
LockBit5
Rebuilt post-Cronos iteration of the LockBit ransomware platform; active with sustained victim postings in April 2026.
Last refreshed: 17 April 2026 · Appears in 1 active topic
How did LockBit rebuild after Operation Cronos, and what does that mean for ransomware defence?
Timeline for LockBit5
Mentioned in: CitrixBleed 3 lands on SAML broker
Cybersecurity: Threats and DefencesWhat happened to LockBit after Operation Cronos?
Is LockBit 5 the same as LockBit ransomware?
How many ransomware attacks happened in March 2026?
Background
LockBit5 is the iteration of the LockBit ransomware-as-a-service (RaaS) platform rebuilt following Operation Cronos, the February 2024 international law enforcement action led by the UK's National Crime Agency (NCA), Europol and the FBI that seized LockBit infrastructure, arrested affiliates in multiple countries and obtained decryption keys. LockBit's administrator, known as LockBitSupp, subsequently rebuilt the operation and is running sustained victim posting activity on a rebuilt leak site as of March and April 2026, alongside DragonForce.
LockBit was the dominant global RaaS platform from 2022 through 2024, responsible for thousands of attacks across healthcare, education, critical infrastructure and professional services. The FBI estimated LockBit had received over $120 million in ransom payments by the time of Operation Cronos. The group's resilience is notable: despite infrastructure seizure, affiliate arrests and the LockBitSupp identity partially exposed, the core operation has rebuilt. LockBit5 represents the fourth major iteration of the platform.
The sustained March-April 2026 posting volume, described in the Lowdown cyber briefing as part of an 808-victim-posting month across 65 active ransomware groups in March 2026, places LockBit5 alongside DragonForce as the highest-volume operators. March 2026 ransomware postings were up 19 per cent month-on-month and 33 per cent above the 2025 monthly average, suggesting that law enforcement disruption has not reduced aggregate ransomware volume.