LockBit 5.0 Variant Expands Attacks on Windows, Linux and Virtual Infrastructure

Threat Group – LockBit operators
Threat Type – Ransomware as a Service
Exploited Vulnerabilities – Exposed remote access services, unpatched internet facing infrastructure, valid credential reuse, weak virtualisation hardening
Malware Used – LockBit 5.0 Windows, Linux and ESXi variants
Threat Score – 7.5 🔴 High – Cross platform impact with ESXi targeting, rapid encryption, and layered EDR neutralisation reduce defender visibility and recovery options
Last Threat Observation – 30 September 2025
Overview
Recent vendor and threat research confirms a renewed LockBit programme with a 5.0 line that restores operations after the 2024 takedown. The new variant emphasises speed and stealth across Windows, Linux, and VMware ESXi, with design choices that shorten detection windows and degrade common telemetry. Expanded modularity lets affiliates tailor builds and behaviours per campaign, while resilient negotiation infrastructure and refreshed incentives seek to rapidly regrow the affiliate base.
Observed behaviours include heavier packing and reflection in memory, API unhooking and event tracing tampering, and systematic disruption of security and backup services before encryption. Encrypted files are frequently stamped with random sixteen character extensions, complicating triage and recovery playbooks. A dedicated ESXi encryptor focuses on virtual machine datastores, raising the blast radius well beyond endpoints when hypervisors or vCenter are in scope.
Key Details
Delivery Method
- Exploitation of externally exposed remote access and device management surfaces
- Abuse of valid credentials obtained via leaks, brute force, or prior compromises
- Phishing and social engineering to gain initial footholds or harvest credentials
- Quiet staging and in memory execution to minimise disk artefacts
Target
- Hybrid environments with centralised virtualisation and shared storage
- Organisations where vCenter and ESXi management planes are reachable from broad internal networks
- Environments with permissive egress and limited behavioural detection
Functions
- Cross platform encryptors for Windows, Linux, and ESXi with campaign specific toggles
- Faster time to impact via intermittent or chunk based encryption and multi threading
- Service kill lists targeting security agents and backup software prior to encryption
- Ransom note delivery with resilient, multi channel negotiation workflows
Obfuscation
- Heavy packing and obfuscation to delay static analysis
- Reflection in memory to execute within trusted processes
- User land API unhooking and event tracing interference that blind common telemetry paths
- Randomised post encryption file extensions that hinder automated response
- Locale and region checks consistent with prior lines
Attack Vectors
Initial Access
- Remote access exploitation and weaknesses in internet facing services
- Credential stuffing, password reuse, or brute force against VPN and management portals
- Phishing to deploy loaders or capture credentials
Establishment
- Payloads executed in memory or staged quietly on disk
- Persistence through scheduled tasks, services, or registry entries aligned to routine admin patterns
Command and Control
- Negotiation and operator access maintained over anonymised infrastructure and peer to peer secure messengers
- Low and slow patterns to evade rate or volume based detections
Lateral Movement
- Administrative tooling and protocols such as PsExec, WMI and SMB, driven with domain or virtualisation credentials
- Rapid reach into server and hypervisor tiers once privileged access is obtained
Pre Encryption Disruption
- Broad termination of security and backup services
- Local recovery point deletion and event log clearing to delay discovery
- Recovery inhibition actions designed to prolong downtime
Encryption and Impact
- High speed encryption with intermittent modes to preserve responsiveness during the early phase
- Random extension stamping across file servers, application servers, and VM datastores
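The random sixteen-character extension stamping described above is itself a detection opportunity. The following is an added example written for this advisory, not code from the original page or any vendor: it scores the new extension of each file-rename event for randomness (fixed length, alphanumeric charset, Shannon entropy) and alerts when a single process stamps many files that way inside a short window. The event tuple layout and the sample events are constructed; real deployments would feed it from EDR file-rename telemetry.

```python
"""Flag bursts of renames to random-looking sixteen-character extensions.

Added example, not code from the advisory or any vendor. The event tuples
are constructed, not real EDR output.
"""
import math
import random
from collections import Counter, defaultdict, deque

RANDOM_EXT_LEN = 16      # the advisory reports sixteen-character random extensions
MIN_ENTROPY_BITS = 2.5   # per-character Shannon entropy; "docx" or "backup" score far lower
FLOOD_THRESHOLD = 20     # random-extension renames by one process that trigger an alert
WINDOW_SECONDS = 60      # sliding window for the burst


def shannon_entropy(text):
    """Bits of entropy per character of the string (0 for an empty string)."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def looks_random_extension(filename):
    """True when the final extension resembles a ransomware stamp, not a file type."""
    if "." not in filename:
        return False
    ext = filename.rsplit(".", 1)[1]
    if len(ext) != RANDOM_EXT_LEN or not ext.isalnum():
        return False
    return shannon_entropy(ext.lower()) >= MIN_ENTROPY_BITS


def detect_rename_floods(events):
    """events: iterable of (ts_seconds, host, pid, image, old_name, new_name).

    Returns one alert per (host, pid) whose random-extension renames reach
    FLOOD_THRESHOLD inside WINDOW_SECONDS. A deque per process keeps only the
    timestamps still inside the sliding window.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, host, pid, image, _old, new in sorted(events, key=lambda e: e[0]):
        if not looks_random_extension(new):
            continue
        key = (host, pid)
        window = recent[key]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= FLOOD_THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({"host": host, "pid": pid, "image": image,
                           "first_seen": window[0], "count": len(window)})
    return alerts


def build_sample_events():
    """Constructed telemetry: one process stamping 25 files, plus benign renames."""
    rng = random.Random(7)   # fixed seed keeps the constructed sample reproducible
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    events = [
        (990.0, "FS01", 1100, r"C:\Windows\explorer.exe", "report.docx", "report_final.docx"),
        (995.0, "FS01", 4242, r"C:\Users\Public\svc.exe", "notes.txt", "notes.bak"),
    ]
    for i in range(25):
        stamp = "".join(rng.choices(alphabet, k=RANDOM_EXT_LEN))
        events.append((1000.0 + i, "FS01", 4242, r"C:\Users\Public\svc.exe",
                       f"doc{i}.xlsx", f"doc{i}.xlsx.{stamp}"))
    return events


if __name__ == "__main__":
    for alert in detect_rename_floods(build_sample_events()):
        print(alert)
```

The entropy threshold is deliberately low: the point of the length and charset checks is to exclude real file types, and the entropy check only has to reject degenerate strings such as sixteen repeated characters. Tune FLOOD_THRESHOLD and WINDOW_SECONDS against a baseline of your own file servers before alerting on it.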
Known Indicators of Compromise (IoCs)
FileHash MD5
- 5e1f61b9c1c27cad3b7a81c804ac7b86
- 95daa771a28eaed76eb01e1e8f403f7c
- 9bcff8da7165977f973ace12dd4c0ce0
- a1539b21e5d6849a3e0cf87a4dc70335
- ca93d47bcc55e2e1bd4a679afc8e2e25
FileHash SHA1
- 41e1e094c19fffde494c24ef4cab0d7577d5a025
- 561db92000409fe7093964452143ec371f930681
- 801a97a2fe5c3749b713d71172de6eafb961a888
- c1888ba296f57e87a84411ddfce3cabc4536b142
- cdd5717fd3bfd375c1c34237c24073e92ad6dccc
FileHash SHA256
- 180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38
- 4dc06ecee904b9165fa699b026045c1b6408cc7061df3d2a7bc2b7b4f0879f4d
- 7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82
- 90b06f07eb75045ea3d4ba6577afc9b58078eafeb2cdd417e2a88d7ccf0c0273
- 98d8c7870c8e99ca6c8c25bb9ef79f71c25912fbb65698a9a6f22709b8ad34b6
Mitigation and Prevention
User Awareness
- Train personnel to report unusual remote admin prompts and credential challenges
- Caution around attachments, macros, and unsolicited links with reinforcement through exercises
Email Filtering
- Enforce DMARC, DKIM, and SPF
- Use attachment detonation and URL rewriting with follow on blocking
Antivirus Protection and EDR
- Tune for memory only execution, reflection in trusted processes, and abnormal thread creation
- Detect mass service termination and recovery deletion as priority events
- Monitor integrity of critical modules where API unhooking or patching would occur
Two Factor Authentication
- Enforce phishing resistant MFA on remote access, privileged accounts, vCenter, and management consoles
- Require bastion paths for administrative access and restrict local admin usage
Log Monitoring
- Centralise logs to tamper resistant storage and alert on sudden log clearing or telemetry drop offs
- Prefer sequence based detections that correlate discovery, service stop, and recovery inhibition
- Monitor for persistent low volume TLS sessions from servers and admin hosts
Regular Updates
- Patch internet facing services, remote access appliances, vCenter, and ESXi urgently
- Apply virtualisation hardening guidance and disable unused host services such as remote shells
Detection Engineering
Effective defence against LockBit 5.0 requires pivoting from signature reliance to behavioural, memory, and sequence based visibility.
Key LockBit 5.0 Evasion Techniques and Detection Opportunities
| MITRE ATT&CK TTP | LockBit 5.0 Behaviour | Host Detection Focus (EDR/Agent) | Recommended Sensor Visibility |
|---|---|---|---|
| T1027 (Obfuscated Files) | Heavy packing, reflective DLL injection into memory | Anomalous process memory allocation, unusual thread creation in benign processes | User/Kernel EDR, Memory Integrity Modules |
| T1070.004 (Indicator Removal) | Clearing Windows Event Logs (Security/System) | Monitor for wevtutil cl or similar executed by unexpected processes | Centralised, immutable log aggregation |
| T1490 (Inhibit System Recovery) | vssadmin deletion; mass killing of backup/AV/EDR services | Alerts on service termination bursts or VSS tool abuse | EDR/Process Monitoring |
| T1055.003 (Process Injection) | API unhooking and ETW patching to blind EDR | Integrity checks on DLLs, detection of function pointer restoration | Advanced EDR/Endpoint Forensics |
| T1036.003 (Masquerading) | Command line arguments (e.g. -i, -d, -b) with disguised binaries | Flag uncommon parameters or short/random names | Command Line Monitoring |
Hardening Virtualisation Infrastructure
LockBit 5.0 devotes significant resources to ESXi targeting. Host level protection requires strict hardening, auditing, and isolation.
ESXi Hardening Commands and Rationale
| Objective | Recommended Action/Setting | Rationale (Mitigating LockBit TTP) | Context |
|---|---|---|---|
| Restrict Management | Enable VMware Lockdown Mode (Strict or Normal) | Prevents direct SSH/API access, forces audited vCenter management | Blocks direct CLI execution by affiliates |
| Disable Unused Protocols | Set SSH Service Policy to Off or Manual | Removes a common lateral movement vector | Limits access post initial compromise |
| Network Segmentation | Strict firewall rules limiting ESXi/vCenter to admin subnets | Blocks lateral movement from endpoints | Enforces least privilege |
| Outbound C2 Prevention | Deny outbound internet traffic from ESXi hosts | Prevents Tor/Tox comms and data exfiltration | Containment at hypervisor layer |
| Prevent Unauthorised Execution | Restrict execution of unsigned scripts via host profiles | Blocks execution of encryptor binaries | Mitigates ransomware run-on-host |
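To turn the rows of that table into something auditable, here is an added example (not code from the advisory or from VMware) that checks a host configuration against the baseline and lists the weak settings beside their remediation. Each host is a plain dict whose keys are modelled on vSphere API names (lockdownMode, the TSM-SSH service key with its policy, firewall defaultPolicy.outgoingBlocked, and the advanced option VMkernel.Boot.execInstalledOnly); reading them from a live host with pyVmomi is left out. execInstalledOnly is used here as the concrete knob for the "prevent unauthorised execution" row, which the table itself phrases in terms of host profiles. The /24 limit for admin subnets and both host records are constructed assumptions.

```python
"""Audit ESXi host settings against the hardening rows above.

Added example, not code from the advisory or from VMware. Config keys are
modelled on vSphere API names; the two host records are constructed.
"""
import ipaddress

MIN_ADMIN_PREFIX = 24   # assumption: admin subnets are /24 or smaller; wider ranges are flagged

# (path into the config dict, acceptable values, finding text, remediation)
BASELINE = [
    (("lockdownMode",), {"lockdownNormal", "lockdownStrict"},
     "Lockdown mode disabled: direct SSH/API access to the host is possible",
     "Enable Lockdown Mode (Normal or Strict) and manage the host through vCenter"),
    (("services", "TSM-SSH", "policy"), {"off"},
     "SSH service starts automatically", "Set the SSH startup policy to Off"),
    (("services", "TSM-SSH", "running"), {False},
     "SSH service is running", "Stop SSH; enable it only for a time-boxed, audited task"),
    (("firewall", "defaultPolicy", "outgoingBlocked"), {True},
     "Outbound traffic from the host is allowed by default",
     "Block default outbound traffic and allow only the rulesets the host needs"),
    (("advanced", "VMkernel.Boot.execInstalledOnly"), {1},
     "Host may execute binaries that were not installed from a VIB",
     "Set VMkernel.Boot.execInstalledOnly to 1"),
]


def lookup(config, path):
    """Walk a tuple path through nested dicts; None when any key is missing."""
    node = config
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit_host(config):
    """Return a list of findings; an empty list means the host meets the baseline."""
    findings = []
    for path, ok_values, finding, fix in BASELINE:
        value = lookup(config, path)
        if value not in ok_values:
            findings.append({"setting": ".".join(path), "value": value,
                             "finding": finding, "fix": fix})
    # Network segmentation row: which source ranges may reach the management interface
    for source in lookup(config, ("firewall", "mgmtAllowedSources")) or []:
        network = ipaddress.ip_network(source, strict=False)
        if network.prefixlen < MIN_ADMIN_PREFIX:
            findings.append({"setting": "firewall.mgmtAllowedSources", "value": source,
                             "finding": f"Management reachable from a broad range ({network})",
                             "fix": "Restrict management access to dedicated admin subnets"})
    return findings


# Constructed host records: the weak settings beside the hardened ones
WEAK_HOST = {
    "name": "esx-weak",
    "lockdownMode": "lockdownDisabled",
    "services": {"TSM-SSH": {"policy": "on", "running": True}},
    "firewall": {"defaultPolicy": {"outgoingBlocked": False},
                 "mgmtAllowedSources": ["0.0.0.0/0"]},
    "advanced": {"VMkernel.Boot.execInstalledOnly": 0},
}
HARDENED_HOST = {
    "name": "esx-hardened",
    "lockdownMode": "lockdownNormal",
    "services": {"TSM-SSH": {"policy": "off", "running": False}},
    "firewall": {"defaultPolicy": {"outgoingBlocked": True},
                 "mgmtAllowedSources": ["10.20.30.0/24"]},
    "advanced": {"VMkernel.Boot.execInstalledOnly": 1},
}

if __name__ == "__main__":
    for host in (WEAK_HOST, HARDENED_HOST):
        print(host["name"], "findings:", len(audit_host(host)))
        for f in audit_host(host):
            print(f"  {f['setting']}={f['value']!r}: {f['finding']} -> {f['fix']}")
```

Run against every host in the inventory on a schedule and treat any new finding on a previously clean host as a change to investigate, since a lockdown mode or SSH policy flipping back to a weak value is itself a signal.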
Practical Hunting Playbook
- Memory integrity anomalies in benign processes with unusual call stacks
- Service termination bursts, shadow deletion, and file rename floods within short timeframes
- Unsigned, rare binaries with outbound connections and persistence
- Sudden PsExec/WMI surges from unexpected hosts
- ESXi logs showing enumeration, VM kills, and autostart changes followed by ransom note appearance
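The Log Monitoring guidance above prefers sequence-based detections, and the hunting playbook lists the two chains worth correlating: on Windows, a burst of service stops followed by recovery point deletion and event log clearing; on ESXi, VM enumeration, VM kills and autostart changes followed by a ransom note. The following added example (written for this advisory, not code from the original page or any vendor) normalises raw log lines into stage tags with regular expressions and flags a host only when a chain's stages appear in order inside a time window, so a lone service stop or an administrator's routine inventory does not alert by itself. The line format ("<iso timestamp> host=<name> <message>"), the message wordings and all sample lines are constructed, and the ransom note file name is a placeholder to be replaced from your own incident data.

```python
"""Sequence-based correlation of a pre-encryption chain on Windows and ESXi.

Added example, not from the advisory or any vendor. Log format, message
wordings and sample lines are constructed; the note name is a placeholder.
"""
import re
from collections import defaultdict
from datetime import datetime

RANSOM_NOTE_NAME = "RANSOM_NOTE_NAME_PLACEHOLDER"   # placeholder: substitute the real note name

# (pattern over the message part of a line, stage tag); message formats are assumptions
STAGE_PATTERNS = [
    (re.compile(r"EventID=7036\b.*entered the stopped state", re.I), "service_stop"),
    (re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I), "recovery_delete"),
    (re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I), "recovery_delete"),
    (re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I), "log_clear"),
    (re.compile(r"vim-cmd vmsvc/getallvms", re.I), "vm_enum"),
    (re.compile(r"esxcli vm process kill", re.I), "vm_kill"),
    (re.compile(r"hostsvc/autostartmanager/", re.I), "autostart_change"),
    (re.compile(re.escape(RANSOM_NOTE_NAME)), "ransom_note"),
]

# chain name -> (ordered stages, window in seconds)
CHAINS = {
    "windows_pre_encryption": (["service_stop", "recovery_delete", "log_clear"], 900),
    "esxi_pre_encryption": (["vm_enum", "vm_kill", "autostart_change", "ransom_note"], 1800),
}
# a stage that must repeat before it counts: a burst of service stops, not a single one
STAGE_MIN_COUNT = {"service_stop": 5}


def parse_line(line):
    """Return (epoch_seconds, host, stage) or None when no stage pattern matches."""
    match = re.match(r"(\S+) host=(\S+) (.*)", line)
    if not match:
        return None
    ts = datetime.fromisoformat(match.group(1)).timestamp()
    for pattern, stage in STAGE_PATTERNS:
        if pattern.search(match.group(3)):
            return ts, match.group(2), stage
    return None


def correlate(lines):
    """Return one alert per (host, chain) whose stages occur in order inside the window."""
    by_host = defaultdict(list)
    for ts, host, stage in sorted(filter(None, map(parse_line, lines))):
        by_host[host].append((ts, stage))
    alerts = []
    for host, events in by_host.items():
        for chain, (stages, window) in CHAINS.items():
            idx, start, counts = 0, None, defaultdict(int)
            for ts, stage in events:
                if start is not None and ts - start > window:   # window expired: start over
                    idx, start, counts = 0, None, defaultdict(int)
                if stage != stages[idx]:
                    continue                                     # out-of-order stage: ignore
                start = ts if start is None else start
                counts[stage] += 1
                if counts[stage] >= STAGE_MIN_COUNT.get(stage, 1):
                    idx += 1
                if idx == len(stages):
                    alerts.append({"host": host, "chain": chain, "start": start, "end": ts})
                    break
    return alerts


# Constructed sample lines covering a true positive and a benign host on each platform
SAMPLE_LINES = [
    *[f"2025-09-30T10:00:0{i} host=FS01 EventID=7036 The {svc} service entered the stopped state."
      for i, svc in enumerate(["Backup Agent", "Antivirus", "Endpoint Sensor",
                               "Volume Shadow Copy", "SQL VSS Writer"], start=1)],
    "2025-09-30T10:00:40 host=FS01 ProcessCreate cmd=vssadmin.exe delete shadows /all /quiet",
    "2025-09-30T10:01:10 host=FS01 ProcessCreate cmd=wevtutil.exe cl Security",
    "2025-09-30T10:05:00 host=WS07 EventID=7036 The Print Spooler service entered the stopped state.",
    "2025-09-30T10:06:00 host=WS07 ProcessCreate cmd=wevtutil.exe cl Application",
    "2025-09-30T11:00:00 host=esx01 shell.log [root]: vim-cmd vmsvc/getallvms",
    "2025-09-30T11:00:20 host=esx01 shell.log [root]: esxcli vm process kill --type=force --world-id=2101",
    "2025-09-30T11:01:00 host=esx01 shell.log [root]: vim-cmd hostsvc/autostartmanager/enable_autostart false",
    f"2025-09-30T11:02:30 host=esx01 vmfs_create path=/vmfs/volumes/ds1/{RANSOM_NOTE_NAME}.txt",
    "2025-09-30T11:10:00 host=esx02 shell.log [root]: vim-cmd vmsvc/getallvms",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LINES):
        print(alert)
```

The stage table and the minimum-count rule are where tuning happens: the service-stop burst threshold should sit above what patching and maintenance windows produce on your own servers, and the windows should be long enough to survive the advisory's "low and slow" pacing without linking unrelated admin activity days apart.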
Risk Assessment
Threat Score – 7.5 🔴 High
Likelihood is elevated where remote access is exposed, identity controls are weak, and virtualisation management planes are broadly reachable. Impact is severe when ESXi or shared storage layers are involved, as a single host event can disable many workloads at once. Visibility can be degraded by reflection in memory, API unhooking, and event tracing interference, compressing the time available for effective containment.
Exposure factors
- Internet facing services without hardened configuration and rapid patch cadence
- Weak privileged credential hygiene and lack of bastion requirements
- Permissive egress from server and management networks
- Insufficient retention and integrity of logging for reconstruction
Compensating strengths
- Phishing resistant MFA across remote access and all privileged identities including virtualisation management
- Network segmentation isolating hypervisors, management, and storage
- Behaviour tuned EDR plus immutable logging with integrity checks for tampering
- Immutable backups with credential and network separation and routine restoration testing
Conclusion
LockBit 5.0 is an evolutionary step that blends reliable tradecraft with a renewed focus on virtualisation impact and affiliate scale. Faster encryption, layered evasion, and resilient negotiation channels reduce defender reaction time and raise recovery costs. Treat hypervisors and management planes as primary targets. Assume partial blindness in early minutes and use sequence driven analytics to detect hostile chains rather than isolated events. Pair that with immutable backups, strict administrative pathways, and rapid isolation to cut the chance of catastrophic downtime.
Sources
Trend Micro – New LockBit 5.0 Targets Windows Linux ESXi – https://www.trendmicro.com/en_us/research/25/i/lockbit-5-targets-windows-linux-esxi.html
The Register – LockBit’s New Variant is Most Dangerous Yet – https://www.theregister.com/2025/09/26/lockbits_new_variant_is_most/
CSO Online – Meet LockBit 5.0 Faster ESXi Drive Encryption Better at Evading Detection – https://www.csoonline.com/article/4064250/meet-lockbit-5-0-faster-esxi-drive-encryption-better-at-evading-detection.html
Vectra AI – LockBit is Back: What's New in Version 5.0 – https://www.vectra.ai/blog/lockbit-is-back-whats-new-in-version-5-0
Infosecurity Magazine – New LockBit Ransomware Variant Emerges as Most Dangerous Yet – https://www.infosecurity-magazine.com/news/lockbit-ransomware-most-dangerous/
SOCRadar – LockBit 5.0 and Ransomware Cartel What You Need To Know – https://socradar.io/lockbit-5-0-ransomware-cartel-what-you-need-to-know
OTX AlienVault – Indicators of Compromise – https://otx.alienvault.com/pulse/68da3f9ccd5b37095bdef492