LockBit is Back: What’s New in Version 5.0

September 12, 2025

LockBit is Back: What’s New in Version 5.0

LockBit is a prolific ransomware-as-a-service (RaaS) operation that has evolved through multiple versions since its debut in 2019. Despite a major law enforcement takedown (Operation Cronos in early 2024) that seized servers and leaked decryption keys, the group has re-emerged with LockBit 5.0. This latest version is positioned as a “comeback” for the gang, boasting faster encryption, stronger evasion, and a revamped affiliate program. This blog provides a comprehensive breakdown of LockBit 5.0’s technical features and actionable insights for SOC teams to strengthen defenses against its affiliate-driven campaigns.

*LockBit 5.0 Login Page* *(Source: SOCRadar)*

Quick Recap of LockBit Evolution

LockBit first appeared in 2019 under the name ABCD ransomware, a reference to the “.abcd” extension it added to encrypted files. This early version was relatively basic, focusing purely on fast encryption of local files without the advanced tactics we see today.

In 2021, LockBit 2.0 (Red) marked the first major leap. It introduced StealBit, a purpose-built data exfiltration tool that enabled attackers to steal sensitive data at scale. This version also added automated propagation through SMB and PsExec, giving affiliates the ability to spread rapidly across corporate networks. Around the same time, the group expanded to Linux and VMware ESXi targets, signaling the start of its big-game hunting focus.

LockBit 3.0 (Black), launched in 2022, pushed innovation even further. It was the first ransomware group to run a bug bounty program, openly inviting hackers to help improve its malware. It also deployed intermittent encryption to accelerate attacks, encrypting only chunks of large files while still rendering them useless. This version cemented LockBit as the most active ransomware group globally, responsible for more than 40% of reported incidents that year. A leaked builder kit in late 2022 also gave researchers—and rival criminals—a rare inside look at how customizable LockBit had become.

By late 2024, LockBit responded to law enforcement pressure with LockBit 4.0 (Green). This release was nearly a full rewrite, developed in .NET Core with a modular architecture and enhanced stealth. Gone were noisy features like printer spam, replaced by API unhooking, obfuscation, and stealthier execution. Encryption speed reached new highs, capable of crippling large networks in minutes. Affiliates gained more flexibility with customizable ransom notes and support for Linux and ESXi environments.

Now, with LockBit 5.0, the group is attempting a full comeback after global takedowns and internal leaks. This version continues the modular approach, introduces stronger evasion against modern EDR, and offers revamped affiliate incentives to rebuild its network. The result is a ransomware strain designed to be faster, more resilient, and more adaptable than any of its predecessors.

Version	Timeframe	Key Features & Changes
LockBit 1.0 “ABCD”	2019 to 2020	Initial family release, files appended with .abcd, basic but fast encryptor. Limited data theft capabilities at this stage. Early C or C++ implementation, no mature affiliate tooling yet.
LockBit 2.0 “Red”	2021	Introduction of StealBit for rapid exfiltration. Better automation for discovery and lateral movement using SMB, PsExec, WMI. Significant speed improvements. Added Linux and VMware ESXi lockers to hit virtual infrastructure. Formalized RaaS program with revenue split and panel access for affiliates.
LockBit 3.0 “Black”	2022	Added intermittent encryption to accelerate impact while keeping files unusable. Continued AES plus RSA hybrid crypto. Launched a public bug bounty for malware improvements. Mature point and click builder for affiliates. Double and triple extortion tactics increased. Builder later leaked which enabled copycats and signature coverage on older builds.
LockBit 4.0 “Green”	Late 2024 to early 2025	Major rework with .NET Core codebase and stealth-first design. Complex API hashing and user land unhooking to bypass EDR. Removed noisy self propagation and printer abuse to cut detections. Faster multi threaded encryption, customizable ransom notes for affiliates, decentralized Tor infrastructure for resiliency. Expanded Linux and ESXi targeting for data center impact.
LockBit 5.0	Mid to late 2025	Modular architecture so affiliates toggle components per campaign. Further speed optimizations and stronger anti analysis. Flexible comms during negotiation, Tor portals plus Tox where needed. Revamped affiliate incentives to rebuild the network, influx of new affiliates. Signals of cooperation with peer groups, potential cartel style coordination. Goal is faster time to impact with lower detection surface.

