Just eighteen months ago, the cybersecurity world celebrated “Operation Cronos,” a massive law enforcement crackdown that promised to dismantle the LockBit ransomware empire. Yet, in a stark reminder of the resilience of modern cybercrime, the group has resurfaced more aggressive than ever. A new technical report from Picus Labs reveals that LockBit has not only survived but evolved, launching LockBit 5.0—a cross-platform, stealth-optimized variant that renders previous defenses obsolete.
Following the February 2024 disruption, which saw authorities compromise LockBit’s administration panel and release decryption keys, the group suffered a significant drop in infections. However, this silence was merely a regrouping phase.
In early September 2025, the group announced its return for its “sixth anniversary,” deploying LockBit 5.0. Security researchers now warn that “LockBit 5.0 is considered significantly more dangerous than its predecessors,” signaling that the group is actively evolving its codebase to bypass modern security controls.
The report details a clear lineage of technical escalation, moving from the C/C++ architecture of LockBit 3.0 to the experimental .NET-based “NG-Dev” variant, and finally to the polished LockBit 5.0.
1. LockBit 3.0 (Black): The Foundation
This version set the standard for the group’s operations, utilizing a “hybrid cryptographic approach” that combined a modified Salsa20 algorithm for file encryption with 1024-bit RSA keys for protecting the decryption keys.
Anti-Analysis: It employed “dynamic API resolution via hashing” and trampoline code to confuse security researchers attempting to reverse-engineer the malware.
Evasion: It aggressively targeted Windows protections, using the Trusted Installer token to “enumerate, stop, and delete predefined Windows Security Services,” including Windows Defender.
2. LockBit-NG-Dev: The Experimental Bridge
Discovered during the 2024 takedown, this “Next Gen” prototype marked a shift to .NET, compiled using CoreRT to evade static detection.
JSON Configuration: Unlike previous versions that hardcoded instructions, this variant relied on an “embedded JSON configuration that is decrypted at runtime,” dictating everything from target dates to encryption modes.
Anti-Forensics: It featured a “SelfDelete” flag that, when enabled, overwrote the executable’s on-disk data with null bytes to frustrate forensic recovery.
3. LockBit 5.0: The New Standard
The latest iteration is a true cross-platform threat, capable of targeting Windows, Linux, and VMware ESXi environments with a unified command-line interface.
New “Invisible” and “Wiper” Modes: LockBit 5.0 introduces terrifying new operational modes controlled via command-line arguments:
- Invisible Mode (-i): This activates a stealth state where the malware “encrypts files without appending the 16-character extension” and suppresses ransom notes, blending seamlessly with legitimate system activity.
- Anti-Forensics (-w): A new flag that triggers a routine to “overwrite free disk space after the encryption process is complete,” making file recovery impossible.
Blinding the Defenders: To operate undetected, LockBit 5.0 patches the EtwEventWrite API in user mode, overwriting the function’s beginning with a return instruction (0xC3). This effectively “disables Windows Event Tracing,” blinding security solutions that rely on these logs to detect anomalies. Furthermore, it executes the EvtClearLog API to wipe all event logs upon completion, scrubbing the crime scene clean.
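As an added illustration (not code from the article or the Picus Labs report), here is a defender-side integrity check for the patch just described: it classifies the first bytes of an exported function as intact, patched or otherwise modified and, on Windows, can read the live prologue of `EtwEventWrite` from ntdll for comparison. The sample bytes and the reference prologue are constructed, and the xor/ret patterns are an assumption beyond the single `ret` byte the article names.

```python
import ctypes
import platform
from typing import Optional

# Prologue shapes a user-mode ETW patch leaves behind. The article describes
# the single-byte `ret` (0xC3) form; the xor/ret forms zero the return value
# first and are listed here as an assumption, not something the report states.
KNOWN_PATCHES = {
    b"\xc3": "ret",
    b"\x31\xc0\xc3": "xor eax,eax; ret",
    b"\x33\xc0\xc3": "xor eax,eax; ret",
}


def classify_prologue(prologue: bytes, reference: bytes = b"") -> str:
    """Classify the leading bytes of an exported function.

    Returns "patched:<shape>" when the prologue starts with a known patch,
    "modified" when a reference copy (e.g. the on-disk export) was supplied
    and the live bytes differ from it, and "intact" otherwise.
    """
    for pattern, shape in KNOWN_PATCHES.items():
        if prologue.startswith(pattern):
            return f"patched:{shape}"
    if reference and prologue[: len(reference)] != reference:
        return "modified"
    return "intact"


def read_live_prologue(func: str = "EtwEventWrite", module: str = "ntdll",
                       n: int = 8) -> Optional[bytes]:
    """Read the first n bytes of an export in this process (Windows only).

    On other platforms there is no ntdll to inspect, so None is returned and
    the caller should fall back to bytes captured elsewhere (memory dump, EDR).
    """
    if platform.system() != "Windows":
        return None
    dll = ctypes.WinDLL(module)
    addr = ctypes.cast(getattr(dll, func), ctypes.c_void_p).value
    return ctypes.string_at(addr, n)


def etw_write_is_tampered(prologue: bytes, reference: bytes = b"") -> bool:
    """Convenience wrapper: True if the prologue should raise an alert."""
    return classify_prologue(prologue, reference) != "intact"
```

A `patched` or `modified` verdict for `EtwEventWrite` inside a running process is a strong hunting signal; pairing it with Security event 1102 or System event 104 (log cleared) also covers the EvtClearLog step the report describes.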
LockBit continues to leverage the “double extortion” tactic—encrypting data while threatening to leak it. However, the report highlights a disturbing reality exposed during Operation Cronos: “stolen data was frequently retained even after ransoms had been paid,” dispelling the illusion of “honor among thieves”.
The emergence of LockBit 5.0 demonstrates that law enforcement disruption, while effective, is often temporary. “The current status of LockBit is characterized by its resilience and aggressive resurgence,” forcing organizations to adopt advanced behavioral detection and immutable backups to survive the next wave of attacks.