The LockBit Comeback: How the Group Evolved After a Global Takedown

LockBit is recognized as one of the most prominent and pervasive Ransomware-as-a-Service (RaaS) operations, operating since 2019 and consistently growing to become a significant global cyber threat. The operation functions using an affiliate model and frequently targets numerous critical sectors worldwide, including the financial, healthcare, manufacturing, and technology industries. A double extortion tactic is employed, wherein data is encrypted on victim systems, and the victims are simultaneously threatened with the public release of stolen data if the ransom is not paid.

The ransomware itself is highly complex, featuring sophisticated anti-analysis and obfuscation techniques. Heavy obfuscation is utilized through methods such as dynamic API resolution via hashing, and in recent versions (like LockBit 5.0), payloads are loaded through DLL reflection.

In February 2024, a major international law enforcement action (Operation Cronos) significantly disrupted the group's infrastructure. The operation led to the compromise of the administration panel and the public release of internal affiliate and victim data. Following the disruption, victim decryption keys were offered, and it was revealed that stolen data was frequently retained even after ransoms had been paid. Subsequently, a clear drop in new infections was observed, and efforts to maintain the illusion of normal operation included reposting old victims to new leak sites.

The current status of LockBit is characterized by its resilience and aggressive resurgence following the major law enforcement disruption. Despite the reputational damage and initial setback, the group resurfaced for its sixth anniversary in early September 2025, announcing and deploying LockBit 5.0. LockBit 5.0 is considered significantly more dangerous than its predecessors [1], indicating the group is actively evolving its codebase and remains a potent cyber threat.

In this blog, we will examine the technical characteristics of LockBit ransomware and its evolution over the years.

LockBit 3.0 (LockBit Black)

The technical analysis of LockBit v3.0, also known as LockBit Black, reveals a sophisticated ransomware variant that incorporates custom cryptographic implementations and advanced anti-analysis techniques. This variant is modeled after the BlackMatter family, which itself originated from the Darkside ransomware family [2].

Core Cryptography and Encryption Scheme

Encryption Algorithms

LockBit v3.0 employs a hybrid cryptographic approach, utilizing both symmetric and asymmetric encryption to secure the files and the keys used for encryption [2].

The sample uses a modified version of the Salsa20 algorithm. It uses a 64-byte key for file encryption, whereas the standard Salsa20 uses a 32-byte key.

The ransomware uses a custom implementation of the RSA algorithm at a 1024-bit key size to encrypt critical key material. The 1024-bit public key is embedded within the ransomware configuration, and this implementation uses no padding.

Key Management Hierarchy

The encryption system follows a layered key-management structure [2]. At the lowest level, each file’s data is encrypted in chunks using a 64-byte file_encryption_key with the modified Salsa20 algorithm. The file_encryption_key itself is not stored in plaintext; instead, a separate 64-byte random Salsa20 key is generated to protect the file_encryption_key, and this second key is designated as the key_encryption_key.

To secure this further, the key_encryption_key is encrypted using a built-in 1024-bit RSA public key. This forms the top layer of protection, ensuring that only a holder of the corresponding RSA private key can recover the key_encryption_key. As an optimization to limit the number of expensive RSA operations, the same key_encryption_key is reused across 1,000 files before a new one is generated.

Encrypted File Structure

Files are processed by dividing them into chunks of 0x20000 bytes. These chunks form alternating groups: before group, skip group, and after group [2]. 

Chunks in the before and after groups are encrypted using Salsa20. Chunks in the skip group are left unencrypted. The overall structure ends with a footer, which contains the structures necessary for decryption.

Evasion and Anti-Analysis Techniques

LockBit v3.0 includes numerous techniques to thwart analysis and maximize impact.

Anti-Analysis and Obfuscation

• API Resolution and Trampolines: The ransomware manually resolves Windows Application Programming Interfaces (APIs) using a hashing algorithm applied to DLLs and export names, avoiding import hash tracking [2]. It iterates through DLL files in the System32 directory [3]. Instead of calling the resolved APIs directly, it allocates small memory chunks to build trampoline code that calculates and jumps to the target API address, complicating static analysis [2].
• Anti-Debugging: The sample performs checks on the Windows HEAP structure, specifically examining the Flag and ForceFlag fields, which change when a debugger is present. If a debugger is detected, the process may attempt to crash by modifying the HEAP structure handle. It also checks for debugger-enabled memory corruption guardrails (magic constants like 0xABABABAB). It conceals threads via NtSetInformationThread() with ThreadHideFromDebugger; and encrypts the DbgUiRemoteBreakin() function via NtProtectVirtualMemory() and RtlEncryptMemory() to trigger a crash if a debugger attempts to attach later [2].

