LockBit 5.0 made its debut in late September 2025, marking a significant upgrade for one of the most notorious ransomware-as-a-service (RaaS) groups.
With roots tracing back to the ABCD ransomware in 2019, LockBit rapidly grew in sophistication, consistently updating its tactics despite facing aggressive law enforcement efforts and affiliate panel leaks.
The latest version is built on the existing v4.0 codebase, yet it introduces new methods designed to maximize evasion and destructive impact across diverse organizational networks.
Flashpoint security analysts identified LockBit 5.0’s modular architecture as a notable innovation in the ransomware’s ongoing evolution.
Their detailed technical analysis highlights how this malware continues to threaten critical infrastructure by leveraging advanced execution and obfuscation strategies.
Large-scale attacks have been observed against industries regardless of geographic or operational boundaries, sustaining LockBit’s reputation for stealth and resilience.
One standout advancement in LockBit 5.0 is its two-stage execution model, which divides the infection process into loader and payload phases.
The initial stage involves a stealthy loader built for persistence and anti-analysis, employing control flow obfuscation to dynamically calculate execution paths and complicate reverse engineering.
The loader dynamically resolves API calls using a hashing algorithm, then reloads fresh copies of core libraries—such as NTDLL and Kernel32—effectively bypassing hooks placed by security tools.
After creating a suspended instance of defrag.exe, it injects the decrypted payload through process hollowing, updating the instruction pointer with ZwWriteProcessMemory and resuming execution in memory, all while evading standard detection mechanisms.
// Process hollowing code snippet excerpt
HANDLE hProcess = CreateProcess("defrag.exe", ...);
ZwWriteProcessMemory(hProcess, ...); // Inject LockBit payload
ResumeThread(hProcess);
This technical breakdown demonstrates LockBit’s commitment to maximizing operational stealth and survivability.
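For defenders, the hollowing step described above leaves a correlatable trail in endpoint telemetry: defrag.exe started by an unusual parent, which then opens the child with memory-write rights. The following is an added detection sketch, not code from Flashpoint or from the malware; it assumes Sysmon-style process-create (Event ID 1) and process-access (Event ID 10) records, and the parent allowlist and sample events are constructed for illustration.

```python
# Assumption: parents that normally start defrag.exe; tune per environment.
EXPECTED_PARENTS = {"svchost.exe", "dfrgui.exe", "cmd.exe", "powershell.exe"}
PROCESS_VM_OPERATION = 0x0008   # Windows process access rights
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_hollowing_candidates(events, target="defrag.exe"):
    """Flag `target` processes started by an unexpected parent ('medium'),
    raised to 'high' when that same parent opened the child with write rights."""
    created = {}
    for ev in events:
        if ev["EventID"] == 1 and basename(ev["Image"]) == target:
            if basename(ev["ParentImage"]) not in EXPECTED_PARENTS:
                created[ev["ProcessGuid"]] = ev
    findings = {g: {"parent": ev["ParentImage"], "severity": "medium"}
                for g, ev in created.items()}
    for ev in events:
        if ev["EventID"] != 10 or ev["TargetProcessGUID"] not in created:
            continue
        child = created[ev["TargetProcessGUID"]]
        from_parent = ev["SourceProcessGUID"] == child["ParentProcessGuid"]
        access = int(ev["GrantedAccess"], 16)
        if from_parent and (access & WRITE_MASK) == WRITE_MASK:
            findings[ev["TargetProcessGUID"]]["severity"] = "high"
    return findings

# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\defrag.exe", "ProcessGuid": "A",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentProcessGuid": "S"},
    {"EventID": 1, "Image": r"C:\Windows\System32\defrag.exe", "ProcessGuid": "B",
     "ParentImage": r"C:\Users\Public\update.exe", "ParentProcessGuid": "P"},
    {"EventID": 10, "SourceProcessGUID": "P", "TargetProcessGUID": "B",
     "SourceImage": r"C:\Users\Public\update.exe",
     "TargetImage": r"C:\Windows\System32\defrag.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "Image": r"C:\Windows\System32\defrag.exe", "ProcessGuid": "C",
     "ParentImage": r"C:\Program Files\App\viewer.exe", "ParentProcessGuid": "V"},
    {"EventID": 10, "SourceProcessGUID": "V", "TargetProcessGUID": "C",
     "SourceImage": r"C:\Program Files\App\viewer.exe",
     "TargetImage": r"C:\Windows\System32\defrag.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for guid, hit in find_hollowing_candidates(SAMPLE_EVENTS).items():
        print(guid, hit["severity"], hit["parent"])
```

The parent allowlist is the main tuning point: a real deployment would baseline which processes legitimately launch defrag.exe before alerting on the medium tier.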
