Law Enforcement Took LockBit Down in 2024. LockBit 5.0 Posted Three Fresh Victims Today and Now Encrypts Your Hypervisors Too. The Reboot Is the Pattern.
- Patrick Duggan
- 2 minutes ago
- 3 min read
This morning we set a watch for where First VPN would reboot after its takedown, on the principle that disrupting criminal infrastructure relocates demand rather than ending it. By the afternoon, a different name was demonstrating the same principle on a leak site: LockBit, the ransomware-as-a-service operation that international law enforcement disrupted in early 2024 with great fanfare, posted three fresh victims today under the LockBit 5.0 banner, among them Central Romana Corporation, a Dominican agro-industrial and tourism conglomerate, and Shougang Hierro Peru, a Peruvian iron producer. The trust lifecycle that governs every reputation-based criminal enterprise — build, prove, get disrupted, reboot — is not an abstraction. It is a calendar, and LockBit is on its next turn of it.
The Reboot Took
The 2024 takedown was real and it hurt: infrastructure seized, decryptors recovered, affiliates spooked. But a ransomware brand is not its servers; it is its reputation among affiliates, and LockBit has spent the time since rebuilding exactly that. The group announced version 5.0 on the RAMP dark-web forum around its six-year anniversary in late 2025, and the relaunch was not cosmetic. Since standing up its new data-leak site it has posted well over a hundred alleged victims, and today's three are simply the latest. This is the part defenders consistently underweight: a takedown that does not also destroy the trust an operation has accumulated buys time, not closure. The brand reboots, the affiliates drift back, and the victims resume. We have written about this dynamic for dark markets, for BreachForums, for bulletproof hosts, and this morning for First VPN; LockBit 5.0 is the same chapter with a more famous name on the cover.
What Is Actually New In 5.0: It Eats The Hypervisor
The reboot brought a genuine technical escalation, and it is the part to take seriously regardless of the brand drama. Earlier LockBit was mostly a Windows story. LockBit 5.0 ships dedicated builds for Windows, Linux, and VMware ESXi, and it advertises the ability to run on all versions of Proxmox, the open-source hypervisor that a lot of enterprises have adopted as a cheaper alternative to VMware. That cross-platform reach changes the blast radius of a single intrusion: an attacker who reaches the virtualization layer can encrypt the virtual disk files on the host's datastores and take out every virtual machine running on it at once, rather than encrypting endpoints one by one. The hypervisor is to a modern data center what the backup server is to recovery — a single high-leverage box where one successful action ends many systems — which is exactly why ransomware has been migrating toward ESXi and now Proxmox. The 5.0 samples also carry the modern evasion kit you would expect from a serious operation: a custom loader with anti-debugging and geolocation checks, Event Tracing for Windows (ETW) patching to blind endpoint telemetry, COM-based shadow-copy deletion to kill recovery, and custom hashing to mask artifacts. This is not a nostalgia act; it is a current, capable, cross-platform encryptor.
What A Defender Does
Defend the layer LockBit 5.0 is now built to reach: the hypervisor. ESXi and Proxmox hosts are too often managed as infrastructure plumbing rather than as the crown-jewel single-points-of-failure they are — so put management interfaces behind tight network segmentation and strong authentication, keep them off any network segment a phished workstation can reach, patch them on the fast lane, and make sure the people who run your virtualization stack are watching it the way the people who run your domain controllers watch theirs. Because the operation deletes shadow copies and patches ETW to blind the agent, lean on the defenses that survive the endpoint being subverted: immutable, offline-or-air-gapped backups that an encryptor cannot reach or delete, and logging that lands somewhere the attacker cannot edit from the host. And hold the strategic frame from this morning steady: takedowns are real wins that impose real cost, but they are disruptions, not cures, and the disciplined defender plans for the reboot. We armed a watch this morning for where First VPN comes back. LockBit did not make us wait that long — it came back loud, cross-platform, and with fresh victims, which is the whole lesson about why the trust lifecycle, not the takedown, is the thing to track.
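The segmentation point above is the one most often asserted and least often verified, so here is a small audit that checks it against a rule set. This is an added example written for this post, not LockBit tooling or anything from VMware or Proxmox: it takes a constructed list of firewall rules, a constructed inventory of hypervisor hosts, and the subnets where user workstations live, then reports every management port on an ESXi or Proxmox host that a phished workstation could reach, evaluating rules first-match in order. The port lists are the vendors' usual management ports (ESXi 443/902/22, Proxmox 8006/22/3128/5900-5999) and should be adjusted to your environment; the rule format, host addresses and rule names are all made up for the example.

```python
"""Audit firewall rules for paths from user workstations to hypervisor management ports."""
import ipaddress
from dataclasses import dataclass

# Management ports of the virtualization layer that LockBit 5.0 builds target.
# ESXi: 443 (Host Client / vCenter), 902 (console and NFC), 22 (SSH, if enabled).
# Proxmox VE: 8006 (web UI and API), 22 (SSH), 3128 (SPICE proxy), 5900-5999 (VNC console).
MGMT_PORTS = {
    "esxi": {22, 443, 902},
    "proxmox": {22, 3128, 8006} | set(range(5900, 6000)),
}


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: str                          # CIDR
    dst: str                          # CIDR
    ports: frozenset = frozenset()    # empty means any destination port
    name: str = ""

    def matches(self, src_net, dst_ip, port):
        rsrc = ipaddress.ip_network(self.src)
        rdst = ipaddress.ip_network(self.dst)
        # A partial overlap on the source counts as a match: if any host in the
        # workstation subnet is covered, one phished workstation is enough.
        return rsrc.overlaps(src_net) and dst_ip in rdst and (not self.ports or port in self.ports)


@dataclass(frozen=True)
class Finding:
    host: str
    platform: str
    from_net: str
    via_rule: str
    ports: tuple


def first_match(rules, src_net, dst_ip, port):
    """First-match semantics: the first rule that matches the flow decides."""
    for rule in rules:
        if rule.matches(src_net, dst_ip, port):
            return rule
    return None


def audit(rules, hypervisors, workstation_nets, default_action="deny"):
    """hypervisors: {ip: "esxi" | "proxmox"}. Returns reachable management ports per rule."""
    reachable = {}  # (host, platform, from_net, rule name) -> sorted ports
    for ip, platform in hypervisors.items():
        dst = ipaddress.ip_address(ip)
        for cidr in workstation_nets:
            src = ipaddress.ip_network(cidr)
            for port in sorted(MGMT_PORTS[platform]):
                rule = first_match(rules, src, dst, port)
                action = rule.action if rule else default_action
                if action == "allow":
                    key = (ip, platform, cidr, rule.name if rule else "<default>")
                    reachable.setdefault(key, []).append(port)
    return [Finding(*key, tuple(ports)) for key, ports in reachable.items()]


# Constructed inventory and rule set (hypothetical addresses and rule names).
HYPERVISORS = {"10.20.0.11": "esxi", "10.20.0.21": "proxmox"}
WORKSTATION_NETS = ["10.50.0.0/16"]
RULES = [
    Rule("allow", "10.10.0.0/24", "10.20.0.0/24", name="admin-jumphost-to-hv"),      # intended path
    Rule("deny", "10.50.0.0/16", "10.20.0.11/32", frozenset({22}), name="block-ssh-esxi"),
    Rule("allow", "10.50.0.0/16", "10.20.0.0/24", frozenset({443, 8006}), name="users-web-to-hv"),  # exposure
    Rule("allow", "0.0.0.0/0", "10.20.0.21/32", frozenset({22}), name="any-ssh-proxmox"),  # exposure
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", name="default-deny"),
]

if __name__ == "__main__":
    for f in audit(RULES, HYPERVISORS, WORKSTATION_NETS):
        print(f"{f.platform} host {f.host} reachable from {f.from_net} on {f.ports} via rule '{f.via_rule}'")
```

Run against the sample, the audit flags the ESXi host on 443 and the Proxmox host on 8006 through the overly broad web rule, plus Proxmox SSH through the any-source rule, while the jump-host rule and the ESXi SSH block are left alone. Removing the two offending allow rules and re-running produces no findings, which is the state to hold the hypervisor segment to; pointing the same check at your admin subnet instead of the workstation subnets verifies that the intended path still exists.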