LockBit 5.0 represents a new generation of ransomware targeting Windows, Linux, and ESXi systems. This cross-platform, double-extortion attack threatens entire corporate infrastructures, including virtualization servers.
The LockBit ransomware group has released a new version, 5.0, which represents a significant leap forward in both technical capabilities and the scope of its attacks. This is not a routine update to existing malicious code, but a comprehensively redesigned tool capable of affecting virtually an organization’s entire IT environment—from endpoints to virtualization servers.
Multiplatform Attack
LockBit 5.0 supports Windows, Linux, and ESXi operating systems , enabling it to effectively target diverse infrastructures. It operates on the ransomware-as-a-service model , with attacks carried out by partner groups linked to the core of the operation.
The ransomware uses the so-called double extortion model —it not only encrypts data but also exfiltrates it. If the ransom is not paid, the data is threatened with publication.
According to available information, the group’s leak portal has recorded approximately 60 new victims since December 2025 . Most of these are private companies, but organizations in the healthcare, manufacturing, education, financial services, and public administration sectors have also been affected.
Technically Advanced Windows Version
- The Windows variant of the ransomware uses sophisticated techniques to evade detection, including:
- process hollowing (hiding malicious code within a legitimate process),
- disabling Event Tracing for Windows,
- systematic deletion of system logs,
- strong code obfuscation.
Although the Linux and ESXi versions do not use packer mechanisms, they heavily encrypt internal strings to make analysis and detection more difficult.
Data encryption combines the XChaCha20 and Curve25519 algorithms . Each encrypted file is assigned a randomly generated 16-character extension , which complicates identification and recovery.
Business Impact
An attack on a virtualization server can render dozens of virtual machines inoperable at once. If accounting systems, CRM systems, or production databases are encrypted, the organization’s operations can be immediately paralyzed.
Given the combination of encryption and data leakage, this is not merely an IT incident but a significant legal, reputational, and financial risk.
Recommended Preventive Measures
In today’s environment, it is essential to implement multi-layered protection, specifically:
- regular and tested offline backups,
- network segmentation,
- EDR solutions and behavioral monitoring,
- rigorous patch management,
- employee training focused on phishing prevention.
Cyberattacks of this type are now a matter of preparedness. Organizations that have both preventive and reactive mechanisms in place can significantly minimize the impact of an incident.