In February 2024, law enforcement dismantled LockBit’s infrastructure, seized their site, arrested affiliates, and publicly named their admin. One of the most visible ransomware takedowns ever.

207 victims in 2026. They’re back. Same affiliate model, rebuilt infrastructure, new platform.

This is what ransomware resilience actually looks like. You can seize servers and embarrass operators. You can’t arrest an idea.

LockBit 5.0 is engineered specifically to kill your EDR tools. It overwrites Windows kernel telemetry so Event Tracing for Windows goes dark. Everything that depends on ETW goes with it. Standard endpoint tools miss it not because they’re misconfigured but because the malware was built to exploit how they work.
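Because tools that depend on ETW go quiet along with it, one way to notice the condition is to compare ETW-backed telemetry against a liveness signal that does not rely on ETW. The sketch below is an added example, not code from the original post or from any vendor; the record format, source labels, host names and the 10-minute threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records: (host, ISO timestamp, source).
# "etw"       = an event that reached the collector from an ETW-backed sensor.
# "heartbeat" = an independent liveness sighting (assumed: network-side,
#               e.g. a flow or DHCP record), not produced via ETW.
SAMPLE = [
    ("ws-01", "2026-04-02T10:00:00", "etw"),
    ("ws-01", "2026-04-02T10:00:00", "heartbeat"),
    ("ws-01", "2026-04-02T10:10:00", "etw"),
    ("ws-01", "2026-04-02T10:10:00", "heartbeat"),
    ("ws-02", "2026-04-02T10:00:00", "etw"),
    ("ws-02", "2026-04-02T10:02:00", "etw"),        # last ETW-backed event
    ("ws-02", "2026-04-02T10:15:00", "heartbeat"),  # host is still on the network
    ("ws-02", "2026-04-02T10:30:00", "heartbeat"),
    ("ws-03", "2026-04-02T10:00:00", "etw"),        # both signals stop together:
    ("ws-03", "2026-04-02T10:00:00", "heartbeat"),  # consistent with a shutdown
    ("ws-04", "2026-04-02T10:20:00", "heartbeat"),  # alive, never sent ETW data
]

def find_blind_hosts(records, max_gap=timedelta(minutes=10)):
    """Return {host: (last_etw, last_heartbeat)} for hosts that are alive per
    the independent heartbeat but whose ETW-backed events stopped more than
    max_gap before that heartbeat (or never arrived at all)."""
    last = {}
    for host, ts, source in records:
        t = datetime.fromisoformat(ts)
        seen = last.setdefault(host, {})
        if source not in seen or t > seen[source]:
            seen[source] = t  # keep only the newest sighting per source

    blind = {}
    for host, seen in last.items():
        hb = seen.get("heartbeat")
        if hb is None:
            continue  # no independent signal, so silence proves nothing
        etw = seen.get("etw")
        if etw is None or hb - etw > max_gap:
            blind[host] = (etw, hb)
    return blind

if __name__ == "__main__":
    for host, (etw, hb) in sorted(find_blind_hosts(SAMPLE).items()):
        print(f"{host}: last ETW-backed event {etw}, last heartbeat {hb}")
```

A host that drops both signals at once (ws-03) is not flagged, which keeps ordinary shutdowns out of the alert queue.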

Winona County, Minnesota is the story that sticks. They got hit in January. Governor issued an emergency declaration. National Guard responded. They recovered, hardened their systems, documented lessons. Got hit again in April. The hardening from January worked: 911 and emergency services stayed up. A different vector got in anyway. Two emergency declarations. National Guard twice. Three months apart.

That’s not a story about failure to learn. It’s a story about why targeted fixes and a security posture aren’t the same thing. A county government can’t harden every possible entry point at once. The next attacker won’t use the same door.

