New LockBit 5.0 Targets Windows, Linux, ESXi
Trend Micro Research has identified LockBit 5.0 in the wild with Windows, Linux, and ESXi variants, featuring heavy obfuscation, cross-platform targeting, and improved evasion techniques.

Trend Micro Research has identified and analyzed the source binaries of a new LockBit version in the wild, marking the latest evolution of the ransomware group following the February 2024 law enforcement operation (Operation Cronos) that disrupted their infrastructure. In early September, the LockBit ransomware group reportedly resurfaced for their sixth anniversary, announcing the release of "LockBit 5.0". Trend Research discovered a binary available in the wild and began analysis, which initially identified a Windows variant and then confirmed the existence of Linux and ESXi variants of LockBit 5.0.
The Windows variant uses heavy obfuscation and packing, loading its payload through DLL reflection while implementing anti-analysis techniques like ETW patching and terminating security services. The Linux variant maintains similar functionality with command-line options for targeting specific directories and file types. The ESXi variant specifically targets VMware virtualization environments, designed to encrypt entire virtual machine infrastructures in a single attack. This cross-platform strategy has been a hallmark of LockBit since version 2.0 in 2021.
All variants share key behaviors: randomized 16-character file extensions, avoidance of Russian-language systems via geolocation checks, and event log clearing post-encryption. The 5.0 version also shares code characteristics with LockBit 4.0, including identical hashing algorithms and API resolution methods, confirming this is an evolution of the original codebase rather than an imitation. The Windows version features an improved, cleanly formatted command-line interface that describes the various options and settings for executing the ransomware, including basic options such as specifying directories to encrypt or bypass, operation modes such as invisible mode and verbose mode, ransom note settings, encryption settings, filtering options, and usage examples.
Upon execution, the ransomware generates its signature ransom note and directs victims to a dedicated leak site. The infrastructure maintains LockBit's established victim interaction model, featuring a streamlined "Chat with Support" section for ransom negotiations. The encryption process appends randomized 16-character extensions to files, complicating recovery efforts. Unlike some ransomware families that append a recognizable infection marker, LockBit 5.0 omits such markers at the end of files; however, consistent patterns were observed, including the original file size embedded in the encrypted file's footer.
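The randomized 16-character extension described above is the one post-encryption artifact a responder can hunt for on a file share without knowing the footer layout, which the report does not document. The following is an added triage example written for this summary; it is not Trend Micro's code and is not derived from the LockBit binaries. It assumes (the report does not say) that the random extension is drawn from ASCII letters and digits, and it uses a constructed sample tree so it runs offline:

```python
import os
import re
import tempfile
from collections import Counter

# Assumption (not stated in the report): the randomized 16-character extension
# consists of ASCII letters and digits. Other alphabets are not flagged.
RANDOM_EXT_RE = re.compile(r"^[A-Za-z0-9]{16}$")


def has_random_extension(filename: str) -> bool:
    """True if the file's last extension looks like a 16-character random string.

    Heuristic only: the extension must contain both letters and digits so that an
    ordinary 16-letter word used as an extension is not flagged. That mixed-class
    requirement is an assumption of this example, not a finding of the report.
    """
    base = os.path.basename(filename)
    if "." not in base:
        return False
    ext = base.rsplit(".", 1)[1]
    if not RANDOM_EXT_RE.match(ext):
        return False
    return any(c.isdigit() for c in ext) and any(c.isalpha() for c in ext)


def scan_tree(root: str) -> list[str]:
    """Walk root and return sorted paths whose names match the heuristic."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if has_random_extension(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def summarize_by_directory(paths: list[str]) -> dict[str, int]:
    """Count flagged files per directory; many hits in one place is a triage priority."""
    return dict(Counter(os.path.dirname(p) for p in paths))


def build_sample_tree(root: str) -> None:
    """Create a constructed sample tree: two renamed files and two untouched ones.

    The extension value below is invented for this example; it is not an observed IoC.
    """
    os.makedirs(os.path.join(root, "finance"), exist_ok=True)
    for rel in ("finance/q3.xlsx.Ab3kLp9QzX1mN7vR",
                "finance/notes.txt.Ab3kLp9QzX1mN7vR",
                "finance/readme.txt",
                "photo.jpeg"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"constructed sample content")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = scan_tree(tmp)
        for path in hits:
            print("flagged:", os.path.relpath(path, tmp))
        for directory, count in summarize_by_directory(hits).items():
            print(f"{os.path.relpath(directory, tmp)}: {count} flagged file(s)")
```

Point the scan at a mounted snapshot or offline copy rather than a live share, so the triage itself does not touch timestamps on evidence. The per-directory summary is the useful output: a burst of hits clustered under one path corroborates the encryption time window from file modification times and from the event-log clearing the report describes.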
The existence of Windows, Linux, and ESXi variants confirms LockBit's continued cross-platform strategy, enabling simultaneous attacks across entire enterprise networks including virtualized environments. Heavy obfuscation and technical improvements across all variants make LockBit 5.0 significantly more dangerous than its predecessors. Trend Vision One detects and blocks the specific IoCs mentioned in the blog, and offers customers access to hunting queries, threat insights, and intelligence reports related to LockBit 5.0.
This development underscores the resilience of the LockBit group despite law enforcement takedowns, and highlights the ongoing threat posed by sophisticated ransomware-as-a-service operations. Organizations are advised to ensure robust backup strategies, patch management, and endpoint detection capabilities to defend against these evolving threats.