LockBit 5.0 is a sophisticated ransomware variant that targets Windows, Linux, and VMware ESXi systems simultaneously.
This latest version represents a significant evolution in the cyber threat landscape, demonstrating how ransomware operators are refining their tools to maximize damage across diverse enterprise environments.
LockBit operates on a “Ransomware-as-a-Service” (RaaS) model, where a core team maintains the malicious software while affiliates carry out the attacks.
This division of labor has turned ransomware into an industrial-scale business. Intelligence suggests the group is moving toward a “cartel-style” consolidation, potentially aligning with other threats like DragonForce and Qilin to pool resources and infrastructure.
The findings summarised here come from a three-part blog series analysing 19 samples of the cross-platform LockBit 5.0 ransomware payload.
Technical Analysis: Targeting ESXi
The most alarming aspect of this release is its specialized focus on VMware ESXi, the hypervisor many organisations use to host their virtual servers.
By targeting the hypervisor itself rather than just individual computers, attackers can disrupt dozens of virtual machines (VMs) at once.
The LockBit 5.0 ESXi variant follows a strict, automated process to ensure maximum impact:
- Validation: The malware first checks that it is running on a genuine ESXi host, using commands such as vmware -v.
- Virtual Machine Shutdown: Files that are still open by a running VM cannot be encrypted cleanly, so the malware uses the built-in vim-cmd tool to list all running VMs and forcibly power them off.
- Targeted Encryption: Once the machines are down, the ransomware encrypts the files that make up each VM: virtual hard disks (.vmdk), configuration files (.vmx), and snapshot state (.vmsn).
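The enumerate-then-power-off sequence above is noisy on the host itself: ESXi writes every command run in the ESXi shell to /var/log/shell.log. As an added example (not code from the analysed samples or from the blog series), the hunting script below parses constructed shell.log lines and flags any shell session that issues a burst of vim-cmd vmsvc/power.off commands within a short window, annotating whether the same session also enumerated VMs and ran vmware -v. The sample log, the 60-second window and the threshold of three power-offs are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of ESXi /var/log/shell.log lines (not real telemetry).
# Session 2098720 mirrors the sequence described in the article; session
# 2100001 is an admin powering off a single VM hours later.
SAMPLE_SHELL_LOG = """\
2025-09-28T02:14:05Z shell[2098720]: [root]: vmware -v
2025-09-28T02:14:09Z shell[2098720]: [root]: vim-cmd vmsvc/getallvms
2025-09-28T02:14:12Z shell[2098720]: [root]: vim-cmd vmsvc/power.off 1
2025-09-28T02:14:13Z shell[2098720]: [root]: vim-cmd vmsvc/power.off 2
2025-09-28T02:14:14Z shell[2098720]: [root]: vim-cmd vmsvc/power.off 5
2025-09-28T02:14:15Z shell[2098720]: [root]: vim-cmd vmsvc/power.off 7
2025-09-28T02:14:16Z shell[2098720]: [root]: vim-cmd vmsvc/power.off 9
2025-09-28T02:15:40Z shell[2098720]: [root]: esxcli system version get
2025-09-28T09:00:01Z shell[2100001]: [root]: vim-cmd vmsvc/getallvms
2025-09-28T09:05:22Z shell[2100001]: [root]: vim-cmd vmsvc/power.off 3
"""

# shell.log format: "<ISO timestamp>Z shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+shell\[(?P<pid>\d+)\]:\s+"
    r"\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)


def parse_shell_log(text):
    """Turn shell.log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "session": m["pid"],      # shell pid doubles as a session id
            "user": m["user"],
            "cmd": m["cmd"].strip(),
        })
    return events


def find_mass_poweroff(events, window=timedelta(seconds=60), threshold=3):
    """Flag sessions issuing >= threshold power.off commands inside `window`.

    The window is slid over each session's power-off timestamps; the largest
    burst is reported together with the recon commands seen in that session.
    """
    by_session = {}
    for e in events:
        by_session.setdefault(e["session"], []).append(e)

    alerts = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        cmds = [e["cmd"] for e in evs]
        offs = [e["ts"] for e in evs if "vim-cmd vmsvc/power.off" in e["cmd"]]

        best, start = 0, None
        for i, t0 in enumerate(offs):
            n = sum(1 for t in offs[i:] if t - t0 <= window)
            if n > best:
                best, start = n, t0

        if best >= threshold:
            alerts.append({
                "session": session,
                "user": evs[0]["user"],
                "first_poweroff": start.isoformat(),
                "poweroff_count": best,
                "enumerated_vms": any("vmsvc/getallvms" in c for c in cmds),
                "checked_version": any(c.startswith("vmware -v") for c in cmds),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_mass_poweroff(parse_shell_log(SAMPLE_SHELL_LOG)):
        print(alert)
```

Two caveats when running this against real hosts: shell.log only captures commands entered through the ESXi shell, so correlate with the VM power-state tasks recorded in hostd.log as well, and a legitimate maintenance window will also produce a burst of power-offs, so the threshold and an allowlist of change-window sessions need tuning per environment.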
Faster, Stealthier Encryption
LockBit 5.0 has replaced AES with ChaCha20, a stream cipher known for its simplicity and for running fast in pure software, without relying on hardware AES acceleration.
This switch allows the malware to process massive amounts of data quickly, a crucial requirement when encrypting terabytes of server data.
The ESXi-targeting build has been observed labeled as “LINUX Locker v1.06”, which may indicate an unchanged build carried over from a prior release or a version-counter oversight by the operator.
The malware also features a “Fast Mode” that encrypts only a small percentage of each file, enough to render it unusable within seconds, before a full encryption pass begins.
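Partial encryption leaves a distinctive footprint on disk: the head of the file becomes ciphertext while the remainder keeps its original, usually low-entropy, structure. As an added example (not code from the analysed samples or the blog series), the triage script below measures Shannon entropy per 4 KiB chunk and classifies a file as clean, fully encrypted, or encrypted only at the head. The sample is a constructed stand-in for an ESXi .vmdk descriptor file padded with unused space; the fast-mode simulation overwrites the head with pseudo-random bytes, which stand in for ChaCha20 output since keystream-encrypted data has the same entropy profile. The 12.5% head fraction and the entropy thresholds are assumptions for illustration.

```python
import math
import random

CHUNK = 4096
HIGH_ENTROPY = 7.5   # bits/byte typical of ciphertext or compressed data
DESCRIPTOR_MAGIC = b"# Disk DescriptorFile"   # first line of an ESXi .vmdk descriptor


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_entropies(data, chunk=CHUNK):
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data):
    """Return (label, fraction_high_entropy).

    'partial_head' means a leading run of high-entropy chunks is followed only
    by low-entropy chunks, the signature of an encrypt-the-first-N-percent pass.
    """
    high = [e >= HIGH_ENTROPY for e in chunk_entropies(data)]
    if not high:
        return ("empty", 0.0)
    frac = sum(high) / len(high)
    if all(high):
        return ("fully_encrypted", 1.0)
    if not any(high):
        return ("clean", 0.0)
    first_low = high.index(False)
    if first_low > 0 and not any(high[first_low:]):
        return ("partial_head", first_low / len(high))
    return ("mixed", frac)


def looks_like_descriptor(data):
    """Second signal: a descriptor whose first line was encrypted loses its magic."""
    return data.startswith(DESCRIPTOR_MAGIC)


def build_sample(size=64 * 1024):
    """Constructed stand-in for a .vmdk descriptor: text header, then unused zeros."""
    header = (
        b"# Disk DescriptorFile\nversion=1\nencoding=\"UTF-8\"\n"
        b"CID=fffffffe\nparentCID=ffffffff\ncreateType=\"vmfs\"\n"
        b"RW 2097152 VMFS \"vm01-flat.vmdk\"\n"
    )
    return header + b"\x00" * (size - len(header))


def simulate_fast_mode(data, fraction=0.125, seed=7):
    """Overwrite the first `fraction` of the file with pseudo-random bytes.

    Stand-in for a stream-cipher keystream (this is NOT an encryptor); the
    entropy signature is the same, which is all the triage relies on.
    """
    head_len = int(len(data) * fraction)
    return random.Random(seed).randbytes(head_len) + data[head_len:]


if __name__ == "__main__":
    clean = build_sample()
    for name, blob in [("clean", clean),
                       ("fast-mode", simulate_fast_mode(clean)),
                       ("full", simulate_fast_mode(clean, 1.0))]:
        print(name, classify(blob), "descriptor magic:", looks_like_descriptor(blob))
```

On real datastores the heuristic needs a baseline: a flat .vmdk holding compressed or already-encrypted guest data is high-entropy throughout and will look like a fully encrypted file, so compare against known-good snapshots of the same VM and treat a missing descriptor magic or a renamed extension as the stronger indicator.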
The malware is built to avoid detection: at the time of analysis, only one of 65 security engines on VirusTotal flagged the sample.
It employs several anti-analysis tricks, such as checking for debugging tools and deleting itself after execution to limit the traces left on disk.
This cross-platform compatibility and focus on speed highlight the need for defenders to secure not just their Windows endpoints but their entire virtualization infrastructure. On ESXi that means, at a minimum, restricting SSH and ESXi shell access, monitoring shell.log and hostd.log for unexpected VM enumeration and mass power-off activity, and keeping offline, tested backups of VM datastores.
