• Check Point Blog
  By Check Point Research
  October 23, 2025

Key Takeaways

• LockBit is back. After being disrupted in early 2024, the ransomware group has resurfaced and is already extorting new victims.
• New version, new victims. Check Point Research identified a dozen organizations hit in September 2025, half by the new LockBit 5.0 (“ChuongDong”) variant.
• Expanded targeting. The group is deploying attacks across Windows, Linux, and ESXi environments in Europe, the Americas, and Asia.
• Check Point Harmony Endpoint and Quantum protect customers against LockBit and other ransomware groups’ infections through Threat Emulation, blocking attacks before encryption can occur.

Just months after being disrupted during Operation Cronos, the notorious LockBit ransomware group has reemerged — and it hasn’t wasted time. Check Point Research has confirmed that LockBit is back in operation and already extorting new victims.

Throughout September 2025, Check Point Research identified a dozen organizations targeted by the revived operation, with half of them infected by the newly released LockBit 5.0 variant and the rest by LockBit Black. The attacks span Western Europe, the Americas, and Asia, affecting both Windows and Linux systems, a clear sign that LockBit’s infrastructure and affiliate network are once again active.

A Rapid and Confident Comeback
At the beginning of September, LockBit officially announced its return on underground forums, unveiling LockBit 5.0 and calling for new affiliates to join. This latest version, internally codenamed “ChuongDong,” marks a significant evolution of the group’s encryptor family.

The newly observed LockBit 5.0 attacks span a broad range of targets — about 80% on Windows systems, and around 20% on ESXi and Linux environments. The quick reappearance of multiple active victims demonstrates that LockBit’s Ransomware-as-a-Service (RaaS) model has successfully reactivated its affiliate base.

From Disruption to Reorganization
Until its takedown in early 2024, LockBit was the most dominant RaaS operation globally, responsible for 20–30% of all data-leak site victim postings. Following Operation Cronos, several arrests and data seizures disrupted the group’s infrastructure. Competing ransomware programs, such as RansomHub and Qilin, briefly tried to absorb its affiliates.

However, LockBit’s administrator, LockBitSupp, evaded capture and continued to hint at a comeback on dark web forums. In May 2025, he posted defiantly on the RAMP forum: “We always rise up after being hacked.” By August, LockBitSupp reappeared again, claiming the group was “getting back to work,” a statement that quickly proved true.

A Divided Underground
While LockBit regained traction on RAMP, other major forums like XSS continued to ban RaaS advertising. In early September, LockBitSupp attempted to be reinstated on XSS, even prompting a community vote, which ultimately failed.

Implications: A Familiar Threat Returns
LockBit’s reemergence underscores the group’s resilience and sophistication. Despite high-profile law enforcement actions and public setbacks, the group has once again managed to restore its operations, recruit affiliates, and resume extortion.

With its mature RaaS model, cross-platform reach, and proven reputation among cyber criminals, LockBit’s return represents a renewed threat to organizations across all sectors. September’s wave of infections likely marks only the beginning of a larger campaign — and October’s postings may confirm the group’s full operational recovery.

• VanHelsingRaaS is a new and rapidly growing ransomware-as-a-service (RaaS) affiliate program launched on March 7, 2025. The RaaS model allows a wide range of participants, from experienced hackers to newcomers, to get involved with a $5,000 deposit. Affiliates keep 80% of the ransom payments, while the core operators earn 20%. The only rule is not to target the Commonwealth of Independent States (CIS).
• Check Point Research discovered two VanHelsing ransomware variants targeting Windows, but as the RaaS mentions in its advertisement, it provides more offerings “targeting Linux, BSD, ARM, and ESXi systems”. The program provides an intuitive control panel that simplifies operating ransomware attacks. Check Point Research obtained two variants of the VanHelsing Ransomware, compiled just five days apart. The newest variant shows significant updates, highlighting the fast-paced evolution of this ransomware.
• In less than two weeks since its introduction to the cybercrime community, this ransomware operation has already infected three known victims, demanding large ransom payments for decryption and the deletion of stolen data. During negotiations, they demanded $500,000 to be paid to a specified Bitcoin wallet.

orums as part of our Threat Discovery Process.
Designed to target Windows systems, this ransomware employs advanced encryption techniques and appends a unique file extension to compromised files. Its stealthy evasion tactics and persistence mechanisms make detection and removal challenging. This highlights the need for proactive cybersecurity measures and a robust incident response strategy to safeguard data integrity and minimize breach risks.

