New LockBit 5.0 Targets Windows, Linux, ESXi
Essential information
- Published: 29/09/2025 08:13
- Modified: 29/09/2025 08:53
- Tags: 2025-09-29, anti-analysis, cross-platform, dll reflection, encryption, esxi, lockbit 5.0, obfuscation, ransomware, virtualization
- Related entities: 5 observables, 1 intrusion sets (apt), 9 techniques (mitre), 1 malware, 1 others
Description
Trend Research analyzed the latest version of LockBit ransomware, LockBit 5.0, which exhibits advanced obfuscation, anti-analysis techniques, and cross-platform capabilities for Windows, Linux, and ESXi systems. The Windows variant uses heavy obfuscation and packing, loads its payload through DLL reflection, and implements anti-analysis techniques. The Linux variant has similar functionality, with command-line options for targeting specific directories and file types. The ESXi variant specifically targets VMware virtualization infrastructure. All variants use randomized 16-character file extensions, avoid Russian-language systems, and clear event logs after encryption. The existence of multiple variants confirms LockBit's continued cross-platform strategy, which enables simultaneous attacks across entire enterprise networks, including virtualized environments.