The LockBit ransomware gang has released its latest iteration, LockBit 5.0, a significant technical step for one of the most prolific ransomware operations in the world. A new analysis by the Acronis Threat Research Unit (TRU) finds that the group has moved to a unified codebase: the Windows, Linux and ESXi builds now share the same execution logic and the same encryption scheme, so a single development effort produces a consistent payload for every platform an enterprise runs.
The update follows law enforcement action against the group and shows that LockBit is not only still active but continuing to develop tooling aimed at enterprise infrastructure.
The most striking feature of version 5.0 is its consistency. Previous iterations often had distinct differences between their operating system variants. Now, they are nearly identical.
“Analysis of LockBit 5.0 reveals a largely unified ransomware framework across its Windows, Linux and ESXi variants,” the report states.
All versions now share:
- Common Execution Logic: The way the malware runs is standardized across platforms.
- Identical Encryption: Every variant uses the same XChaCha20 and Curve25519 scheme. XChaCha20 is a symmetric stream cipher and Curve25519 an elliptic curve used for asymmetric key agreement; both are sound, widely used primitives, so a victim's prospects of recovering files without the operator's key do not depend on which OS was hit.
- Same Ransom Note: Victims receive the exact same message, reinforcing the brand’s consistency.
Acronis researchers found that the Windows variant is packed with advanced anti-analysis tricks that are absent in the Linux and ESXi builds.
“The Windows sample exhibits the most extensive use of defense evasion and anti-analysis techniques, highlighting Windows as the primary development focus,” the TRU team noted.
These techniques include “DLL unhooking, process hollowing, patching Event Tracing for Windows (ETW) functions and clearing all available logs in the system,” all designed to blind security tools while the encryption takes place.
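The three evasion techniques quoted above each leave something a defender can check for. As an added example that is not Acronis's or LockBit's code, the block below implements two offline checks over constructed inputs: a function-prologue comparison that distinguishes an EDR's own inline hook from the `ret` / `xor eax,eax; ret` stub left by ETW patching and from a DLL that has been "unhooked" back to its on-disk bytes, and a scan of Windows event records for the log-cleared events (1102 for Security, 104 for other channels) that flags a burst of clearings across many channels. The prologue byte strings, the event records and the `svc-backup` account name are constructed for the example; a real monitor would read ntdll.dll from disk and from the target process and pull records from the event log.

```python
"""Added example (not Acronis's or LockBit's code): offline detection checks for
the evasion techniques named in the report, run over constructed sample data.
"""
from __future__ import annotations

from datetime import datetime, timedelta
from typing import Iterable

# Prologue replacements commonly used to neuter an ETW function. Assumption:
# this list is illustrative, not an exhaustive signature set.
ETW_PATCH_PATTERNS = {
    b"\xc3": "ret",
    b"\x31\xc0\xc3": "xor eax,eax; ret",
    b"\x33\xc0\xc3": "xor eax,eax; ret",
    b"\x48\x31\xc0\xc3": "xor rax,rax; ret",
}


def classify_prologue(disk: bytes, memory: bytes, edr_hook_expected: bool) -> str:
    """Classify a function's in-memory prologue against its on-disk bytes.

    intact        memory matches disk and no EDR hook was expected
    unhooked      memory matches disk but the EDR expected its hook (DLL unhooking)
    etw_patch     prologue replaced by ret / xor eax,eax; ret (ETW patching)
    edr_hook      first instruction is a jmp and the EDR expected its hook
    foreign_hook  first instruction is a jmp nobody expected
    modified      anything else
    """
    if memory == disk:
        return "unhooked" if edr_hook_expected else "intact"
    for pattern in ETW_PATCH_PATTERNS:
        if memory.startswith(pattern):
            return "etw_patch"
    # E9 rel32 (jmp near) or FF 25 (jmp [rip+disp32]) as the first instruction
    if memory[:1] == b"\xe9" or memory[:2] == b"\xff\x25":
        return "edr_hook" if edr_hook_expected else "foreign_hook"
    return "modified"


# Constructed prologue bytes for the demo (not real ntdll contents).
CLEAN = bytes.fromhex("4c8bdc53565741544155")
EDR_HOOK = b"\xe9\x10\x20\x30\x00" + CLEAN[5:]      # jmp rel32 over the prologue
ETW_PATCHED = b"\x33\xc0\xc3" + CLEAN[3:]           # xor eax,eax; ret

EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"


def find_log_clearing(events: Iterable[dict], window: timedelta = timedelta(seconds=60),
                      burst_threshold: int = 3) -> list[str]:
    """Return alert strings for log-clearing events.

    Each event is a dict with keys: time (datetime), provider, event_id,
    channel (the log that was cleared) and user. 1102 is written to the
    Security log when it is cleared; 104 is written to System for other channels.
    """
    alerts: list[str] = []
    clearings: list[datetime] = []
    for ev in events:
        if ev["provider"] != EVENTLOG_PROVIDER:
            continue
        if ev["event_id"] == 1102:
            alerts.append(f"{ev['time']:%H:%M:%S} Security log cleared by {ev['user']} (1102)")
        elif ev["event_id"] == 104:
            alerts.append(f"{ev['time']:%H:%M:%S} {ev['channel']} log cleared by {ev['user']} (104)")
        else:
            continue
        clearings.append(ev["time"])
    # Many clearings inside one short window is mass log wiping, not housekeeping.
    clearings.sort()
    for i, start in enumerate(clearings):
        j = i
        while j < len(clearings) and clearings[j] - start <= window:
            j += 1
        if j - i >= burst_threshold:
            alerts.append(f"{start:%H:%M:%S} mass log clearing: {j - i} logs cleared "
                          f"within {int(window.total_seconds())}s")
            break
    return alerts


# Constructed event records: a login, four clearings in a few seconds, then an
# isolated clearing two hours later that should not join the burst.
T0 = datetime(2025, 1, 1, 3, 14, 0)
SAMPLE_EVENTS = [
    {"time": T0, "provider": "Microsoft-Windows-Security-Auditing", "event_id": 4624,
     "channel": "Security", "user": "svc-backup"},
    {"time": T0 + timedelta(seconds=5), "provider": EVENTLOG_PROVIDER, "event_id": 1102,
     "channel": "Security", "user": "svc-backup"},
    {"time": T0 + timedelta(seconds=6), "provider": EVENTLOG_PROVIDER, "event_id": 104,
     "channel": "System", "user": "svc-backup"},
    {"time": T0 + timedelta(seconds=7), "provider": EVENTLOG_PROVIDER, "event_id": 104,
     "channel": "Application", "user": "svc-backup"},
    {"time": T0 + timedelta(seconds=8), "provider": EVENTLOG_PROVIDER, "event_id": 104,
     "channel": "Microsoft-Windows-PowerShell/Operational", "user": "svc-backup"},
    {"time": T0 + timedelta(hours=2), "provider": EVENTLOG_PROVIDER, "event_id": 104,
     "channel": "Application", "user": "admin"},
]

if __name__ == "__main__":
    for name, mem in (("clean", CLEAN), ("edr", EDR_HOOK), ("etw", ETW_PATCHED)):
        print(name, classify_prologue(CLEAN, mem, edr_hook_expected=True))
    for line in find_log_clearing(SAMPLE_EVENTS):
        print(line)
```

The prologue check is only meaningful when the EDR knows which exports it hooked: a clean `EtwEventWrite` is good news on a host with no hooks and bad news on one where the agent expected to find its `jmp`, which is why the classifier takes `edr_hook_expected` rather than guessing.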
Perhaps the most intriguing finding is a potential link to another cybercrime heavyweight: SmokeLoader. During their investigation of the attack infrastructure, researchers noticed something familiar about where LockBit 5.0 was hosted.
“The LockBit site was hosted on infrastructure with historical ties to SmokeLoader, indicating possible infrastructure reuse or cooperation,” the report reveals.
The report goes no further than "possible infrastructure reuse or cooperation": the overlap could mean a shared hosting provider, a reused server, or active cooperation between the two operations. Sharing infrastructure and providers is common in the cybercriminal underground, so the finding is suggestive of a relationship rather than proof of one.
The update explicitly targets the backbone of modern corporate IT: virtualization. With mature Linux and ESXi variants, and specific support for Proxmox, LockBit is going after the hypervisors that host everything else; encrypting a hypervisor's datastores takes down every virtual machine on it at once, which is what makes these hosts such attractive targets.
“The presence of mature Linux and ESXi variants… underscores LockBit’s continued expansion toward enterprise and infrastructure focused targets,” the report concludes.