Operational activities of LockBit cybercrime collective resume following dismantlement efforts

Persistent resurfacing of LockBit, deemed unsurprising by experts, raises ongoing concerns for authorities, possibly signaling the end of the LockBit brand.

Renewed Activities by LockBit Hackers Following Shutdown

In the realm of cybersecurity, the cat-and-mouse game between ransomware groups and law enforcement continues. While the AlphV ransomware group, formerly known as LockBit, has reemerged on the dark web, its counterpart, LockBit, has not been confirmed to have relaunched operations after a global law enforcement takedown in 2025.

Instead, a suspected China-based group known as Storm-2603, which has historically deployed LockBit ransomware variants, has resurfaced under the name Warlock ransomware. This group is exploiting SharePoint vulnerabilities to deploy the ransomware on targeted systems globally, including critical U.S. federal agencies.

The current status of LockBit's new dark web leak site remains unclear. No direct information from the results indicates that LockBit itself has relaunched a new leak site or resumed its operations under the original moniker. Instead, activity associated with former LockBit infrastructure overlaps with Storm-2603 deploying a different ransomware family (Warlock).

Other ransomware groups have demonstrated rebranding and relaunches post-takedown, but a LockBit-specific relaunch is not evidenced in these latest findings. This suggests continued ransomware threats from related or former LockBit affiliates but not a direct resurrection of LockBit itself with an active new dark web leak site as of August 2025.

The relaunch of LockBit is not a surprise to cybersecurity experts. Brett Callow, threat analyst at Emsisoft, states that the disruption of LockBit does not mean the brand is dead but that it is unlikely anyone would trust an operation that was so completely compromised.

Meanwhile, the AlphV ransomware group remains active and continues to list new victims on its data leak site. The global takedown effort against LockBit resulted in the seizure of approximately 11,000 domains and servers located around the globe. The LockBit takedown was widely applauded and regarded as one of the most significant wins for law enforcement in the war against ransomware to date.

However, ransomware groups often reemerge after law enforcement takedowns to continue their criminal activity, albeit in a diminished capacity. The relaunch of LockBit underscores the cockroach-like resilience of some ransomware groups, which can be difficult to take out of action permanently.

Corporate stakeholders are seeking to better understand the risk calculus of their technology stacks, answering the question: Are we a target? Despite the continued activity of LockBit, the takedown was a significant win for law enforcement in the war against ransomware. Multiple alleged LockBit affiliates were arrested during the takedown.

Law enforcement can likely provide victims with decryptors for the LockBit ransomware attacks that occurred before the takedown. The continued activity of LockBit does not alter this fact. The FBI did not immediately respond to a request for comment regarding the LockBit ransomware group's reestablishment.

As the battle against ransomware continues, it is clear that law enforcement's efforts are making a difference. However, the resilience of some groups, like LockBit's affiliates, underscores the need for continued vigilance and collaboration between law enforcement agencies and the private sector.

  1. The rebranding of a suspected China-based group, previously deploying LockBit ransomware, to Warlock ransomware signifies a potential shift in the threat landscape, demonstrating the adaptability of ransomware groups in the face of cybersecurity measures and law enforcement actions.
  2. The AlphV ransomware group, not LockBit, remains active and continues to list new victims on its data leak site, showing the resilient nature of ransomware groups and their ability to persist even after law enforcement actions like the global takedown of LockBit.
  3. As the cybersecurity domain evolves, threat intelligence can play a crucial role in identifying and responding to ongoing cyber threats, such as ransomware, ensuring that both law enforcement and the private sector are equipped with the necessary resources to combat these criminal activities, as demonstrated by the post-takedown relaunch of ransomware groups like LockBit.
