LockBit 5.0 Ransomware Variants and Updated Affiliate Panel Exposed
Security researchers reported that LockBit has continued operating after the law-enforcement disruption known as Operation Cronos, releasing multiple new LockBit 5.0 payload variants and maintaining an active ransomware-as-a-service (RaaS) affiliate ecosystem. Reporting citing Flare.io analysis described four newly observed builds labeled LB_Black_14_01_2026 (Windows), LB_Linux_14_01_2026 (Linux), LB_ESXi_14_01_2026 (VMware ESXi), and LB_ChuongDong_14_01_2026 (specialized deployments), indicating an ongoing multi-platform targeting strategy.
Analysis of the latest LockBit 5.0 affiliate panel indicated the operation’s core workflows remain largely intact, with only minor cosmetic/interface changes (including holiday-themed elements). The panel reportedly supports coordination of multiple concurrent campaigns and includes capabilities for attack management, affiliate onboarding, and victim payment/negotiation handling—signaling continued operational maturity despite reputational damage and prior takedown pressure. Researchers recommended organizations prioritize updated detection/signatures and closely monitor EDR alerts for activity consistent with these new LockBit 5.0 variants.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers report LockBit affiliate program is still recruiting
Analysis of the affiliate panel indicated that LockBit continued onboarding and recruiting affiliates even after reputational damage and prior law-enforcement disruption. The panel was described as supporting multiple concurrent campaigns and attack coordination.
Researchers uncover LockBit 5.0 affiliate panel details
Researchers obtained leaked materials and screenshots exposing LockBit's affiliate panel, including campaign management, negotiations, payments, partner rules, and recruitment processes. The analysis found the group largely preserved its established operating model, with only minor cosmetic interface changes.
LockBit releases new 5.0 ransomware variants
LockBit released new LockBit 5.0 payload variants targeting Windows, Linux, and VMware ESXi environments, showing continued focus on enterprise and virtualized systems. Reporting indicates at least four variants were identified by researchers.
Operation Cronos partially disrupts LockBit infrastructure
Law-enforcement action under Operation Cronos partially shut down LockBit infrastructure, but did not fully stop the ransomware-as-a-service operation. Later reporting describes subsequent LockBit activity as continuing despite this disruption.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
LockBit 5.0 Ransomware Introduces Advanced Encryption and Maintains Global Dominance
LockBit 5.0 has emerged as the latest evolution of the notorious ransomware-as-a-service operation, introducing sophisticated encryption algorithms and advanced anti-analysis techniques that significantly complicate detection and recovery efforts for targeted organizations. The malware now employs a combination of ChaCha20-Poly1305 for file encryption and X25519 with BLAKE2b for secure key exchange, while also terminating Volume Shadow Copy Service processes to prevent system recovery. LockBit 5.0’s runtime flexibility allows it to operate even without specific parameters, and its use of advanced packing and obfuscation further hinders static analysis by security professionals. Despite increased law enforcement pressure, LockBit has sustained its position as a dominant global ransomware threat, accounting for a substantial share of attacks worldwide. The group’s operations have impacted a wide range of sectors, including IT, electronics, law firms, and religious institutions, resulting in billions of dollars in ransom payments and recovery costs. LockBit continues to leverage its dark web platform to publicly list compromised organizations and stolen data, using these tactics to pressure victims into paying ransoms.
Mar 21, 2026
LockBit 5.0 Infrastructure Exposure and Post-Takedown Activity
LockBit 5.0, a major ransomware-as-a-service operation, recently attempted to reestablish its presence by launching a new 'secure' blog domain with claims of enhanced protection against law enforcement. However, security researchers quickly identified and publicly exposed the IP address and domain (`karma0[.]xyz`, IP: `205.185.116.233`), revealing multiple open ports and vulnerable remote access, which left the infrastructure susceptible to disruption. Further analysis showed that LockBit was recycling old victim data on its leak site, with several entries originating from previous leaks or other ransomware groups, highlighting operational security failures and attempts to maintain the appearance of ongoing activity. This exposure comes in the wake of a significant international law enforcement operation (Operation Cronos) that disrupted LockBit's infrastructure, compromised its administration panel, and led to the public release of affiliate and victim data. Despite these setbacks and reputational damage, LockBit has demonstrated resilience, attempting to reassert itself by reusing old data and launching new infrastructure, though these efforts have been undermined by continued security lapses. Defenders are advised to block the exposed IP and domain and monitor for further developments as the group persists in its operations.
Mar 21, 2026
LockBit 5.0 Ransomware Expands Cross-Platform Attacks on Windows, Linux, and VMware ESXi
Acronis Threat Research Unit reported active campaigns using **LockBit 5.0**, a major update to the **LockBit** ransomware-as-a-service (RaaS) operation that broadens targeting across **Windows, Linux, and VMware ESXi** in coordinated intrusions. The variant continues **double extortion** (data theft plus encryption) and is positioned for enterprise impact by enabling attackers to hit endpoints, servers, and hypervisors—where a single ESXi compromise can disrupt many virtual machines at once. Reporting also notes the group’s claimed ability to operate against **Proxmox** virtualization environments, further expanding the potential attack surface in organizations adopting alternative hypervisors. Technical analysis highlights stronger and more enterprise-focused builds, with the **Windows** payload using advanced defense-evasion and anti-analysis techniques such as packing/obfuscation, **DLL unhooking**, **process hollowing**, and **ETW (Event Tracing for Windows) patching**, alongside log-clearing to reduce forensic visibility. The **Linux/ESXi** builds are described as less reliant on packing but use extensive string encryption to hinder detection, while maintaining strong encryption routines and using randomized file extensions; Acronis-linked reporting also cites faster encryption and continuity with LockBit 4’s design. Victimology cited in coverage indicates a heavy focus on the **U.S. business sector** and a broad spread across industries (including manufacturing, healthcare, education, financial services, and government), with dozens of recent leak-site postings used to pressure victims and demonstrate ongoing operational tempo despite law-enforcement disruption efforts.
Mar 21, 2026