LockBit 5.0 Ransomware Targets Windows, Linux, and ESXi Systems

Sarah Simpson, February 16, 2026

Key Takeaways

  • A new and highly advanced version of the LockBit ransomware, LockBit 5.0, was launched in September 2025.
  • This iteration targets Windows, Linux, and ESXi systems, including Proxmox virtualization platforms, making it a versatile threat to diverse IT infrastructures.
  • LockBit 5.0 employs sophisticated evasion techniques, faster encryption, and a double-extortion model, with a primary focus on the U.S. business sector.
  • Over 60 victims have been documented on LockBit’s data leak site since December 2025, affecting sectors like manufacturing, healthcare, and government.

LockBit 5.0 Emerges as a Multi-Platform Ransomware Threat

A formidable new variant of the LockBit ransomware, designated LockBit 5.0, began operations in September 2025, posing a significant global risk to organizations across various sectors. This updated version represents a substantial enhancement for one of the most prolific ransomware groups active today, expanding its reach to multiple operating systems and virtualization environments.

LockBit 5.0 is engineered to compromise Windows, Linux, and ESXi platforms, enabling it to attack a broad spectrum of enterprise infrastructure. Operating as a ransomware-as-a-service (RaaS) model, it employs a double-extortion strategy: encrypting victim files while simultaneously exfiltrating sensitive data to exert maximum pressure for ransom payments.

The primary target of LockBit 5.0 campaigns has been the U.S. business sector, with private companies accounting for approximately 67% of documented victims. Other affected industries include manufacturing, healthcare, education, financial services, and government agencies. Since December 2025, the LockBit data leak site has listed over 60 victim entries, underscoring the widespread impact of this latest campaign.

A particularly concerning feature of this version is its advertised compatibility with all iterations of Proxmox, an open-source virtualization platform that is gaining traction among enterprises as an alternative to proprietary hypervisors.

Technical Advancements and Evasion Tactics

Analysts at Acronis have observed that LockBit 5.0 builds upon its predecessor, version 4, by incorporating enhanced defense evasion capabilities and significantly faster encryption speeds. The Windows variant, in particular, showcases the most advanced anti-analysis techniques among all versions. These include sophisticated packing mechanisms, DLL unhooking, process hollowing, and patching of Event Tracing for Windows (ETW).

Furthermore, the malware is designed to clear all accessible system logs, effectively erasing forensic evidence of its activities. While the Linux and ESXi versions do not employ packing, they encrypt nearly all their internal strings to hinder detection and analysis.

Across all three platform versions, LockBit 5.0 uses the same encryption primitives: XChaCha20 for symmetric file encryption and Curve25519 for asymmetric key exchange. Each encrypted file receives a randomly generated 16-character extension, which complicates identification of affected files. The ransomware also runs multiple encryption threads, scaled to the number of processors on the host, to encrypt data rapidly across compromised environments.
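The random 16-character extension described above is itself a usable triage signal. The following script is an added example, not tooling from Acronis or the article's author: it flags files whose extension is 16 alphanumeric characters and whose leading bytes have the near-uniform byte distribution of ciphertext, and it builds a small constructed sample tree to run against. The entropy cutoff of 7.5 bits per byte is an assumed threshold.

```python
import math
import os
import re
import tempfile
from collections import Counter

# Extension shape reported for LockBit 5.0: 16 random alphanumeric characters.
RANDOM_EXT = re.compile(r"^[A-Za-z0-9]{16}$")
ENTROPY_THRESHOLD = 7.5  # assumed cutoff; uncompressed text is usually well below 6


def shannon_entropy(data: bytes) -> float:
    # Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform bytes.
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, sample_size: int = 4096) -> bool:
    # Both conditions must hold: random-looking extension AND high-entropy content,
    # so a renamed but unencrypted file does not trigger on the name alone.
    ext = os.path.splitext(path)[1].lstrip(".")
    if not RANDOM_EXT.match(ext):
        return False
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan_tree(root: str) -> list:
    # Walk the tree and return every path matching the heuristic, sorted for stable output.
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if looks_encrypted(full):
                hits.append(full)
    return sorted(hits)


def build_sample_tree() -> str:
    # Constructed sample: two "encrypted" files, one benign text file, and a decoy
    # with a random-looking extension but all-zero (low-entropy) content.
    root = tempfile.mkdtemp(prefix="lockbit_demo_")
    samples = {
        "report.docx.Q7xK2mN9pL4rT8vB": os.urandom(4096),
        "db.sqlite.aZ3bY8cX1dW6eV0f": os.urandom(4096),
        "notes.txt": b"quarterly planning notes\n" * 100,
        "zeros." + "A" * 16: b"\x00" * 4096,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root
```

Run `scan_tree` against a file share's root from a read-only triage host; a sudden jump in the hit count per directory is the signal, not any single file.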

Advanced Evasion and Persistence Mechanisms

The Windows version of LockBit 5.0 exhibits remarkably sophisticated evasion tactics, specifically designed to bypass security software and analysis tools. It employs Mixed Boolean-Arithmetic obfuscation, wrapped around return-address dependent hashing, to mask its true operational logic.

As is common among Russia-based malware families, LockBit 5.0 performs geolocation checks to avoid infecting systems in post-Soviet countries. Before initiating encryption, it compares the system language settings against known Russian language identifiers.

For persistence and stealth, the ransomware uses process hollowing, injecting its malicious code into the legitimate Windows defrag.exe utility. This allows it to execute under the guise of a trusted system process, making it harder to detect.

Upon completing encryption, LockBit 5.0 actively disables Event Tracing for Windows (ETW) monitoring by patching the EtwEventWrite function, replacing its first byte with a return instruction. Subsequently, it systematically clears all event logs using the EvtClearLog function, meticulously removing any traces of its presence and activities.
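Two defensive checks follow from the behaviour above. This is an added example, not code from the article or from Acronis: one function decides whether an `EtwEventWrite` prologue has had its first byte replaced with a `ret` (0xC3), with a Windows-only helper that reads the live prologue via ctypes; the other scans event records for the entries the Event Log service writes after a log is cleared, which survive the clearing because they are written afterwards. The event IDs 1102 (Security) and 104 (other channels) and the provider name are the standard Windows values; the event records are constructed samples.

```python
import ctypes
import sys

RET_OPCODE = 0xC3  # x86/x64 `ret`; the byte LockBit 5.0 writes over EtwEventWrite

# Written by the Event Log service itself when a log is cleared:
# 1102 in the Security log, 104 in System for the other channels.
LOG_CLEARED_IDS = {1102, 104}
EVENTLOG_PROVIDER = "Microsoft-Windows-Eventlog"


def etw_event_write_patched(prologue: bytes) -> bool:
    # A legitimate EtwEventWrite never begins with a bare `ret`.
    return len(prologue) > 0 and prologue[0] == RET_OPCODE


def read_etw_event_write_prologue(length: int = 8) -> bytes:
    # Read the live prologue of ntdll!EtwEventWrite in the current process (Windows only).
    if sys.platform != "win32":
        raise OSError("EtwEventWrite is only available on Windows")
    ntdll = ctypes.WinDLL("ntdll")
    addr = ctypes.cast(ntdll.EtwEventWrite, ctypes.c_void_p).value
    return ctypes.string_at(addr, length)


def find_log_clearing(events: list) -> list:
    # Each event is a dict with 'id', 'channel', 'provider' and 'message'.
    # Only the Event Log service's own "log cleared" records count; other
    # providers can reuse the same numeric IDs for unrelated events.
    return [e for e in events
            if e["id"] in LOG_CLEARED_IDS and e["provider"] == EVENTLOG_PROVIDER]


SAMPLE_EVENTS = [  # constructed records, not from a real host
    {"id": 4688, "channel": "Security", "provider": "Microsoft-Windows-Security-Auditing",
     "message": "A new process has been created: C:\\Windows\\System32\\defrag.exe"},
    {"id": 1102, "channel": "Security", "provider": EVENTLOG_PROVIDER,
     "message": "The audit log was cleared."},
    {"id": 104, "channel": "System", "provider": EVENTLOG_PROVIDER,
     "message": "The System log file was cleared."},
    {"id": 104, "channel": "System", "provider": EVENTLOG_PROVIDER,
     "message": "The Application log file was cleared."},
    {"id": 1102, "channel": "Application", "provider": "Contoso-App",
     "message": "Unrelated application event reusing ID 1102."},
]
```

Because the clearing records are written into a log that was just emptied, a cluster of 1102/104 events is worth alerting on even when everything before them is gone; forwarding logs off-host is what makes the pre-clear history recoverable.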

Infrastructure analysis has revealed that LockBit’s data leak site shares an IP address previously linked to SmokeLoader malware operations. This connection suggests potential infrastructure sharing or collaborative efforts between different cybercriminal syndicates, a prevalent practice within underground cybercrime ecosystems.

What You Should Do

  • Implement a multi-layered security strategy, including robust endpoint detection and response (EDR) solutions.
  • Maintain regular, isolated, and offline backups of critical data to ensure recovery options outside the network.
  • Segment networks to limit lateral movement of ransomware within the infrastructure.
  • Ensure all systems and software are kept up-to-date with the latest security patches.
  • Conduct continuous employee security awareness training to educate staff on phishing and social engineering tactics, which are common initial access vectors.
  • Monitor for unusual process behavior, unexpected file encryption activity, and any attempt to disable security logging mechanisms.
