LockBit 5.0 Infrastructure Exposure and Post-Takedown Activity
LockBit 5.0, a major ransomware-as-a-service operation, recently attempted to reestablish its presence by launching a new 'secure' blog domain with claims of enhanced protection against law enforcement. However, security researchers quickly identified and publicly exposed the IP address and domain (karma0[.]xyz, IP: 205.185.116.233), revealing multiple open ports and vulnerable remote access, which left the infrastructure susceptible to disruption. Further analysis showed that LockBit was recycling old victim data on its leak site, with several entries originating from previous leaks or other ransomware groups, highlighting operational security failures and attempts to maintain the appearance of ongoing activity.
This exposure comes in the wake of a significant international law enforcement operation (Operation Cronos) that disrupted LockBit's infrastructure, compromised its administration panel, and led to the public release of affiliate and victim data. Despite these setbacks and reputational damage, LockBit has demonstrated resilience, attempting to reassert itself by reusing old data and launching new infrastructure, though these efforts have been undermined by continued security lapses. Defenders are advised to block the exposed IP and domain and monitor for further developments as the group persists in its operations.
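One way to act on the monitoring advice above is to sweep DNS, proxy and firewall logs for the two published indicators. This is an added example, not part of the original report: the log lines are constructed samples and the function names are hypothetical. It matches whole tokens only, so look-alike domains and longer IP strings do not raise false hits.

```python
import ipaddress
import re

# Indicators exactly as published on this page (defanged form kept as-is).
PUBLISHED_IOCS = ["karma0[.]xyz", "205.185.116.233"]
TOKEN = re.compile(r"[A-Za-z0-9._-]+")

# Constructed sample log lines for illustration only (not real telemetry).
SAMPLE_LOG = """\
2025-12-08T10:02:11Z dns query client=10.0.4.17 name=blog.karma0.xyz. type=A
2025-12-08T10:02:12Z proxy CONNECT 205.185.116.233:443 user=svc-backup
2025-12-08T10:03:40Z dns query client=10.0.4.22 name=notkarma0.xyz type=A
2025-12-08T10:04:05Z proxy GET http://karma0.xyz.example.com/ user=jdoe
2025-12-08T10:05:19Z fw allow dst=205.185.116.23 dport=443
"""

def refang(text):
    """Undo common defanging (karma0[.]xyz, hxxp://) and normalise case."""
    return text.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def build_matchers(iocs):
    """Split indicators into a set of IP addresses and a set of domains."""
    ips, domains = set(), set()
    for raw in iocs:
        value = refang(raw)
        try:
            ips.add(ipaddress.ip_address(value))
        except ValueError:
            domains.add(value.rstrip("."))
    return ips, domains

def match_line(line, ips, domains):
    """Return indicators present in one log line, comparing whole tokens."""
    hits = set()
    for token in TOKEN.findall(refang(line)):
        token = token.strip(".")
        try:
            if ipaddress.ip_address(token) in ips:
                hits.add(token)
            continue
        except ValueError:
            pass  # not an IP address, treat it as a possible hostname
        # Exact domain or any subdomain of it; "notkarma0.xyz" does not match.
        hits.update(d for d in domains if token == d or token.endswith("." + d))
    return hits

def scan(log_text, iocs=PUBLISHED_IOCS):
    """Return (line number, sorted hits) for every line containing an indicator."""
    ips, domains = build_matchers(iocs)
    numbered = enumerate(log_text.splitlines(), 1)
    found = ((n, sorted(match_line(line, ips, domains))) for n, line in numbered)
    return [(n, hits) for n, hits in found if hits]
```

Calling `scan(SAMPLE_LOG)` flags only the first two sample lines: the subdomain lookup and the direct connection to the exposed IP.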
Timeline
Dec 7, 2025
Analysis finds LockBit 5.0 reused old leak data
By December 2025, observers reported that LockBit 5.0 was reposting older victim data rather than publishing entirely new leak material, undermining its claims of fresh compromises.
Dec 5, 2025
Researcher exposes LockBit 5.0 blog infrastructure
On December 5, 2025, researcher Rakesh Krishnan said he identified LockBit 5.0's new blog infrastructure, including IP address 205.185.116.233 and domain karma0[.]xyz, and claimed the group was using SmokeLoader in attacks.
Dec 4, 2025
LockBit announces 23 purported new victims
On December 4, 2025, LockBit 5.0 announced 23 alleged new victims on its leak site, though later reporting said many of the entries were recycled from older leaks or other ransomware groups.
Sep 1, 2025
LockBit resurfaces with LockBit 5.0
Despite the February 2024 disruption, LockBit re-emerged in September 2025 with LockBit 5.0, a new version with enhanced anti-analysis, evasion, and cross-platform capabilities.
Feb 1, 2024
Researchers uncover LockBit-NG-Dev prototype during takedown
Data exposed during the February 2024 takedown revealed the LockBit-NG-Dev prototype, a .NET-based build using runtime JSON configuration and multiple encryption and evasion modes.
Feb 1, 2024
Operation Cronos disrupts LockBit infrastructure
In February 2024, a major law-enforcement action known as Operation Cronos disrupted LockBit's infrastructure and exposed internal data from the group.
Jan 1, 2019
LockBit begins operating as a ransomware-as-a-service group
LockBit became active in 2019 as a major ransomware-as-a-service operation using double-extortion tactics and targeting critical sectors worldwide.
Related Stories

LockBit 5.0 Ransomware Variants and Updated Affiliate Panel Exposed
Security researchers reported that **LockBit** has continued operating after the law-enforcement disruption known as **Operation Cronos**, releasing multiple new **LockBit 5.0** payload variants and maintaining an active ransomware-as-a-service (RaaS) affiliate ecosystem. Reporting citing *Flare.io* analysis described four newly observed builds labeled `LB_Black_14_01_2026` (Windows), `LB_Linux_14_01_2026` (Linux), `LB_ESXi_14_01_2026` (VMware ESXi), and `LB_ChuongDong_14_01_2026` (specialized deployments), indicating an ongoing multi-platform targeting strategy. Analysis of the latest **LockBit 5.0 affiliate panel** indicated the operation’s core workflows remain largely intact, with only minor cosmetic/interface changes (including **holiday-themed** elements). The panel reportedly supports coordination of multiple concurrent campaigns and includes capabilities for attack management, affiliate onboarding, and victim payment/negotiation handling—signaling continued operational maturity despite reputational damage and prior takedown pressure. Researchers recommended organizations prioritize updated detection/signatures and closely monitor EDR alerts for activity consistent with these new LockBit 5.0 variants.
1 month ago
LockBit 5.0 Ransomware Introduces Advanced Encryption and Maintains Global Dominance
LockBit 5.0 has emerged as the latest evolution of the notorious ransomware-as-a-service operation, introducing sophisticated encryption algorithms and advanced anti-analysis techniques that significantly complicate detection and recovery efforts for targeted organizations. The malware now employs a combination of ChaCha20-Poly1305 for file encryption and X25519 with BLAKE2b for secure key exchange, while also terminating Volume Shadow Copy Service processes to prevent system recovery. LockBit 5.0’s runtime flexibility allows it to operate even without specific parameters, and its use of advanced packing and obfuscation further hinders static analysis by security professionals. Despite increased law enforcement pressure, LockBit has sustained its position as a dominant global ransomware threat, accounting for a substantial share of attacks worldwide. The group’s operations have impacted a wide range of sectors, including IT, electronics, law firms, and religious institutions, resulting in billions of dollars in ransom payments and recovery costs. LockBit continues to leverage its dark web platform to publicly list compromised organizations and stolen data, using these tactics to pressure victims into paying ransoms.
1 month ago
LockBit 5.0 Ransomware Expands Cross-Platform Attacks on Windows, Linux, and VMware ESXi
Acronis Threat Research Unit reported active campaigns using **LockBit 5.0**, a major update to the **LockBit** ransomware-as-a-service (RaaS) operation that broadens targeting across **Windows, Linux, and VMware ESXi** in coordinated intrusions. The variant continues **double extortion** (data theft plus encryption) and is positioned for enterprise impact by enabling attackers to hit endpoints, servers, and hypervisors—where a single ESXi compromise can disrupt many virtual machines at once. Reporting also notes the group’s claimed ability to operate against **Proxmox** virtualization environments, further expanding the potential attack surface in organizations adopting alternative hypervisors. Technical analysis highlights stronger and more enterprise-focused builds, with the **Windows** payload using advanced defense-evasion and anti-analysis techniques such as packing/obfuscation, **DLL unhooking**, **process hollowing**, and **ETW (Event Tracing for Windows) patching**, alongside log-clearing to reduce forensic visibility. The **Linux/ESXi** builds are described as less reliant on packing but use extensive string encryption to hinder detection, while maintaining strong encryption routines and using randomized file extensions; Acronis-linked reporting also cites faster encryption and continuity with LockBit 4’s design. Victimology cited in coverage indicates a heavy focus on the **U.S. business sector** and a broad spread across industries (including manufacturing, healthcare, education, financial services, and government), with dozens of recent leak-site postings used to pressure victims and demonstrate ongoing operational tempo despite law-enforcement disruption efforts.
1 month ago