Malware | December 27, 2025 | 5 min read

LockBit5 Claims 53 Victims in Single Day as Holiday Attacks Surge

Ransomware tracking data shows 63 total claims from 6 groups on December 26. LockBit's revival dominates holiday attack wave targeting reduced security staff.

James Rivera

Ransomware groups maintained aggressive operations through the Christmas holiday, with tracking data showing 63 victim claims from six different groups on December 26 alone. LockBit5—the latest iteration of the notorious ransomware operation—accounted for 53 of those claims, demonstrating the group's continued activity despite repeated law enforcement disruptions.

TL;DR

  • What happened: 63 ransomware victim claims across 32 countries on December 26, with LockBit5 responsible for 53
  • Who's affected: Organizations across manufacturing, technology, and healthcare sectors; Japanese, US, and European targets prominent
  • Severity: High - coordinated holiday timing exploits reduced security staffing
  • Action required: Organizations should maintain security coverage through holidays and review incident response readiness

Holiday Attack Patterns

The December 26 activity follows a well-documented pattern. According to a Semperis report, 52% of ransomware attacks in the past year occurred on weekends or holidays. The timing is deliberate—78% of organizations reduce security staff during these periods.

Last year's Treasury Department intrusion by Chinese hackers during the final week of December underscores the risk. Threat actors understand that skeletal IT teams, delayed response times, and reduced monitoring create exploitation windows.

The six groups active on December 26:

Group         | Claims | Notable Targets
LockBit5      | 53     | Multiple sectors globally
Akira         | 3      | agralite.coop (agriculture)
SafePay       | 2      | 47club.jp (Japan)
BlackShrantac | 2      | acpagro.com
WorldLeaks    | 2      | Chatham Asset (finance)
Other         | 1      | Various

What is LockBit5?

LockBit has proven remarkably resilient. Despite a February 2024 law enforcement operation that seized infrastructure and arrested affiliates, the group rebuilt. LockBit5 represents their current operational phase, maintaining the ransomware-as-a-service model that made earlier versions prolific.

The group provides ransomware tooling to affiliates who conduct the actual intrusions. This distributed model makes LockBit difficult to disrupt permanently—seizing central infrastructure doesn't stop affiliates already operating with existing tools.

LockBit's December activity suggests business as usual. The 53 claims in a single day, while possibly inflated by delayed postings from earlier compromises, indicate sustained operational tempo.

2025 Ransomware Landscape

The holiday surge fits broader 2025 trends. According to ransomware tracking site Ransomware.live, 306 groups listed 7,902 victims this year—significantly higher than 6,129 in 2024 and 5,336 in 2023.

Sector breakdown for 2025:

  1. Manufacturing: 930 victims
  2. Technology: 893 victims
  3. Healthcare: 529 victims

US organizations represented nearly half of all victims (3,328), consistent with prior years. The concentration reflects both the US economy's size and American companies' willingness to pay ransoms.

Why Holiday Attacks Work

Several factors make holidays attractive for ransomware operators:

Reduced staffing. Security operations centers run skeleton crews. Incident response teams may be unavailable. Decision-makers needed to authorize emergency actions are on vacation.

Detection delays. Abnormal activity that would trigger investigation on a normal workday goes unnoticed. Attackers have more time to establish persistence, exfiltrate data, and stage encryption.

Recovery pressure. Organizations face pressure to restore operations before business resumes. This urgency can push victims toward paying ransoms rather than pursuing slower recovery options.

IT maintenance windows. Many organizations schedule system updates and maintenance during holidays. This activity can mask malicious behavior and reduce alerting effectiveness.

Defensive Recommendations

  1. Maintain security coverage - Don't reduce SOC staffing during holidays; consider managed detection and response services to fill gaps
  2. Pre-position incident response - Ensure IR team contacts and procedures are documented and accessible; brief backup personnel
  3. Freeze unnecessary changes - Limit IT changes during holidays to reduce noise in security monitoring
  4. Test backup restoration - Verify backup integrity and restoration procedures before holiday periods
  5. Brief executives - Ensure leadership understands they may need to make quick decisions on incident response authorization

Organizations should also review their ransomware playbooks. The time to establish communication with legal counsel, insurers, and incident response firms is before an attack—not during a holiday weekend scramble.

Notable December 26 Targets

Beyond aggregate numbers, specific targeting shows ransomware groups' breadth:

  • 47club.jp: Japanese organization hit by SafePay
  • agralite.coop: Agricultural cooperative targeted by Akira
  • Chatham Asset: Financial services firm claimed by WorldLeaks
  • acpagro.com: Agribusiness targeted by BlackShrantac

The agricultural sector's presence reflects ransomware groups' expansion beyond traditional technology and healthcare targets. Critical infrastructure adjacent to food production faces growing risk.

Frequently Asked Questions

Is my organization at higher risk during holidays?

Yes. The combination of reduced security staffing, delayed detection, and pressure to restore operations quickly makes holidays prime time for ransomware attacks. Organizations should plan accordingly.

What should I do first to prepare?

Ensure you have documented, tested incident response procedures that don't depend on specific individuals. Verify backup integrity and restoration capabilities. Consider whether you have adequate security monitoring coverage through holiday periods.

How can I tell if we've been targeted?

Monitor for unusual authentication activity, unexpected remote access, large data transfers, and disabled security tools. Many ransomware groups dwell in networks for days before detonating—early detection during this phase offers the best chance to limit damage.
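
The four signals named in this answer are more useful when correlated per host and restricted to reduced-staffing periods, which is when they are most likely to go unreviewed. The sketch below is an added example, not part of the original article: the log format, thresholds, holiday calendar and host names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import date, datetime

# Assumed site calendar of reduced-staffing days (constructed for this example).
HOLIDAYS = {date(2025, 12, 25), date(2025, 12, 26)}
TRANSFER_BYTES = 5 * 1024**3  # assumed threshold for a "large" outbound transfer
# Constructed sample events in an assumed format: timestamp host kind key=value...
SAMPLE = """\
2025-12-23T10:02:11 ws-014 auth user=jlee result=fail count=3
2025-12-26T02:14:40 fs-01 auth user=svc_backup result=fail count=41
2025-12-26T02:31:05 fs-01 remote_access user=svc_backup tool=rdp src=external
2025-12-26T03:05:52 fs-01 security_tool name=edr_agent state=stopped
2025-12-26T03:40:19 fs-01 transfer direction=out bytes=18253611008
2025-12-26T09:12:00 ws-022 remote_access user=mchan tool=vpn src=external
"""

def parse(line):
    ts, host, kind, *pairs = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind,
            **dict(p.split("=", 1) for p in pairs)}

def signal(ev):
    """Map an event to one of the four signal classes from the FAQ, or None."""
    k = ev["kind"]
    if k == "auth" and ev["result"] == "fail" and int(ev["count"]) >= 10:
        return "unusual_auth"
    if k == "remote_access" and ev["src"] == "external":
        return "remote_access"
    if k == "transfer" and ev["direction"] == "out" and int(ev["bytes"]) >= TRANSFER_BYTES:
        return "large_transfer"
    if k == "security_tool" and ev["state"] in ("stopped", "disabled"):
        return "security_tool_disabled"
    return None

def reduced_staffing(ts):
    # Weekends plus the configured holiday calendar.
    return ts.weekday() >= 5 or ts.date() in HOLIDAYS

def triage(text, min_signals=2):
    """Hosts with >= min_signals distinct signal classes during reduced staffing."""
    seen = defaultdict(set)
    for line in text.splitlines():
        ev = parse(line)
        sig = signal(ev)
        if sig and reduced_staffing(ev["ts"]):
            seen[ev["host"]].add(sig)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_signals}

if __name__ == "__main__":
    print(triage(SAMPLE))  # hosts to escalate, with the signals that fired
```

Requiring two or more distinct signal classes on the same host keeps a single holiday VPN login from paging the on-call analyst while still surfacing the combined pattern early.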
