New LockBit 5.0 Ransomware Variant Attacking Windows, Linux, and ESXi Systems

Following a major law enforcement disruption in February 2024, the notorious LockBit ransomware group has resurfaced, marking its sixth anniversary with the release of a new version: LockBit 5.0.

Trend Micro has identified and analyzed binaries for Windows, Linux, and VMware ESXi, confirming the group’s continued focus on cross-platform attacks that can cripple entire enterprise networks.

The discovery of these new variants in early September 2025 signals a significant evolution of the ransomware. This latest version continues the group’s strategy of targeting multiple operating systems simultaneously, a tactic seen since LockBit 2.0 was released in 2021.

Advanced Cross-Platform Attacks

The LockBit 5.0 variants are tailored to their target operating systems, employing sophisticated techniques to evade detection and maximize damage.

  • Windows Variant: This version uses heavy obfuscation and packing, loading its malicious payload through DLL reflection to complicate analysis. It also implements anti-analysis measures, such as patching the Event Tracing for Windows (ETW) API and terminating 63 different security-related services. The Windows variant also features a newly formatted and more user-friendly help menu.
Figure: Windows variant
  • Linux Variant: The Linux version mirrors the functionality of its Windows counterpart, providing attackers with a consistent set of command-line options to target specific directories and file types. It can log its activities, showing which files are being encrypted and which folders are excluded.
Figure: Linux variant
  • ESXi Variant: A dedicated variant specifically targets VMware’s ESXi virtualization infrastructure. This represents a critical threat, as compromising a single ESXi host can allow attackers to encrypt dozens or even hundreds of virtual machines at once, causing massive disruption. The ESXi variant includes parameters optimized for virtual machine encryption.
Figure: ESXi variant

Trend Micro analysis shows that LockBit 5.0 is a direct evolution of its predecessor, LockBit 4.0. Both versions share identical hashing algorithms and methods for API resolution, indicating the same developers have built upon their existing codebase.

Key behaviors are consistent across the new variants. Each encrypted file receives a randomized 16-character extension, which makes identifying affected files and recovering them more difficult.
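The randomized 16-character extension is one of the few on-disk indicators the article gives, and it is simple to hunt for on a file share or backup snapshot. The following is an added example written for this page, not Trend Micro's or LockBit's code: it flags file names whose last extension is exactly 16 alphanumeric characters with reasonable entropy (so a run of one repeated character does not count), and reports a directory as likely mass-encrypted only when many files share the same random tag. The file names, thresholds and the tag `Qz8kL3pVx9Wm2TbN` are constructed for the demonstration and are not indicators from the article.

```python
import math
import re
from collections import Counter
from pathlib import PurePath

# Extension shape described in the article: exactly 16 characters, letters and
# digits. The regex alone is not enough (sixteen copies of one character would
# also match), so an entropy floor is applied on top of it.
RANDOM_EXT = re.compile(r"[A-Za-z0-9]{16}")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 16 distinct characters give 4.0."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_name(name: str, min_entropy: float = 3.0) -> bool:
    """True when the last extension looks like a randomized 16-character tag."""
    ext = PurePath(name).suffix.lstrip(".")
    return bool(RANDOM_EXT.fullmatch(ext)) and shannon_entropy(ext) >= min_entropy


def scan_listing(names, share_threshold: float = 0.5, min_count: int = 3) -> dict:
    """Summarise a directory listing and decide whether it looks mass-encrypted.

    One odd file name is noise; many files sharing a single random extension is
    the signal, so the verdict requires both an absolute count and a share of
    the listing (both thresholds are assumptions chosen for this example)."""
    suspicious = [n for n in names if is_suspicious_name(n)]
    extensions = Counter(PurePath(n).suffix.lstrip(".") for n in suspicious)
    share = len(suspicious) / len(names) if names else 0.0
    return {
        "suspicious_count": len(suspicious),
        "extensions": dict(extensions),
        "share": share,
        "flagged": len(suspicious) >= min_count and share >= share_threshold,
    }


# Constructed sample listing (not real samples): four files renamed with one
# shared 16-character tag next to three untouched files.
SAMPLE_LISTING = [
    "budget.xlsx.Qz8kL3pVx9Wm2TbN",
    "contract.pdf.Qz8kL3pVx9Wm2TbN",
    "photo.jpg.Qz8kL3pVx9Wm2TbN",
    "db-backup.bak.Qz8kL3pVx9Wm2TbN",
    "notes.txt",
    "archive.tar.gz",
    "setup.exe",
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
```

In practice the listing would come from `os.scandir` over a share or a mounted backup, and a hit on `flagged` is a trigger for isolating the host and checking the extension's prevalence across other systems rather than a verdict on its own.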

The ransomware also includes checks to avoid executing on systems with Russian language settings or geolocated in Russia. After the encryption process is complete, it clears event logs to cover its tracks.
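Clearing event logs after encryption is itself loggable, and a defender can key on it. The example below is added for this page and is not code from the article or from Trend Micro: it parses a constructed CSV-style event export, picks out the well-known Windows "log cleared" records (Security channel Event ID 1102, and Event ID 104 from the Microsoft-Windows-Eventlog provider in the System channel, which names the channel that was cleared), and raises a burst alert when several logs are cleared within one minute, which separates routine single-log maintenance from the wipe-everything-at-once pattern described above. The export format, timestamps, user names and the one-minute window are assumptions made for the demonstration.

```python
from datetime import datetime, timedelta

# Well-known Windows event IDs that record a log being cleared (general
# Windows knowledge, not from the article): Security/1102 "The audit log was
# cleared" and System/104 for the other channels.
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}

# Constructed sample export (not a real capture). Columns:
# timestamp,channel,event_id,user,cleared_log
SAMPLE_EVENTS = """\
2025-09-05T02:14:03,System,7036,SYSTEM,
2025-09-05T02:41:10,Security,4624,jdoe,
2025-09-05T03:05:44,Security,1102,admin,Security
2025-09-05T03:05:45,System,104,admin,System
2025-09-05T03:05:45,System,104,admin,Application
2025-09-05T03:05:46,System,104,admin,Microsoft-Windows-PowerShell/Operational
2025-09-05T09:30:00,System,104,backupsvc,Application
"""


def parse_events(text: str) -> list:
    """Parse the five-column export into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, channel, event_id, user, cleared = line.split(",", 4)
        events.append({
            "time": datetime.fromisoformat(ts),
            "channel": channel,
            "event_id": int(event_id),
            "user": user,
            "cleared_log": cleared or None,
        })
    return events


def find_log_clears(events: list) -> list:
    """Return only the events that record a log being cleared, oldest first."""
    clears = [e for e in events if (e["channel"], e["event_id"]) in LOG_CLEARED_IDS]
    return sorted(clears, key=lambda e: e["time"])


def _summarise(group: list) -> dict:
    return {
        "start": group[0]["time"],
        "users": sorted({e["user"] for e in group}),
        "logs": [e["cleared_log"] for e in group],
    }


def detect_clearing_bursts(events: list, window: timedelta = timedelta(seconds=60),
                           min_logs: int = 2) -> list:
    """Group clear events that fall within `window` of the group's first event.

    Clearing one log is routine maintenance; clearing several logs within a
    minute matches the post-encryption cleanup the article describes."""
    bursts, group = [], []
    for e in find_log_clears(events):
        if group and e["time"] - group[0]["time"] > window:
            if len(group) >= min_logs:
                bursts.append(_summarise(group))
            group = []
        group.append(e)
    if len(group) >= min_logs:
        bursts.append(_summarise(group))
    return bursts


if __name__ == "__main__":
    for b in detect_clearing_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"{b['start']} users={b['users']} cleared={b['logs']}")
```

Because the log-cleared records live in the Security and System channels of the host being wiped, the check is only reliable when those channels are forwarded to a collector before the clearing happens; on the endpoint alone, the evidence is gone with the rest of the log.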

The technical improvements in LockBit 5.0 make it significantly more dangerous than previous versions. The heavy obfuscation delays the development of detection signatures, while the focus on virtualized environments amplifies its potential impact.

The group’s ability to regroup and release an upgraded ransomware after Operation Cronos demonstrates its resilience.

Organizations are advised to enhance their security posture by proactively hunting for threats and reinforcing endpoint and network protections. Special attention should be given to securing virtualization infrastructure, as it has become a primary target.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.