LockBit 5.0 Resurfaces After Takedown: New Cross-Platform Ransomware Hits Linux and ESXi
Trend Micro has reported the emergence of a new iteration of one of the most notorious ransomware families — LockBit 5.0. Researchers describe it as “significantly more dangerous” than its predecessors, as it now possesses the capability to simultaneously target Windows, Linux, and VMware ESXi infrastructures.
An analysis of binaries obtained following recent attacks revealed that its developers have introduced major enhancements in stealth, anti-analysis techniques, and cross-platform execution. Researchers emphasize that the combination of heavy obfuscation and technical refinements across all builds makes LockBit 5.0 especially destructive.
In its Windows variant, the malware delivers its payload through DLL reflection and employs aggressive packing techniques that complicate reverse engineering. The Linux build supports command-line arguments, enabling attackers to specify particular directories and file types for encryption. The ESXi version is designed for virtualization platforms, halting virtual machines by encrypting their disk images. Additionally, all encrypted files are assigned a random 16-character extension, making recovery even more challenging.
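The one file-level observable the report gives defenders is the random 16-character extension appended to encrypted files. The following script is an added example for this article (not Trend Micro's analysis tooling and not code from the malware): a heuristic scanner that flags files whose final extension is exactly 16 characters long and has the high character entropy a random string would have, then counts how many files share each such extension. The alphanumeric character set, the entropy threshold, and the sample paths (including the ESXi datastore layout and the `.vmdk`/`.vmx` names) are assumptions constructed here; an optional allowlist lets you exclude any long extensions that are legitimate in your environment.

```python
"""Heuristic detector for files renamed with a random 16-character extension.

Added example for this article, not Trend Micro's or LockBit's code. The only
fact taken from the report is that encrypted files receive a random
16-character extension; the character set, entropy threshold and sample paths
below are constructed assumptions.
"""
import math
import os
import re
from collections import Counter

# Assumption: the random extension is drawn from letters and digits.
RANDOM_EXT_RE = re.compile(r"^[A-Za-z0-9]{16}$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a string of one repeated char)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def final_extension(path: str) -> str:
    """Return the last extension of path without the leading dot ('' if none)."""
    return os.path.splitext(path)[1].lstrip(".")


def is_suspicious_extension(path: str, min_entropy: float = 3.0,
                            allowlist: frozenset = frozenset()) -> bool:
    """True when the final extension is 16 alphanumeric chars that look random.

    A legitimate long extension is a word and repeats characters; 16 distinct
    random characters give log2(16) = 4.0 bits, so 3.0 is a loose threshold.
    """
    ext = final_extension(path)
    if ext in allowlist or not RANDOM_EXT_RE.match(ext):
        return False
    return shannon_entropy(ext) >= min_entropy


def scan_paths(paths, **kwargs) -> dict:
    """Flag suspicious paths and count how many share each extension.

    Many files sharing one unfamiliar 16-character extension is a stronger
    signal than a single oddly named file.
    """
    flagged = [p for p in paths if is_suspicious_extension(p, **kwargs)]
    per_ext = Counter(final_extension(p) for p in flagged)
    return {"flagged": flagged, "per_extension": dict(per_ext)}


def scan_directory(root: str, **kwargs) -> dict:
    """Walk root on disk and apply scan_paths to every file found."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return scan_paths(paths, **kwargs)


# Constructed sample listing: two ESXi datastore files renamed by the
# hypothetical encryptor, plus untouched files and a low-entropy decoy.
SAMPLE_PATHS = [
    "/vmfs/volumes/datastore1/db01/db01-flat.vmdk.q7Xk2mP9vL4rT8wZ",
    "/vmfs/volumes/datastore1/db01/db01.vmx.q7Xk2mP9vL4rT8wZ",
    "/vmfs/volumes/datastore1/web01/web01-flat.vmdk",
    "/home/app/report.xlsx",
    "/home/app/archive.tar.gz",
    "/home/app/notes.aaaaaaaaaaaaaaaa",  # 16 chars but zero entropy: not flagged
]

if __name__ == "__main__":
    result = scan_paths(SAMPLE_PATHS)
    for ext, count in result["per_extension"].items():
        print(f"extension .{ext}: {count} file(s)")
    for p in result["flagged"]:
        print("  ", p)
```

Run `scan_directory("/vmfs/volumes")` on a datastore (or any file share) from a scheduled job and alert when `per_extension` shows one extension with a count above a small threshold; a single hit on an unusual but valid filename is noise, while dozens of disk images sharing a fresh 16-character suffix is the pattern the report describes.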
Trend Micro stresses that this is not an incremental update but a full-scale evolution. The combination of modular architecture, covert encryption algorithms, and cross-platform reach allows LockBit 5.0 to cripple entire corporate infrastructures — from workstations and applications to hypervisors.
LockBit’s operators continue to pursue a strategy of simultaneous attacks across all critical network segments. The immediate release of three variants — Windows, Linux, and ESXi — underscores their intent to incapacitate the entire IT landscape of organizations, including databases, virtual environments, and application servers.
The launch of LockBit 5.0 comes just months after a large-scale law enforcement crackdown. In February, UK and US agencies seized servers, domains, and decryption keys as part of Operation Cronos, an effort to dismantle the group’s infrastructure. Yet the cybercriminals are attempting a comeback: their affiliate program has been relaunched, the platform rebuilt, and according to researchers, it is now more resilient to external disruption.
The LockBit model has always relied on a network of affiliates who conduct attacks using the core framework. In version 5.0, affiliate terms have been revised — likely to entice new operators after the losses inflicted by law enforcement.
For defenders, the challenge is heightened by LockBit 5.0’s ability to terminate security processes and delete backups. Its targeting of ESXi is particularly troubling, as the encryption of virtual machine backups severely undermines recovery efforts.
In a typical attack, adversaries can simultaneously compromise Windows, Linux, and ESXi, drastically shortening the window between initial intrusion and full-scale encryption. This leaves organizations with virtually no time for detection or response, while the attack surface spans every layer — from operating systems to virtualization and business applications.
Although Operation Cronos dealt a heavy blow to the gang’s infrastructure, Trend Micro confirms that all three variants of LockBit 5.0 are already in active use. Organizations must adopt multi-layered defenses across platforms, with special attention to virtualization environments. Experts warn that the latest version proves an unsettling truth: no operating system, and no platform, can be considered safe from modern ransomware campaigns.
The question remains whether the group can restore its reputation and regain its former scale of operations following February’s disruption. But one thing is clear: LockBit 5.0 marks the dawn of a new era of cross-platform, virtualization-focused ransomware — a threat every corporate IT department must reckon with.