Overview
LockBit is one of the most prolific ransomware-as-a-service (RaaS) operations in recorded history. Following a brief operational disruption from Operation Cronos (February 2024, coordinated Europol/FBI/NCA takedown) and a second infrastructure seizure in May 2024, the group announced a return in September 2025 under what researchers have labelled LockBit 5.0 — internally referred to in affiliate communications and builder artefacts as “ChuongDong.”
As of July 2026, LockBit 5.0 has claimed and verified more than 200 victims on its rebuilt data leak site. The group has restored its affiliate network to an estimated 80-100 active affiliates, rebuilt its negotiation and payment infrastructure, and shipped a cross-platform encryptor that adds Linux (ESXi, EXT4) and macOS (ARM and x86_64) targets to the existing Windows and NAS modules.
Historical Context
| Version | Active Period | Key Characteristics |
|---|---|---|
| LockBit 1.0 | June 2019 — January 2020 | Basic encryptor; small-scale ops |
| LockBit 2.0 (Red) | June 2021 — March 2022 | StealBit exfiltration tool; speed-focused design |
| LockBit 3.0 (Black) | March 2022 — February 2024 | ALPHV code elements; bug bounty; Conti recruitment |
| LockBit 3.0 (disrupted) | February 2024 | Operation Cronos infrastructure seizure; admin doxxed |
| LockBit 5.0 (ChuongDong) | September 2025 — present | Cross-platform; rebuilt affiliate onboarding; 200+ victims |
LockBit 3.0 (Black) borrowed code elements from the leaked ALPHV/BlackCat builder, introducing ECDH key exchange and a configurable network scan component. ChuongDong retains these elements while adding platform portability and a redesigned affiliate control panel with new per-victim ransom analytics.
Technical Capabilities
Encryptor
The ChuongDong encryptor supports four platforms with separate binaries compiled from what appears to be a shared C++ codebase:
- Windows: Uses the same partial-encryption mode as LockBit 3.0 (encrypts first and last 16KB of files above a configurable threshold, full encryption for smaller files). Faster than competitors for large file volumes.
- Linux/ESXi: Targets VMware ESXi datastores. Capable of shutting down VMs before encryption to avoid file lock conflicts. Encrypts
.vmdk,.vmx,.vmsn, and.vswpfiles. - Linux EXT4: General-purpose Linux encryptor targeting file servers and NAS devices.
- macOS: New in ChuongDong. Targets ARM and x86_64. Anti-analysis checks for sandbox environments (checks for specific processes and low uptime). File extension list focuses on documents, databases, and developer artefacts. Note: macOS variant has produced fewer confirmed victim cases than Windows/Linux; researchers assess it as maturing.
Exfiltration
StealBit (the group’s custom exfiltration tool) was updated and is distributed as part of the affiliate toolkit. StealBit 3.0 adds:
- File type filtering via configurable extension lists (default prioritises documents, databases, email archives, and credential stores)
- Traffic obfuscation via domain fronting using legitimate CDN providers
- Chunked upload with retry logic for unreliable connections
- Self-deletion after successful exfil confirmation
Initial Access
ChuongDong is a RaaS operation — the group provides the encryptor and infrastructure; affiliates are responsible for initial access. Observed initial access methods across confirmed victims include:
- Exploitation of public-facing vulnerabilities (Citrix Bleed, Fortinet VPN CVEs, and the SharePoint CVE-2026-45659 deserialization RCE have all been observed in LockBit 5.0 intrusions)
- Phishing with credential harvesting leading to VPN or RDP access
- Purchase of access from initial access brokers (IABs) on criminal forums
- Exploitation of unpatched perimeter devices (Ivanti, Palo Alto, Check Point VPNs)
Affiliate Network and Operations
LockBit’s RaaS model offers affiliates 80% of ransom proceeds, with the core group retaining 20%. The rebuilt affiliate onboarding process for ChuongDong reportedly includes:
- A technical vetting interview (verifying penetration testing capability, not just script use)
- A deposit requirement (reduces throwaway affiliate accounts)
- A reputation scoring system based on successful prior operations
The group has actively recruited from disrupted RaaS programmes — ALPHV/BlackCat’s shutdown in March 2024 and Ragnar Locker’s 2023 disruption are cited as talent sources.
