New Indicators Suggest LockBit 5.0 Ransomware May Be Coming Back

Signs are emerging that the notorious ransomware group LockBit may be preparing a comeback under the new name “LockBit 5.0”, despite being targeted by global law enforcement through Operation Cronos. Security researchers and dark web trackers have pointed to a newly discovered private data leak site (DLS) as one of the strongest indicators that the group may be staging a revival.

LockBit 5.0 Comeback Evidence

The most compelling piece of evidence is this new dark web infrastructure. Unlike the open, public-facing sites LockBit used in the past, this new DLS requires a private key to access, suggesting a heightened focus on operational security.

According to researchers at redhotcyber.com, this move could be designed to limit exposure to law enforcement and restrict access to only a trusted network of affiliates. Reports also indicate that the portal uses a “queue panel” system reminiscent of earlier LockBit versions and continues to support ransom payments in Monero, Bitcoin, and Zcash.

Experts are weighing several possible scenarios for this LockBit 5.0 activity. One theory is that this is a genuine reboot, with surviving core members rebuilding the operation with more stealth and tighter security.

Another possibility is opportunistic brandjacking, where unrelated cybercriminal groups are using the LockBit name to benefit from its infamy and attract new affiliates. Some analysts have even suggested that this could be a law enforcement honeypot, designed to lure ransomware affiliates and gather intelligence on their activities.

Looking Ahead

If LockBit 5.0 proves to be real, its return could carry major implications for the cybersecurity landscape. The group may introduce more advanced Tactics, Techniques, and Procedures (TTPs), using stronger encryption and even more aggressive double-extortion methods.

Businesses and critical infrastructure operators could once again face a highly organized ransomware threat, while investigators would have a harder time tracking the group’s activities due to its private infrastructure.

Although there is still no confirmed evidence of fresh attacks linked to LockBit 5.0, the activity is significant enough to warrant close monitoring. The true identity of the operators behind this new portal remains unknown, and it is not yet clear whether the effort is still in its experimental phase or already fully operational.