LockBit was once the most feared ransomware group until global law enforcement action sent the group into decline last year. Now the threat group hopes to mount a comeback with LockBit 5.0.
LockBit announced the release of LockBit version 5.0 on the underground forum RAMP last week (image below), coinciding with the sixth anniversary of the group’s ransomware operations. LockBit says the update includes a complete redevelopment of their ransomware panel and lockers, and the new malware is more modular and offers faster encryption and better evasion of security defenses.
LockBit shared the panel address and claimed their program is highly profitable for affiliates, adding that a more detailed announcement will be coming soon. However, it remains to be seen whether the new features will be enough to reverse the group’s long-term decline.
Can LockBit 5.0 Reverse Ransomware Group’s Decline?
LockBit is the all-time top ransomware group in Cyble’s threat intelligence database (chart below), with more than 2,700 claimed victims, roughly three times more than competitors like Play, CL0P and Akira.
However, in the last year LockBit has claimed only about 60 victims total, according to Cyble data, a dramatic decline for the group and about 90% less than the new leaders that have emerged during that time. Akira, Qilin and RansomHub have all claimed around 600 victims each since September 2024, but leadership has shifted dramatically during that time, as a possible act of sabotage by rival DragonForce sent RansomHub into decline in late March 2025 and Qilin has emerged as the most active ransomware group in the months since then.
LockBit 4.0 failed to gain much traction and was never completely rolled out, and now the group is attempting to mount a comeback against rivals that have done well attracting ransomware affiliates on terms like profit sharing and features, so the road back for LockBit appears to be a challenging one.
Enforcement Actions Against LockBit Met with Success
LockBit’s decline began after an international law enforcement action in February 2024 severely disrupted the group, resulting in arrests, shutdown of infrastructure, seizure of servers and data leak sites, and freezing of cryptocurrency accounts linked to the group. More arrests have since followed, and the group has averaged just five new victims a month in the last year.
The group’s own leaked source code has been used by rivals in their ransomware development, and another leak in May 2025 further exposed the group’s operations.
In short, LockBit may face a steep challenge in its comeback attempt, but the group’s history still makes it one to be wary of.
