#lockbit

2026-01-22

Detailed Analysis of LockBit 5.0

Pulse ID: 6971da943816f46b2e0e1d22
Pulse Link: otx.alienvault.com/pulse/6971d
Pulse Author: Tr1sa111
Created: 2026-01-22 08:06:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #LockBit #OTX #OpenThreatExchange #bot #Tr1sa111

2026-01-21

Detailed Analysis of LockBit 5.0

LockBit, originating as ABCD ransomware in 2019, has evolved to version 5.0 in September 2025. After a period of inactivity, it resumed operations in December 2025 with a reduced affiliate sign-up fee. LockBit 5.0, nicknamed ChoungDong, consists of a Loader and Ransomware component. The Loader decrypts and executes the payload in memory, while the Ransomware uses ChaCha20 and Curve25519 for encryption. This update significantly enhances evasion techniques and attack efficiency, introducing features like Mutex, Execution Delay, and Wiper. The group's history includes affiliation with the Maze cartel, independent operations, and continuous upgrades. Mitigation strategies involve monitoring process behavior, applying security patches, and preparing for swift responses using provided IoCs and MITRE ATT&CK techniques.

Pulse ID: 6970a45822ddea57307db903
Pulse Link: otx.alienvault.com/pulse/6970a
Pulse Author: AlienVault
Created: 2026-01-21 10:03:04

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ChaCha20 #CyberSecurity #Encryption #InfoSec #LockBit #OTX #OpenThreatExchange #RAT #RansomWare #bot #AlienVault

2026-01-02

Morning, cyber practitioners! It's been a busy start to the year with significant breaches impacting government contractors and healthcare, ongoing crypto theft linked to past compromises, and new insights into nation-state activity. We're also seeing an old Fortinet vulnerability still being actively exploited, and regulators are taking a hard look at AI deepfakes. Let's dive in:

Recent Cyber Attacks and Breaches ⚠️

- Sedgwick Government Solutions, a major federal contractor, confirmed a cyber incident affecting an isolated file transfer system, with the TridentLocker ransomware gang claiming 3.4 GB of data theft. The company states no wider systems or claims management servers were impacted.
- Covenant Health, a Catholic healthcare provider, has revised the impact of its May 2025 data breach to nearly 478,188 patients. The Qilin ransomware group claimed responsibility, having stolen 852 GB of data, including names, SSNs, health insurance, and treatment details.
- Trust Wallet's browser extension suffered an $8.5 million crypto theft from over 2,500 wallets, linked to exposed GitHub developer secrets and a leaked Chrome Web Store API key. Attackers published a malicious JavaScript file in a trojanised extension, bypassing internal review, and the incident is believed to be related to the "industry-wide" Shai-Hulud NPM supply chain attack.
- Ongoing cryptocurrency thefts, totalling over $35 million, have been traced back to the 2022 LastPass breach, with attackers gradually decrypting stolen encrypted vaults containing private keys and seed phrases. TRM Labs successfully "demixed" funds laundered through Wasabi Wallet's CoinJoin, linking the activity to the Russian cybercrime ecosystem.
- A cybercrook claims to be selling 139 GB of engineering data from Pickett and Associates, a firm serving major US utilities like Tampa Electric Company, Duke Energy Florida, and American Electric Power, for 6.5 Bitcoin. The alleged data includes LiDAR files, orthophotos, and design files, highlighting the increasing targeting of critical infrastructure.

🗞️ The Record | therecord.media/sedgwick-cyber
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/covenant-healt
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th

New Threat Research and Tradecraft 🛡️

- Transparent Tribe (APT36) is targeting Indian governmental, academic, and strategic entities with new RAT attacks. The campaign uses weaponised LNK files disguised as PDFs, executing a remote HTA script that loads the RAT directly into memory, with persistence mechanisms adapting based on detected antivirus solutions.
- Cybercriminals are abusing Google Cloud's Application Integration "Send Email" feature to send phishing emails from a legitimate `noreply-application-integration@google[.]com` address, bypassing DMARC and SPF checks. The multi-stage attack uses Google Cloud services for redirection and a fake CAPTCHA before leading to a credential-stealing Microsoft login page.

