New LockBit 5.0 Targets Windows, Linux, ESXi

Sept. 29, 2025, 8:53 a.m.

Description

Trend Research analyzed the latest version of LockBit ransomware, LockBit 5.0, which exhibits advanced obfuscation, anti-analysis techniques, and cross-platform capabilities for Windows, Linux, and ESXi systems. The Windows variant uses heavy obfuscation and packing, loads its payload through DLL reflection, and implements anti-analysis techniques. The Linux variant has similar functionality, with command-line options for targeting specific directories and file types. The ESXi variant specifically targets VMware virtualization infrastructure. All variants use randomized 16-character file extensions, avoid Russian-language systems, and clear event logs after encryption. The existence of multiple variants confirms LockBit's continued cross-platform strategy, which enables simultaneous attacks across entire enterprise networks, including virtualized environments.

Date

  • Created: Sept. 29, 2025, 8:13 a.m.
  • Published: Sept. 29, 2025, 8:13 a.m.
  • Modified: Sept. 29, 2025, 8:53 a.m.

Indicators


Attack Patterns

Additional Information

  • Russian Federation