The Acronis Threat Research Unit (TRU) has identified a significantly enhanced version of the notorious LockBit ransomware, designated LockBit 5.0, actively being deployed in campaigns against enterprise environments. The latest variant introduces expanded cross-platform capabilities, enabling attackers to target Windows, Linux, and VMware ESXi systems within a single coordinated attack.
A New Chapter in Ransomware Evolution
LockBit 5.0, released in September 2025, continues the group’s long-running evolution from its early “ABCD” branding in 2019 through versions 2.0, 3.0 (“LockBit Black”), and 4.0. Each iteration has added new features, and this latest version is no exception. The group’s operators promote version 5.0 as faster, more modular, and capable of working on “all versions of Proxmox,” positioning it directly against modern virtualization deployments.
According to TRU's analysis, LockBit 5.0 ships a dedicated build for each platform it targets, reflecting the continued evolution of ransomware-as-a-service (RaaS) operations. By supporting multiple operating systems and virtualization platforms, affiliates can compromise endpoints, servers, and hypervisors in a single operation, which sharply increases the potential scale and severity of an attack.
Technical Analysis: Three Variants, One Goal
Unified Cryptographic Design
All three variants (Windows, Linux, and ESXi) share the same cryptographic design: XChaCha20 for fast symmetric encryption of file contents and Curve25519 for key exchange, the usual purpose of this pairing being that per-file keys can only be recovered with the operators' private key. Encrypted files receive a random 16-character extension, and metadata is appended to the end of each encrypted file; all variants drop an identical ransom note. The ransomware can also wipe free space by creating temporary files filled with zero bytes until the volume is full, which overwrites deleted originals in unallocated space and hinders forensic recovery.
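To make the design concrete, here is an added example (written for this page, not LockBit's code) of the same hybrid pattern: a per-file ephemeral X25519 exchange against an operator public key, HKDF to a symmetric key, and an authenticated ChaCha20 cipher over the file body, with the ephemeral public key and nonce appended as trailing metadata. Two assumptions: the `cryptography` package stands in for XChaCha20 with ChaCha20-Poly1305 (12-byte nonce instead of 24, same key-exchange structure), and the trailer layout, key names and HKDF label are illustrative, not LockBit's actual format.

```python
"""Hybrid X25519 + ChaCha20 file encryption in the style described above.

Added example, not LockBit code. ChaCha20-Poly1305 (12-byte nonce) is used
because `cryptography` does not ship XChaCha20 (24-byte nonce); the trailer
layout and HKDF label are assumptions made for illustration.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey,
    X25519PublicKey,
)
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

EPK_LEN = 32          # raw X25519 public key
NONCE_LEN = 12        # ChaCha20-Poly1305 nonce (XChaCha20 would use 24)
TAG_LEN = 16          # Poly1305 authentication tag
TRAILER_LEN = EPK_LEN + NONCE_LEN


def generate_operator_keypair() -> X25519PrivateKey:
    """The long-lived key that stays with the operators; only its public half
    ever travels inside the ransomware binary."""
    return X25519PrivateKey.generate()


def _file_key(shared_secret: bytes) -> bytes:
    """Derive the per-file symmetric key from the X25519 shared secret."""
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"per-file key (example label)").derive(shared_secret)


def encrypt_blob(plaintext: bytes, operator_pub: X25519PublicKey) -> bytes:
    """Encrypt one file body. The ephemeral private key is discarded after
    use, so the ciphertext can only be reversed with the operator private key.
    Trailing metadata = ephemeral public key + nonce."""
    eph = X25519PrivateKey.generate()
    key = _file_key(eph.exchange(operator_pub))
    nonce = os.urandom(NONCE_LEN)
    ciphertext = ChaCha20Poly1305(key).encrypt(nonce, plaintext, None)
    epk = eph.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    return ciphertext + epk + nonce


def decrypt_blob(blob: bytes, operator_priv: X25519PrivateKey) -> bytes:
    """Decryptor side: rebuild the shared secret from the trailer."""
    if len(blob) < TRAILER_LEN + TAG_LEN:
        raise ValueError("blob too short to hold tag and trailer")
    ciphertext, trailer = blob[:-TRAILER_LEN], blob[-TRAILER_LEN:]
    epk = X25519PublicKey.from_public_bytes(trailer[:EPK_LEN])
    nonce = trailer[EPK_LEN:]
    key = _file_key(operator_priv.exchange(epk))
    return ChaCha20Poly1305(key).decrypt(nonce, ciphertext, None)


def can_decrypt(blob: bytes, candidate_priv: X25519PrivateKey) -> bool:
    """True only for the matching operator key; any other key fails the tag."""
    try:
        decrypt_blob(blob, candidate_priv)
        return True
    except (InvalidTag, ValueError):
        return False


if __name__ == "__main__":
    operator = generate_operator_keypair()
    blob = encrypt_blob(b"constructed sample file body", operator.public_key())
    print("decrypts with operator key:", can_decrypt(blob, operator))
    print("decrypts with some other key:", can_decrypt(blob, generate_operator_keypair()))
```

The point for responders: because the symmetric key is derived per file and wrapped under the operators' Curve25519 key, there is no single key to recover from memory or disk after the fact; recovery realistically depends on backups.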
Windows: Heavy Defense Evasion
The Windows variant stands out for its extensive defense evasion capabilities:
- DLL Unhooking and Process Hollowing: Restores hooked API entry points to get past user-mode EDR hooks, and runs its payload inside a hollowed-out legitimate process
- ETW Patching: Overwrites the start of EtwEventWrite with a return instruction (0xC3), so ETW telemetry from the process is silently dropped
- Event Log Clearing: Calls EvtClearLog (Windows Event Log API) to wipe event log channels
- Locale Checks: Exits without encrypting on systems whose locale is associated with Russian-speaking regions
- Self-Deletion: After encryption, renames its own executable and sets a file disposition so the file is deleted once its handle closes
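A defender-side check for the ETW patch described above, as an added example that is not part of the original article or LockBit's code: the classification logic inspects the first bytes of a function prologue, and the live read (Windows only) pulls those bytes from EtwEventWrite in the current process. The sample prologues are constructed, not dumped from a real ntdll; the two longer stub patterns are common variants and an assumption about what other tools write, not a claim about this sample.

```python
"""Detect EtwEventWrite stubbed out with an immediate return.

Added example for defenders; not LockBit code. The classifier is platform
independent so it can be tested on constructed bytes; the live read works
only on Windows and inspects this process's own ntdll mapping.
"""
import ctypes
import sys

# Byte sequences that replace a function body with an immediate return.
# 0xC3 = ret, the patch the article describes. The longer stubs are common
# variants (assumption: not necessarily what this sample writes).
RET_STUBS = (
    b"\xc3",                       # ret
    b"\x33\xc0\xc3",               # xor eax, eax ; ret
    b"\xb8\x00\x00\x00\x00\xc3",   # mov eax, 0   ; ret
)


def classify_prologue(prologue: bytes) -> str:
    """Return 'patched' if the prologue begins with a return stub, else 'intact'."""
    for stub in RET_STUBS:
        if prologue.startswith(stub):
            return "patched"
    return "intact"


def read_etw_prologue(nbytes: int = 8) -> bytes:
    """Read the first bytes of EtwEventWrite in this process (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live check requires Windows")
    ntdll = ctypes.WinDLL("ntdll")
    addr = ctypes.cast(ntdll.EtwEventWrite, ctypes.c_void_p).value
    return ctypes.string_at(addr, nbytes)


def etw_status() -> str:
    """Convenience wrapper: classify the live EtwEventWrite prologue."""
    return classify_prologue(read_etw_prologue())


if __name__ == "__main__":
    # Constructed stand-ins for an intact and a patched prologue:
    print("intact sample  ->", classify_prologue(b"\x4c\x8b\xdc\x49\x83\xec\x58"))
    print("patched sample ->", classify_prologue(b"\xc3\x8b\xdc\x49\x83\xec\x58"))
    if sys.platform == "win32":
        print("EtwEventWrite in this process:", etw_status())
```

To hunt across a host rather than a single process, read the same bytes from each process with ReadProcessMemory and compare them against the on-disk ntdll.dll; any process whose copy diverges from the file has been patched in memory.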
Linux and ESXi: Targeting Virtualization
The Linux and ESXi variants are not packed, but they keep their strings encrypted and implement anti-analysis logic, including checks for debuggers and tracers such as gdb, lldb, strace, and ltrace. The ESXi build adds virtualization-specific behavior:
- Verifies it is running on VMware ESXi
- Scans the /vmfs/ tree, where VMFS datastores are mounted, for virtual machine assets
- Can terminate running VMs so that their locked disk files can be opened for encryption
- Offers parameters to skip or target specific VM IDs
This makes the ESXi variant capable of crippling dozens of virtual servers from a single hypervisor host.
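The VM-termination step leaves a trace that defenders can alert on. The following is an added example (not part of the original article, and not LockBit code) of detection logic over ESXi shell-history lines: it flags any shell session that issues a burst of VM stop commands, which is what mass encryption of a hypervisor looks like, while ignoring a lone power-off from routine administration. The log lines are constructed to approximate the format of ESXi's /var/log/shell.log and are not from a real incident; the threshold and window are tunables chosen here, not values from the report.

```python
"""Flag a burst of VM shutdown commands in ESXi shell history.

Added example for defenders; not LockBit code. SAMPLE_SHELL_LOG is
constructed to approximate /var/log/shell.log and is not real incident data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SHELL_LOG = """\
2025-12-01T10:00:01Z shell[2102433]: [root]: vim-cmd vmsvc/getallvms
2025-12-01T10:00:03Z shell[2102433]: [root]: ls /vmfs/volumes/
2025-12-01T10:00:05Z shell[2102433]: [root]: esxcli vm process kill --type=force --world-id=2100501
2025-12-01T10:00:06Z shell[2102433]: [root]: esxcli vm process kill --type=force --world-id=2100502
2025-12-01T10:00:07Z shell[2102433]: [root]: esxcli vm process kill --type=force --world-id=2100503
2025-12-01T10:00:09Z shell[2102433]: [root]: vim-cmd vmsvc/power.off 12
2025-12-02T08:30:00Z shell[2104870]: [root]: vim-cmd vmsvc/power.off 3
"""

# <timestamp>Z shell[<pid>]: [<user>]: <command>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z shell\[(?P<pid>\d+)\]: "
    r"\[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)
# Commands that stop a VM and thereby release the locks on its disk files.
VM_STOP_RE = re.compile(r"^(esxcli\s+vm\s+process\s+kill|vim-cmd\s+vmsvc/power\.off)\b")


def parse_shell_log(text: str) -> list:
    """Parse shell.log-style lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                "pid": m["pid"],
                "user": m["user"],
                "cmd": m["cmd"],
            })
    return events


def detect_mass_vm_shutdown(text: str, threshold: int = 3,
                            window: timedelta = timedelta(seconds=60)) -> list:
    """One alert per shell session (pid) whose VM-stop commands reach
    `threshold` inside any sliding `window`. A single power-off is normal."""
    stops = defaultdict(list)
    for ev in parse_shell_log(text):
        if VM_STOP_RE.match(ev["cmd"]):
            stops[ev["pid"]].append(ev["ts"])

    alerts = []
    for pid, times in stops.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"pid": pid, "count": best, "first": times[0].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_vm_shutdown(SAMPLE_SHELL_LOG):
        print(f"ALERT shell pid {alert['pid']}: {alert['count']} VM stops "
              f"within 60s starting {alert['first']}")
```

On a real host the same logic should also be fed from hostd.log, since power operations issued through the API rather than the shell never appear in shell.log.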
Victim Scope and Targeting
Victim data from LockBit’s leak site lists at least 60 organizations as of early December 2025, spanning private businesses, healthcare, financial services, manufacturing, government, and education. There is a clear concentration of victims in the United States, though cases appear in other regions as well.
The group allows affiliates to hit virtually any target—including critical infrastructure and medical facilities—while prohibiting attacks in post-Soviet countries and pushing responsibility for victim choice entirely onto its partners.
Infrastructure Overlaps
TRU researchers linked LockBit 5.0 infrastructure to historical SmokeLoader activity: one of the IPs hosting LockBit sites was previously associated with SmokeLoader samples and the rodericwalter[.]com domain. SmokeLoader is a widely used loader and backdoor, so the overlap illustrates how criminal operations share or rent the same servers, both to stand up campaigns quickly and to obscure who actually controls the infrastructure.
Recommendations for Defenders
Acronis TRU advises organizations to adopt a layered security strategy:
- Comprehensive endpoint and server protection across all platforms
- Network segmentation to limit lateral movement
- Strong access controls including multi-factor authentication
- Regularly tested offline backups—critical for recovery
- Cross-environment visibility across Windows, Linux, and virtualized infrastructure
- Hypervisor-specific hardening for ESXi and Proxmox environments
The shared design and common crypto stack across the Windows, Linux, and ESXi builds, together with the operators' claimed Proxmox support, show that LockBit 5.0 is engineered for broad enterprise impact rather than single-platform hits. Defenders need visibility and hardening across endpoints, hypervisors, and backups, not just traditional Windows workstations.
Source: Help Net Security, GBHackers