Defense Evasion and System Compromise

LockBit 3.0 uses the Trusted Installer service access token to enumerate, stop, and delete predefined Windows Security Services (including SecurityHealthService, WinDefend, and various Windows Defender drivers) that were listed in its configuration.

If required privileges are not found (specifically Domain Admin membership), it attempts to gain access by locating the operating system process, such as explorer.exe, and duplicating its access token using functions like ZwOpenProcessToken and NtDuplicateToken [3]:

The ransomware includes checks to prevent operation in certain countries, including Russia, Ukraine, Belarus, and others. It also checks if the system started in safe mode, setting a registry key to run on the next normal boot if necessary.

Execution and File Impact

LockBit 3.0 performs encryption in a multi-threaded manner.

Files that are encrypted receive a unique extension (e.g., .IzYqBW5pa). The ransomware modifies the file system icon association in the registry (HKEY_CLASSES_ROOT) and drops an icon file (e.g., C:\ProgramData\IzYqBW5pa.ico) to change the icons of encrypted files to the LockBit "B" logo.

A ransom note ([unique ID].README.txt) (e.g., xEC9do6g6.README.txt) is dropped in every target directory. The content of the note is decrypted at runtime [3].

When configured, the sample communicates with a C2 server over TLS 1.2 using the HTTP POST method. Variables and values within the POST request data are AES-encrypted, and the User-Agent string is randomized.

LockBit-NG-Dev

During the February 2024 law enforcement takedown of the LockBit server, authorities discovered an advanced prototype known as LockBit-NG-Dev, which was likely intended to become LockBit 4.0.

Architectural Changes

Unlike previous versions written in C/C++, this new version is written in .NET and appears to be compiled using CoreRT [4].

Also, the binary is packed using MPRESS, likely a measure to evade static file detections.

Configuration and Initialization

Unlike variants that hardcode behavior directly into the main execution flow, LockBit-NG-Dev relies on an embedded JSON configuration that is decrypted at runtime. This configuration dictates the entire operational scope, including target dates, encryption modes, and ransom note details [4].

Upon initialization, the malware establishes a mutex using the ID value found in the configuration. If this mutex already exists, the process terminates immediately to prevent concurrent infections [4].

Defense Evasion and Pre-Encryption Routines

Before the encryption phase begins, the malware executes several routines to ensure maximum impact and hinder recovery efforts.

The malware checks the StopProcesses and StopServices flags. If enabled, it iterates through the ProcessesToStop and ServicesToStop lists provided in the JSON configuration and terminates them. This action ensures that file handles held by active applications (such as databases or security tools) are released, allowing them to be encrypted [4].

To prevent victims from restoring files via local recovery options, LockBit-NG-Dev executes specific commands based on the configuration flags DeleteVolumeShadowCopies and DeleteWindowsSystemBackups [4].

To remove forensic evidence after the attack execution, the malware checks the SelfDelete flag. If enabled, it executes a PowerShell command that terminates the ransomware process and overwrites the executable's on-disk data with null bytes using fsutil [4].

Encryption Mechanisms

LockBit-NG-Dev utilizes AES for file encryption, with the AES keys subsequently encrypted using the RSA public key embedded in the configuration. The malware supports three distinct encryption modes [4]:

1. Fast Mode: Encrypts only the first 0x1000 bytes of the file. This is typically applied to files listed in the FastSet. The exact size is determined by the BufferSize.
2. Intermittent Mode: Encrypts specific blocks of the file at intervals. The density of encryption is controlled by the Percent field, and the gap between blocks is defined by the Segmentation field.
3. Full Mode: Encrypts the entire file content.

When ChangeFilename is set to true, the encrypted files are renamed to a random string. To allow for potential decryption, the original filename is preserved within the file structure [4].

LockBit 5.0

A new iteration of the LockBit ransomware family, version 5.0, has been identified in the wild. This version represents a continued evolution of the group's capabilities, targeting Windows, Linux, and VMware ESXi environments [5]. Analysis indicates that while the core functionalities have been preserved to maintain operational consistency, significant technical improvements and evasion techniques have been introduced. These updates aim to complicate analysis and delay the development of detection signatures.