📰 The Hacker News | thehackernews.com/2026/01/tran
🗞️ The Record | therecord.media/pakistan-linke
📰 The Hacker News | thehackernews.com/2026/01/cybe

Actively Exploited Vulnerability 🚨

- Over 10,000 Fortinet firewalls remain exposed to CVE-2020-12812, a critical (9.8 severity) five-year-old 2FA bypass vulnerability in FortiGate SSL VPN. Attackers are actively exploiting this flaw when username case is changed and LDAP is enabled, with state-sponsored groups and ransomware actors having leveraged it since at least 2021.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Regulatory Spotlight on AI Deepfakes ⚖️

- European regulators, including France and the UK, are considering action against Elon Musk's X after its AI tool Grok was used to create sexually explicit deepfakes of a minor. The UK plans to ban "nudification tools," intensifying the debate between European content moderation efforts and X's stance on free speech.

🗞️ The Record | therecord.media/europe-regulat

Law Enforcement & Cybersecurity Recognition 🏅

- Gavin Webb of the National Crime Agency (NCA) has been awarded an OBE by King Charles for his strategic coordinating role in Operation Cronos, the international law enforcement effort that disrupted the LockBit ransomware group. LockBit was responsible for a quarter of all ransomware attacks between 2023-2024.
- British security researcher Jacob Riggs has secured Australia's rare Subclass 858 National Innovation visa after discovering a critical vulnerability in the Department of Foreign Affairs and Trade (DFAT) systems, demonstrating his commitment to cybersecurity.
- Ilya Lichtenstein, who pleaded guilty to money laundering related to the 2016 Bitfinex crypto theft, has been released early after serving approximately 14 months, attributing his release to Trump's First Step Act. His wife, Heather Morgan, also received an early release.

🕵🏼 The Register | go.theregister.com/feed/www.th
🕵🏼 The Register | go.theregister.com/feed/www.th
🕵🏼 The Register | go.theregister.com/feed/www.th

#CyberSecurity #ThreatIntelligence #Ransomware #Phishing #APT #TransparentTribe #LockBit #Fortinet #Vulnerability #Deepfake #AI #CryptoTheft #LastPass #CriticalInfrastructure #InfoSec #IncidentResponse

Webrecord Media (webRecord_Media)
2025-12-29
2025-12-26

Cyber bandits don't wait for cheesecake over the holidays. Another Polish company a ransomware victim? sekurak.pl/cyberzboje-w-swieta #Aktualnoci #Incydent #Lockbit #Ransomware

2025-12-26

Cyber bandits don't wait for cheesecake over the holidays. Another Polish company a ransomware victim?

Just yesterday we reported on a potential further attack by the Safepay group, and today we received information about the Lockbit 5.0 group and a probable attack on a Polish company, Mosty Katowice Sp. z o.o. The company is a well-known leader in the design and engineering industry in Poland, operating mainly in infrastructure construction and services...

#Aktualności #Incydent #Lockbit #Ransomware

sekurak.pl/cyberzboje-w-swieta

暗网下 (anwangxia)
2025-12-11

The new server IP address and clearnet domain of the dark web ransomware gang LockBit 5.0 have been leaked.

anwangxia.com/4540.html

2025-12-10

LockBit 5.0: new infrastructure, a publicly accessible list of hacked companies, and the group's OPSEC called into question

Not long ago on Sekurak we wrote about the alliance of the LockBit, DragonForce and Qilin groups and the reactivation of Lockbit 5.0 with advanced, multi-platform malware that uses, among other things, strong encryption. According to the assessment of researchers at Trend Micro, the return of Lockbit poses a real threat and may result in an increased frequency of attacks, which we have already had the opportunity to see for ourselves...

#Aktualności #Awareness #Lockbit #Opsec #OSINT #Ransomware

sekurak.pl/lockbit-5-0-nowa-in

2025-12-08

LockBit 5.0: Key IP + Domain Exposed in Rare OPSEC Breakdown
technadu.com/lockbit-5-0-infra

Researcher Rakesh Krishnan uncovered and published IP 205.185.116.233 and domain karma0[.]xyz — the backbone of LockBit 5.0’s new leak site. The server runs with open RDP, FTP, HTTP, and other services, exposing glaring vulnerabilities in LockBit’s infrastructure.

A meaningful win for defenders, enabling immediate blocking and further intelligence gathering.

#CyberSecurity #ThreatIntel #Ransomware #LockBit #BlueTeam

LockBit 5.0 Infrastructure Details Exposed by Researchers in Major Security Failure, Including a Key IP Address and Domain
2025-11-20

OFAC + U.K. + Australia sanction Media Land LLC for providing bulletproof hosting to LockBit, BlackSuit, Play, Evil Corp & Black Basta.
Volosovik (Yalishanda), Zatolokin & Pankova named, along with ML Cloud, MLT & DC Kirishi.