Target Technologies: Windows
Target Geography: France, USA.
Target Industry: Government, Manufacturing, Pharma.
Encrypted file extension: .vanhelsing
Observed First: 2025-03-16
Threat actor Communication mode: Tor

First observed in March 2024, “BlackLock” (aka El Dorado or Eldorado) has rapidly emerged as a major player in the ransomware-as-a-service (RaaS) ecosystem. By Q4 2024, it ranked as the 7th most prolific ransomware group on data-leak sites, fueled by a staggering 1,425% increase in activity from Q3. BlackLock uses a double extortion tactic—encrypting data while stealing sensitive information—to pressure victims with the threat of public exposure. Its ransomware is built to target Windows, VMWare ESXi, and Linux environments, though the Linux variant offers fewer features than its Windows counterpart.

The LockBit ransomware group will soon launch a comeback with the planned release of LockBit 4.0 in February 2025, Cyble

Kryptina's adoption by Mallox affiliates complicates malware tracking as ransomware operators blend different codebases into new variants.

• Kryptina evolved from a free tool on public forums to being actively used in enterprise attacks, particularly under the Mallox ransomware family.
• In May 2024, a Mallox affiliate leaked staging server data, revealing that their Linux ransomware was based on a modified version of Kryptina.
• The affiliate made superficial changes to source code and documentation, stripping Kryptina branding but retaining core functionality.
• The adoption of Kryptina by Mallox affiliates exemplifies the commoditization of ransomware tools, complicating malware tracking as affiliates blend different codebases into new variants.
• This original research was presented by the author at LABScon 2024 in Scottsdale, Arizona.

In the hidden corners of the internet, a parallel economy thrives—one that operates beyond the reach of conventional search engines and law enforcement agencies. Dark Web Forums have become the breeding grounds for cybercriminals.

In the world of cybersecurity, Exploit in is a well-known private Russian hacker forum. Since it began in 2012, the forum has developed into a well-known exchange and sales platform for various cybercrime tools and stolen data. A wide range of cybercrime-related topics are covered by Exploit, such as credit card information, email spamming tools, social engineering, security & vulnerabilities, social network hacking, cryptography, cracked tools, buying and selling of hacked databases, info-stealer & Malware as a service (Maas). The creators of Exploit, a well-known cybercrime forum where ransomware gangs recruit affiliates and promote their Ransomware-as-a-Service (RaaS) offerings, have declared that ransomware advertisements are no longer permitted and will be taken down.

Play ransomware has turned into Ransomware-as-a-Service (RaaS), allowing other cybercriminals to use it.

The hacker collective called GhostSec has unveiled an innovative Ransomware-as-a-Service (RaaS) framework called GhostLocker. They provide comprehensive assistance to customers interested in acquiring this service through a dedicated Telegram channel. Presently, GhostSec is focusing its attacks on Israel. This move represents a surprising departure from their past activities and stated agenda.

All you need to know about Qilin ransomware and its operations targeting critical sectors.
Group-IB’s Threat Intelligence team infiltrated the Qilin ransomware group in March 2023 and now can reveal inside information about this RaaS program. The blog provides recommendations on how to prevent Qilin’s attacks and will be useful for threat intelligence experts, threat hunters, and corporate cybersecurity teams.

Ransomware attacks are becoming more frequent and costlier—breaches caused by ransomware grew 41 percent in the last year, the average cost of a destructive attack rising to $5.12 milllion. What’s more, a good chunk of the cyber criminals doing these attacks operate on a ransomware-as-a-service (RaaS) model.

Ransom Cartel is ransomware as a service (RaaS) that exhibits several similarities to and technical overlaps with REvil ransomware. Read our overview.