Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: LockBit
Executive Summary
LockBit 5.0, the latest evolution of the notorious ransomware, targets Windows, Linux, and VMware ESXi systems with advanced obfuscation, DLL reflection, and anti-analysis techniques. Its cross-platform capabilities and enhanced encryption methods make it a formidable threat to enterprise networks.
Key Takeaways
- LockBit 5.0 targets Windows, Linux, and VMware ESXi, enabling attacks across diverse enterprise environments.
- The ransomware employs heavy obfuscation, DLL reflection, and anti-analysis techniques like ETW patching.
- It uses randomized 16-character file extensions and clears event logs to complicate recovery.
- It shares code with LockBit 4.0, indicating an evolutionary upgrade of the ransomware.
What is LockBit 5.0?
The LockBit ransomware group, a leading player in the ransomware-as-a-service (RaaS) landscape, has released LockBit 5.0, a highly sophisticated iteration targeting Windows, Linux, and VMware ESXi systems. Trend Micro’s research, analyzing source binaries, reveals LockBit 5.0’s advanced obfuscation, cross-platform capabilities, and refined tactics, making it a critical concern for malware analysts and enterprise leaders.
LockBit 5.0’s Windows variant employs heavy obfuscation through packing, loading its payload via DLL reflection, a technique that decrypts a PE binary in memory to evade static analysis. It implements anti-forensics measures, such as patching the EtwEventWrite API with a 0xC3 (return) instruction to disable Windows Event Tracing and terminating security services by comparing hashed service names against a hardcoded list of values. Post-encryption, it clears event logs using the EvtClearLog API, further hindering forensic investigations. The ransomware also features a user-friendly command-line interface with options like invisible mode, verbose mode, and directory-specific encryption, enhancing attacker flexibility.
The Linux variant mirrors the Windows version’s functionality, offering similar command-line options to target specific directories and file types. It provides detailed logging during execution, displaying targeted files and excluded folders, which may assist affiliates in testing or monitoring. Like its Windows counterpart, it appends randomized 16-character file extensions to encrypted files, complicating recovery efforts. This consistency across platforms underscores LockBit’s commitment to a unified cross-platform strategy.
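The randomized 16-character extension described above is one of the few file-system artifacts a defender can hunt for without a sample in hand. The following is an added example, not code from the bulletin or from PolySwarm, that flags such extensions in a file listing; it assumes the extension alphabet is alphanumeric and uses an assumed entropy threshold to separate random suffixes from ordinary long extensions. The listing it scans is constructed.

```python
import math
import os
import re
from collections import Counter

# Assumption: the random suffix is 16 alphanumeric characters (the bulletin
# only states "randomized 16-character"); adjust if samples show otherwise.
RANDOM_EXT = re.compile(r"^[A-Za-z0-9]{16}$")
# Assumed threshold: 16 random alphanumerics score ~3.5-4.0 bits/char, while
# a repeated or dictionary-like suffix scores far lower.
MIN_ENTROPY_BITS = 3.0

# Constructed listing mixing benign files with LockBit-style renamed ones.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/budget.xlsx.aB3xK9pQ2mL7cV5n",
    "C:/Users/alice/Documents/notes.txt.aB3xK9pQ2mL7cV5n",
    "C:/Users/alice/Documents/readme.txt",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk.Zq8RtY2wXp4LmN6s",
    "/home/bob/project/main.c",
    "/home/bob/backup/archive.tar.gz",
    "/home/bob/data/repeated.aaaaaaaaaaaaaaaa",  # 16 chars but zero entropy
]


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def extension_of(path: str) -> str:
    """Last extension of the path, without the leading dot."""
    return os.path.splitext(path)[1].lstrip(".")


def suspicious_extension(path: str) -> bool:
    """True when the extension is 16 alphanumerics with high entropy."""
    ext = extension_of(path)
    return bool(RANDOM_EXT.match(ext)) and shannon_entropy(ext) >= MIN_ENTROPY_BITS


def scan(paths):
    """Group suspicious files by extension so a shared suffix stands out."""
    hits = {}
    for path in paths:
        if suspicious_extension(path):
            hits.setdefault(extension_of(path), []).append(path)
    return hits


if __name__ == "__main__":
    for ext, files in scan(SAMPLE_LISTING).items():
        print(f"{ext}: {len(files)} file(s)")
```

Many files sharing one previously unseen 16-character suffix is the signal to act on; a single hit may be a false positive and should be confirmed against the footer structure the bulletin mentions.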
The ESXi variant is particularly concerning, targeting VMware’s virtualization infrastructure to encrypt entire virtual machine environments in a single attack. Its command-line interface includes ESXi-specific parameters, optimizing it for virtualized environments. This capability amplifies the ransomware’s impact, as compromising a single ESXi host can disrupt dozens or hundreds of virtual machines, crippling enterprise operations.
LockBit 5.0 incorporates geopolitical safeguards, terminating execution on systems with Russian language settings or geolocation, a common trait among Eastern European ransomware groups. It also omits traditional infection markers, embedding original file sizes in encrypted file footers instead, further complicating detection and recovery. Compared to LockBit 4.0, this version shares identical hashing algorithms and API resolution methods, confirming it as an evolutionary upgrade rather than a rebrand. PolySwarm analysts consider LockBit 5.0 to be an evolving threat.
IOCs
PolySwarm has multiple samples of LockBit 5.0.
You can use the following CLI command to search for all LockBit 5.0 samples in our portal:
$ polyswarm link list -f LockBit5.0