LockBit 5.0 Ransomware Emerges as a Major Cross-Platform Threat to Enterprises

Security researchers have discovered a new strain, LockBit 5.0, that raises the stakes in ransomware attacks. Unlike its predecessors, this variant can simultaneously target Windows, Linux, and VMware ESXi environments, which makes it a far more dangerous cross-platform threat.

According to Trend Micro researchers, this new iteration of the LockBit ransomware comes with enhanced evasion, obfuscation, and cross-platform capabilities. This version follows Operation Cronos, a law enforcement action in early 2024 that disrupted LockBit’s infrastructure.

“The existence of Windows, Linux, and ESXi variants confirms LockBit’s continued cross-platform strategy. This enables simultaneous attacks across entire enterprise networks, from workstations to critical servers hosting databases and virtualization platforms,” Trend Micro researchers explained.

Windows, Linux, and ESXi variants: A cross-platform strategy

The Windows version of LockBit 5.0 is highly obfuscated and uses stealthy techniques to avoid detection. It disables security tools, clears system logs, and encrypts files with randomized extensions. This new variant is controlled via command-line options that allow attackers to customize its behavior, such as excluding certain folders or choosing encryption modes.

Additionally, the Linux variant mirrors the Windows version in functionality but is tailored for Linux systems. It supports detailed logging and flexible execution parameters. The Linux version also encrypts files with random extensions and skips specific directories, which makes it adaptable for different Linux environments.

The ESXi version is designed to encrypt virtual machines in bulk and poses a serious threat to enterprise infrastructure. Like its Windows and Linux counterparts, it uses similar command-line controls and encryption methods, but also includes ESXi-specific capabilities to target virtualization platforms directly.

LockBit’s affiliate model

Trend Micro warned that LockBit 5.0 marks a major evolution in ransomware, which combines a modular design, stealthy encryption, and cross-platform capabilities to threaten entire enterprise infrastructures. This group has now resurfaced with a revamped affiliate program to regain momentum.

This affiliate-driven model allows widespread deployment and adaptability, which makes the ransomware harder to contain. LockBit 5.0 brings the ability to disable security tools, erase backups, and target ESXi environments. It poses a serious challenge to traditional defense mechanisms and recovery strategies.

How to protect organizations against LockBit 5.0

Trend Micro recommends organizations to strengthen their cybersecurity posture against LockBit 5.0 by adopting a multi-layered defense strategy. This includes enhancing endpoint protection, monitoring for suspicious activity, and implementing robust backup systems that are isolated from the main network.

Furthermore, LockBit 5.0 can disable security tools and target virtual environments like ESXi, and it’s important to secure virtualization platforms and ensure backup integrity. Administrators should actively monitor for potential threats and educate employees on recognizing and preventing ransomware attacks to strengthen overall cybersecurity.