LockBit ransomware resurgence in multi-region attacks
Malware Activity
Summary
The LockBit ransomware family has returned to active attack operations, putting at least a dozen organizations at risk of encryption and data-theft extortion in September 2025. The observed infections used LockBit 5.0 and LockBit 3.0/LockBit Black, and they affected Windows and Linux systems across Western Europe, the Americas, and Asia. The newer build adds ESXi support, anti-analysis features, and ransom-note workflows that threaten publication of stolen data after a 30-day deadline.
Related Happenings
Windows 11 BitLocker bypass YellowKey security flaw
Vulnerability
First: 14.05.2026 10:27
Last: 14.05.2026 10:27
Sources 1
About this happening:
**YellowKey** is a **Windows BitLocker security feature bypass** tracked as **CVE-2026-45585** that can expose **BitLocker-protected drives** through the **Windows Recovery Enviro...
Latest development: 20.05.2026 10:31
Microsoft assigned CVE-2026-45585 to YellowKey, a Windows BitLocker security feature bypass, and recommended removing autofstx.exe from the Session Manager BootExecute REG_MULTI_SZ value, reestablishing BitLocker trust for WinRE, and moving already encrypted devices from TPM-only to TPM+PIN to require a pre-boot PIN.
2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates
Trend
First: 17.03.2026 23:41
Last: 17.03.2026 23:41
Sources 1
About this happening:
**Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...
Vect ransomware activity with cross-platform encryption and double extortion
Malware Activity
First: 03.02.2026 16:00
Last: 03.02.2026 16:00
Sources 1
About this happening:
Security researchers say **Vect** is a new **ransomware-as-a-service (RaaS)** operation that has already claimed victims in **Brazil** and **South Africa**. Its malware targets **...
Sicarii ransomware per-execution RSA key generation breaks decryption
Malware Activity
First: 28.01.2026 00:15
Last: 28.01.2026 00:15
Sources 1
About this happening:
The **Sicarii ransomware** now stands out for a **broken decryption process** that generates a new **RSA key pair** on each execution and discards the private key, leaving victims...
VolkLocker ransomware-as-a-service with free-decryption flaw
Malware Activity
First: 15.12.2025 07:33
Last: 15.12.2025 07:33
Sources 1
About this happening:
The **CyberVolk**-linked **VolkLocker** ransomware-as-a-service has resurfaced with a flaw that lets victims **decrypt files without paying**. The **Golang** ransomware targets **...
Timeline
- 24.10.2025 18:15 · 2 articles · 7mo ago
Initial report: LockBit ransomware resurgence in multi-region attacks
Initial Disclosure: The rumored **LockBit** comeback became operational in **September 2025**, when new victims began appearing again. The activity now spans multiple regions and both **Windows** and **Linux** targets.
Sources:
- New LockBit Ransomware Victims Identified by Security Researchers — www.infosecurity-magazine.com — 24.10.2025 18:15