{
  "name": "New LockBit 5.0 Targets Windows, Linux, ESXi",
  "slug": "new-lockbit-50-targets-windows-linux-esxi",
  "description": "Trend Research analyzed the latest version of LockBit ransomware, LockBit 5.0, which exhibits advanced obfuscation, anti-analysis techniques, and cross-platform capabilities for Windows, Linux, and ESXi systems. The Windows variant uses heavy obfuscation and packing, loading its payload through DLL reflection and implementing anti-analysis techniques. The Linux variant has similar functionality, with command-line options for targeting specific directories and file types. The ESXi variant specifically targets VMware virtualization infrastructure. All variants append randomized 16-character file extensions, avoid systems that use the Russian language, and clear event logs post-encryption. The existence of multiple variants confirms LockBit's continued cross-platform strategy, enabling simultaneous attacks across entire enterprise networks including virtualized environments.",
  "published": "2025-09-29T06:13:16+00:00",
  "created_at": "2025-09-29T06:13:16+00:00",
  "modified_at": "2025-09-29T06:53:22+00:00",
  "created_at_opencti": "2025-09-29T06:13:16+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-09-29",
    "anti-analysis",
    "cross-platform",
    "dll reflection",
    "encryption",
    "esxi",
    "lockbit 5.0",
    "obfuscation",
    "ransomware",
    "virtualization"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "98d8c7870c8e99ca6c8c25bb9ef79f71c25912fbb65698a9a6f22709b8ad34b6"
      },
      {
        "id": "",
        "name": "90b06f07eb75045ea3d4ba6577afc9b58078eafeb2cdd417e2a88d7ccf0c0273"
      },
      {
        "id": "",
        "name": "4dc06ecee904b9165fa699b026045c1b6408cc7061df3d2a7bc2b7b4f0879f4d"
      },
      {
        "id": "",
        "name": "7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82"
      },
      {
        "id": "",
        "name": "180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38"
      }
    ],
    "malware": [
      {
        "id": "c3a3b48c-6292-4f52-8163-b7a8c3a196af",
        "name": "LockBit 5.0",
        "slug": "lockbit-50"
      }
    ],
    "intrusion_sets": [
      {
        "id": "c090a8e5-3b6b-4f4c-b382-414d2658c36b",
        "name": "LockBit",
        "slug": "lockbit"
      }
    ],
    "attack_patterns": [
      {
        "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f",
        "name": "T1490"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Russian Federation"
      }
    ]
  },
  "external_refs": [
    "https://www.trendmicro.com/en_gb/research/25/i/lockbit-5-targets-windows-linux-esxi.html",
    "https://otx.alienvault.com/pulse/68da3f9ccd5b37095bdef492"
  ]
}