{
	"id": "64155f6a-150c-4dc9-8f2d-92eea417666c",
	"created_at": "2026-04-06T00:21:23.722647Z",
	"updated_at": "2026-04-10T03:26:47.127701Z",
	"deleted_at": null,
	"sha1_hash": "6220a62f47f47d05299d1cf07fe2da655bd6400d",
	"title": "New LockBit 5.0 Targets Windows, Linux, ESXi",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1798726,
	"plain_text": "New LockBit 5.0 Targets Windows, Linux, ESXi\r\nBy: Sarah Pearl Camiling, Jacob Santos Sep 25, 2025 Read time: 7 min (2008 words)\r\nPublished: 2025-09-25 · Archived: 2026-04-05 12:36:25 UTC\r\nRansomware\r\nTrend™ Research analyzed source binaries from the latest activity of the notorious LockBit ransomware group, whose 5.0 version exhibits advanced obfuscation, anti-analysis techniques, and seamless cross-platform capabilities for Windows, Linux, and ESXi systems.\r\nKey takeaways:\r\nThe LockBit 5.0 Windows variant uses heavy obfuscation and packing, loading its payload through DLL reflection while implementing anti-analysis techniques. The Linux variant has similar functionality with command-line options for targeting specific directories and file types. The ESXi variant specifically targets VMware virtualization infrastructure and is designed to encrypt virtual machines.\r\nThe new variants use randomized 16-character file extensions, avoid Russian-language systems, and clear event logs post-encryption.\r\nLockBit 5.0 also has a dedicated ESXi variant that targets VMware's ESXi virtualization infrastructure.\r\nThe existence of Windows, Linux, and ESXi variants confirms LockBit's continued cross-platform strategy, enabling simultaneous attacks across entire enterprise networks including virtualized environments. Heavy obfuscation and technical improvements across all variants make LockBit 5.0 significantly more dangerous than its predecessors.\r\nTrend Vision One™ detects and blocks the specific IoCs mentioned in this blog, and offers customers access to hunting queries, threat insights, and intelligence reports related to LockBit 5.0.\r\nTrend™ Research has identified and analyzed the source binaries of a new LockBit version in the wild, which is the latest from the group’s activities following the February 2024 law enforcement operation (Operation Cronos) that disrupted their infrastructure. 
In early September, the LockBit ransomware group reportedly resurfaced for their sixth anniversary, announcing the release of \"LockBit 5.0\". Trend Research discovered a binary available in the wild and began analysis that initially discovered a Windows variant and confirmed the existence of Linux and ESXi variants of LockBit 5.0.\r\nThis latest news continues the group's established cross-platform strategy seen since LockBit 2.0 in 2021. Trend Research analysis found that the Windows binary uses heavy obfuscation and packing: it loads its payload through DLL reflection while implementing anti-analysis techniques like ETW patching and terminating security services. Meanwhile, the newly discovered Linux variant maintains similar functionality with command-line options for targeting specific directories and file types. The ESXi variant specifically targets VMware virtualization environments and is designed to encrypt entire virtual machine infrastructures in a single attack.\r\nhttps://www.trendmicro.com/en_us/research/25/i/lockbit-5-targets-windows-linux-esxi.html\r\nPage 1 of 16\n\nOur investigation also reveals that these newer versions share key behaviors: randomized 16-character file extensions, Russian-language system avoidance through geolocation checks, and event log clearing post-encryption. The 5.0 version also shares code characteristics with LockBit 4.0, including identical hashing algorithms and API resolution methods, confirming this is an evolution of the original codebase rather than an imitation.\r\nLockBit 5.0 Windows analysis\r\nThe Windows version of LockBit 5.0 uses the -h parameter to display help information; the new version features a better user interface with clean formatting, which has not been seen in previous versions. 
It describes various options and settings for executing the ransomware, including basic options like specifying directories to encrypt or bypass, operation modes such as invisible mode and verbose mode, notes settings, encryption settings, filtering options, and examples of usage. The detailed commands and parameters illustrate the flexibility and customization available to the attacker.\r\nFigure 1. Help command shows the parameters and their respective uses\r\nTable 1 shows the command line arguments observed in Trend Research threat hunting analysis and their respective descriptions.\r\nOption Description\r\nBasic Options\r\n-h Show help\r\n-d \u003cdirs\u003e Semicolon-separated list of directories to encrypt\r\n-b \u003cdirs\u003e Semicolon-separated list of directories to bypass\r\nOperation Modes\r\n-i Invisible mode (don't change extensions, no notes, don't change modification date)\r\n-p Run in verbose visible mode with status bar in console (not available when using -i)\r\n-v Run in visible mode with debug output\r\nNotes Settings\r\n-n \u003c0/1/2\u003e Notes storage mode: 0: None; 1: Everywhere; 2: C:\\ only. Ignored when using -i (invisible mode)\r\nEncryption Settings\r\n-m \u003cmode\u003e Encryption mode: all: Encrypt all files; local: Encrypt local files; net: Encrypt network files\r\n-w Enable wipe free space after encryption\r\nFiltering\r\n-k Don't delete .exe files\r\n-nomutex Allow multiple instances\r\nTimeout\r\n-t \u003cseconds\u003e Set timeout before starting encryption\r\nTable 1. 
