LockBit 5.0 Infrastructure Exposure and Post-Takedown Activity
LockBit 5.0, a major ransomware-as-a-service operation, recently attempted to reestablish its presence by launching a new 'secure' blog domain with claims of enhanced protection against law enforcement. However, security researchers quickly identified and publicly exposed the IP address and domain (karma0[.]xyz, IP: 205.185.116.233), revealing multiple open ports and vulnerable remote access, which left the infrastructure susceptible to disruption. Further analysis showed that LockBit was recycling old victim data on its leak site, with several entries originating from previous leaks or other ransomware groups, highlighting operational security failures and attempts to maintain the appearance of ongoing activity.
This exposure comes in the wake of a significant international law enforcement operation (Operation Cronos) that disrupted LockBit's infrastructure, compromised its administration panel, and led to the public release of affiliate and victim data. Despite these setbacks and reputational damage, LockBit has demonstrated resilience, attempting to reassert itself by reusing old data and launching new infrastructure, though these efforts have been undermined by continued security lapses. Defenders are advised to block the exposed IP and domain and monitor for further developments as the group persists in its operations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Analysis finds LockBit 5.0 reused old leak data
By December 2025, observers reported that LockBit 5.0 was reposting older victim data rather than publishing entirely new leak material, undermining its claims of fresh compromises.
Researcher exposes LockBit 5.0 blog infrastructure
On December 5, 2025, researcher Rakesh Krishnan said he identified LockBit 5.0's new blog infrastructure, including IP address 205.185.116.233 and domain karma0[.]xyz, and claimed the group was using SmokeLoader in attacks.
LockBit announces 23 purported new victims
On December 4, 2025, LockBit 5.0 announced 23 alleged new victims on its leak site, though later reporting said many of the entries were recycled from older leaks or other ransomware groups.
LockBit resurfaces with LockBit 5.0
Despite the February 2024 disruption, LockBit re-emerged in September 2025 with LockBit 5.0, a new version with enhanced anti-analysis, evasion, and cross-platform capabilities.
Researchers uncover LockBit-NG-Dev prototype during takedown
Data exposed during the February 2024 takedown revealed the LockBit-NG-Dev prototype, a .NET-based build using runtime JSON configuration and multiple encryption and evasion modes.
Operation Cronos disrupts LockBit infrastructure
In February 2024, a major law-enforcement action known as Operation Cronos disrupted LockBit's infrastructure and exposed internal data from the group.
LockBit begins operating as a ransomware-as-a-service group
LockBit became active in 2019 as a major ransomware-as-a-service operation using double-extortion tactics and targeting critical sectors worldwide.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
LockBit 5.0 Ransomware Variants and Updated Affiliate Panel Exposed
Security researchers reported that **LockBit** has continued operating after the law-enforcement disruption known as **Operation Cronos**, releasing multiple new **LockBit 5.0** payload variants and maintaining an active ransomware-as-a-service (RaaS) affiliate ecosystem. Reporting citing *Flare.io* analysis described four newly observed builds labeled `LB_Black_14_01_2026` (Windows), `LB_Linux_14_01_2026` (Linux), `LB_ESXi_14_01_2026` (VMware ESXi), and `LB_ChuongDong_14_01_2026` (specialized deployments), indicating an ongoing multi-platform targeting strategy. Analysis of the latest **LockBit 5.0 affiliate panel** indicated the operation’s core workflows remain largely intact, with only minor cosmetic/interface changes (including **holiday-themed** elements). The panel reportedly supports coordination of multiple concurrent campaigns and includes capabilities for attack management, affiliate onboarding, and victim payment/negotiation handling—signaling continued operational maturity despite reputational damage and prior takedown pressure. Researchers recommended organizations prioritize updated detection/signatures and closely monitor EDR alerts for activity consistent with these new LockBit 5.0 variants.
Mar 21, 2026
Global LockBit Takedown Disrupted Operations and Exposed Its Leadership
An international law enforcement operation led by the UK's National Crime Agency and the FBI seized LockBit infrastructure on 19 February 2024, disrupting one of the world's most prolific ransomware-as-a-service groups. Follow-on actions publicly identified and sanctioned a senior LockBit leader, while officials said the campaign targeted the gang's administrators, infrastructure, and criminal affiliates. Subsequent reporting said the disruption sharply reduced LockBit's standing in ransomware rankings after years in which the group had claimed thousands of victims across more than 100 countries. Threat research shows LockBit's reach was driven by a scalable affiliate model rather than malware alone, with intrusions commonly starting through abused VPN, Citrix, and RDP access or stolen credentials, followed by use of tools such as **Impacket**, **Mimikatz**, **PsExec**, **Rclone**, and **StealBit**. Affiliates increasingly targeted **VMware ESXi** environments to maximize operational impact, and some skipped encryption entirely in favor of data-theft extortion using LockBit-branded notes. The group's earlier attacks included a reported **$80 million** demand against CDW, but researchers and investigators warn that even as LockBit declines, its affiliates and copycats are likely to continue operating under other ransomware brands.
May 26, 2026
LockBit 5.0 Ransomware Introduces Advanced Encryption and Maintains Global Dominance
LockBit 5.0 has emerged as the latest evolution of the notorious ransomware-as-a-service operation, introducing sophisticated encryption algorithms and advanced anti-analysis techniques that significantly complicate detection and recovery efforts for targeted organizations. The malware now employs a combination of ChaCha20-Poly1305 for file encryption and X25519 with BLAKE2b for secure key exchange, while also terminating Volume Shadow Copy Service processes to prevent system recovery. LockBit 5.0’s runtime flexibility allows it to operate even without specific parameters, and its use of advanced packing and obfuscation further hinders static analysis by security professionals. Despite increased law enforcement pressure, LockBit has sustained its position as a dominant global ransomware threat, accounting for a substantial share of attacks worldwide. The group’s operations have impacted a wide range of sectors, including IT, electronics, law firms, and religious institutions, resulting in billions of dollars in ransom payments and recovery costs. LockBit continues to leverage its dark web platform to publicly list compromised organizations and stolen data, using these tactics to pressure victims into paying ransoms.
Mar 21, 2026