Double Extortion
Standard ChuongDong operations follow double-extortion: exfiltration before encryption, public leak site posting for non-paying victims. The rebuilt leak site (accessible via Tor) uses a countdown timer and incremental data release for victims who partially engage but do not pay. The operator threatens release of incrementally sensitive data at each countdown expiration.
Victim Negotiation
The group operates a dedicated negotiation panel accessible to victims via a victim-specific Tor link. Observed negotiation characteristics:
- Initial ransom demands typically 1-3% of estimated annual revenue for large enterprises
- Discounts of 30-50% observed for fast payment (within 72 hours)
- Data deletion “proof” offered as part of negotiated outcomes (not independently verifiable)
- Re-extortion risk: paying does not guarantee non-release; there are confirmed cases of re-extortion by LockBit affiliates 60-90 days after initial payment and data deletion claim
Sector Targeting
No sector is explicitly excluded. Confirmed ChuongDong victims span:
- Finance: Regional banks, insurance companies, asset managers
- Healthcare: Hospital systems, pharmacy chains, medical device manufacturers
- Manufacturing: Automotive suppliers, aerospace component manufacturers, food processing
- Government: Municipal governments, state agencies (non-federal US), government contractors
- Legal: Law firms (targeting client data for maximum leverage)
- Logistics: Freight forwarders, 3PL providers
- Education: Universities and research institutions
Geographic distribution: North America (~45%), Europe (~35%), Asia-Pacific (~15%), other (~5%). UK, France, Germany, Italy, Australia, and Canada are the most represented non-US countries.
Detection Guidance
Pre-Encryption Indicators
Detecting LockBit before encryption begins is the only effective defensive posture. Key pre-encryption behaviours to hunt:
- Credential harvesting tools: Mimikatz, Cobalt Strike Beacon, Brute Ratel, and Sliver have all been observed in LockBit affiliate intrusions. Detection of these tools should be treated as a potential ransomware precursor.
- Reconnaissance commands:
net group "domain admins",nltest /domain_trusts,arp -a,wmic /node:* OS getrun in rapid succession from a non-admin context - Shadow copy deletion:
vssadmin delete shadows /all /quietorwmic shadowcopy deleteare near-universal pre-encryption steps. This command should trigger immediate response. - Backup enumeration and targeting: Access to backup server shares or backup software APIs (Veeam, Backup Exec, etc.) from unexpected principals
- StealBit activity: Large outbound data transfers to IP addresses or domains with no prior history in DNS logs, particularly during off-hours
Encryptor Indicators
- Files renamed with
.lockbitextension (Windows variant) or no extension change but file content encrypted (Linux variant uses in-place encryption in some configurations) LOCKBIT-README.txtor similar ransom note dropped in every encrypted directory- Process creating high volumes of file handle open/close operations across multiple directories simultaneously
- Encryption of VSS snapshots and backup-related file paths
Network Indicators
LockBit uses configurable C2 — IPs and domains change per affiliate and campaign. Hunting by behaviour is more reliable than IOC lists. Look for:
- Outbound HTTPS to newly registered domains (< 30 days)
- Beaconing patterns: periodic low-volume HTTPS at regular intervals (15-60 minute periods common with Cobalt Strike default configs)
- DNS requests for
.oniondomains proxied through Tor2web gateways from enterprise endpoints
Response Considerations
If LockBit ChuongDong is suspected or confirmed on your network:
- Do not reboot affected systems: Rebooting may destroy volatile memory artifacts needed for forensics and may trigger additional encryptor components
- Isolate, do not shut down: Network isolation is preferable to power-off where possible
- Preserve VSS snapshots on unaffected systems: If shadow copies survive on systems that haven’t been reached, protect them by isolating those systems before the operator can delete them
- Engage law enforcement early: FBI, CISA, NCA, and Europol all have dedicated ransomware response teams with intelligence on active LockBit affiliate infrastructure that may assist recovery or identify decryption options
- Do not pay without legal counsel: Payments to sanctioned entities create OFAC liability. While LockBit’s sanctioned individuals (Dmitry Khoroshev / “LockBitSupp”) are identifiable, affiliates may also be sanctioned persons