New LockBit 5.0 Targets Windows, Linux, ESXi

Trend Research believes that these similarities are a clear indication that LockBit 5.0 represents a continuation of the LockBit ransomware family and is not an imitation or rebrand by different threat actors. The preservation of core functionalities while adding new evasion techniques demonstrates the group’s strategy of incremental improvement to their ransomware platform.
Conclusion
The existence of Windows, Linux, and ESXi variants confirms LockBit’s continued cross-platform strategy. This enables simultaneous attacks across entire enterprise networks, from workstations to critical servers hosting databases and virtualization platforms, with the ESXi variant designed to cripple entire virtual infrastructures. Heavy obfuscation across these new variants significantly delays detection signature development, while technical improvements including removed infection markers, faster encryption, and enhanced evasion make LockBit 5.0 significantly more dangerous than its predecessors.
LockBit is among the most notorious ransomware-as-a-service (RaaS) groups and has consistently stayed ahead of its competitors through aggressive evolution of its techniques and tactics. Despite Operation Cronos, the criminals behind the group exhibit resilience, with all three variants of version 5.0 now confirmed. Organizations must ensure comprehensive cross-platform defenses are in place, with particular attention to protecting virtualization infrastructure. LockBit 5.0’s Windows, Linux, and ESXi variants reinforce that no operating system or platform can be considered safe from modern ransomware campaigns.
Mitigating risk from LockBit 5.0
Organizations are highly encouraged to evaluate and enhance their security posture by proactively conducting threat hunting activities tailored to group-specific tools, tactics, and procedures. It is essential to reinforce both endpoint and network protections, as well as early detection of defense evasion techniques aimed at compromising security solutions.
Proactive security with Trend Vision One™
Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This holistic approach helps enterprises predict and prevent threats, accelerating proactive security outcomes across their respective digital estate. With Trend Vision One, you can eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.
Trend Vision One™ Threat Intelligence
To stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend Research on emerging threats and threat actors.
Trend Vision One Threat Insights
Trend Vision One Intelligence Reports (IOC Sweeping)
LockBit Strikes Again: Updates in Version 5.0
Hunting Queries
Trend Vision One Search App
Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
LockBit File Renaming with 16-Character Extension
eventSubId: 106 AND objectFilePath: /\.[a-f0-9]{16}$/ AND NOT srcFilePath: /.+\.[a-f0-9]{16}$/
LockBit 5 Ransom Note — ReadMeForDecrypt.txt
eventSubId: 101 AND objectFilePath: ReadMeForDecrypt.txt
More hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.
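For teams hunting in other file telemetry, the logic of the two queries above can be expressed as follows. This is an added example, not Trend's code: the event schema (ts, host, process, action, src, dst), the burst threshold, and the per-process correlation are assumptions that go beyond the two single-event queries.

```python
import re
from collections import defaultdict

# Same pattern as the page's query: a 16-character lowercase-hex extension.
HEX_EXT = re.compile(r"\.[a-f0-9]{16}$")
NOTE_NAME = "readmefordecrypt.txt"  # ransom note name from the page, lower-cased

def is_suspicious_rename(ev):
    """Destination ends in the hex extension and the source did not already."""
    return (ev["action"] == "rename" and HEX_EXT.search(ev["dst"]) is not None
            and HEX_EXT.search(ev["src"]) is None)

def is_ransom_note(ev):
    # Split on both separators so Windows, Linux and ESXi paths all work.
    name = re.split(r"[\\/]", ev["dst"])[-1]
    return ev["action"] == "create" and name.lower() == NOTE_NAME

def hunt(events, min_renames=3, window=60):
    """Map (host, process) to a reason. Thresholds are assumed tuning values."""
    renames, notes = defaultdict(list), set()
    for ev in events:
        key = (ev["host"], ev["process"])
        if is_suspicious_rename(ev):
            renames[key].append(ev["ts"])
        elif is_ransom_note(ev):
            notes.add(key)
    findings = {}
    for key in set(renames) | notes:
        ts = sorted(renames[key])
        # Burst: min_renames matching renames inside `window` seconds.
        burst = any(ts[i + min_renames - 1] - ts[i] <= window
                    for i in range(len(ts) - min_renames + 1))
        reasons = (["rename burst"] if burst else []) + \
                  (["ransom note"] if key in notes else [])
        if reasons:
            findings[key] = " + ".join(reasons)
    return findings

# Constructed sample events (hypothetical schema and names, not real telemetry).
FIELDS = ("ts", "host", "process", "action", "src", "dst")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    (0, "ws01", "proc_a", "rename", r"C:\d\q1.xlsx", r"C:\d\q1.xlsx.3fa9c1d2e4b5a6f7"),
    (2, "ws01", "proc_a", "rename", r"C:\d\q2.docx", r"C:\d\q2.docx.3fa9c1d2e4b5a6f7"),
    (3, "ws01", "proc_a", "rename", r"C:\d\q3.pdf", r"C:\d\q3.pdf.3fa9c1d2e4b5a6f7"),
    (4, "ws01", "proc_a", "create", "", r"C:\d\ReadMeForDecrypt.txt"),
    (5, "esx1", "proc_b", "rename", "/vmfs/v/a.vmdk", "/vmfs/v/b.vmdk"),
    (6, "lnx1", "proc_c", "rename", "/b/x.0123456789abcdef", "/b/y.0123456789abcdef"),
    (7, "lnx1", "proc_d", "create", "", "/home/u/ReadMeForDecrypt.txt"),
]]
```

Requiring a burst from one process reduces noise from single files that happen to carry a 16-character hex suffix, while a ransom note on its own is still reported.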
Indicators of Compromise
Indicators of compromise can be found here.