The leak site | Image: Trend Micro
Trend Research has released an in-depth analysis of LockBit 5.0, the latest evolution of one of the world’s most notorious ransomware families. Emerging after the February 2024 Operation Cronos law enforcement takedown, LockBit resurfaced in September for its sixth anniversary, unveiling a new version that significantly raises the stakes for enterprises worldwide.
Trend Research confirmed that LockBit 5.0 is not limited to traditional Windows environments. “The existence of Windows, Linux, and ESXi variants confirms LockBit’s continued cross-platform strategy, enabling simultaneous attacks across entire enterprise networks including virtualized environments.”
- Windows Variant: Employs DLL reflection loading with heavy obfuscation, patches Windows Event Tracing APIs, and terminates over 60 security services before clearing event logs.
- Linux Variant: Provides a command-line interface mirroring Windows, capable of targeting specific directories and file types, with detailed logging for affiliates.
- ESXi Variant: Specifically designed to encrypt VMware virtualization infrastructure, allowing attackers to cripple dozens or even hundreds of virtual machines in one strike.
The technical enhancements make LockBit 5.0 a formidable challenge for defenders. According to Trend Research, “The Windows binary uses heavy obfuscation and packing: it loads its payload through DLL reflection while implementing anti-analysis techniques like ETW patching and terminating security services.”
The ransomware also clears all event logs after encryption using the EvtClearLog API, and it refuses to run on systems whose language or geolocation settings identify them as Russian.
Another hallmark is the use of randomized 16-character file extensions for encrypted files, complicating recovery and detection efforts.
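A defender-side heuristic for that hallmark, added here as an illustration and not taken from the Trend Micro report: flag files whose final extension is exactly 16 alphanumeric characters with high character entropy, then group hits by extension so a mass-rename shows up as one cluster. The pattern, entropy threshold and sample listing are all assumptions constructed for this example.

```python
import math
import re
from collections import Counter

# Assumed heuristic (not from the report): exactly 16 alphanumeric characters.
RANDOM_EXT = re.compile(r"^[A-Za-z0-9]{16}$")
# Assumed threshold: 16 distinct characters score 4.0 bits per character,
# while a padded or repeated extension scores close to 0.
MIN_BITS_PER_CHAR = 3.0

def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_ransomware_extension(ext: str) -> bool:
    """True if ext matches the random 16-character pattern and is high-entropy."""
    return bool(RANDOM_EXT.match(ext)) and shannon_entropy(ext) >= MIN_BITS_PER_CHAR

def final_extension(path: str) -> str:
    """Text after the last dot of the basename; works for Windows and POSIX paths."""
    name = re.split(r"[\\/]", path)[-1]
    return name.rsplit(".", 1)[-1] if "." in name else ""

def flag_encrypted_files(paths):
    """Return {extension: [paths]} for files whose final extension looks random."""
    hits = {}
    for p in paths:
        ext = final_extension(p)
        if looks_ransomware_extension(ext):
            hits.setdefault(ext, []).append(p)
    return hits

# Constructed sample listing; the 16-character extensions are made up here.
SAMPLE_LISTING = [
    r"C:\Finance\Q3-report.xlsx.Q7xkP2mA9vLc4RtZ",
    r"C:\Finance\budget.docx.Q7xkP2mA9vLc4RtZ",
    r"C:\Finance\README.txt",
    "/srv/app/node_modules/module.js",
    r"C:\Backups\db.sql.aaaaaaaaaaaaaaaa",   # 16 chars but zero entropy
    r"C:\HR\policy.pdf.zzzzzzzzzzzzzzz1",    # 16 chars, entropy far below threshold
]

if __name__ == "__main__":
    for ext, files in flag_encrypted_files(SAMPLE_LISTING).items():
        print(f"{ext}: {len(files)} file(s)")
```

Run against a file-server listing or an EDR file-rename feed, a single extension shared by many freshly renamed files is the signal worth alerting on; a lone hit is more likely a legitimate oddly named file.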
LockBit 5.0 preserves the group’s streamlined victim interaction model. Upon execution, it generates a signature ransom note that directs victims to a dedicated leak site with a “Chat with Support” section for negotiations.
This model ensures LockBit remains attractive to affiliates, offering flexibility and a familiar interface across platforms.
Despite its improvements, LockBit 5.0 builds directly on its predecessor rather than being a full rewrite. “Both versions share identical hashing algorithms for string operations, a critical component for API resolution, and service identification… LockBit 5.0 represents a continuation of the LockBit ransomware family and is not an imitation or rebrand by different threat actors.”
This evolutionary model allows LockBit developers to incrementally improve their platform while preserving stability and affiliate trust.
LockBit 5.0 underscores that no platform is safe from modern ransomware. With variants tailored for Windows, Linux, and ESXi, combined with advanced obfuscation and anti-forensic measures, the ransomware-as-a-service group demonstrates resilience even after global law enforcement actions.
As Trend Research warns, “Heavy obfuscation across these new variants significantly delays detection signature development, while technical improvements including removed infection markers, faster encryption, and enhanced evasion make LockBit 5.0 significantly more dangerous than its predecessors.”