LockBit 5.0 expands targeting amid ransomware escalation

The individuals behind a new version of the LockBit ransomware dramatically expanded their targeting during September, amid a wider rise in ransomware attacks, which were up by over a quarter when compared with August, according to security industry data.

NCC Group’s latest monthly Threat Pulse report reveals that attack volumes have risen for the first time in six months, up 28% to 421 observed and reported incidents, and while this is not an all-time high, the firm’s threat team said it may signal a renewed escalation as the festive season approaches.

“The rise in attacks in September could be a sign that the decline we’ve seen recently is now over,” said NCC threat intelligence head Matt Hull.

“As we approach the busy season for attackers – with Black Friday and Christmas fast approaching – organisations can’t be complacent. Recent attacks on the transport and retail sector, specifically, have shown just how severe the disruption can be.

“Organisations need to ensure they have robust third-party risk management, rapid incident response and proactive security strategies,” he said.

But while NCC’s report says it is the Qilin, Akira and INC Ransom operations that currently dominate the landscape, intelligence from Check Point reveals that the at-large operators of LockBit are attacking organisations across the Americas, Asia and Europe with a LockBit 5.0 Chuongdong variant, and racked up at least a dozen victims in September.

Once the most dominant ransomware-as-a-service (RaaS) crew in NCC’s datasets, LockBit was famously laid low by the UK’s National Crime Agency in a coordinated, multinational sting dubbed Operation Cronos, which unfolded just over 18 months ago in February 2024. The gang had been responsible for up to a third of all data-leak site victim postings at that time.

However, despite the highly effective takedown, which caused major disruption in the cyber criminal underground, LockBit’s administrator, LockBitSupp – named publicly as Russian national Dmitry Khoroshev – has continued to taunt his pursuers, and in August, used the RAMP forum to proclaim the group was getting back to work.

According to Check Point’s intel team, LockBitSupp has not only gained renewed traction on RAMP, but has also been attempting to mend his ravaged reputation by trying to get reinstated on the rival XSS forum, from which he had been banned. This attempt failed, which Check Point said may reflect its denizens’ increasing wariness about the scope of law enforcement penetration of their world.

According to Check Point, LockBit 5.0 introduces four core updates to enhance the locker’s efficiency, security and stealth. It now boasts multi-platform support with builds targeting Windows, Linux and ESXi systems, enhanced anti-analysis features to make investigators’ jobs harder, faster encryption, and randomised 16-character file extensions to evade detection.

Meanwhile, its affiliate control panel provides RaaS users an improved management interface, and joining the partner programme also requires a $500 (£375) down payment in Bitcoin.

“LockBit’s reemergence underscores the group’s resilience and sophistication,” said Check Point’s team. “Despite high-profile law enforcement actions and public setbacks, the group has once again managed to restore its operations, recruit affiliates and resume extortion.

“With its mature RaaS model, cross-platform reach and proven reputation among cyber criminals, LockBit’s return represents a renewed threat to organisations across all sectors. September’s wave of infections likely marks only the beginning of a larger campaign – and October’s postings may confirm the group’s full operational recovery.”