A summary of the command line arguments in our analysis of the LockBit 5.0 Windows version.\r\nUpon execution, the ransomware generates its signature ransom note and directs victims to a dedicated leak site. The infrastructure maintains LockBit's established victim interaction model, featuring a streamlined \"Chat with Support\" section for ransom negotiations.\r\nFigure 2. The ransom note generated by LockBit 5.0\r\nFigure 3. The leak site to which the link in the ransom note directs victims\r\nFigure 4. The data leak site provides a direct communication channel with the victims in the \"Chat with Support\" section.\r\nThe encryption process appends randomized 16-character extensions to files, complicating recovery efforts. Unlike some ransomware variants that use common infection markers, LockBit 5.0 omits traditional markers at file endings. However, our analysis revealed consistent patterns, including the original file size embedded in the encrypted file footer.\r\nFigure 5. LockBit 5.0 encrypted files are appended with unique and seemingly randomly generated 16-character extensions, which complicates the decryption process.\r\nFigure 6. End part of encrypted file A\r\nFigure 7. End part of encrypted file B\r\nThe sample Trend Research analyzed employs heavy obfuscation through packing. During debugging, we discovered it functions as a binary loader, decrypting a PE binary in memory and loading it via DLL reflection methods. 
This sophisticated loading mechanism significantly complicates static analysis.\r\nFigure 8. Decrypted PE binary in the memory of the loader\r\nAside from that, the malware implements multiple anti-forensics techniques. It patches the EtwEventWrite API by overwriting it with a 0xC3 (return) instruction, disabling Windows Event Tracing capabilities. Additionally, it terminates security-related services by comparing hashed service names against a hardcoded list of 63 values, then clears all event logs using the EvtClearLog API after encryption completion.\r\nFigure 9. Before patching of EtwEventWrite\r\nFigure 10. After patching EtwEventWrite, the malware shows a C3 byte forcing it to immediately return.\r\nIt enumerates the services running on the system, hashes each service name, and compares the hash with the hardcoded list of 63 values. Services whose hashes match are then terminated.\r\nFigure 11. Event log clearing using EvtClearLog API\r\nConsistent with previous versions, LockBit 5.0 includes geopolitical safeguards, terminating execution when detecting Russian language settings or Russian geolocation. 
This is a common practice among Eastern European ransomware groups.\r\nFigure 12. This code terminates if the language is Russian\r\nFigure 13. This code terminates if the geolocation is Russia\r\nLockBit 5.0 Linux analysis\r\nThe 5.0 Linux variant has features similar to its Windows counterpart, demonstrating LockBit's commitment to cross-platform capabilities. The command-line interface mirrors the Windows version's formatting and functionality, providing attackers with the same operational flexibility across both platforms.\r\nFigure 14. The LockBit 5.0 Linux version shows similar formatting of help options\r\nDuring execution, the Linux variant provides detailed logging of its activities, displaying files targeted for encryption and folders designated for exclusion. This transparency in operation logs suggests the variant can be used in testing environments or by affiliates requiring detailed execution feedback.\r\nFigure 15. Logging activity shows the files to be encrypted\r\nFigure 16. Logs show the list of folders to be skipped on wiping\r\nUpon completion, the ransomware generates a comprehensive summary showing the total number of files encrypted and their cumulative size. Like the Windows version, it applies randomized extensions to encrypted files, maintaining consistency in post-encryption file handling across platforms.\r\nFigure 17. A summary shows the total number of files encrypted and their cumulative size\r\nFigure 18. 
