A new and dangerous variant of the LockBit ransomware has surfaced, posing a threat to businesses globally and targeting a variety of operating systems. Released in September 2025, LockBit 5.0 is a significant update to one of the most active ransomware families in recent memory. This version is a multifaceted threat that can target a variety of infrastructure environments because it supports the Windows, Linux, and ESXi platforms.
The ransomware is distributed under a ransomware-as-a-service model and relies on double extortion, encrypting files while also stealing data, to coerce victims into paying. About 67% of recorded victims are private companies, indicating that the malware primarily targets the U.S. business sector. Manufacturing, healthcare, education, financial services, and government organizations are among the other industries impacted.
The extensive reach of this campaign is evidenced by the 60 victim entries recorded on the LockBit data leak website since December 2025. This version is especially worrisome because it claims to be compatible with all versions of Proxmox, an open-source virtualization platform that businesses are increasingly using in place of commercial hypervisors.
LockBit data leak site (Source: Acronis)
LockBit 5.0, according to Acronis analysts, is similar to its predecessor, version 4, but encrypts faster and has improved defense evasion. Of the three variants, the Windows build uses the most advanced anti-analysis techniques: Event Tracing for Windows (ETW) patching, DLL unhooking, packing, and process hollowing. To remove forensic evidence, the malware also deletes every system log it can access.
The Linux and ESXi builds are not packed, but they encrypt almost all of their strings to hinder detection.
Backup-equipped server (Source: Acronis)
All three platform versions use the same encryption scheme, combining Curve25519 for asymmetric encryption with XChaCha20 for symmetric encryption. To make identification harder, a randomly generated 16-character extension is appended to each encrypted file.
To encrypt files quickly across a compromised environment, the ransomware spawns multiple encryption threads, scaled to the number of processors on the system.
Advanced Persistence and Evasion Techniques
The Windows version exhibits especially advanced evasion techniques designed to defeat analysis and security software. The malware hides its actual purpose by wrapping return-address-dependent hashing in Mixed Boolean-Arithmetic (MBA) obfuscation.
As is typical of Russia-based malware families, it performs a geolocation check to avoid infecting systems in post-Soviet countries: before encryption starts, LockBit reads the system language settings and compares them against Russian language identifiers. The ransomware also uses process hollowing, injecting itself into the legitimate Windows defrag.exe binary so that it runs as a trusted system process.
The ".rdata" section is compressed, according to Detect It Easy (Source: Acronis)
After encryption, LockBit disables Event Tracing for Windows monitoring by patching EtwEventWrite, overwriting its first byte with a return instruction. It then calls EvtClearLog to methodically clear every event log, removing the traces of its activity.
An infrastructure analysis found that LockBit's data leak website was hosted on an IP address previously linked to SmokeLoader malware operations.
Ransom note (Source: Acronis)
This link raises the possibility of infrastructure sharing or collaboration between different cybercriminal groups, which is common in underground markets. Organizations should implement multi-layered security controls, such as network segmentation, endpoint detection and response (EDR) tools, frequent offline backups, and prompt patch management.
Employee security awareness training remains essential to stop initial access through phishing campaigns. Defenders should also watch for unusual file encryption activity, suspicious process behavior, and attempts to disable security logging mechanisms.
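The detection advice above can be turned into a concrete triage check. The following is an added example, not code from the article or from Acronis: it scans constructed Windows telemetry records for three behaviours the write-up describes (defrag.exe launched from an unexpected parent, mass renames to a random 16-character extension, and event-log clearing). The record format, the expected-parent list and the alphanumeric extension charset are assumptions; Security event 1102 and System event 104 are the standard Windows log-clear events.

```python
import re
from collections import Counter

# Assumption: encrypted files receive a random 16-character alphanumeric extension.
RANDOM_EXT = re.compile(r"\.[A-Za-z0-9]{16}$")
# Standard Windows log-clear events: Security 1102 (audit log cleared), System 104 (log cleared).
LOG_CLEAR_IDS = {1102, 104}
# Parents that normally launch defrag.exe (assumed allow-list for this example).
EXPECTED_DEFRAG_PARENTS = {"svchost.exe", "mmc.exe", "dfrgui.exe"}
# Renames to a random extension by one process before it counts as mass encryption.
MASS_RENAME_THRESHOLD = 3

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()  # file name part of a Windows path

def triage(events):
    """Scan telemetry records (constructed format, see SAMPLE_EVENTS) and return alert strings."""
    alerts = []
    renames = Counter()  # pid -> number of files renamed to a random extension
    for ev in events:
        kind = ev["kind"]
        if kind == "log_cleared" and ev["event_id"] in LOG_CLEAR_IDS:
            alerts.append(f"log cleared: {ev['log']} by pid {ev['pid']}")
        elif kind == "process_create":
            image, parent = _basename(ev["image"]), _basename(ev["parent_image"])
            # Hollowing into defrag.exe shows up as defrag.exe with an unusual parent process.
            if image == "defrag.exe" and parent not in EXPECTED_DEFRAG_PARENTS:
                alerts.append(f"defrag.exe spawned by unexpected parent {parent} (pid {ev['pid']})")
        elif kind == "file_rename" and RANDOM_EXT.search(ev["target"]):
            renames[ev["pid"]] += 1
    for pid, count in renames.items():
        if count >= MASS_RENAME_THRESHOLD:
            alerts.append(f"pid {pid} renamed {count} files to random 16-char extensions")
    return alerts

# Constructed sample telemetry: one suspicious process (pid 4120) plus benign noise.
SAMPLE_EVENTS = [
    {"kind": "process_create", "pid": 4120, "image": "C:\\Windows\\System32\\defrag.exe",
     "parent_image": "C:\\Users\\Public\\update.exe"},
    {"kind": "process_create", "pid": 2200, "image": "C:\\Windows\\System32\\defrag.exe",
     "parent_image": "C:\\Windows\\System32\\svchost.exe"},
    {"kind": "file_rename", "pid": 4120, "target": "D:\\finance\\q3.xlsx.Kq8vZ2mLp0Ra7TbX"},
    {"kind": "file_rename", "pid": 4120, "target": "D:\\finance\\q4.xlsx.Kq8vZ2mLp0Ra7TbX"},
    {"kind": "file_rename", "pid": 4120, "target": "D:\\hr\\payroll.docx.Kq8vZ2mLp0Ra7TbX"},
    {"kind": "file_rename", "pid": 3300, "target": "C:\\Users\\bob\\report.docx.bak"},
    {"kind": "log_cleared", "pid": 4120, "event_id": 1102, "log": "Security"},
    {"kind": "log_cleared", "pid": 4120, "event_id": 104, "log": "System"},
]

if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS), sep="\n")
```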