Cross-Platform Ransomware Now Targeting Windows, Linux, and ESXi Systems


LockBit’s new 5.0 version is being used against Windows, Linux and VMware ESXi systems. The three builds share one ransomware codebase with platform‑specific tuning, so a single affiliate can hit every tier of a mixed enterprise environment within one intrusion.

Analysis by the Acronis Threat Research Unit (TRU) shows that while all variants share the same core encryption and extortion logic, the Windows build carries the most aggressive defense‑evasion capabilities, with the Linux and ESXi versions tuned for virtualization and server‑side impact.

LockBit 5.0 was released in September 2025 and quickly adopted by affiliates targeting mainly U.S. businesses, following the group’s traditional ransomware‑as‑a‑service (RaaS) model and double‑extortion tactics that combine file encryption with data exfiltration.

Operators promote this version as faster, more modular and capable of working on “all versions of Proxmox,” positioning it directly against modern virtualization deployments used as cheaper alternatives to commercial hypervisors.

The campaign continues LockBit’s long‑running evolution from its early “ABCD” branding in 2019 through versions 2.0, 3.0 (“LockBit Black”) and 4.0, each adding new features such as StealBit for data theft and bug‑bounty style incentives for vulnerability reporting.

Victim data from LockBit’s leak site lists at least 60 organizations as of early December 2025, spanning private businesses, healthcare, financial services, manufacturing, government, and education, with a clear concentration in the U.S. alongside cases in other regions.

Latest victims from data leak sites (Source : Acronis Threat Research Unit).

The group allows affiliates to hit virtually any target including critical infrastructure and medical facilities while prohibiting attacks in post‑Soviet countries and pushing responsibility for victim choice entirely onto its partners.

Despite repeated law‑enforcement takedowns of its leak sites, LockBit keeps mirrors that preserve historical dumps from previous versions, underlining its resilience and focus on brand continuity.

Windows, Linux and ESXi internals

TRU’s analysis confirms that LockBit 5.0 for Windows, Linux and ESXi uses the same cryptographic design, combining XChaCha20 for fast symmetric encryption with Curve25519 for key exchange, and appending a random 16‑character extension plus a trailing metadata block to every encrypted file.

All variants drop an identical ransom note that differs only in the victim ID, and all support free‑space wiping: they create temporary files filled with zero bytes until the volume is full, which overwrites unallocated clusters and removes the chance of recovering deleted originals with file‑carving tools.

The LockBit 5.0 Windows sample is a 64‑bit PE executable whose compilation timestamp has been falsified.

Technical analysis (Source : Acronis Threat Research Unit).

The Windows sample stands out for extensive defense evasion: it is packed, uses DLL unhooking and process hollowing, and neutralizes Event Tracing for Windows (ETW) by overwriting the entry of EtwEventWrite with a return instruction, so that every ETW provider in the process, including those that feed EDR telemetry, emits nothing; it then clears Windows event logs via EvtClearLog to blind monitoring tools. Because the patch modifies only the copy of ntdll.dll mapped into the patching process, other processes keep logging normally, and scanning process memory for a return instruction at EtwEventWrite is a direct way to find the patched one.
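The memory scan just described, as an added example for this write‑up (it is not code from the Acronis report or from LockBit): resolve ntdll!EtwEventWrite once, then read its first bytes in every process that can be opened and flag those that begin with a return stub. It relies on the fact that ntdll.dll is mapped at the same base in every process of the same bitness for a boot session, so the address resolved in the scanner is valid in the targets. The plain `ret` is the shape the report describes; the other stub shapes are included as an assumption because they achieve the same effect and cost nothing to check.

```python
"""Hunt for processes whose in-memory ntdll!EtwEventWrite has been patched
into a return stub.  Added example; the scanning part is Windows-only, the
byte-pattern classifier is platform independent."""
import ctypes
import sys

# Stub shapes written over the first bytes of EtwEventWrite.  "ret" is what
# the report describes for LockBit 5.0; the rest are assumptions included
# because they neutralize ETW the same way.
RETURN_STUBS = (
    (b"\xc3", "ret"),
    (b"\xc2", "ret imm16"),
    (b"\x33\xc0\xc3", "xor eax,eax; ret"),
    (b"\x48\x33\xc0\xc3", "xor rax,rax; ret"),
)


def classify_etw_stub(prefix: bytes):
    """Return a label if `prefix` (first bytes of EtwEventWrite) is a return
    stub, else None.  A genuine prologue starts with a mov/sub, never a ret."""
    for pattern, label in RETURN_STUBS:
        if prefix.startswith(pattern):
            return label
    return None


def scan_etw_patches():
    """Read the first 8 bytes of EtwEventWrite in every readable process and
    return [(pid, image_path, hex_bytes, label)] for the patched ones."""
    if sys.platform != "win32":
        raise OSError("scan_etw_patches() needs the Win32 API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi")
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_void_p, ctypes.c_size_t,
                                      ctypes.POINTER(ctypes.c_size_t)]
    k32.QueryFullProcessImageNameW.argtypes = [ctypes.c_void_p, ctypes.c_uint32,
                                               ctypes.c_wchar_p,
                                               ctypes.POINTER(ctypes.c_uint32)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]

    # Same base in every process of this bitness, so this address is reusable.
    target = k32.GetProcAddress(k32.GetModuleHandleW("ntdll.dll"), b"EtwEventWrite")
    if not target:
        raise OSError("cannot resolve ntdll!EtwEventWrite")

    PROCESS_VM_READ, PROCESS_QUERY_LIMITED_INFORMATION = 0x0010, 0x1000
    pids = (ctypes.c_uint32 * 4096)()
    needed = ctypes.c_uint32()
    psapi.EnumProcesses(pids, ctypes.sizeof(pids), ctypes.byref(needed))

    hits = []
    for pid in pids[: needed.value // ctypes.sizeof(ctypes.c_uint32)]:
        h = k32.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION, 0, pid)
        if not h:
            continue  # protected or higher-integrity process: not readable from here
        try:
            buf = ctypes.create_string_buffer(8)
            got = ctypes.c_size_t()
            if not k32.ReadProcessMemory(h, target, buf, 8, ctypes.byref(got)) or got.value != 8:
                continue
            label = classify_etw_stub(buf.raw)
            if label:
                name = ctypes.create_unicode_buffer(1024)
                size = ctypes.c_uint32(1024)
                k32.QueryFullProcessImageNameW(h, 0, name, ctypes.byref(size))
                hits.append((pid, name.value, buf.raw.hex(" "), label))
        finally:
            k32.CloseHandle(h)
    return hits


if __name__ == "__main__":
    for pid, image, raw, label in scan_etw_patches():
        print(f"PATCHED pid={pid} {image}: {raw} ({label})")
```

Run it from an elevated 64‑bit interpreter so that most processes can be opened. A 32‑bit (WoW64) process patches its own 32‑bit ntdll, which a 64‑bit scanner reading at the 64‑bit address does not see, so run a 32‑bit copy of the scanner as well on hosts that still execute 32‑bit code.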

It also performs locale and geography checks to avoid systems associated with Russian‑speaking regions, creates mutexes to prevent concurrent execution, supports numerous command‑line switches (for skipping injection or mutex creation, or enabling verbose mode), and can wipe free disk space from within a hollowed host process such as defrag.exe.

Self‑deletion is handled via file rename and delete‑disposition calls, so the binary removes itself after encryption unless a switch instructs it not to.

In contrast, the Linux and ESXi variants are not packed, but their strings are encrypted and they implement anti‑analysis logic of their own, checking for common debugging and tracing tools such as gdb, lldb, strace, ltrace and rr.
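The report names the tools but not the mechanism. On Linux the two usual mechanisms are the TracerPid field of /proc/self/status (non‑zero whenever a ptrace‑based tool such as gdb, strace or ltrace is attached) and a walk up the parent chain comparing process names against a tool list. The following is an added example for this write‑up that reproduces both checks for analysts; it is not LockBit’s string‑encrypted implementation, and the eight‑level ancestor walk is an assumption chosen to see past wrapper shells.

```python
"""The two procfs-based tracer checks a Linux binary typically uses.  Added
example for analysis purposes; the ancestor depth of 8 is an assumption."""
import os

TRACER_NAMES = ("gdb", "lldb", "strace", "ltrace", "rr")


def parse_tracer_pid(status_text: str) -> int:
    """TracerPid from the text of /proc/<pid>/status; 0 means not ptraced."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return 0


def parse_ppid(status_text: str) -> int:
    """PPid from the text of /proc/<pid>/status; 0 if absent."""
    for line in status_text.splitlines():
        if line.startswith("PPid:"):
            return int(line.split(":", 1)[1].strip())
    return 0


def is_tracer_name(comm: str, names=TRACER_NAMES) -> bool:
    """Match a /proc/<pid>/comm value (basename, max 15 chars) against the list."""
    return os.path.basename(comm.strip()) in names


def debugger_detected(proc="/proc", max_depth=8) -> dict:
    """Run both checks against the live process tree and report which fired.
    A real sample would exit or change behaviour here; we only report."""
    result = {"tracer_pid": 0, "ancestor": None}
    try:
        with open(f"{proc}/self/status") as f:
            result["tracer_pid"] = parse_tracer_pid(f.read())
        # strace/ltrace/gdb usually sit one level up, but a wrapper shell in
        # between is common, so walk several ancestors.
        pid = os.getppid()
        for _ in range(max_depth):
            with open(f"{proc}/{pid}/comm") as f:
                comm = f.read().strip()
            if is_tracer_name(comm):
                result["ancestor"] = (pid, comm)
                break
            with open(f"{proc}/{pid}/status") as f:
                ppid = parse_ppid(f.read())
            if ppid <= 1:
                break
            pid = ppid
    except (FileNotFoundError, PermissionError):
        pass  # no procfs (non-Linux) or the process vanished: checks unavailable
    return result


if __name__ == "__main__":
    print(debugger_detected())
```

When reproducing the sample under a tracer, the name check is defeated by running a renamed copy of the tool (comm follows the executable name), while the TracerPid check is only defeated by patching the comparison or by analysing without ptrace (emulation, or a hardware‑assisted tracer).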

Both print execution progress to the console by default, and the Linux version can also write a log file and tune the percentage of each file that is encrypted, a partial‑encryption strategy that trades completeness for speed on large files and leaves the remainder of each file in clear, which is worth remembering during recovery.

Additionally, the geography check retrieves the system’s geographic location identifier and compares it with the value ‘C9’.

Execution (Source : Acronis Threat Research Unit).

The ESXi build adds virtualization‑specific behavior: it verifies that it is running on VMware ESXi, scans the /vmfs/ directory for virtual machine assets, can terminate running VMs to release the locks on their disk and configuration files, and offers parameters to skip or target specific VM IDs, so a single run on one host can cripple dozens of virtual servers.
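Because the appended extension is random, extension blocklists and name‑based file monitors learn nothing from it; what remains constant is the shape of the name (original name plus 16 random characters) and the content (XChaCha20 output is indistinguishable from random bytes). The triage script below, an added example for this write‑up and not tooling from the Acronis report, combines both signals and works the same on a Windows share, a Linux host or an ESXi datastore under /vmfs/volumes, where it also notes when the original name was a VM asset. It assumes the 16 characters are alphanumeric (the report says only “random 16‑character”), does not parse the trailing metadata block because its layout is not published, and builds its own constructed sample tree so it runs offline.

```python
"""Triage files hit by a random-extension ransomware: flag names ending in 16
random characters whose content is high-entropy.  Added example; the
alphanumeric alphabet and the 7.5-bit threshold are assumptions."""
import math
import os
import re
import shutil
import tempfile
from collections import Counter

EXT_PATTERN = re.compile(r"\.([A-Za-z0-9]{16})$")
# VM assets an ESXi build goes after under /vmfs/volumes; if the part before
# the random extension ends in one of these, the file was a VM component.
VM_ASSET_EXTS = (".vmdk", ".vmx", ".vmsd", ".vmsn", ".vmem", ".nvram", ".vmxf", ".log")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for all-same content, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path, sample_bytes=65536, min_entropy=7.5):
    """Return a dict describing why `path` looks encrypted, or None."""
    name = os.path.basename(path)
    m = EXT_PATTERN.search(name)
    if not m:
        return None
    with open(path, "rb") as f:
        head = f.read(sample_bytes)
    ent = shannon_entropy(head)
    if ent < min_entropy:
        return None  # random-looking extension but compressible content: not ciphertext
    original = name[: m.start()]
    return {
        "path": path,
        "ext": m.group(1),
        "entropy": round(ent, 3),
        "original_name": original,
        "vm_asset": original.lower().endswith(VM_ASSET_EXTS),
    }


def triage(root):
    """Walk `root` and return one dict per file that classifies as encrypted."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            info = classify_file(os.path.join(dirpath, name))
            if info:
                hits.append(info)
    return hits


def run_demo():
    """Constructed sample tree (os.urandom stands in for ciphertext; these are
    not real LockBit files).  Returns (hits, {extension: count})."""
    root = tempfile.mkdtemp(prefix="lb5-triage-")
    vm = os.path.join(root, "vmfs", "volumes", "datastore1", "web01")
    os.makedirs(vm)
    samples = {
        "web01-flat.vmdk.K7pq3ZxL0mN9vB2c": os.urandom(131072),
        "web01.vmx.K7pq3ZxL0mN9vB2c": os.urandom(4096),
        "notes.txt": b"plain text, untouched\n" * 200,
        "archive.zip.ABCDEFGHIJKLMNOP": b"\x00" * 8192,  # 16-char ext, but zeros
    }
    for name, data in samples.items():
        with open(os.path.join(vm, name), "wb") as f:
            f.write(data)
    try:
        hits = triage(root)
    finally:
        shutil.rmtree(root)
    return hits, dict(Counter(h["ext"] for h in hits))


if __name__ == "__main__":
    hits, groups = run_demo()
    for h in hits:
        print(f'{h["path"]}  ext={h["ext"]} H={h["entropy"]} vm_asset={h["vm_asset"]}')
    print("extension groups:", groups)
```

On an ESXi host, which ships its own Python interpreter, point `triage()` at /vmfs/volumes and compare the flagged VM assets against `esxcli vm process list` to see which VMs were stopped before encryption. Grouping hits by extension separates distinct runs only if the extension is constant per run; if it turns out to vary per file, expect one group per file.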

When run with the ‘-w’ switch, the Windows sample creates a ‘.tmp’ file on the C: drive and writes zero bytes to it in chunks of 4,194,304 bytes (4 MiB) until the volume has no free space left; this is the free‑space wipe that defeats recovery of deleted originals from unallocated space.

Free space wiper (Source : Acronis Threat Research Unit).

Shared infrastructure and enterprise impact

TRU also links LockBit 5.0 infrastructure to historical SmokeLoader activity: one of the IPs hosting LockBit sites was previously associated with SmokeLoader samples and the rodericwalter[.]com domain, suggesting infrastructure acquisition or cooperative reuse between different malware operators.

Since SmokeLoader itself is a widely used backdoor and loader, this overlap highlights how criminal ecosystems increasingly share or rent servers to accelerate campaigns and obscure true ownership.

Collectively, the unified codebase, common crypto stack and strong support for Windows, Linux, ESXi and Proxmox environments show that LockBit 5.0 is engineered for broad enterprise impact rather than single‑platform hits.

With the Windows build receiving the heaviest obfuscation and anti‑forensic tooling, and mature Linux/ESXi variants optimized for virtual infrastructure, defenders need telemetry and hardening across endpoints, hypervisors and backup systems, not just traditional Windows workstations.
