LockBit attack with Linux variant fully exposed inside ANY.RUN sandbox
In September 2025, on its sixth anniversary, the LockBit ransomware group released LockBit 5.0, marking one of its most significant evolutions yet. This new version introduces stronger obfuscation, flexible configurations, and advanced anti-analysis techniques, but its most alarming development lies elsewhere.
The group has now expanded operations beyond Windows, introducing dedicated builds for Linux and VMware ESXi, signaling a clear pivot toward critical infrastructure and virtualized environments.
The Shift from Endpoints to Servers
LockBit’s latest campaign represents a broader trend: ransomware operators moving from targeting endpoints to directly disrupting core business infrastructure. A single intrusion can now cripple dozens of virtual servers, leading to widespread outages and severe financial and reputational damage.
LockBit 5.0 is divided into three primary builds, each optimized for its target operating system but sharing nearly identical core functionality. Each was executed and recorded inside a safe ANY.RUN sandbox environment, with the full attack chain exposed in under one minute.
VMware ESXi: Hypervisor Encryptor
Perhaps the most dangerous variant yet, LockBit 5.0’s ESXi encryptor is tailored for hypervisors and capable of simultaneously disabling all VMs on a host. Its CLI resembles the other builds but adds functions targeting VM datastores and configuration files, allowing maximum disruption across virtual environments.
Windows: Main Variant
The main variant runs through DLL reflection, supports both GUI and console modes, and executes a full range of ransomware tactics: encrypting local and network files, removing shadow copies, stopping critical services, clearing event logs, and leaving ransom notes with live chat links.
Linux: Console Encryptor
This console-based variant mirrors the Windows version’s core functions but adds unique checks, including mount point filtering, post-encryption disk wiping, geolocation restrictions, and build expiry timers designed to complicate reverse engineering.

How to Detect LockBit 5.0 in Under One Minute
Detecting LockBit 5.0 is a tough, time-consuming problem for security teams. The group packed heavy obfuscation, modular builds, and anti-analysis checks into this release specifically to slow investigators and slip past automated defenses. That means long investigations, mounting alert queues, and analysts wasting hours trying to recreate execution environments instead of stopping attacks.
Sandboxes like ANY.RUN change that equation. By combining automated observation with interactive control, the platform surfaces the full attack chain fast so analysts can triage and respond rather than chase artifacts.
See the live execution inside ANY.RUN sandbox

For instance, in the following analysis session the LockBit Linux variant's attack was traced and fully exposed in just 33 seconds, producing a complete process tree, mapped TTPs, extracted IOCs, and a downloadable analyst report ready to share with detection engineers, SOC managers, or IR teams.

Detection gets faster thanks to ANY.RUN’s automated interactivity: routine, fragile steps are handled by the service (things like CAPTCHA solving, staged input injection, automated snapshots, and IOC extraction), so analysts don’t have to run each step manually.
That saves time, reduces human error, and helps junior analysts reach reliable findings quicker, while still letting experienced analysts jump in, pause the run, inject commands, or dig deeper whenever needed.
What you get in under a minute with ANY.RUN:
- Process tree with parent/child relationships and execution timestamps (easy to paste into hunting playbooks).
- TTPs and behavior mapping ready for MITRE ATT&CK tagging.
- IOC extraction (file hashes, suspicious command-lines, dropped filenames, registry keys, IPs/domains).
- Snapshots & artifacts for forensic handoff.
- Shareable report with a concise executive summary plus technical appendices for detection engineers and IR teams.
These outputs let teams enrich EDR/XDR rules, update detection signatures, and block malicious infrastructure faster.
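The Windows behaviours described above (removing shadow copies, stopping services, clearing event logs) are exactly what a detection engineer turns into EDR rules and MITRE ATT&CK tags once the process tree is in hand. The script below is an added example written for this article, not ANY.RUN's code or output from the sandbox session: it runs a small rule set over constructed process-creation events, tags each command line with the ATT&CK technique it matches, and flags a parent process that accumulates several of these techniques. The sample events and the parent name `sample.exe` are made up; the regexes are the commonly published patterns for these techniques, not signatures taken from the LockBit 5.0 sample.

```python
"""Added example (not ANY.RUN's code): tag process-creation events with
MITRE ATT&CK technique IDs for the ransomware behaviours the article names
and surface a parent that chains several of them together.

All events below are constructed samples, not real sandbox output.
"""
import re
from dataclasses import dataclass

# Constructed process-creation events: (parent image, child image, command line).
# "sample.exe" is a placeholder name for the detonated binary.
SAMPLE_EVENTS = [
    ("explorer.exe", "winword.exe", "winword.exe quarterly_report.docx"),
    ("sample.exe", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("sample.exe", "wevtutil.exe", "wevtutil.exe cl Security"),
    ("sample.exe", "net.exe", "net.exe stop MSSQLSERVER /y"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("sample.exe", "wmic.exe", "wmic.exe shadowcopy delete"),
]


@dataclass(frozen=True)
class Rule:
    technique: str   # ATT&CK technique ID
    name: str        # human-readable label for the report
    pattern: re.Pattern


# Detection rules for the three behaviours called out in the article.
RULES = [
    Rule("T1490", "Inhibit System Recovery: shadow copy deletion",
         re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"
                    r"|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    Rule("T1070.001", "Indicator Removal: clear Windows event logs",
         re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    Rule("T1489", "Service Stop",
         re.compile(r"\bnet1?(\.exe)?\s+stop\b|\bsc(\.exe)?\s+stop\b", re.I)),
]


def tag_event(cmdline):
    """Return the ATT&CK technique IDs whose rules match one command line."""
    return [r.technique for r in RULES if r.pattern.search(cmdline)]


def triage(events):
    """Group matched techniques by parent process.

    One parent that accumulates recovery inhibition, log clearing and
    service stops is the ransomware pattern the article describes; any
    single match on its own may be legitimate administration.
    """
    by_parent = {}
    for parent, _child, cmdline in events:
        for technique in tag_event(cmdline):
            by_parent.setdefault(parent, set()).add(technique)
    return by_parent


def suspicious_parents(events, threshold=2):
    """Parents that exhibit at least `threshold` distinct techniques."""
    return sorted(p for p, techs in triage(events).items() if len(techs) >= threshold)


if __name__ == "__main__":
    for parent, techs in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{parent}: {sorted(techs)}")
    print("suspicious parents:", suspicious_parents(SAMPLE_EVENTS))
```

The threshold in `suspicious_parents` is the part worth tuning: a backup agent may legitimately delete old shadow copies, and an administrator may stop a service, but one process doing both and then clearing the Security log within a single sandbox run is the chain that should feed an EDR rule rather than an individual IOC.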
Cut Investigation Time: Act on LockBit 5.0 Faster
LockBit 5.0 shows how quickly ransomware tactics evolve, and how much pressure that puts on analysts to keep up. Speed now matters as much as accuracy. The faster you can move from alert to understanding, the sooner you can contain the damage and refine your defenses.
Solutions like ANY.RUN give teams that advantage by cutting through the noise and surfacing what matters: the attack chain, IOCs, and behavioral context, all visible within seconds. Whether you’re validating a new sample, tuning rules, or training your SOC team, real-time analysis turns complex threats into clear, actionable insight.
Try ANY.RUN now and discover how fast you can go from alert to verdict.