LockBit5
LockBit5 is an active ransomware group described in the provided reporting as a reemergent LockBit-branded operation that regained momentum after Operation Cronos. It was highlighted as an emerging ransomware group whose activity increased sharply in March 2026, ranked among the most active groups in late 2025 and Q1 2026, and was listed as second by share of published attacks in December 2025, although reporting also noted that many late-December victim disclosures appeared to be duplicated from earlier incidents. The group is associated with ransomware and data-leak-site extortion activity, including adding Insight Hospital and Medical Center in Chicago to its leak site on December 4, 2025 and claiming theft of nearly 200 GB of medical data.
The reporting states that LockBit5 evolved its tradecraft by adding P2P encrypted communications to its existing Tor-based infrastructure and by using randomly generated file extensions after encryption to hinder detection. ESRC assessed that LockBit5, alongside Qilin and DragonForce, reflects an evolution toward a distributed ransomware supply chain sharing infrastructure and tactics. The same reporting notes that DragonForce publicly announced a strategic alliance with LockBit and Qilin on a Russian-language underground forum in September 2025.
Based on the provided content, LockBit5 targets organizations across multiple sectors, with healthcare explicitly referenced through the Insight Hospital case. No additional aliases, sub-groups, or high-confidence attribution to a specific nation state are directly stated in the content.
Tradecraft
5 distinct techniques observed across reporting, grouped by tactic.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A ransomware group that remained active but showed a notable decline in incidents during April 2026.
Resurgent ransomware group recovering after Operation Cronos, evolving its infrastructure with P2P-encrypted communications and randomized post-encryption extensions, and participating in a strategic alliance with Qilin and DragonForce.
Referenced as one of the leading ransomware groups by Q1 2026 activity volume.
Ransomware/extortion activity against a Chicago hospital; claims large-scale data theft and publication on a leak site.