LockBit 5.0 Ransomware: New Attacks on Windows, Linux, and ESXi

After several months of silence following the blow dealt by Operation Cronos in early 2024, LockBit—one of the most active and dangerous ransomware groups in the world—is back in the game. And it's not making a quiet return.

Despite authorities managing to dismantle part of its infrastructure and slow its activity, the group led by the notorious LockBitSupp has managed to reorganize, rebuild its operation from scratch, and launch a new and more advanced version: LockBit 5.0, also known internally as "ChuongDong."

This new variant marks a significant step forward in the evolution of ransomware. With more sophisticated techniques and the ability to target multiple platforms, LockBit 5.0 is aimed squarely at organizations running Windows, Linux, and ESXi systems.

A Strong Comeback in September 2025

In September 2025, LockBit proved its comeback was more than just talk. In just a few weeks, the new campaign managed to compromise a dozen organizations across Western Europe, the Americas, and Asia.

Half of these attacks were carried out using the newly released LockBit 5.0 variant, while the rest used LockBit Black, a still-active earlier version.

Most concerning: nearly 80% of the attacks affected Windows systems, which is no surprise given their widespread use in corporate environments. The other 20% targeted ESXi and Linux systems, demonstrating LockBit’s continued technical expansion and flexibility to adapt to diverse environments.

What’s Going On with the Ransomware-as-a-Service Model?

According to researchers at Check Point, this wave of attacks is a clear sign that LockBit’s Ransomware-as-a-Service (RaaS) model is still very much alive. In fact, what we’re seeing is a successful reorganization of its affiliate network.

In early September, LockBitSupp reappeared on underground forums announcing their return—this time with new rules: to join the program and gain access to the control panel and encryption tools, new affiliates must pay a $500 deposit in Bitcoin.

This move not only filters for serious candidates but also helps fund the group’s infrastructure. And it’s working: within weeks, the ransomware was operating with renewed strength and effectiveness.

What Makes LockBit 5.0 Different?

LockBit 5.0 isn’t just a flashy new version—it comes packed with technical upgrades that make it more dangerous, efficient, and harder to detect than ever before.

One of the most significant updates is its cross-platform compatibility. It now includes versions specifically designed to target Windows systems, Linux, and ESXi servers, allowing it to easily adapt to various types of enterprise infrastructures.

Faster Encryption = Less Time to React

A major improvement is the optimization of its encryption routines. LockBit 5.0 can encrypt files at a much faster rate than its previous versions, which means security teams have less time to detect and stop the attack before serious damage is done. This express encryption renders many traditional security solutions unable to respond in time.

Harder to Detect: Evasion and Anti-Analysis

LockBit 5.0 has also enhanced its ability to evade detection mechanisms, especially those based on signatures. It now uses random 16-character file extensions, making it harder for antivirus software and forensic tools to recognize clear patterns.

Additionally, it includes more advanced anti-analysis features that block reverse engineering attempts and make it significantly harder for researchers to dissect the malware. In short, understanding how LockBit 5.0 works is now much more complex, delaying defenses and extending its window of activity.

New Ransom Notes, Same Psychological Pressure

Each LockBit 5.0 attack leaves behind an updated ransom note clearly identifying the variant name. These notes include personalized links for negotiating with the attackers and a strict deadline: 30 days to pay, or the stolen data will be published.

This kind of pressure isn’t just about extracting money quickly—it also corners organizations from the outset, exploiting fears of reputational damage and legal penalties from data breaches.

Read more: Ransomware 2025: Threats, Costs, and How to Defend Your Business

What Can Companies Do to Protect Themselves from LockBit 5.0?

With LockBit 5.0 actively attacking and demonstrating increasingly sophisticated capabilities, strengthening cybersecurity is no longer optional—it’s an urgent necessity. For many organizations, especially those without large IT teams, having a clear defense plan can mean the difference between a minor disruption and a full-blown operational disaster.

Here are some key actions every company should consider:

1. Regular Updates: Keeping all systems and software up to date helps close vulnerabilities that attackers commonly exploit.
   
   
2. Effective Backups: Perform frequent backups, store them offline or in the cloud with restricted access, and regularly verify their integrity. This is essential for quick recovery.
   
   
3. Network Segmentation: Limiting permissions and dividing the network into independent segments can slow down ransomware’s spread within the infrastructure.
   
   
4. Staff Training: Most attacks begin with human error. Investing in cybersecurity awareness and training can prevent many incidents.
   
   
5. Early Detection Tools: Implementing solutions like EDR (Endpoint Detection and Response) or XDR can help detect abnormal behavior before irreversible damage occurs.
   
   
6. Incident Response Plans: Having a clear action protocol allows for quick reaction, minimizes losses, and ensures compliance with legal and regulatory requirements in case of an attack.

Solutions Like TecnetProtect and Managed Cybersecurity Services That Make a Difference

Beyond best practices, partnering with reliable tech providers can significantly raise protection levels. For example, at TecnetOne, we offer an ecosystem of solutions designed to proactively tackle threats like LockBit 5.0:

1. TecnetProtect, powered by Acronis' leading technology, delivers a comprehensive data protection solution with backup, disaster recovery, and active ransomware defense. It’s ideal for organizations seeking a modern, automated, and highly effective way to keep their systems and files safe.
   
   
2. SOC as a Service from TecnetOne enables companies to benefit from 24/7 monitoring, threat analysis, and early alerts—without the need to build their own infrastructure. This service shortens response times and improves overall security posture.
   
   
3. In the event of an attack, TecnetOne’s incident response service helps contain, investigate, and remediate the issue quickly, minimizing operational impact and reducing downtime.
   
   

These solutions are not only designed to prevent attacks but also to ensure operational continuity and fast recovery—two critical elements in the face of modern ransomware.

The return of LockBit 5.0 is a clear signal that ransomware groups don’t disappear easily. Even when law enforcement disrupts their operations, many of these groups have the ability to reorganize, learn from their mistakes, and come back stronger.

The key for organizations is to stay vigilant. Being prepared, investing in cybersecurity, and training personnel is more crucial than ever. And with the backing of experts like those at TecnetOne, the chances of withstanding and recovering from an attack increase significantly.