The most recent iteration of the LockBit ransomware, version 5.0, now targets Linux, ESXi, and Windows systems. This malware's multi-platform support greatly increases its threat, making it a major concern for companies, particularly those in industries with a variety of IT infrastructures.

With faster encryption, better anti-analysis tools, and advancements in defense-evasion strategies, LockBit 5.0 expands upon earlier iterations. To avoid detection and successfully encrypt its targets, the LockBit 5.0 ransomware uses a complex, multi-layered strategy. The ransomware uses a number of defense evasion strategies on Windows systems, such as patching Windows Event Tracing (ETW) functions, packing, process hollowing, and DLL unhooking. It also deletes system logs, which makes it harder for security software to detect problems.

The Linux and ESXi variants are quite similar in functionality but do not use packing, which makes them easier to detect. However, these versions still heavily encrypt their strings to hinder analysis. Both versions also feature unique functions tailored to virtualized environments, reflecting LockBit’s growing focus on targeting systems running in virtual machines.

This includes specialized logic for virtual machine environments, such as checking VMware versions and terminating virtual machines to ensure unhindered file encryption.

[Figure: LockBit data leak site (Source: Acronis)]

Execution and Encryption Process

LockBit 5.0 executes using command-line arguments, making it highly customizable depending on the environment. Once it infiltrates a system, it encrypts files using a hybrid encryption scheme that combines XChaCha20 (symmetric) and Curve25519 (asymmetric).

The encryption process is notably fast, leveraging the system’s CPU cores to maximize performance. After each file is encrypted, the ransomware appends a random extension, further complicating recovery efforts.

[Figure: LockBit 5.0 Targets Windows, Linux (Source: Acronis)]

On Windows, LockBit checks system configuration, including the system language and geographic location, to avoid infecting systems in Russia.

The ransomware then initiates its encryption routine, leaving behind a ransom note demanding payment for decryption. The Linux and ESXi versions differ slightly in command-line arguments and in the inclusion of specific functions for interacting with virtualized systems. In the case of ESXi, LockBit searches for virtual machine files in the /vmfs/ directory and can halt virtual machines during encryption.
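The two behaviours described above, targeting virtual machine files under /vmfs/ and appending a random extension to each encrypted file, suggest a rename-burst detection heuristic. The Python below is an added example, not code from the article or from Acronis; the event tuple format, the list of VM file extensions, the 8-character minimum for the appended suffix, and the window and threshold values are all assumptions.

```python
import re
from collections import deque

# Assumption: VM file types worth watching on a datastore (not taken from the article).
VM_EXTS = (".vmdk", ".vmx", ".vmem", ".vswp", ".nvram", ".vmsn")
# Assumption: the appended extension is a dot followed by 8 or more letters/digits.
APPENDED = re.compile(r"\.[A-Za-z0-9]{8,}")

def is_appended_extension(old, new, root="/vmfs/"):
    """True when `new` is `old` plus one extra suffix and `old` was a VM file under root."""
    if not old.startswith(root) or not new.startswith(old):
        return False
    suffix = new[len(old):]
    return old.lower().endswith(VM_EXTS) and bool(APPENDED.fullmatch(suffix))

def find_bursts(events, window=60, threshold=5):
    """events: iterable of (epoch_seconds, old_path, new_path), sorted by time.
    Returns (first_ts, last_ts, count) for every burst that reaches the threshold."""
    recent, alerts = deque(), []
    for ts, old, new in events:
        if not is_appended_extension(old, new):
            continue
        recent.append(ts)
        while ts - recent[0] > window:      # drop renames older than the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((recent[0], ts, len(recent)))
            recent.clear()                  # start counting the next burst from zero
    return alerts

DS = "/vmfs/volumes/ds1"
# Constructed sample rename events; paths and suffixes are invented for illustration.
SAMPLE = [
    (1000, f"{DS}/web01/web01.vmdk", f"{DS}/web01/web01.vmdk.k3Jq9ZxT2mWp7aLc"),
    (1004, f"{DS}/db02/db02.vmx", f"{DS}/db02/db02.vmx.bak"),           # admin backup
    (1009, f"{DS}/web01/web01.vmx", f"{DS}/web01/web01.vmx.Rt8vN1qYb6Hd0sEu"),
    (1015, "/var/log/vmkernel.log", "/var/log/vmkernel.log.0123456789"),  # not a datastore
    (1021, f"{DS}/web01/web01.nvram", f"{DS}/web01/web01.nvram.pL5cX0wGe2Uj9MnB"),
    (1030, f"{DS}/db02/db02.vmdk", f"{DS}/db02/db02.vmdk.Qa7zK4hVt1Fy8RoD"),
    (1042, f"{DS}/db02/db02.vmsn", f"{DS}/db02/db02.vmsn.Ew3nS6bJc9Lx0TuI"),
]

if __name__ == "__main__":
    for first, last, count in find_bursts(SAMPLE):
        print(f"ALERT: {count} VM files gained a new extension between t={first} and t={last}")
```

The check does not depend on the appended extension being the same for every file, so it works whether the suffix is chosen once per run or once per file.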

The ESXi-specific functionality highlights the ransomware’s ability to target critical infrastructure in virtualized environments, which are increasingly popular in enterprise IT setups.

Widespread Impact

LockBit 5.0 targets a wide range of sectors, with a particular emphasis on the U.S. business sector. Its victims include private companies, government agencies, educational institutions, and healthcare organizations.

According to the LockBit data leak site, over 60 victims were already listed at the time of analysis, with a significant number of attacks occurring in late 2025. Despite ongoing law enforcement efforts to disrupt their operations, the LockBit group continues to thrive, leveraging historical infrastructure from other malware families, such as SmokeLoader.

Given the widespread impact and sophistication of LockBit 5.0, organizations must implement robust cybersecurity measures to protect all systems whether they are running Windows, Linux, or ESXi against this evolving ransomware threat.

Acronis EDR/XDR solutions can detect and block LockBit 5.0 ransomware. Indicators of Compromise (IoCs) for the various LockBit 5.0 samples are available to help threat analysts identify potential infections.

Businesses are urged to stay vigilant and ensure that their systems are up to date with the latest security patches to defend against such sophisticated ransomware attacks.