Cross-Platform Execution and Configuration

The ransomware maintains a consistent command-line interface across its Windows, Linux, and ESXi variants, allowing operators to deploy it with similar parameters regardless of the operating system. Most remarkable ones are given below [5]:

• -i (Invisible Mode): This argument activates a stealth operation state. When enabled, the malware encrypts files without appending the 16-character extension, suppresses the creation of ransom notes, and preserves the original file modification timestamps to blend in with legitimate system activity.
• -m <mode> (Encryption Scope): Defines the operational radius of the attack. Operators can specify local to restrict encryption to the infected machine, net to target network shares specifically, or all to compromise the entire available environment.
• -w (Anti-Forensics): This flag triggers a wiping routine that overwrites free disk space after the encryption process is complete.

Anti-Forensics and Defense Evasion

To evade detection and impede forensic investigation, LockBit 5.0 implements several countermeasures [5]:

ETW Patching

The malware patches the EtwEventWrite API in user mode by overwriting the function's beginning with a 0xC3 (RET) instruction. This effectively disables Windows Event Tracing, preventing security solutions from monitoring its activities.

Service Termination

It contains a hardcoded list of 63 service name hashes. The malware hashes the names of running services and compares them against this list. If a match is found, the service is terminated to disable security tools or backup solutions. 

Example Service Hashes: FEF56F15, BEC3470B, 9757464D, 88CE6B8E, 826AC445...

Log Clearing

Upon the completion of the encryption process, the EvtClearLog API is used to wipe all event logs, removing traces of the attack.

Encryption and Victim Interaction

The ransomware encrypts files and appends a randomized 16-character extension to the filenames (e.g., .1a2b3c4d5e6f7g8h). 

A ransom note is generated, directing victims to a Tor-based data leak site. This site includes a "Chat with Support" section, streamlining the negotiation process between the attackers and the victim [5].

How Picus Simulates LockBit Ransomware Attacks?

We also strongly suggest simulating LockBit Ransomware Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as HybridPetya, Yurei, BlackNevas, and CyberVolk, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for the LockBit Ransomware Campaign:

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

Key Takeaways

• The LockBit operation remained functional and regained momentum after the global 2024 disruption, returning with LockBit 5.0 for its sixth anniversary.
• LockBit 3.0 features modified Salsa20, custom RSA-1024 without padding, layered key management, selective file chunk encryption, and extensive anti-analysis capabilities.
• LockBit 3.0 uses token duplication, security service removal, and safe mode checks to maintain execution and evade defenses.
• LockBit-NG-Dev shifts to a .NET CoreRT implementation with MPRESS packing and relies entirely on a decrypted JSON configuration to control behavior.
• LockBit-NG-Dev supports multiple encryption modes, configurable file targeting, recovery disruption routines, and optional self-deletion through PowerShell and fsutil.
• LockBit 5.0 introduces cross-platform operation, invisible mode, selectable encryption scope, ETW patching, service termination using hashed identifiers, and event log clearing.

References

[1] “New LockBit 5.0 Targets Windows, Linux, ESXi,” Trend Micro. Accessed: Nov. 25, 2025. [Online]. Available: https://www.trendmicro.com/en_us/research/25/i/lockbit-5-targets-windows-linux-esxi.html

[2] N. Huỳnh, H. Nguyen, and T. Duong, “Dissecting LockBit v3 ransomware,” Calif. Accessed: Nov. 25, 2025. [Online]. Available: https://blog.calif.io/p/dissecting-lockbit-v3-ransomware

[3] D. Behling, “LockBit 3.0 Ransomware Unlocked,” VMware Security Blog. Accessed: Nov. 25, 2025. [Online]. Available: https://blogs.vmware.com/security/2022/10/lockbit-3-0-also-known-as-lockbit-black.html

[4] “LockBit attempts to stay afloat with a new version.” Accessed: Nov. 26, 2025. [Online]. Available: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf

[5] “New LockBit 5.0 Targets Windows, Linux, ESXi,” Trend Micro. Accessed: Nov. 26, 2025. [Online]. Available: https://www.trendmicro.com/tr_tr/research/25/i/lockbit-5-targets-windows-linux-esxi.html