
Detailed Analysis of LockBit 5.0

Severity: Medium
Published: Wed Jan 21 2026 (01/21/2026, 10:03:04 UTC)
Source: AlienVault OTX General

Description

LockBit, originating as ABCD ransomware in 2019, has evolved to version 5.0 in September 2025. After a period of inactivity, it resumed operations in December 2025 with a reduced affiliate sign-up fee. LockBit 5.0, nicknamed ChoungDong, consists of a Loader and Ransomware component. The Loader decrypts and executes the payload in memory, while the Ransomware uses ChaCha20 and Curve25519 for encryption. This update significantly enhances evasion techniques and attack efficiency, introducing features like Mutex, Execution Delay, and Wiper. The group's history includes affiliation with the Maze cartel, independent operations, and continuous upgrades. Mitigation strategies involve monitoring process behavior, applying security patches, and preparing for swift responses using provided IoCs and MITRE ATT&CK techniques.

AI-Powered Analysis

Last updated: 01/21/2026, 23:20:16 UTC

Technical Analysis

LockBit ransomware originated as ABCD ransomware in 2019 and has evolved through multiple versions, with version 5.0 (nicknamed ChoungDong) released in September 2025. After a period of inactivity, the group resumed operations in December 2025, lowering affiliate sign-up fees to attract more operators. The malware architecture consists of two main components: a Loader and the Ransomware payload. The Loader decrypts and executes the ransomware payload directly in memory, reducing disk artifacts and improving evasion against endpoint detection systems. The ransomware uses modern cryptographic algorithms, ChaCha20 for symmetric encryption and Curve25519 for asymmetric key exchange, ensuring strong data encryption and complicating recovery without the decryption key. New evasion techniques include the use of Mutex to prevent multiple instances, execution delays to avoid sandbox detection, and a wiper functionality that can destroy data, increasing the threat severity beyond simple encryption. LockBit’s affiliate model allows multiple threat actors to deploy the ransomware, increasing attack scale and diversity. The group has a history of affiliation with the Maze cartel and has independently upgraded its tools continuously. Indicators of Compromise (IoCs) such as file hashes are available, and the campaign leverages MITRE ATT&CK techniques like process injection (T1055.012) and indicator removal (T1070.006). Although no specific CVEs or exploits are currently known in the wild, the threat’s sophistication and operational history make it a significant risk. Mitigation strategies focus on behavioral monitoring, patch management, and rapid incident response using the provided IoCs and threat intelligence.

Potential Impact

For European organizations, LockBit 5.0 poses a significant threat due to its advanced evasion capabilities and destructive potential. The use of strong encryption algorithms means that encrypted data is effectively inaccessible without paying ransom or having reliable backups. The introduction of a wiper component increases the risk of permanent data loss, which can severely disrupt business operations, especially in critical sectors such as healthcare, finance, manufacturing, and government. The affiliate model and reduced sign-up fees may lead to increased attack frequency and diversity, targeting a wider range of organizations across Europe. The ransomware’s ability to execute payloads in memory complicates detection and response efforts, potentially allowing longer dwell times and more extensive damage. Double-extortion tactics, where data is exfiltrated before encryption, threaten confidentiality and increase regulatory and reputational risks under GDPR and other data protection laws. The medium severity rating reflects the balance between the threat’s capabilities and the current lack of widespread exploitation, but the potential impact on confidentiality, integrity, and availability remains high.

Mitigation Recommendations

European organizations should implement advanced endpoint detection and response (EDR) solutions capable of detecting in-memory execution and process injection techniques. Monitoring for unusual mutex creation and execution delays can help identify LockBit 5.0 activity. Network segmentation and strict access controls should be enforced to limit lateral movement. Regular patching of operating systems and applications is critical to reduce attack surface, even though no specific CVEs are currently exploited. Organizations should maintain and regularly test offline backups to ensure data recovery without paying ransom. Incident response plans must be updated to incorporate LockBit-specific IoCs and MITRE ATT&CK techniques such as T1055.012 (process injection) and T1070.006 (indicator removal). Threat intelligence sharing within industry sectors and with national cybersecurity centers can improve detection and response. User training should emphasize phishing awareness, as initial infection vectors often involve social engineering. Finally, organizations should consider deploying deception technologies to detect ransomware activity early and disrupt execution.
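The recommendation above to fold the published IoCs into incident response is easiest to act on with a small hash sweep. The script below is an added example, not code from the advisory, from AlienVault or from the referenced S2W report: it takes the eight hashes from this page's Indicators of Compromise list, infers each digest's algorithm from its hex length (the page does not name the algorithms), hashes every file under a directory once per required algorithm in a single streaming pass, and reports matches. The directory path and any sample file contents are assumptions supplied by the caller.

```python
import hashlib
import os
from pathlib import Path

# IoC hashes copied verbatim from this page's Indicators of Compromise list.
LOCKBIT_50_IOC_HASHES = {
    "5e1f61b9c1c27cad3b7a81c804ac7b86",
    "d57a61761cc5a210207a42eaa223f40d",
    "f79ea684b3d459cf3f9d93dac0818ad5",
    "c1888ba296f57e87a84411ddfce3cabc4536b142",
    "f91a868859f4136dcf0c4cb1fad68fa0e410c41e",
    "180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38",
    "5fc709c53f1a714c2fe13130458880f90ad02cd72913e90517aa54d32109acc6",
    "6abb008fdeede9cddb8ea05c382a89ef654d4d8a88f490719d473d4bfd0705b7",
}

# The page lists digests without naming the algorithm, so it is inferred
# from the hex length: 32 -> MD5, 40 -> SHA-1, 64 -> SHA-256.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_iocs(hashes):
    """Group hex digests by the algorithm their length implies."""
    grouped = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in hashes:
        h = h.strip().lower()
        algo = ALGO_BY_HEX_LEN.get(len(h))
        if algo is None:
            raise ValueError(f"unrecognised digest length for {h!r}")
        grouped[algo].add(h)
    return grouped


def hash_file(path, algos):
    """Compute the requested digests of one file in a single streaming pass."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_file(path, iocs=LOCKBIT_50_IOC_HASHES):
    """Return [(algorithm, digest), ...] for every digest of `path` found in the IoC set."""
    grouped = classify_iocs(iocs)
    needed = [a for a, s in grouped.items() if s]  # only hash with algorithms the IoC set uses
    digests = hash_file(path, needed)
    return [(a, d) for a, d in digests.items() if d in grouped[a]]


def scan_tree(root, iocs=LOCKBIT_50_IOC_HASHES):
    """Walk `root` and return {path: matches} for every file matching an IoC."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                matches = match_file(p, iocs)
            except OSError:
                continue  # locked or unreadable files are skipped rather than aborting the sweep
            if matches:
                hits[str(p)] = matches
    return hits


if __name__ == "__main__":
    import sys

    # Assumed usage: python ioc_sweep.py <directory>; defaults to the current directory.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, matches in scan_tree(root).items():
        for algo, digest in matches:
            print(f"MATCH {path} {algo}={digest}")
```

Hash matching only catches the exact samples listed here; because the Loader decrypts the payload in memory, the on-disk artifact may be a different file from the one that was hashed, so treat a miss as "not these samples" rather than "not LockBit", and pair the sweep with the behavioral monitoring the paragraph above describes.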


Technical Details

Author
AlienVault
TLP
white
References
https://medium.com/s2wblog/detailed-analysis-of-lockbit-5-0-de92c03441f8
Adversary
LockBit
Pulse Id
6970a45822ddea57307db903
Threat Score
null

Indicators of Compromise

Hash

MD5
5e1f61b9c1c27cad3b7a81c804ac7b86
d57a61761cc5a210207a42eaa223f40d
f79ea684b3d459cf3f9d93dac0818ad5

SHA-1
c1888ba296f57e87a84411ddfce3cabc4536b142
f91a868859f4136dcf0c4cb1fad68fa0e410c41e

SHA-256
180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38
5fc709c53f1a714c2fe13130458880f90ad02cd72913e90517aa54d32109acc6
6abb008fdeede9cddb8ea05c382a89ef654d4d8a88f490719d473d4bfd0705b7

Threat ID: 69715bd34623b1157cf1b95d

Added to database: 1/21/2026, 11:05:55 PM

Last enriched: 1/21/2026, 11:20:16 PM

Last updated: 2/7/2026, 1:57:57 AM

Views: 173
