LockBit September 2025 multi-region ransomware campaign
Campaign
Summary
LockBit returned in a renewed ransomware campaign that hit at least a dozen organizations in September 2025. The activity spanned Western Europe, the Americas and Asia, and used both LockBit 5.0 and LockBit 3.0 / LockBit Black, indicating the operation’s infrastructure and affiliate network were active again. The campaign affected Windows and Linux systems and extended the threat with ESXi support in the newer build. Updated ransom notes added personalized negotiation links and a 30-day deadline before stolen data would be published.
Related Happenings
Gentlemen ransomware affiliate campaign expanding toolkit and infrastructure
Campaign
First: 20.04.2026 23:02
Last: 20.04.2026 23:02
Sources 1
About this happening:
The **Gentlemen ransomware** campaign has now been tied to a **ransomware attack on Oltenia Energy Complex** on the **second day of Christmas**, disrupting **ERP systems**, **docu...
Scattered Spider SMS phishing and SIM-swap crypto theft campaign
Campaign
First: 20.04.2026 16:33
Last: 20.04.2026 16:33
Sources 1
About this happening:
The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...
Aleksey Olegovich Volkov sentenced in Yanluowang ransomware case
Law Enforcement
First: 24.03.2026 15:06
Last: 24.03.2026 15:06
Sources 1
About this happening:
The **Justice Department** said **Aleksey Olegovich Volkov** was **sentenced to 81 months** in prison for serving as an **initial access broker** in **Yanluowang ransomware** atta...
The Gentlemen RaaS split exposed by hastalamuerte
Threat Actor Meta
First: 19.03.2026 18:00
Last: 19.03.2026 18:00
Sources 1
About this happening:
**hastalamuerte** exposed the internal workings of **The Gentlemen** ransomware group, revealing a **Qilin-related RaaS split** that shows how affiliate-driven ecosystems can rapi...
2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates
Target Trend
First: 17.03.2026 23:41
Last: 17.03.2026 23:41
Sources 1
About this happening:
**Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...
Timeline
- 24.10.2025 18:15 · 3 articles · 7mo ago
LockBit September 2025 multi-region ransomware campaign
Initial Disclosure
**Early September 2025** marked LockBit’s public comeback when the group unveiled **LockBit 5.0** on underground forums and called for new affiliates. The first wave of follow-on activity showed the ransomware network was active again after earlier disruption.
Sources:
- New LockBit Ransomware Victims Identified by Security Researchers — www.infosecurity-magazine.com — 24.10.2025 18:15
- Ransomware's Fragmentation Reaches a Breaking Point While LockBit Returns — thehackernews.com — 14.11.2025 12:37