is necessary to maintain visibility when an attacker attempts to blind the standard telemetry path.
Invisible mode creates no encryption-phase detection signal. The mode that encrypts without changing extensions or dropping ransom notes removes the two primary indicators organizations use to detect ransomware in progress: anomalous file extension changes and unexpected file creation events for ransom notes. Organizations that rely primarily on ransomware-specific signature detection or file modification event patterns will not see this mode firing. Detection must move to earlier phases — lateral movement, credential theft, service termination, and shadow copy deletion.
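One concrete way to act on that shift, added here as an illustration and not taken from the original article or from any vendor's detection content: the script below correlates process-creation events for the pre-encryption pattern described in the Windows evasion section (`net stop` against VSS and the other named services, `taskkill` against security processes) so that an alert fires before any file is touched, whether or not extensions or ransom notes ever appear. The event field names, the security-tool image names and the sample events are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Services the article names as stopped before encryption begins.
STOPPED_SERVICES = {"vss", "wsearch", "edgeupdate"}
# Security-tool image names a defender would enumerate for their own estate.
# These three are placeholders for the example, not names from any sample.
SECURITY_IMAGES = {"avservice.exe", "edragent.exe", "sensor.exe"}

WINDOW_SECONDS = 120   # hits from one parent within this span are correlated
KILL_THRESHOLD = 3     # distinct security processes targeted before alerting

NET_STOP = re.compile(r"\bnet(?:\.exe)?\s+stop\s+\"?([^\s\"]+)", re.I)
TASKKILL = re.compile(r"\btaskkill(?:\.exe)?\b.*?/IM\s+\"?([^\s\"]+)", re.I)


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed; loosely Sysmon-like)."""
    ts: int          # seconds since epoch
    host: str
    parent_pid: int  # the process that spawned the command
    cmdline: str


def classify(cmdline):
    """Return ('stop', service), ('kill', image) or None for one command line."""
    m = NET_STOP.search(cmdline)
    if m and m.group(1).lower() in STOPPED_SERVICES:
        return ("stop", m.group(1).lower())
    m = TASKKILL.search(cmdline)
    if m and m.group(1).lower() in SECURITY_IMAGES:
        return ("kill", m.group(1).lower())
    return None


def detect(events):
    """Group hits per (host, parent) and alert on VSS stop or mass AV/EDR kills."""
    buckets = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        tag = classify(e.cmdline)
        if tag:
            buckets[(e.host, e.parent_pid)].append((e.ts, tag))
    alerts = []
    for (host, ppid), hits in buckets.items():
        start = hits[0][0]  # window anchored at the first hit for simplicity
        window = [tag for ts, tag in hits if ts - start <= WINDOW_SECONDS]
        stops = {name for kind, name in window if kind == "stop"}
        kills = {name for kind, name in window if kind == "kill"}
        if "vss" in stops or len(kills) >= KILL_THRESHOLD:
            alerts.append({"host": host, "parent_pid": ppid,
                           "services_stopped": sorted(stops),
                           "security_procs_killed": sorted(kills)})
    return alerts


# Constructed sample telemetry: one host shows the full pattern, the other
# only a lone service stop and an unrelated taskkill.
SAMPLE_EVENTS = [
    ProcEvent(1000, "ws01", 4120, "net stop vss"),
    ProcEvent(1001, "ws01", 4120, "net stop WSearch"),
    ProcEvent(1002, "ws01", 4120, "taskkill /F /IM avservice.exe"),
    ProcEvent(1002, "ws01", 4120, "taskkill /F /IM edragent.exe"),
    ProcEvent(1003, "ws01", 4120, "taskkill /F /IM sensor.exe"),
    ProcEvent(1500, "ws02", 880, "net stop EdgeUpdate"),
    ProcEvent(1600, "ws02", 990, "taskkill /IM notepad.exe"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The same correlation keyed on parent process is what lets a SIEM rule distinguish an administrator stopping one service from a single process stopping VSS and killing several agents within seconds.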
ESXi hypervisors need security controls, not just endpoint coverage. The mature ESXi variant combined with Proxmox support reflects sustained investment in targeting environments that remain outside many organizations' primary security coverage. VMware ESXi management interfaces should be network-segmented and not accessible from general enterprise networks. Monitor for unexpected VM power state changes, unauthorized access to hypervisor management interfaces, and anomalous access to VM disk files (.vmdk, .vmx).
Immutable backups are the recovery prerequisite. LockBit's explicit termination of VSS before encryption means shadow copies will not survive an attack. Recovery capability depends entirely on backups that are offline or write-protected — storage that cannot be reached and modified by a compromised endpoint or domain admin account. Online backups accessible from the same environment as production systems should be treated as additional encryption targets rather than recovery assets.
LockBit payments are legally constrained. The OFAC sanctions against Khoroshev mean that payment to LockBit-affiliated actors carries legal risk under U.S. law in most circumstances. This changes the decision calculus around ransom negotiation in ways that require legal counsel involvement from the earliest stages of an incident, not as an afterthought once a payment decision has been made.
Key Takeaways
- Infrastructure seizure disrupts but does not destroy a RaaS operation when the administrator remains free. Operation Cronos was exceptionally well-executed and produced real protective outcomes. LockBit 5.0 demonstrates its structural limit: an administrator in a non-extraditing country can rebuild from knowledge and relationships even after total infrastructure loss.
- LockBit 5.0 is a genuine technical evolution, not a rebranded imitation. The two-stage loader, invisible mode, ETW patching, MBA obfuscation, and unified XChaCha20/Curve25519 cryptographic architecture across three platforms represent sustained development investment. Researchers confirmed code continuity with LockBit 4.0 through identical hashing algorithms and API resolution methods — this is the same group, with improved capabilities.
- Cross-platform targeting is the defining feature of the current version. Windows-only security coverage is structurally insufficient against a RaaS operation deploying mature, analyzed-in-the-wild Linux and ESXi variants. Organizations with mixed or virtualized infrastructure need platform-consistent security coverage, not endpoint-centric coverage with blind spots on servers and hypervisors.
- The reduced affiliate entry fee trades quality for volume. The shift from a selective program to a $500 access model produces a broader but less consistent affiliate population. Some will be capable operators from other disrupted platforms; many will be lower-skilled. The resulting attack volume will likely be higher, but the per-attack sophistication will vary more widely than during LockBit's peak period.
- OFAC sanctions create legal exposure around any ransom payment. Organizations hit by LockBit 5.0 face legal constraints on ransom payments that did not exist during earlier versions. This requires legal counsel involvement in incident response from the outset, not after a payment decision has been considered.
- The pattern will repeat. LockBit has survived two major infrastructure disruptions, public unmasking of its administrator, sanctions, developer extraditions, and a secondary infrastructure breach by unknown attackers. The consistent lesson across all of these events is that a motivated, skilled operator who remains free and located in a non-cooperating jurisdiction cannot be permanently stopped through infrastructure actions alone. The most durable protection is organizational resilience — backups, segmentation, MFA, and detection that does not depend on the infrastructure the attacker will disable first.