Full report: technadu.com/russian-hosting-p

Follow @technadu for continuous threat intel.
#CybersecurityNews #Ransomware #LockBit #ThreatIntel

Russian Hosting Provider ‘Media Land’ Sanctioned for Supporting LockBit, BlackSuit, and Play Ransomware
2025-11-19

NEW - 🚨 The UK National Crime Agency (#NCA) has exposed and sanctioned Alexander Volosovik, aka “Yalishanda,” for running Russian bulletproof hosting operations linked to LockBit, Evil Corp and BlackBasta ransomware.

Read: hackread.com/uk-bulletproof-ho

#CyberSecurity #Ransomware #LockBit #EvilCorp #CyberCrime

Miguel Afonso Caetano (remixtures@tldr.nettime.org)
2025-11-15

"- 85 active ransomware and extortion groups observed in Q3 2025, reflecting the most decentralized ransomware ecosystem to date.

- 1,590 victims disclosed across 85 leak sites, showing high, sustained activity despite law-enforcement pressure.

- 14 new ransomware brands launched this quarter, proving how quickly affiliates reconstitute after takedowns.

- LockBit's reappearance with version 5.0 signals potential re-centralization after months of fragmentation."

thehackernews.com/2025/11/rans

#CyberSecurity #Ransomware #Lockbit

2025-11-14

According to an analysis by Check Point Research, the third quarter of 2025 shows the most decentralised ransomware ecosystem to date. The investigation reportedly found 85 active ransomware and extortion groups and 1,590 victims, which were made public via 85 leak sites. And: LockBit is back with version 5.0, from which a new trend towards centralisation could be inferred.

maniabel.work/archiv/232
#Ransomware #Lockbit #infosec #infosecnews #BeDiS

2025-11-10

Imagine someone selling hacked access like real estate—unwitting gateways to ransomware attacks worth millions. The Volkov case lifts the veil on this shadowy cyber trade. Curious how it all unfolds?

thedefendopsdiaries.com/the-cr

#initialaccessbroker
#ransomware
#cybercrime
#volkovcase
#yanluowang
#lockbit
#cryptocurrency
#cybersecuritytrends
#lawenforcement

2025-11-06

LockBit 5.0 is back - faster encryption, random file extensions & advanced obfuscation.
Group claims they’re “penetration testers,” not cybercriminals.

Details 👇
technadu.com/lockbit-5-0-resur

#LockBit #Ransomware #RaaS #CyberSecurity #InfoSec

LockBit 5.0 Resurfaces: Faster Encryption and Randomized Extensions, Hackers Say in Interview They See Themselves as Penetration Testers
2025-11-05

Protection against ransomware. How do attacks happen and what should you do?

Over the past year, even people unconnected with information security or IT administration have learned about hacker attacks in which data is destroyed or encrypted. In theory, a mass ransomware attack could temporarily paralyse critical infrastructure: halt transport and leave shops, pharmacies and petrol stations unable to serve customers. Although such a picture seems exaggerated, it is entirely possible, especially in light of recent events and the incidents that have occurred. In this article we describe the scale of the threat and how organisations can counter ransomware attacks. Drawing on real investigations, we share not only technical details but also practical recommendations that will help reduce risks and respond to an incident in time.

habr.com/ru/companies/jetinfos

#кибербезопасность #ransomware #иб #информационная_безопасность #cybersecurity #расследование_инцидентов #soc #phishing #фишинг #lockbit

Daniel Kuhl ✌🏻☮️☕️ (daniel1820815@infosec.exchange)
2025-11-03

💿 LockBit’s back with a new release, and it’s going viral for all the wrong reasons.

After last year’s takedown, LockBit has returned — rebuilt, rebranded, and already hitting new victims worldwide.

Learn more as #CheckPoint Research uncovers LockBit 5.0: blog.checkpoint.com/research/l

#CyberSecurity #LockBit

Daniel Kuhl ✌🏻☮️☕️ (daniel1820815@infosec.exchange)
2025-10-30

#CheckPoint Research identified #LockBit's rapid resurgence after its disruption in 2024, with a dozen organizations hit in September 2025, half by the new LockBit 5.0 (“ChuongDong”) variant. The group is deploying attacks across #Windows, #Linux, and #ESXi environments in Europe, the Americas, and Asia. LockBit 5.0 adds multi-platform builds, stronger anti-analysis, faster encryption, and more.

blog.checkpoint.com/research/l

🚨 From fake Google Careers pages to Figma phishing, attackers continued to exploit trusted platforms at scale in October.

See all major cyber attacks & threats over the past 30 days, including #LockBit 5.0 and the new #Tykit phishing kit ⬇️
any.run/cybersecurity-blog/cyb

#Cybersecurity #infosec
