LockBit 5.0 is back; targets Linux, Windows, and ESXi

The LockBit infrastructure was supposed to have been dismantled with Operation Cronos. Trend Micro is now sounding the alarm because a new variant, LockBit 5.0, has been discovered. The malware attacks systems running Linux, Windows, and VMware ESXi instances. Here is an overview.

LockBit review

LockBit is a Russian-speaking group that operates ransomware-as-a-service (RaaS). In this model, the ransomware and infrastructure are made available to other cybercriminals, known as affiliates, who then carry out the attacks. This allows LockBit to scale its operations and reach a larger number of victims. LockBit also uses double extortion tactics, publishing stolen data on its leak blog if the ransom is not paid.

The group first became known in 2019 through malware called ABCD. Since 2020, the ransomware has been distributed under the name LockBit, together with an affiliate program. Security researchers now refer to LockBit 2.0 and LockBit 3.0 to distinguish the individual versions of the ransomware.

The group is blamed for numerous cyber incidents (the linked Wikipedia article names victims, and there are also numerous posts about victims of the group here in the blog). Individual members of the group have already been indicted (in absentia) by the US Department of Justice. A bounty of $10 million has been placed on Russian hacker Mikhail Pavlovich Matveev.

In February 2024, it was announced that law enforcement agencies, including the US FBI, had dismantled the LockBit group's infrastructure (see Operation Cronos: FBI & Co. seized infrastructure of the Lockbit ransomware gang). This should have put an end to their activities.

But as I reported earlier, the group subsequently reopened three of its darknet sites and was working on getting its infrastructure back up and running. Furthermore, in May 2025, it was announced that the LockBit group's onion website had been hacked (see LockBit Onion website has been hacked). This was the website through which the LockBit group conducted negotiations with its victims. The hacker allegedly extracted and leaked the database, which contained Bitcoin wallet addresses, private keys, chat logs of the group, and information about their partners.

LockBit 5.0 is back and targeting Linux, Windows, and ESXi

Trend Micro is now sounding the alarm because there is a new ransomware variant called LockBit 5.0. According to Trend Micro, this variant is significantly more dangerous than previous versions, because it can attack Windows, Linux, and VMware ESXi environments simultaneously. In an article published on September 25, 2025, Trend Micro released its latest findings on LockBit 5.0. Here are the key points:

  • The Windows variant of LockBit 5.0 uses strong obfuscation, loads its payload via DLL reflection, and implements anti-analysis techniques.
  • The Linux variant has similar features, with command line options for selecting specific directories and file types.
  • The ESXi variant specifically targets VMware's ESXi virtualization infrastructure and is designed to encrypt virtual machines.
  • The new variants use random 16-character file extensions, skip systems whose language is set to Russian, and delete event logs after encryption.
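Two of the behaviours listed above leave traces a defender can look for: a burst of files renamed to a random 16-character extension, and the clearing of Windows event logs once encryption has finished. The following Python snippet is an added example, not code from the post or from Trend Micro's report; it runs a simple heuristic over a constructed directory listing and a constructed set of event records. The 16-character length comes from the post; the alphanumeric and entropy criteria, the 50 % file ratio, and the choice of event IDs 1102 (Security log cleared) and 104 (System log cleared) are this example's own assumptions.

```python
"""Heuristic, defender-side checks for two behaviours the post attributes to
LockBit 5.0: many files renamed to a random 16-character extension, and the
clearing of Windows event logs after encryption.  All sample data is constructed."""
import math
from collections import Counter

# Constructed sample directory listing: a few ordinary files and several that
# carry a random 16-character extension (placeholder names, not real IoCs).
SAMPLE_LISTING = [
    "budget_2025.xlsx",
    "notes.txt",
    "report.docx.q8Zk2mR7tY3wLp0N",
    "archive.zip.Xb19fKd3QwE7Lm2S",
    "photo.jpg.n4Hj8Vt2Ry6Gk1Pz",
    "db_backup.bak.T7wQ2zLm9Xc4Vb1K",
    "readme.md",
]

# Constructed sample Windows event records (channel, event id, message).
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "Message": "An account was successfully logged on."},
    {"Channel": "Security", "EventID": 1102, "Message": "The audit log was cleared."},
    {"Channel": "System", "EventID": 104, "Message": "The System log file was cleared."},
    {"Channel": "Application", "EventID": 1000, "Message": "Faulting application name: example.exe"},
]

# (channel, event id) pairs that record a log being cleared; assumption of this example.
LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


def shannon_entropy(text):
    """Bits of entropy per character; 16 distinct characters give exactly 4.0."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def has_random_extension(filename, length=16, min_entropy=3.0):
    """True if the final extension is exactly `length` alphanumeric characters
    with high character entropy.  The length is the figure given in the post;
    the alphanumeric and entropy criteria are this example's assumptions."""
    if "." not in filename:
        return False
    ext = filename.rsplit(".", 1)[1]
    return len(ext) == length and ext.isalnum() and shannon_entropy(ext) >= min_entropy


def suspicious_files(listing):
    """Return the entries of a directory listing that look renamed by the ransomware."""
    return [name for name in listing if has_random_extension(name)]


def log_clear_events(events):
    """Return the event records that indicate an event log was cleared."""
    return [e for e in events if (e["Channel"], e["EventID"]) in LOG_CLEAR_EVENTS]


def assess(listing, events, file_ratio=0.5):
    """Combine both signals into a list of human-readable findings.
    An empty list means neither heuristic fired."""
    hits = suspicious_files(listing)
    cleared = log_clear_events(events)
    ratio = len(hits) / len(listing) if listing else 0.0
    findings = []
    if ratio >= file_ratio:
        findings.append(f"{len(hits)}/{len(listing)} files carry a random 16-character extension")
    if cleared:
        ids = ", ".join(f"{e['Channel']}/{e['EventID']}" for e in cleared)
        findings.append(f"event log clearing observed: {ids}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_LISTING, SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The entropy threshold keeps ordinary long extensions such as repeated or dictionary-like strings from matching, while a genuinely random 16-character suffix scores close to the 4.0-bit maximum. In practice the listing would come from a file-integrity or EDR feed and the events from the Windows event log, and the log-clearing signal alone deserves attention regardless of the file ratio.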

The existence of Windows, Linux, and ESXi variants confirms LockBit's continued cross-platform strategy, which enables simultaneous attacks on entire corporate networks, including virtualized environments. With strong obfuscation and technical improvements across all variants, LockBit 5.0 is significantly more dangerous than its predecessors. Trend Micro provides further details in its article and also lists the specific indicators of compromise (IoCs) of an infection. The Register has picked up on this here.

Similar articles:
Russian-Canadian lockbit affiliate arrested in Canada
LockBit ransomware group back? And new findings
FBI recovers 7,000 LockBit keys; ransomware victims could contact the FBI
Operation Cronos: FBI & Co. seized infrastructure of the Lockbit ransomware gang
Lockbit attackers abuse Windows Defender to load Cobalt Strike
Shimano is a victim of the Lockbit 3.0 ransomware (Nov. 2023)
Accenture victim of Lockbit ransomware
Nagoya port (Japan) victim of Lockbit 3.0
LockBit Onion website has been hacked