Evolution of LockBit RaaS, 2019 to 2025

LockBit 5.0 Features in Action: TTPs and What’s Changed

LockBit 5.0 introduces modularity, faster encryption, and stronger evasion—but the real impact is how these features play out during an intrusion. Below, we map the new capabilities to each stage of the attack lifecycle so SOC teams can see exactly where to focus detection and response.

Initial Access

What’s new: The affiliate program’s lowered barriers (auto-registration, wider recruitment) mean more varied intrusion techniques across campaigns.
Observed techniques: Phishing, brute-force and credential stuffing of RDP/VPN, exploitation of unpatched services like Exchange or Fortinet.
SOC focus: Monitor for abnormal login activity, repeated authentication failures, and unpatched public-facing infrastructure.

Execution & Privilege Escalation

What’s new: Payloads are often launched filelessly via PowerShell or LOLBins, and builds can include validity periods that expire, hindering analysis.
Observed techniques: In-memory loaders, mshta.exe execution, credential dumping from LSASS, registry hive exfiltration.
SOC focus: Detect suspicious script activity, especially PowerShell spawning child processes, and registry access outside normal baselines.

Lateral Movement

What’s new: Affiliates can toggle propagation modules, making LockBit less predictable and stealthier than earlier worm-like versions.
Observed techniques: PsExec, WMI jobs, Group Policy Object (GPO) abuse to spread ransomware across hosts.
SOC focus: Hunt for new service creations, unusual remote WMI commands, or lateral RDP connections outside business hours.

Defense Evasion

What’s new: Expanded process-kill lists, advanced API unhooking, and obfuscation built into the modular architecture.
Observed techniques: Termination of AV/backup agents, shadow copy deletion (vssadmin delete), log clearing, sandbox/VM checks.
SOC focus: Correlate mass process/service stoppages with registry edits or administrative command executions.

Impact & Extortion

What’s new: Encryption speed is faster through optimized intermittent encryption. Ransom notes may include tiered payment deadlines and Tox IDs instead of only Tor portals.
Observed techniques: Large-scale file renaming with randomized extensions, {random}.README.txt ransom notes in directories, wallpaper changes, exfiltration via StealBit/Rclone.
SOC focus: Detect bulk file renames, unexpected wallpaper changes, and abnormal outbound transfers to cloud storage or unknown servers.

Why Prevention Alone Isn’t Enough Against LockBit 5.0

LockBit 5.0 highlights the uncomfortable truth: even well-tuned prevention controls cannot stop every attack. Affiliates exploit weak credentials, unpatched systems, or phishing to get in—and once inside, they use tools and techniques that blend in with legitimate activity. By the time ransomware is detonated, the damage is already done.

Here’s where traditional prevention layers fall short:

Perimeter defenses like firewalls, VPNs, and MFA block many attempts but cannot recognize valid stolen credentials. If an attacker logs in as a trusted user, they walk straight through.
Endpoint agents can be killed or bypassed. LockBit 5.0 aggressively terminates AV and EDR processes, executes filelessly in memory, and unhooks APIs, leaving few traces.
Log-centric tools (SIEM, DLP) depend on visibility attackers can remove. LockBit clears event logs and deletes shadow copies, blinding defenders just before encryption begins.
Backups are directly targeted. Process kill lists include backup and recovery services, leaving organizations without their last line of defense.

For SOC teams, this means focusing only on prevention is not enough. A post-compromise detection and response strategy is critical—one that hunts for the behaviors attackers cannot hide:

Credential misuse and privilege escalation.
Unusual lateral movement via PsExec, WMI, or GPO.
Mass process termination and shadow copy deletion.
Abnormal outbound data transfers to cloud services or Tor/Tox channels.

Detect LockBit Related Activities With Vectra AI

The Vectra AI Platform is built to close this detection gap. Instead of relying solely on logs or signatures, it continuously analyzes behaviors across network, identity, cloud, and SaaS environments, surfacing real attacker activity in real time. By combining prevention with post-compromise detection and AI-driven response, SOC teams can stop LockBit 5.0 before encryption cripples business operations.

Explore our self-guided demo to see how Vectra AI closes the gap and ensures that when prevention fails, detection and response are ready.

---

Sources: The information in this blog is drawn from a variety of threat intelligence analyses, including industry research blogs and official advisories. Key references include the SOCRadar threat intel blog on LockBit 5.0’s features, the joint advisory (May 2025) detailing LockBit 3.0/4.0 TTP, Trend Micro’s report in collaboration with the UK NCA on LockBit’s new developments, and the Trellix research on LockBit’s leaked admin panel data.