New LockBit 5.0 Targets Windows, Linux, ESXi www.trendmicro.com/en_us/res…

Trend Research analysis found that the Windows binary uses heavy obfuscation and packing: it loads its payload through reflective DLL loading and implements anti-analysis techniques such as ETW patching and terminating security services. The newly discovered Linux variant keeps similar functionality and adds command-line options for targeting specific directories and file types. The ESXi variant specifically targets VMware virtualization environments and is designed to encrypt an entire virtual machine infrastructure in a single attack.

Our investigation also reveals that these newer versions share key behaviors: randomized 16-character file extensions, avoidance of Russian-language systems via geolocation checks, and event log clearing after encryption. The 5.0 version also shares code characteristics with LockBit 4.0, including identical hashing algorithms and API resolution methods, confirming that it is an evolution of the original codebase rather than an imitation.
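Two of the shared behaviors above (randomized 16-character extensions and post-encryption event log clearing) leave artifacts a responder can hunt for in a file listing and in exported Windows event records. The following is an added example, not code from the Trend Micro report or from the LockBit samples: it scores file extensions by length and Shannon entropy and flags an extension that appears on several files, and it picks out log-clearing events. The file names and event records are constructed, the assumption that the random extension is alphanumeric is mine, and the Event IDs used (1102 for the Security log, 104 for other logs) are general Windows knowledge rather than something the report states.

```python
import math
import re
from collections import Counter

# Assumption (not from the report): the random extension is 16 alphanumeric characters.
RANDOM_EXT_RE = re.compile(r"^[A-Za-z0-9]{16}$")

# Constructed sample file listing (not real victim data). Four files carry the same
# random 16-character extension; one random-looking extension appears only once;
# the rest are ordinary documents or have a low-entropy 16-character suffix.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\report.docx.Xk3pQ9mL2vR8wT5n",
    r"C:\Users\alice\Documents\budget.xlsx.Xk3pQ9mL2vR8wT5n",
    r"C:\Users\alice\Pictures\holiday.jpg.Xk3pQ9mL2vR8wT5n",
    r"C:\Shares\finance\q3.pdf.Xk3pQ9mL2vR8wT5n",
    r"C:\Users\bob\Desktop\notes.txt.Zq7wE4rT1yU6iO3p",
    r"C:\Users\bob\Desktop\readme.txt",
    r"C:\Users\bob\Desktop\archive.tar.gz",
    r"C:\Temp\padding.aaaaaaaaaaaaaaaa",
    r"C:\Temp\padding2.aaaaaaaaaaaaaaaa",
    r"C:\Temp\padding3.aaaaaaaaaaaaaaaa",
]

# Constructed Windows event records (what an evtx export might look like after parsing).
# Event ID 1102 in the Security log and 104 in the System log record log clearing.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Channel": "Security", "Message": "An account was successfully logged on."},
    {"EventID": 1102, "Channel": "Security", "Message": "The audit log was cleared."},
    {"EventID": 104, "Channel": "System", "Message": "The System log file was cleared."},
    {"EventID": 7036, "Channel": "System", "Message": "A service entered the stopped state."},
]

LOG_CLEAR_EVENT_IDS = {1102, 104}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 16 distinct characters give exactly 4.0."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def extension_of(path: str) -> str:
    """Return the final extension without the dot, or '' if the name has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.rsplit(".", 1)
    return parts[1] if len(parts) == 2 else ""


def suspicious_extensions(paths, min_count=3, min_entropy=3.0):
    """Map extension -> file count for 16-char alphanumeric extensions that look random
    and recur across at least min_count files. A single odd file is not enough to alert;
    a low-entropy 16-char suffix (e.g. all one character) is not treated as random."""
    counts = Counter(
        ext
        for ext in map(extension_of, paths)
        if RANDOM_EXT_RE.match(ext) and shannon_entropy(ext) >= min_entropy
    )
    return {ext: n for ext, n in counts.items() if n >= min_count}


def log_clearing_events(events):
    """Return the records that indicate an event log was cleared."""
    return [e for e in events if e.get("EventID") in LOG_CLEAR_EVENT_IDS]


def triage(paths, events):
    """Combine both signals into a simple verdict for the responder."""
    exts = suspicious_extensions(paths)
    cleared = log_clearing_events(events)
    return {
        "renamed_clusters": exts,
        "log_clearing_count": len(cleared),
        "likely_ransomware_impact": bool(exts) and bool(cleared),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_EVENTS))
```

In a real engagement the file listing would come from a filesystem walk or a backup index and the events from an evtx export; the thresholds (three files, 3.0 bits) are starting points to tune against the environment, since the report gives no charset or count for the extensions beyond their 16-character length.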

Edward Kiledjian @ekiledjian