SOCRadar® Cyber Intelligence Inc. | LockBit 5.0 & Ransomware Cartel: What You Need To Know?
Sep 05, 2025
Dec 08, 2025
Moon

LockBit 5.0 & Ransomware Cartel: What You Need To Know?

[Update] December 8, 2025: “LockBit 5.0 “Secure Blog” Infrastructure Already Exposed”

LockBit represents one of the longest-running and most structured ransomware gangs of recent years, with a Ransomware-as-a-Service (RaaS) model that has profoundly shaped the criminal ecosystem. For years, its affiliates carried out high-impact attacks across industries, making LockBit a constant presence in both underground forums and security reports.

Threat actor card for LockBit, LockBit 5.0

In February 2024, however, the group suffered its most significant setback during Operation Cronos, a multinational law enforcement campaign that seized key infrastructure, compromised management panels, and exposed sensitive details about affiliates. At that point, many observers believed the operation marked the beginning of an irreversible decline for LockBit.

Operation Cronos, seizure announcement

Yet, in recent weeks, signs of a resurrection have appeared. On the onion network and in underground forums, the group announced LockBit 5.0, a rebranded platform suggesting not only survival but also an attempt to reclaim dominance.

Chat messages on the hacker forum RAMP announcing the release of LockBit 5.0. The $$$ (dollar-sign) account, believed to be the admin of both the Global and Eldorado ransomware groups, also liked the post.

LockBit:
“Today our affiliate program turns 6 years old. On this day, we are releasing the long-awaited update LockBit 5.0
lockbitfbinpwhbyomxkiqtwhwiye…onion”

blessthefall:
(quoting LockBit’s message)
“Today our affiliate program turns 6 years old. On this day, we are releasing the long-awaited update LockBit 5.0
lockbitfbinpwhbyomxkiqtw…onion”

“Let me get myself a tattoo ‘LB 5.0’ for $1000.”

What Is LockBit 5.0?

LockBit 5.0 marks the latest step in the group’s evolution. The malware is described as more modular, with faster encryption and improved methods to bypass defenses. The affiliate program has also been refreshed, offering cybercriminal partners new incentives to join. If the update delivers on these claims, LockBit could quickly regain traction and increase its activity across the ransomware ecosystem.

LockBit 5.0 login panel

What Led To LockBit 5.0?

LockBit’s history shows constant adaptation. Starting as ABCD in 2019, it soon rebranded as LockBit and became a leading Ransomware-as-a-Service (RaaS) platform. Each version added new features:

  • LockBit 2.0: Introduced StealBit for rapid data theft.
  • LockBit 3.0 (Black): Added a bug bounty program and more advanced extortion tactics.
  • LockBit 4.0: Announced in late 2024 but never fully deployed.
  • LockBit 5.0: Now released, allegedly bringing modular design, faster encryption, and stronger evasion.

What Evidence Points to LockBit 5.0’s Return?

The new LockBit 5.0 portal mirrors the group’s earlier infrastructure. Visitors see a queue system, routing messages, and cryptocurrency logos like Monero, Bitcoin, and Zcash. These details show continuity with past versions and suggest that whoever is behind the site wants to project legitimacy.

Still, the evidence can be read in different ways. It may point to a genuine revival led by core members who survived Operation Cronos and are trying to rebuild their affiliate base. It could also be a trap created by law enforcement or researchers to observe activity and lure in affiliates. Another possibility is opportunists reusing the LockBit name to quickly gain authority in underground markets.

What Is the Ransomware Cartel?

On the hacker forum RAMP, DragonForce publicly invited LockBit and Qilin to join forces. The idea was simple: less infighting, no public drama, and shared rules for affiliates. Instead of competition, DragonForce suggested cooperation, where gangs could control the underground market together and maximize profits.

The exchange went as follows:

DragonForce: “Welcome home (LB). I think we should all establish communication (LockBit, Qilin, DragonForce). I have a proposal for everyone: create equal competition conditions, no conflicts and no public insults… Clear agreements, understandable to everyone. No undercutting percentages or deposits. This way, we can all increase our income and dictate market conditions. Call it whatever you like — coalition, cartel, etc. The main thing is to stay in touch, be friendly to each other, and be strong allies, not enemies. There’s enough pie here for everyone.”

LockBit: “I completely agree with you. I love you and I don’t wish you anything bad. As people are to me, so I am to people.”

LockBit: “Give me your Tox [ID], I’ll add you as a friend.”

Chat exchange on the RAMP forum where DragonForce proposed forming a cartel with LockBit and Qilin

What Does the Ransomware Landscape Look Like in 2025?

Ransomware remains one of the most profitable forms of cybercrime. Groups continue to innovate with multi-extortion techniques, supply chain attacks, and campaigns against critical infrastructure.

Law enforcement has had some successes, but the ecosystem adapts quickly. Affiliates now play a central role, moving between different Ransomware-as-a-Service (RaaS) offerings depending on profits and risks. A cartel model could reduce this competition and bring more predictable profits for the criminals.

DragonForce has evolved from small campaigns into a recognized brand. Known for its aggressive tactics and strong online presence, the group now seeks to position itself as a leader. Their cartel proposal underlines an ambition to expand influence and consolidate power.

Qilin has also risen fast, carrying out frequent attacks across industries and attracting affiliates who once favored LockBit or BlackCat. Their inclusion in the cartel talks highlights their growing status as a top-tier ransomware player.

LockBit 5.0 “Secure Blog” Infrastructure Already Exposed

Shortly after LockBit 5.0 announced a “new secure blog domain with multi-layered protection,” researchers and media started to pick that claim apart. On December 7, 2025, the infrastructure behind the new leak site was already public, after security researcher Rakesh Krishnan shared the server details on X.

New “secure” blog domain

Key details observed:

  • IP: 205.185.116.233
  • Domain: karma0[.]xyz
  • RDP open on 3389
  • Hostname: WINDOWS-401V6QI
  • Server stack: Apache/2.4.58 (Win64), OpenSSL/3.1.3, PHP/8.0.30

The leak site also includes old entries and recycled material from previous LockBit operations and even from unrelated groups. This weakens LockBit’s attempt to rebuild its reputation after earlier disruptions and suggests its current operation is still unstable.

Shared victims on their new DLS

From a defensive viewpoint, these findings offer clear indicators for blocking and hunting. They also highlight that the group’s operational security remains uneven, even as it tries to project confidence with version 5.0.
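
The indicators under “Key details observed” can be matched against firewall, DNS, proxy, and RDP telemetry. The sketch below is an added example, not code from SOCRadar or the researcher; the log formats, sample lines, and function names are constructed for illustration.

```python
import ipaddress
import re

# Indicators exactly as listed in "Key details observed" (domain is defanged there).
PAGE_IOCS = {"ip": "205.185.116.233", "domain": "karma0[.]xyz",
             "hostname": "WINDOWS-401V6QI"}

def refang(text):
    """Undo common defanging so karma0[.]xyz matches karma0.xyz in logs."""
    return text.replace("[.]", ".").replace("hxxp", "http")

IOC_IP = ipaddress.ip_address(PAGE_IOCS["ip"])
IOC_DOMAIN = refang(PAGE_IOCS["domain"]).lower()
IOC_HOST = PAGE_IOCS["hostname"].lower()

# Extract whole dotted quads only, so 205.185.116.2330 is not read as the indicator.
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")
# Extract whole DNS-style names, so notkarma0.xyz is not mistaken for karma0.xyz.
NAME_RE = re.compile(r"[a-z0-9_-]+(?:\.[a-z0-9_-]+)*")

def match_line(line):
    """Return the sorted indicator types present in one log line."""
    hits = set()
    for tok in IP_RE.findall(line):
        try:
            if ipaddress.ip_address(tok) == IOC_IP:
                hits.add("ip")
        except ValueError:
            pass  # not a valid IPv4 address (e.g. 999.1.1.1)
    for name in NAME_RE.findall(refang(line).lower()):
        if name == IOC_DOMAIN or name.endswith("." + IOC_DOMAIN):
            hits.add("domain")  # apex or any subdomain
        if name == IOC_HOST:
            hits.add("hostname")
    return sorted(hits)

def hunt(lines):
    """Return (line_index, indicator_types) for every line with a hit."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := match_line(line))]

SAMPLE_LOGS = [  # constructed for this example, not real telemetry
    "2025-12-08T10:01:02Z fw allow src=10.0.4.17 dst=205.185.116.233 dport=3389",
    "2025-12-08T10:01:05Z dns client=10.0.4.17 query=cdn.karma0.xyz. type=A",
    "2025-12-08T10:02:11Z proxy GET http://notkarma0.xyz/ 200",
    "2025-12-08T10:03:40Z fw allow src=10.0.4.9 dst=205.185.116.23 dport=443",
    "2025-12-08T10:04:00Z rdp cert subject=CN=WINDOWS-401V6QI peer=205.185.116.233",
    "ticket note: analyst pasted karma0[.]xyz from the report",
]
```

Hosting addresses get reassigned and a hostname baked into a VM image can appear on more than one machine, so treat a hit as a lead to correlate with timing and the other indicators rather than as a verdict.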

In Conclusion

What once looked like a fractured landscape of competing crews is showing signs of consolidation, with groups openly discussing rules, alliances, and shared profits.

For defenders, this matters. A coordinated cartel would not only raise the technical bar but also stabilize the business model for affiliates, making it harder to exploit rivalries or disruptions. It’s a reminder that cybercrime is not static: it learns, reorganizes, and borrows strategies from legitimate markets.

Whether this “cartel” holds or collapses under the weight of egos and distrust, the signal is clear: ransomware remains adaptable, and the cybersecurity community must be just as agile in anticipating its next move.