OrganisationRU

LockBit5

Rebuilt post-Cronos iteration of the LockBit ransomware platform; active with sustained victim postings in April 2026.

Last refreshed: 17 April 2026 · Appears in 1 active topic

Key Question

How did LockBit rebuild after Operation Cronos, and what does that mean for ransomware defence?

Timeline for LockBit5

#117 Apr

Mentioned in: CitrixBleed 3 lands on SAML broker

Cybersecurity: Threats and Defences

View full timeline →

Follow Cybersecurity: Threats and Defences →

Common Questions

What happened to LockBit after Operation Cronos?: The UK NCA, Europol and FBI seized LockBit's infrastructure in February 2024 under Operation Cronos, arresting affiliates and releasing decryption keys. LockBit's administrator subsequently rebuilt the platform; LockBit5 was active with sustained victim postings as of April 2026.Source: NCA / Europol / Mandiant M-Trends 2026
Is LockBit 5 the same as LockBit ransomware?: LockBit5 is the latest iteration of the LockBit ransomware-as-a-service platform, rebuilt after the February 2024 Operation Cronos takedown. It shares the same administrator and affiliate programme model as prior versions.Source: Mandiant / NCA
How many ransomware attacks happened in March 2026?: Mandiant's M-Trends 2026 data showed 808 ransomware victim postings across 65 active groups in March 2026, up 19% month-on-month and 33% above the 2025 monthly average. LockBit5 and DragonForce were the highest-volume operators.Source: Mandiant M-Trends 2026

Background

LockBit5 is the iteration of the LockBit ransomware-as-a-service (RaaS) platform rebuilt following Operation Cronos, the February 2024 international law enforcement action led by the UK's National Crime Agency (NCA), Europol and the FBI that seized LockBit infrastructure, arrested affiliates in multiple countries and obtained decryption keys. LockBit's administrator, known as LockBitSupp, subsequently rebuilt the operation and is running sustained victim posting activity on a rebuilt leak site as of March and April 2026, alongside DragonForce.

LockBit was the dominant global RaaS platform from 2022 through 2024, responsible for thousands of attacks across healthcare, education, critical infrastructure and professional services. The FBI estimated LockBit had received over $120 million in ransom payments by the time of Operation Cronos. The group's resilience is notable: despite infrastructure seizure, affiliate arrests and the LockBitSupp identity partially exposed, the core operation has rebuilt. LockBit5 represents the fourth Major iteration of the platform.

The sustained March-April 2026 posting volume, described in the Lowdown cyber briefing as part of an 808-victim-posting month across 65 active ransomware groups in March 2026, places LockBit5 alongside DragonForce as the highest-volume operators. March 2026 ransomware postings were up 19 per cent month-on-month and 33 per cent above the 2025 monthly average, suggesting that law enforcement disruption has not reduced aggregate ransomware volume.

How the World Sees Them

United States

LockBit is one of the most-prolific ransomware groups to have targeted US healthcare and critical infrastructure. DOJ has outstanding indictments against LockBit operators.

Law enforcement

NCA, Europol and FBI regard Operation Cronos as a major success, but acknowledge LockBit's rebuild demonstrates the structural resilience of the RaaS model.

Ransomware ecosystem

LockBit's repeated rebuilding after law enforcement disruption has become a reference model for RaaS resilience, influencing how other groups structure their infrastructure redundancy.