LockBit 5.0 Resurfaces Amid Chaos as Ransomware Market Enters New Phase of Fragmentation
Over the past quarter, the ransomware ecosystem has entered a new phase that markedly reshapes its familiar balance of power. Where the market once revolved around large, entrenched operators with stable infrastructures, it has now fragmented into dozens of small groups that appear, vanish, and re-emerge under new names. Amid this fragmentation, one of the most infamous brands has resurfaced — LockBit.
According to Check Point Research, the third quarter of 2025 saw 85 active groups, the highest figure ever recorded. Instead of a handful of dominant services, the landscape now resembles a constellation of small collectives that emerged after the collapse of projects such as RansomHub, 8Base, and BianLian. Nearly 1,600 victims were listed on leak sites over those three months, yet the ten most active groups accounted for only slightly more than half of all cases. This pattern suggests that many attacks are being carried out by independent operators unaligned with established brands.
Fragmentation diminishes predictability. When major services controlled the field, analysts could study recurring techniques, infrastructures, and behavioural traits. Today, temporary leak portals are widespread, making attribution increasingly unreliable. The problem is compounded by the limited impact of law-enforcement actions: seizing domains or hardware rarely affects the individuals who perform the intrusions. Displaced operators quickly migrate to new platforms or establish their own.
Protection is not optional. It is essential.
Subscribe to us.
Trust in ransomware groups is also eroding. Smaller crews have no incentive to maintain a reputation and frequently fail to honour promises of data restoration. Payment rates continue to decline because victims increasingly doubt that decryption will follow once money is transferred.
Against this fractured backdrop, the reappearance of LockBit became a notable event. Version 5.0 launched in September, triggering a rise in activity. The project’s administrator had long promised a revival after Operation Cronos, and the new release introduces fresh variants for Windows, Linux, and ESXi, accelerated encryption routines, and personalised negotiation channels.
At least a dozen attacks were confirmed in the first month alone, signalling that some operators have chosen to return under the familiar banner. This raises the possibility of renewed centralisation, as brand recognition remains a decisive factor for actors seeking structure and clear rules of engagement.
Another trend emerging from the chaos is the attempt by individual groups to cultivate distinctive identities. In October, DragonForce announced an alliance with LockBit and Qilin — despite no verified infrastructural ties. Such declarations resemble marketing manoeuvres more than the behaviour of traditional criminal syndicates.
The geography of victims remains global. The United States accounts for roughly half of all cases, while South Korea entered the top ten for the first time due to campaigns targeting its financial sector. In Europe, Germany and the United Kingdom are under heightened pressure. The most frequently targeted sectors remain stable: manufacturing and business services retain comparable shares, and healthcare organisations continue to face significant risk, though some groups avoid them to steer clear of excessive scrutiny.
The analysts’ central conclusion is clear: the volume of attacks remains high regardless of law-enforcement pressure. Each dismantled infrastructure leads not to a decline, but to the emergence of new groups. LockBit’s return may temporarily gather parts of the scene around an old centre, but it does not alter the broader picture — the market remains fluid, fragmented, and resilient to external disruption.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
