LockBit 5.0 Ransomware Targets Windows, Linux, and ESXi Systems
Key Takeaways
- A new and highly advanced version of the LockBit ransomware, LockBit 5.0, was launched in September 2025.
- This iteration targets Windows, Linux, and ESXi systems, including Proxmox virtualization platforms, making it a versatile threat to diverse IT infrastructures.
- LockBit 5.0 employs sophisticated evasion techniques, faster encryption, and a double-extortion model, with a primary focus on the U.S. business sector.
- Over 60 victims have been documented on LockBit’s data leak site since December 2025, affecting sectors like manufacturing, healthcare, and government.
LockBit 5.0 Emerges as a Multi-Platform Ransomware Threat
A formidable new variant of the LockBit ransomware, designated LockBit 5.0, began operations in September 2025, posing a significant global risk to organizations across various sectors. This updated version represents a substantial enhancement for one of the most prolific ransomware groups active today, expanding its reach to multiple operating systems and virtualization environments.
LockBit 5.0 is engineered to compromise Windows, Linux, and ESXi platforms, enabling it to attack a broad spectrum of enterprise infrastructure. Operating as a ransomware-as-a-service (RaaS) model, it employs a double-extortion strategy: encrypting victim files while simultaneously exfiltrating sensitive data to exert maximum pressure for ransom payments.
The primary target of LockBit 5.0 campaigns has been the U.S. business sector, with private companies accounting for approximately 67% of documented victims. Other affected industries include manufacturing, healthcare, education, financial services, and government agencies. Since December 2025, the LockBit data leak site has listed over 60 victim entries, underscoring the widespread impact of this latest campaign.
A particularly concerning feature of this version is its advertised compatibility with all iterations of Proxmox, an open-source virtualization platform that is gaining traction among enterprises as an alternative to proprietary hypervisors.
Technical Advancements and Evasion Tactics
Analysts at Acronis have observed that LockBit 5.0 builds upon its predecessor, version 4, by incorporating enhanced defense evasion capabilities and significantly faster encryption speeds. The Windows variant, in particular, showcases the most advanced anti-analysis techniques among all versions. These include sophisticated packing mechanisms, DLL unhooking, process hollowing, and patching of Event Tracing for Windows (ETW).
Furthermore, the malware is designed to clear all accessible system logs, effectively erasing forensic evidence of its activities. While the Linux and ESXi versions do not employ packing, they encrypt nearly all their internal strings to hinder detection and analysis.
Across all three platform versions, LockBit 5.0 utilizes identical robust encryption algorithms: XChaCha20 for symmetric encryption and Curve25519 for asymmetric encryption. Each encrypted file is appended with a randomly generated 16-character extension, complicating identification efforts. The ransomware also leverages multiple encryption threads, scaled to the number of system processors, to ensure rapid data encryption across compromised environments.
Advanced Evasion and Persistence Mechanisms
The Windows version of LockBit 5.0 exhibits remarkably sophisticated evasion tactics, specifically designed to bypass security software and analysis tools. It employs Mixed Boolean-Arithmetic obfuscation, wrapped around return-address dependent hashing, to mask its true operational logic.
As is common among Russian-based malware families, LockBit 5.0 performs locale checks to avoid infecting systems within post-Soviet countries. Before initiating encryption, it verifies system language settings against known Russian language identifiers.
For persistence and stealth, the ransomware uses process hollowing, injecting its malicious code into the legitimate Windows defrag.exe utility. This allows it to execute under the guise of a trusted system process, making it harder to detect.
Upon completing encryption, LockBit 5.0 actively disables Event Tracing for Windows (ETW) monitoring by patching the EtwEventWrite function, replacing its first byte with a return instruction. Subsequently, it systematically clears all event logs using the EvtClearLog function, meticulously removing any traces of its presence and activities.
Infrastructure analysis has revealed that LockBit’s data leak site shares an IP address previously linked to SmokeLoader malware operations. This connection suggests potential infrastructure sharing or collaborative efforts between different cybercriminal syndicates, a prevalent practice within underground cybercrime ecosystems.
What You Should Do
- Implement a multi-layered security strategy, including robust endpoint detection and response (EDR) solutions.
- Maintain regular, isolated, and offline backups of critical data to ensure recovery options outside the network.
- Segment networks to limit lateral movement of ransomware within the infrastructure.
- Ensure all systems and software are kept up-to-date with the latest security patches.
- Conduct continuous employee security awareness training to educate staff on phishing and social engineering tactics, which are common initial access vectors.
- System administrators should actively monitor for unusual process behavior, unexpected file encryption activity, and any attempts to disable security logging mechanisms.
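The monitoring advice above maps directly onto three behaviours the report describes: event logs being cleared via EvtClearLog, defrag.exe being hollowed, and files gaining a random 16-character extension. The following detection routine is an added example (not from the report or from Acronis) that runs over constructed, simplified Windows/Sysmon-style records; the field names and the allowlist of expected defrag.exe parents are assumptions to tune per environment.

```python
import re
from typing import Iterable, List

# Constructed sample telemetry (not from the report): simplified Windows event-log
# and Sysmon-style records. Real Sysmon fields (Image, ParentImage, TargetFilename)
# are shortened here to image/parent/target for readability.
SAMPLE_EVENTS = [
    {"channel": "Microsoft-Windows-Sysmon/Operational", "id": 1,
     "image": r"C:\Windows\System32\defrag.exe", "parent": r"C:\Users\alice\Downloads\invoice.exe"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "id": 1,
     "image": r"C:\Windows\System32\defrag.exe", "parent": r"C:\Windows\System32\svchost.exe"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "id": 11,
     "image": r"C:\Windows\System32\defrag.exe", "target": r"C:\Finance\Q3.xlsx.k7Pq2mZx9Lw4Rt1B"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "id": 11,
     "image": r"C:\Program Files\Office\excel.exe", "target": r"C:\Finance\Q3.xlsx"},
    {"channel": "Security", "id": 1102},   # "The audit log was cleared"
    {"channel": "System", "id": 104},      # "The System log file was cleared"
    {"channel": "Security", "id": 4624},   # ordinary logon, should not alert
]

# Assumed allowlist of parents that legitimately launch defrag.exe (scheduled
# maintenance under svchost.exe, the Optimize Drives UI). Tune per environment.
EXPECTED_DEFRAG_PARENTS = {"svchost.exe", "dfrgui.exe", "mmc.exe"}

# Whole extension is exactly 16 alphanumeric characters, matching the report's
# description of the appended random extension.
RANDOM_EXT = re.compile(r"\.[A-Za-z0-9]{16}$")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events: Iterable[dict]) -> List[str]:
    """Return alert strings, in input order, for the three report-described behaviours."""
    alerts = []
    for ev in events:
        ch, eid = ev.get("channel", ""), ev.get("id")
        if (ch, eid) in {("Security", 1102), ("System", 104)}:
            alerts.append(f"log_cleared:{ch}")
        elif ch.endswith("Sysmon/Operational") and eid == 1:
            parent = basename(ev.get("parent", ""))
            if basename(ev.get("image", "")) == "defrag.exe" and parent not in EXPECTED_DEFRAG_PARENTS:
                alerts.append(f"defrag_unexpected_parent:{parent}")
        elif ch.endswith("Sysmon/Operational") and eid == 11:
            if RANDOM_EXT.search(ev.get("target", "")):
                alerts.append(f"random_16char_extension:{basename(ev['target'])}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The extension heuristic will also fire on benign files that happen to use a 16-character suffix, so treat it as a correlation signal alongside the log-clear and parent-process alerts rather than a standalone verdict.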
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.