LockBit ransomware return with 5.0 and 3.0 attacks
Malware Activity
Summary
Hide ▲
Show ▼
LockBit resurfaced in active ransomware operations in September 2025, with at least a dozen victims hit and a mix of LockBit 5.0 and LockBit 3.0/LockBit Black observed in the field. The newer build adds Windows, Linux, and ESXi coverage, faster encryption, and unique negotiation portals, underscoring a more mature and potentially more centralized operation. The broader Q3 2025 ransomware landscape remained highly fragmented, with 85 active ransomware and extortion groups and 1,592 new victims disclosed across more than 85 leak sites. That environment increases pressure on defenders because one of the sector’s most recognizable brands is back while the wider ecosystem continues to splinter.
Related Happenings
INC ransomware encryptors rewritten in Rust
Malware Activity
H score38
First: 18.06.2026 17:12
Last: 18.06.2026 17:12
Sources 1
About this happening:
INC's **Windows** and **Linux/ESXi encryptors** were rewritten in **Rust**, improving cross-platform development and making reverse engineering harder. The malware line also gaine...
INC ransomware encryptors rewritten in Rust
Malware ActivityAbout this happening: INC's **Windows** and **Linux/ESXi encryptors** were rewritten in **Rust**, improving cross-platform development and making reverse engineering harder. The malware line also gaine...
INC ransomware group’s RaaS expansion and victim growth in 2026
Threat Actor Meta
H score45
First: 18.06.2026 17:12
Last: 18.06.2026 17:12
Sources 1
About this happening:
**INC** has grown from a **RaaS** startup into one of **2026**’s most prolific ransomware groups, with **830+ victims since August 2023**. The expansion followed affiliate migrati...
INC ransomware group’s RaaS expansion and victim growth in 2026
Threat Actor MetaAbout this happening: **INC** has grown from a **RaaS** startup into one of **2026**’s most prolific ransomware groups, with **830+ victims since August 2023**. The expansion followed affiliate migrati...
Major U.S. services company hit by ransomware attack linked to DragonForce
Incident
H score38
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Major U.S. services company hit by ransomware attack linked to DragonForce
IncidentAbout this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
VECT 2.0 ransomware-branded file destruction malware
Malware Activity
H score4
First: 28.04.2026 17:01
Last: 28.04.2026 17:01
Sources 1
About this happening:
The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
VECT 2.0 ransomware-branded file destruction malware
Malware ActivityAbout this happening: The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure
Campaign
H score53
First: 20.04.2026 23:02
Last: 20.04.2026 23:02
Sources 1
About this happening:
The **Gentlemen ransomware** campaign has now been tied to a **ransomware attack on Oltenia Energy Complex** on the **second day of Christmas**, disrupting **ERP systems**, **docu...
Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure
CampaignAbout this happening: The **Gentlemen ransomware** campaign has now been tied to a **ransomware attack on Oltenia Energy Complex** on the **second day of Christmas**, disrupting **ERP systems**, **docu...
Timeline
-
24.10.2025 18:15 2 articles · 8mo ago
LockBit ransomware return with 5.0 and 3.0 attacks
Initial Disclosure**LockBit 5.0** emerged as new victims began surfacing after the end of summer 2025. Early observed activity included both **LockBit 5.0** and **LockBit 3.0/LockBit Black** in real-world intrusions.
Show sources
- New LockBit Ransomware Victims Identified by Security Researchers — www.infosecurity-magazine.com — 24.10.2025 18:15
- Ransomware's Fragmentation Reaches a Breaking Point While LockBit Returns — thehackernews.com — 14.11.2025 12:37