The operators behind the new version of the LockBit ransomware sharply expanded their targeting in September amid a broader rise in ransomware attacks, which were up by more than a quarter from August, according to security industry data.
NCC Group's latest monthly Threat Pulse report shows attack volumes increased for the first time in six months, up 28% to 421 observed and reported incidents. While this is not a record high, the company's threat team said it could signal a renewed escalation as the holiday season approaches.
“The increase in attacks in September could be a sign that the decline we have seen recently is over,” said NCC head of threat intelligence Matt Hull.
“As we head into a busy season for attackers – with Black Friday and Christmas fast approaching – organizations cannot rest easy. Recent attacks on the transport and retail sectors in particular have shown just how serious breaches can be.
“Organizations need to ensure robust third-party risk management, rapid incident response and proactive security strategies,” he said.
But while the NCC report says the Qilin, Akira and INC Ransom operations are currently dominant, Check Point intelligence shows that major LockBit operators are targeting organizations in America, Asia and Europe with the LockBit 5.0 ChuongDong variant and claimed at least a dozen victims in September.
LockBit, once the most dominant ransomware-as-a-service (RaaS) group in NCC datasets, was famously taken down by the UK's National Crime Agency in a coordinated multinational operation dubbed Operation Cronos, which occurred just over 18 months ago, in February 2024. At that time, the gang accounted for up to a third of all victims reported on data leak sites.
However, despite the highly effective takedown causing major disruption in the cybercriminal underground, LockBit's administrator, LockBitSupp, publicly named as Russian citizen Dmitry Khoroshev, continued to taunt his pursuers, and in August used the RAMP forum to announce that the group was returning to work.
According to Check Point's intelligence team, LockBitSupp has not only regained popularity on RAMP, but has also tried to repair his damaged reputation by seeking reinstatement on the rival XSS forum, from which he had been banned. That attempt failed, which Check Point believes may reflect forum members' growing wariness about the extent of law enforcement infiltration into their world.
According to Check Point, LockBit 5.0 introduces four major updates that improve the efficiency, security and stealth of the locker. It now boasts multi-platform support with builds targeting Windows, Linux, and ESXi systems, improved anti-analysis features to make investigators' jobs harder, faster encryption, and randomized 16-character file extensions to evade detection.
Meanwhile, its affiliate control panel provides RaaS users with an improved management interface, and joining the affiliate program also requires an initial payment of $500 (£375) in Bitcoin.
“The revival of LockBit highlights the resilience and complexity of the group,” the Check Point team said. “Despite high-profile actions by law enforcement agencies and public failures, the group again managed to restore its activities, recruit affiliates and resume extortion.
“With its mature RaaS model, cross-platform reach, and proven reputation among cybercriminals, the return of LockBit represents a new threat to organizations across all sectors. The September wave of infections likely marks just the beginning of a larger campaign, and October reports could confirm the group is fully operational again.”
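Because LockBit 5.0 uses randomized 16-character file extensions, a blocklist of known extensions cannot match them, but a burst of renames to such extensions on one host is still detectable. The following is an added example, not code from Check Point or NCC; the alphanumeric alphabet, the rename-event format, the thresholds, the host names and all function names are assumptions, and the events are constructed.

```python
import math
import re
import string
from collections import Counter, deque

# Assumption: the article gives only the length (16); letters and digits are assumed here.
EXT16 = re.compile(r"\.([A-Za-z0-9]{16})$")
ALPHA = string.ascii_letters + string.digits

def shannon_bits(s):
    """Shannon entropy of s in bits per character (4.0 is the maximum for 16 chars)."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def random_ext(path, min_bits=3.0):
    """Return the final extension if it is 16 chars long and high-entropy, else None."""
    m = EXT16.search(path)
    return m.group(1) if m and shannon_bits(m.group(1)) >= min_bits else None

def find_bursts(events, window=30.0, threshold=10):
    """events: time-sorted (unix_time, host, old_path, new_path) rename records.
    Returns one (host, time, renames_in_window, distinct_exts) alert per host."""
    recent, alerts = {}, {}
    for ts, host, old, new in events:
        ext = random_ext(new)
        if ext is None or random_ext(old) == ext:
            continue  # ordinary rename, or the file already carried this extension
        q = recent.setdefault(host, deque())
        q.append((ts, ext))
        while ts - q[0][0] > window:  # drop renames older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = (host, ts, len(q), len({e for _, e in q}))
    return list(alerts.values())

def sample_events():
    """Constructed rename telemetry, not taken from a real incident."""
    def ext(i):  # deterministic stand-in for a random 16-character extension
        return "".join(ALPHA[(i * 7 + j * 11) % 62] for j in range(16))
    ev = [(1000.0, "ws07", "C:/docs/plan.docx", "C:/docs/plan_v2.docx"),
          (1001.0, "ws07", "C:/tmp/a.bin", "C:/tmp/a.bin.aaaaaaaaaaaaaaaa")]
    ev += [(1002.0 + i, "ws07", f"C:/d/{i}.txt", f"C:/d/{i}.txt.{ext(i)}") for i in range(3)]
    ev += [(1010.0 + i * 0.5, "fs01", f"/srv/share/f{i}.xlsx",
            f"/srv/share/f{i}.xlsx.{ext(i + 20)}") for i in range(12)]
    return ev

if __name__ == "__main__":
    for alert in find_bursts(sample_events()):
        print(alert)
```

The window and threshold need tuning against a host's normal rename volume; the entropy floor only filters out repetitive 16-character suffixes that are unlikely to be random.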






