Back Issues This Week → Calendar → Current Issue → Popular →

All issuesVolume 330, Issue 4IT Vendor NewsTrend Micro

New LockBit 5.0 Targets Windows, Linux, ESXi

Trend Micro, Thursday, September 25th, 2025

Trend Research analyzed source binaries from the latest activity from notorious LockBit ransomware with their 5.0 version that exhibits advanced obfuscation, anti-analysis techniques, and seamless cross-platform capabilities for Windows, Linux, and ESXi systems.

Key takeaways:

The LockBit 5.0 Windows variant uses heavy obfuscation and packing by loading its payload through DLL reflection while implementing anti-analysis technique. The Linux variant has similar functionality with command-line options for targeting specific directories and file types. The ESXi variant specifically targets VMware virtualization infrastructure, designed to encrypt virtual machines.

The new variants use randomized 16-character file extensions, has Russian language system avoidance, and event log clearing post-encryption.

LockBit 5.0 also has a dedicated ESXi that targets VMware's ESXi virtualization infrastructure.

The existence of Windows, Linux, and ESXi variants confirms LockBit's continued cross-platform strategy, enabling simultaneous attacks across entire enterprise networks including virtualized environments. Heavy obfuscation and technical improvements across all variants make LockBit 5.0 significantly more dangerous than its predecessors.

Trend Vision One detects and blocks the specific IoCs mentioned in this blog, and offers customers access to hunting queries, threat insights, and intelligence reports related to LockBit 5.0.

more →  ·  More from Trend Micro →