LockBit 5.0 Ransomware: New Variant Targets Windows Systems and More

Written by Alexander Chapellin | Sep 26, 2025 3:00:01 PM

When law enforcement's Operation Cronos took down much of LockBit's infrastructure in February 2024, many assumed the group was finished. It was not. The most active ransomware operation of recent years is back, roughly six years after it first appeared, with a new release it calls LockBit 5.0.

Researchers at Trend Micro have analyzed samples built for Windows, Linux and VMware ESXi, confirming that the group still invests in cross-platform tooling: the aim is not only to encrypt Windows endpoints but also the file servers and virtualization hosts that carry an organization's critical workloads.

The new variants, first seen in September 2025, are the next step in a strategy the group has followed since LockBit 2.0 in 2021: targeting several operating systems in the same intrusion. What is new is the effort spent on making each build harder to analyze and harder to stop.

Increasingly Sophisticated Cross-Platform Attacks

With LockBit 5.0 the developers have gone a step further and tailored each build to its platform. The new version adds anti-analysis measures aimed at evading detection and exposes operator options that control what gets encrypted, so that every compromised environment suffers maximum damage.

Windows Variant: Stealthier and More Aggressive

The Windows build arrives with a set of changes that make it harder to analyze and detect. Heavy packing and code obfuscation hide its logic from static analysis and slow down the reverse engineering needed to write signatures.

Rather than dropping a DLL to disk and loading it through the normal loader, it loads its payload by reflective DLL loading, mapping the module straight from memory so that no file-backed image is available to analysts or to image-load telemetry. It also tampers with the Event Tracing for Windows (ETW) API, the telemetry channel that many EDR sensors depend on, and terminates up to 63 security-related services so that nothing interrupts encryption.

The Windows build also ships a redesigned command-line help menu that is clearer and easier to use. That menu is what the affiliate running the binary sees, not the victim, so its purpose is to make the encryptor's options easier for operators to use.

[Image: LockBit 5.0 Windows variant]

Linux Variant: Just as Capable

The Linux build is no less capable. It reproduces much of the functionality of the Windows build and gives affiliates a consistent, easy-to-use set of command-line options to tailor an attack.

With it, operators choose exactly which directories or file types to encrypt and exclude whatever they are not interested in. The tool can also log its activity in real time, showing which files are being locked and which have been skipped, so the attacker can verify coverage as the run proceeds.

In short, ransomware on Linux is now as flexible and dangerous as on Windows, which makes LockBit 5.0 a serious threat to servers and critical enterprise systems.

[Image: LockBit 5.0 Linux variant]

ESXi Variant: A Direct Hit to Virtualization

LockBit 5.0 also ships a build specifically for VMware ESXi, one of the most widely used virtualization platforms in businesses of all sizes. The danger is concentration: one compromised ESXi host gives the attacker access to the datastores of every virtual machine it runs, so dozens or even hundreds of VMs can be encrypted in a single pass, taking whole business services down within minutes.

To make the attack more efficient, this build includes parameters specific to virtual machine encryption, letting the operator act quickly and selectively on an organization's most critical workloads.

If LockBit was already a nightmare, the ESXi build turns a compromise into a full outage scenario for any virtualized or private-cloud infrastructure.

[Image: LockBit 5.0 ESXi variant]

LockBit 5.0: A More Dangerous Evolution

LockBit 5.0 did not appear out of nowhere. It is a direct evolution of LockBit 4.0 and inherits much of that codebase: the two share nearly identical hashing routines and encryption logic, strong evidence that the same developers are behind the new variant.

Behaviour is also consistent across the three platform builds. Encrypted files receive a random 16-character extension, so there is no fixed suffix to match on, which hampers identification of the family by file name and complicates any manual recovery attempt.
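
Because the extension is generated per victim, there is no fixed string to search for; the hunt signal is a cluster of files that all end in the same 16-character alphanumeric suffix. The Python script below is an added example, not code from the article or from Trend Micro, and it runs the same way against a Windows share, a Linux file server or a mounted ESXi datastore. Its assumptions are labelled in the code: the extension is alphanumeric and mixes at least two character classes, an entropy floor rules out repetitive names, three files sharing one extension is the reporting threshold, and the sample tree it builds is constructed.

```python
import math
import os
import re
import tempfile
from collections import Counter

# The article states that LockBit 5.0 appends a random 16-character extension.
# Assumptions (not stated on the page): the characters are alphanumeric and a
# random draw almost always mixes at least two of lower/upper/digit.
EXT_RE = re.compile(r"^[A-Za-z0-9]{16}$")
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]")
MIN_ENTROPY = 3.0      # bits per character; 16 distinct characters score 4.0
MIN_FILES = 3          # illustrative threshold: files that must share one extension


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_lockbit_extension(filename: str) -> bool:
    """True when the final extension is 16 alphanumerics that look random."""
    base, dot, ext = filename.rpartition(".")
    if not dot or not base or not EXT_RE.match(ext):
        return False
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, ext))
    return classes >= 2 and shannon_entropy(ext) >= MIN_ENTROPY


def hunt(root: str, min_files: int = MIN_FILES) -> dict:
    """Walk root and group candidate files by extension.

    A single odd file is usually noise; many files sharing one random
    extension is the encryption signature. Returns {extension: [paths]}
    for extensions seen on at least min_files files.
    """
    by_ext: dict = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if looks_like_lockbit_extension(name):
                ext = name.rsplit(".", 1)[1]
                by_ext.setdefault(ext, []).append(os.path.join(dirpath, name))
    return {ext: sorted(paths) for ext, paths in by_ext.items() if len(paths) >= min_files}


def demo() -> dict:
    """Build a constructed sample tree (not real victim data) and hunt it."""
    root = tempfile.mkdtemp(prefix="lb5_hunt_")
    os.makedirs(os.path.join(root, "finance"))
    sample = [
        "finance/q1.xlsx.q7Kf2LpX9mW3vRzB",   # three files share one random extension
        "finance/q2.xlsx.q7Kf2LpX9mW3vRzB",
        "notes.txt.q7Kf2LpX9mW3vRzB",
        "readme.txt",                         # ordinary file, ignored
        "photo.jpg.aB3cD4eF5gH6iJ7k",         # lone candidate: below MIN_FILES, not reported
    ]
    for rel in sample:
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write("placeholder\n")
    return hunt(root)


if __name__ == "__main__":
    for ext, paths in demo().items():
        print(f"extension .{ext}: {len(paths)} files")
        for p in paths:
            print("  ", p)
```

The per-file test is deliberately loose; the grouping step is what makes the result actionable, so raise MIN_FILES on large shares and run the walk from the top of each datastore or share rather than a single directory.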

Another notable trait is that it refuses to run on systems whose language is set to Russian or that are geolocated in Russia. And once encryption finishes, it clears the event logs to cover its tracks and hinder forensic reconstruction of the intrusion.
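
Two of the behaviours described in this article, the mass stopping of security services by the Windows build and the clearing of event logs once encryption is done, both leave a trail in logs that Windows keeps by default: Service Control Manager event 7036 in the System log records every service state change, event 104 in the System log records a log being cleared, and event 1102 in the Security log records the audit log being cleared. The Python detector below is an added example, not the article's or Trend Micro's code. It runs over a constructed pipe-delimited export (timestamp|channel|event_id|message, an assumed format that a real export would have to be mapped to); the service names, timestamps and the 5-service / 60-second burst threshold are illustrative assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample export (not a real capture) in the form
# "timestamp|channel|event_id|message". Service names, timestamps and the
# thresholds below are illustrative assumptions, not values from the article.
SAMPLE_LOG = """\
2025-09-20T02:14:01|System|7036|The Windows Update service entered the running state.
2025-09-20T02:31:10|System|7036|The Microsoft Defender Antivirus Service service entered the stopped state.
2025-09-20T02:31:11|System|7036|The Microsoft Defender Antivirus Network Inspection Service service entered the stopped state.
2025-09-20T02:31:11|System|7036|The Volume Shadow Copy service entered the stopped state.
2025-09-20T02:31:12|System|7036|The SQL Server (MSSQLSERVER) service entered the stopped state.
2025-09-20T02:31:13|System|7036|The Backup Agent service entered the stopped state.
2025-09-20T02:31:14|System|7036|The Windows Backup service entered the stopped state.
2025-09-20T02:58:40|System|104|The System log file was cleared.
2025-09-20T02:58:41|Security|1102|The audit log was cleared.
"""

# Event ID 7036 (Service Control Manager) reports every state change; only the
# "stopped" messages matter here.
STOPPED_RE = re.compile(r"^The (?P<svc>.+) service entered the stopped state\.$")
LOG_CLEARED_IDS = {1102, 104}          # Security log cleared / other log cleared
BURST_COUNT = 5                        # distinct services stopped ...
BURST_WINDOW = timedelta(seconds=60)   # ... within this window (assumed threshold)


def parse(text: str) -> list:
    """Turn the pipe-delimited export into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, channel, eid, msg = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "channel": channel,
                       "id": int(eid), "msg": msg})
    return events


def service_stop_bursts(events: list, count: int = BURST_COUNT,
                        window: timedelta = BURST_WINDOW) -> list:
    """Sliding window over 'stopped state' events; one entry per burst."""
    stops = []
    for e in events:
        m = STOPPED_RE.match(e["msg"])
        if e["id"] == 7036 and m:
            stops.append((e["ts"], m.group("svc")))
    stops.sort()
    bursts, i = [], 0
    while i < len(stops):
        start, j, names = stops[i][0], i, []
        while j < len(stops) and stops[j][0] - start < window:
            names.append(stops[j][1])
            j += 1
        distinct = sorted(set(names))
        if len(distinct) >= count:
            bursts.append({"start": start, "end": stops[j - 1][0], "services": distinct})
            i = j            # skip past the burst just reported
        else:
            i += 1
    return bursts


def log_clears(events: list) -> list:
    return [e for e in events if e["id"] in LOG_CLEARED_IDS]


def assess(events: list) -> list:
    """Correlate: a service-kill burst followed by a log wipe is the ransomware pattern."""
    findings = []
    bursts = service_stop_bursts(events)
    clears = log_clears(events)
    for b in bursts:
        later = [c for c in clears if c["ts"] >= b["start"]]
        span = int((b["end"] - b["start"]).total_seconds())
        text = f"{len(b['services'])} services stopped within {span}s from {b['start'].isoformat()}"
        if later:
            text += "; event logs cleared afterwards (" + ", ".join(c["channel"] for c in later) + ")"
        findings.append({"severity": "critical" if later else "high", "summary": text})
    if not bursts:
        for c in clears:
            findings.append({"severity": "medium",
                             "summary": f"{c['channel']} log cleared at {c['ts'].isoformat()}"})
    return findings


if __name__ == "__main__":
    for f in assess(parse(SAMPLE_LOG)):
        print(f"[{f['severity'].upper()}] {f['summary']}")
```

Tune BURST_COUNT to the environment. The log clear arrives after encryption has already run, which is why the service-stop burst is the event worth paging on; the later clear only raises the severity of an alert that should already have fired. Forwarding the System and Security channels to a collector also matters here, since the clear destroys the local copy the detector would otherwise read.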

The technical improvements in LockBit 5.0 make it a far more dangerous threat than its predecessors. Its strong code obfuscation delays the development of detection signatures, while its ability to target virtualized environments amplifies its impact on businesses that rely on such infrastructures.

The fact that the group was able to regroup and launch a revamped version after Operation Cronos is proof of its resilience and organization.

For all these reasons, organizations must strengthen their security posture now. Key measures include:

  1. Proactive threat hunting for the behaviours described above, such as bursts of stopped security services, ETW tampering, files acquiring an unfamiliar 16-character extension and cleared event logs, before encryption completes.

  2. Endpoint and network protections that recognise these attack patterns in real time rather than relying on file signatures, which the heavy obfuscation is designed to defeat.

  3. Extra attention to virtualized environments, especially ESXi hosts, which have become one of the group's main targets.


At this point, specialized solutions like TecnetProtect, powered by Acronis technology, offer an extra layer of protection against ransomware. Its approach combines secure backups with active defense tools, enabling not only prevention of infections but also fast and reliable data recovery in the event of an attack.