LockBit ransomware return with 5.0 and 3.0 attacks
Malware Activity
Summary
Hide ▲
Show ▼
LockBit resurfaced in active ransomware operations in September 2025, with at least a dozen victims hit and a mix of LockBit 5.0 and LockBit 3.0/LockBit Black observed in the field. The newer build adds Windows, Linux, and ESXi coverage, faster encryption, and unique negotiation portals, underscoring a more mature and potentially more centralized operation. The broader Q3 2025 ransomware landscape remained highly fragmented, with 85 active ransomware and extortion groups and 1,592 new victims disclosed across more than 85 leak sites. That environment increases pressure on defenders because one of the sector’s most recognizable brands is back while the wider ecosystem continues to splinter.
Related Happenings
VECT 2.0 ransomware-branded file destruction malware
Malware Activity
First: 28.04.2026 17:01
Last: 28.04.2026 17:01
Sources 1
About this happening:
The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
VECT 2.0 ransomware-branded file destruction malware
Malware ActivityAbout this happening: The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure
Campaign
First: 20.04.2026 23:02
Last: 20.04.2026 23:02
Sources 1
About this happening:
The **Gentlemen ransomware** campaign has now been tied to a **ransomware attack on Oltenia Energy Complex** on the **second day of Christmas**, disrupting **ERP systems**, **docu...
Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure
CampaignAbout this happening: The **Gentlemen ransomware** campaign has now been tied to a **ransomware attack on Oltenia Energy Complex** on the **second day of Christmas**, disrupting **ERP systems**, **docu...
Medusa ransomware post-compromise deployment
Malware Activity
First: 07.04.2026 09:35
Last: 07.04.2026 09:35
Sources 1
About this happening:
**Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
Medusa ransomware post-compromise deployment
Malware ActivityAbout this happening: **Medusa ransomware** is being deployed rapidly after initial access, turning intrusions into fast-moving extortion events and shrinking defenders' response time. The malware acti...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor Meta
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor MetaAbout this happening: TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor Meta
First: 19.03.2026 18:00
Last: 19.03.2026 18:00
Sources 1
About this happening:
**hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor MetaAbout this happening: **hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
Timeline
-
24.10.2025 18:15 2 articles · 7mo ago
LockBit ransomware return with 5.0 and 3.0 attacks
Initial Disclosure**LockBit 5.0** emerged as new victims began surfacing after the end of summer 2025. Early observed activity included both **LockBit 5.0** and **LockBit 3.0/LockBit Black** in real-world intrusions.
Show sources
- New LockBit Ransomware Victims Identified by Security Researchers — www.infosecurity-magazine.com — 24.10.2025 18:15
- Ransomware's Fragmentation Reaches a Breaking Point While LockBit Returns — thehackernews.com — 14.11.2025 12:37