New LockBit 5.0 variants, affiliate panel uncovered

Infamous ransomware-as-a-service operation LockBit launched four new variants of its latest LockBit 5.0 payload last week, GBHackers News reports.

Windows systems have been targeted by the LB_Black_14_01_2026 variant, while the LB_Linux_14_01_2026, LB_ESXi_14_01_2026, and LB_ChuongDong_14_01_2026 versions have been aimed at Linux systems, VMware ESXi hypervisors, and specialized deployments, respectively, according to findings from Flare.io. Additional analysis of LockBit 5.0's affiliate panel showed that the RaaS operation has retained its primary operational procedures following its partial shutdown as part of Operation Cronos.

Researchers found that the latest LockBit 5.0 affiliate panel, which had holiday-themed elements, enabled simultaneous management of two or more attack campaigns, while featuring attack coordination, payment negotiations, and onboarding options. The emergence of four new LockBit 5.0 iterations should prompt organizations to adopt threat detection signatures and prioritize endpoint detection and response warnings, researchers added.