A list of encrypted files that have random extensions\r\nLockBit 5.0 ESXi analysis\r\nFurther investigation revealed a dedicated ESXi variant of LockBit 5.0, specifically targeting VMware virtualization infrastructure. This variant represents a critical escalation in LockBit's capabilities, as ESXi servers typically host multiple virtual machines, allowing attackers to encrypt entire virtualized environments with a single payload execution.\r\nThe ESXi variant maintains the same command-line interface structure as its Windows and Linux counterparts, ensuring operational consistency for attackers across all platforms. The help menu reveals ESXi-specific parameters optimized for virtual machine encryption, including options to target specific directories and VM configuration files.\r\nFigure 19. ESXi variant help command showing virtualization-specific parameters\r\nThis ESXi variant demonstrates LockBit's strategic focus on maximizing impact through virtualization infrastructure, where a single compromised ESXi host can result in dozens or hundreds of encrypted virtual machines, significantly amplifying the attack's business disruption potential.\r\nLockBit 4.0 versus LockBit 5.0\r\nA comparative analysis between LockBit 4.0 and 5.0 reveals significant code reuse and evolutionary development rather than a complete rewrite. Both versions share identical hashing algorithms for string operations, a critical component for API resolution and service identification. The code structure for dynamic API resolution remains remarkably similar between versions, suggesting the developers built upon the existing LockBit 4.0 codebase. The screenshots on the left in figures 20 and 21 are from the chuong dong blog.\r\nFigure 20. 
Similarities of the string hashing algorithm of LockBit 4.0 (left – screenshot from the chuong dong blog) and LockBit 5.0 (right)\r\nFigure 21. Dynamic API resolution of LockBit 4.0 (left – screenshot from blog) and LockBit 5.0 (right)\r\nTrend Research believes that these similarities are a clear indication that LockBit 5.0 represents a continuation of the LockBit ransomware family and is not an imitation or rebrand by different threat actors. The preservation of core functionalities while adding new evasion techniques demonstrates the group's strategy of incremental improvement to their ransomware platform.\r\nConclusion\r\nThe existence of Windows, Linux, and ESXi variants confirms LockBit's continued cross-platform strategy. This enables simultaneous attacks across entire enterprise networks, from workstations to critical servers hosting databases and virtualization platforms, with the ESXi variant designed to cripple entire virtual infrastructures. Heavy obfuscation across these new variants significantly delays detection signature development, while technical improvements including removed infection markers, faster encryption, and enhanced evasion make LockBit 5.0 significantly more dangerous than its predecessors.\r\nLockBit is among the most notorious ransomware-as-a-service (RaaS) groups that has consistently stayed ahead of its competitors with an aggressive evolution of its techniques and tactics. Despite Operation Cronos, the criminals behind the group exhibit resilience, with all three variants of version 5.0 now confirmed. Organizations must ensure comprehensive cross-platform defenses are in place, with particular attention to protecting virtualization 
infrastructure. LockBit 5.0's Windows, Linux, and ESXi variants reinforce that no operating system or platform can be considered safe from modern ransomware campaigns.\r\nMitigating risk from LockBit 5.0\r\nOrganizations are highly encouraged to evaluate and enhance their security posture by proactively conducting threat hunting activities tailored to group-specific tools, tactics, and procedures. It is essential to reinforce both endpoint and network protections, as well as early detection of defense evasion techniques aimed at compromising security solutions.\r\nProactive security with Trend Vision One™\r\nTrend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This holistic approach helps enterprises predict and prevent threats, accelerating proactive security outcomes across their respective digital estate. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.\r\nTrend Vision One™ Threat Intelligence\r\nTo stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend Research on emerging threats and threat actors.\r\nTrend Vision One Threat Insights\r\nEmerging Threats: LockBit Strikes Again: Updates in Version 5.0\r\nTrend Vision One Intelligence Reports (IOC Sweeping)\r\nLockBit Strikes Again: Updates in Version 5.0\r\nHunting Queries\r\nTrend Vision One Search App\r\nTrend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.
\r\nLockBit File Renaming with 16-Character Extension\r\neventSubId: 106 AND objectFilePath: /\\.[a-f0-9]{16}$/ AND NOT srcFilePath: /.+\\.[a-f0-9]{16}$/\r\nLockBit 5 Ransom Note — ReadMeForDecrypt.txt\r\neventSubId: 101 AND objectFilePath: ReadMeForDecrypt.txt\r\nMore hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.\r\nIndicators of Compromise\r\nIndicators of compromise can be found here.\r\nSource: https://www.trendmicro.com/en_us/research/25/i/lockbit-5-targets-windows-linux-esxi.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/i/lockbit-5-targets-windows-linux-esxi.html"
	],
	"report_names": [
		"lockbit-5-targets-windows-linux-esxi.html"
	],
	"threat_actors": [
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434883,
	"ts_updated_at": 1775791607,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6220a62f47f47d05299d1cf07fe2da655bd6400d.pdf",
		"text": "https://archive.orkl.eu/6220a62f47f47d05299d1cf07fe2da655bd6400d.txt",
		"img": "https://archive.orkl.eu/6220a62f47f47d05299d1cf07fe2da655bd6400d.jpg"
	}
}