
Attack alert: lockbit5 targets rjwalker.com - GB

DataInTheDark Alert System

Introduction

On December 5, 2025, the ransomware group Lockbit5 claimed responsibility for a cyberattack against rjwalker.com, a British manufacturer of industrial equipment founded in 1946. This manufacturing company, which employs between 50 and 100 people and has an annual turnover of £15 million, is facing a SIGNAL-level compromise according to the XC classification. The incident potentially exposes B2B customer data, confidential technical plans, and connected production systems, placing this family-owned business, established for nearly 80 years, at the heart of a major cybersecurity crisis.

This attack illustrates the persistent vulnerability of medium-sized industrial companies to sophisticated cybercriminal threats. For rjwalker.com, the consequences extend far beyond the technical realm: the compromise threatens the confidentiality of B2B business relationships, the intellectual property associated with industrial equipment, and the operational continuity of production systems. The SIGNAL level assigned by our XC-Classify analysis indicates a detected exposure, but its precise extent is still being assessed, requiring increased vigilance from business partners and customers.

Detailed analysis

The intrusion occurs within a context where the UK manufacturing sector is experiencing increasing cybercriminal pressure, with malicious actors systematically targeting industrial infrastructure for its strategic value. Data certified on the Polygon blockchain via the XC-Audit protocol confirms the veracity of this claim, enabling immutable traceability of the incident, unlike traditional centralized verification systems.

Understanding XC criticality levels and their significance is essential for assessing the true severity of such compromises and tailoring response measures.

The cybercriminal collective lockbit5 operates according to the Ransomware-as-a-Service (RaaS) model, a structure that decentralizes attack operations while pooling technical resources. This approach allows independent affiliates to use the encryption infrastructure developed by the main operators, in exchange for a share of the ransoms collected.

Currently active, Lockbit 5 continues the legacy of previous Lockbit iterations, which dominated the ransomware landscape between 2019 and 2024 before the partial takedowns orchestrated by international authorities. The RaaS model adopted by this group significantly lowers the barrier to entry for less technically skilled cybercriminals, creating an ecosystem where specialization reigns supreme: developers design the malware, initial access brokers compromise networks, and affiliates orchestrate the final extortion.

The tactics employed generally follow a tried-and-tested pattern: exploitation of unpatched vulnerabilities or compromised credentials for initial access, lateral movement within the network to identify critical assets, exfiltration of sensitive data before encryption, and then deployment of the ransomware accompanied by a ransom demand. Double extortion—the threat of publishing stolen data in addition to encryption—is now the operational standard for maximizing pressure on victims.

A complete analysis of the Lockbit5 group and its evolution contextualizes this attack within the broader trajectory of the collective and anticipates their next potential targets.

Previous victims of the Lockbit family span all economic sectors, from financial services to critical infrastructure, demonstrating an opportunistic rather than sector-specific approach. This indifference to targets reflects the purely financial logic of the RaaS model, where affiliates select their victims based on their presumed ability to pay rather than strategic criteria.

Founded in 1946, rjwalker.com embodies nearly eight decades of expertise in manufacturing industrial equipment, a remarkable longevity in a constantly evolving technological sector. This British family business, which generates £15 million in annual revenue with a workforce of 50 to 100 employees, represents the typical profile of a European industrial SME: highly specialized technical expertise, long-standing B2B customer relationships, and a progressively modernized digital infrastructure.

The website https://www.rjwalker.com serves as the digital storefront for this manufacturing organization, but the breach reveals the growing interconnectedness between its online presence and internal operational systems. The confidential technical plans mentioned in our analysis constitute the core of the company's intellectual property, representing decades of engineering and incremental innovation. Their potential exposure directly threatens rjwalker.com's competitive advantage in its markets.

The exposed B2B customer data likely includes contractual information, order histories, and customized technical specifications—all of which, in the wrong hands, could compromise the confidentiality of established business relationships. For a company of this size, the loss of customer trust resulting from a data breach can prove more financially damaging than the ransom itself.

Connected production systems, characteristic of Industry 4.0, which is being progressively adopted by the manufacturing sector, represent a particularly critical attack surface. Their compromise can lead to prolonged production downtime, product quality losses, or even risks to the physical safety of operators. This vulnerability illustrates the dilemma faced by industrial SMEs: modernizing to remain competitive while securing infrastructures historically designed without cybersecurity considerations.

Other attacks in the manufacturing sector and their impacts reveal attack trends specifically targeting manufacturers and recurring sector-specific vulnerabilities.

The SIGNAL level assigned to this compromise by our XC classification system indicates a detected exposure whose precise scope and extent are still being analyzed. Unlike the MINIMAL, PARTIAL, or FULL levels, which clearly quantify the volume of data disclosed, SIGNAL status indicates an active investigation phase where the presence of a threat is confirmed, but its full extent has not yet been established.

This classification is based on certified analysis of available metadata and public claims from the lockbit5 group, verified via our XC-Audit protocol on the Polygon blockchain. The lack of granular details on the exact nature of the compromised files—technical schematics, customer databases, or operational systems—currently prevents a precise NIST assessment, which requires a comprehensive mapping of the exposed assets.

The incident timeline begins on December 5, 2025, with the publication of the claim on lockbit5's usual communication channels. Our analysis of the certified data reveals that the initial intrusion likely preceded this announcement by several weeks, during which time the attackers mapped the network, identified valuable data, and prepared the exfiltration. This latency between compromise and public disclosure is a recurring characteristic of sophisticated ransomware operations.

The risks to exposed data vary depending on its type: confidential technical plans could be resold to competitors or used for reverse engineering; B2B customer data threatens GDPR compliance if it includes personal information of business contacts; and the compromise of connected production systems could enable subsequent attacks against rjwalker.com customers using the manufactured equipment.

The initial attack vector remains unconfirmed at this stage, but a review of recent Lockbit5 campaigns suggests several likely hypotheses: exploitation of unpatched vulnerabilities in perimeter network equipment, compromise of credentials via targeted phishing against employees with privileged access, or exploitation of poorly secured VPN configurations allowing remote access to industrial systems.

Frequently Asked Questions

When did the attack by lockbit5 on rjwalker.com occur?

The attack occurred on December 5, 2025 and was claimed by lockbit5. The incident can be tracked directly on the dedicated alert page for rjwalker.com.

Who is the victim of lockbit5?

The victim is rjwalker.com, which operates in the manufacturing sector. The company is located in the United Kingdom. Visit rjwalker.com's official website. To learn more about the lockbit5 threat actor and their other attacks, visit their dedicated page.

What is the XC protocol level for the attack on rjwalker.com?

The XC protocol level is currently at XC SIGNAL status, meaning the attack on rjwalker.com has been claimed by lockbit5 but has not yet been confirmed by our community. Follow the progress of this alert.

Conclusion

The UK manufacturing sector faces increasing cybercrime pressure in 2025, with manufacturers representing prime targets due to their combination of valuable intellectual property, critical operational systems, and often insufficient cybersecurity maturity compared to the financial or technology sectors. The attack on rjwalker.com is part of this worrying trend where industrial SMEs, pillars of the UK economy, are becoming recurring victims.

Proof of the leak on rjwalker.com
