1. Executive Summary
The LockBit ransomware operation, one of the most prolific and damaging Ransomware-as-a-Service (RaaS) programmes in history, has released version 5.0 of its malware platform. Despite sustained law-enforcement pressure—including the landmark Operation Cronos takedown in February 2024—LockBit's core developers have demonstrated remarkable resilience, rebuilding their infrastructure and launching a significantly upgraded toolset. LockBit 5.0 introduces dedicated payloads for Windows, Linux, and VMware ESXi environments, reflecting a calculated strategy to maximise disruption across heterogeneous enterprise networks.
This article delivers a detailed technical and strategic assessment of LockBit 5.0 for security leaders, SOC analysts, and incident responders. It covers the malware's evolution, its cross-platform architecture, its tactics, techniques, and procedures (TTPs), observed indicators of compromise (IOCs), and actionable defensive recommendations.
2. Background: LockBit's Evolution
LockBit first appeared in September 2019 under the name ABCD ransomware, distinguished by the .abcd extension it appended to encrypted files. The group quickly gained notoriety for the speed of its encryption engine and its business-like operational model. Over the following years, LockBit evolved through several major iterations, each raising the bar for ransomware sophistication.
- LockBit 1.0 (2019–2021): Established the brand with fast encryption and automated propagation via Server Message Block (SMB) and Group Policy Objects (GPOs). Operated a standard single-extortion model.
- LockBit 2.0 (2021–2022): Introduced the StealBit data-exfiltration tool, enabling double extortion. Added Active Directory reconnaissance and automated lateral movement. Claimed to be the fastest file-encrypting ransomware at the time.
- LockBit 3.0 / LockBit Black (2022–2024): A major overhaul incorporating code from the BlackMatter ransomware. Introduced a bug bounty programme for its own malware, highly modular payloads, and anti-analysis protections. Operated a leak site with countdown timers and public victim shaming.
- LockBit Green (2023): An intermediate variant that borrowed substantial code from the defunct Conti ransomware, signalling the absorption of former Conti affiliates into the LockBit ecosystem.
- LockBit-NG-Dev / LockBit 4.0 (2024): A transitional build developed in .NET, representing an experimental rewrite that departed from the C/C++ foundation of earlier versions. This variant was partially recovered during Operation Cronos.
LockBit 5.0 represents the culmination of these evolutionary steps. It combines the lessons learned from each prior version—speed, modularity, cross-platform reach, and anti-forensic capability—into a single, cohesive platform purpose-built for the modern enterprise attack surface.
3. Operation Cronos and LockBit's Resurgence
In February 2024, a multinational law-enforcement effort dubbed Operation Cronos dealt a significant blow to the LockBit operation. Led by the UK's National Crime Agency (NCA) in coordination with the FBI, Europol, and agencies from ten countries, the operation seized LockBit's primary dark-web leak site, obtained decryption keys, froze cryptocurrency wallets, and led to the indictment of several alleged affiliates.
Operation Cronos also recovered the source code for LockBit-NG-Dev (the so-called version 4.0), providing researchers with unprecedented insight into the group's development roadmap. Dmitry Yuryevich Khoroshev, alleged to be the administrator known as LockBitSupp, was publicly identified and sanctioned.
However, within days of the takedown, LockBit's operators relaunched on new infrastructure, posted defiant messages to security researchers, and began recruiting affiliates once more. The rapid recovery underscored a reality that cybersecurity professionals have long recognised: dismantling ransomware operations through enforcement alone is insufficient when the underlying codebase, expertise, and financial incentives remain intact. LockBit 5.0 is the direct product of that resurgence.
4. Cross-Platform Architecture
The defining feature of LockBit 5.0 is its true cross-platform design. Rather than relying on a single payload adapted for different operating systems, LockBit 5.0 ships with three purpose-built variants, each optimised for its target environment.
4.1 Windows Payload
The Windows variant remains the flagship payload. It is compiled in C/C++ and continues to leverage the proven encryption engine from LockBit 3.0, using a combination of AES-256 in CTR mode for file content and RSA-2048 for key wrapping. Key enhancements in version 5.0 include:
- Improved credential harvesting: Integration with LSASS memory dumping techniques (MITRE T1003.001) and Kerberos ticket extraction for seamless lateral movement.
- Enhanced EDR evasion: Kernel callback removal, direct syscall invocation to bypass user-mode API hooks, and timestomping of encrypted files to confuse forensic timelines (T1070.006).
- Shadow copy and backup destruction: Automated deletion of Volume Shadow Copies (T1490), Windows Recovery partitions, and detection of third-party backup agents for targeted termination.
- Group Policy propagation: Ability to deploy the ransomware payload across an Active Directory domain via Group Policy Objects, enabling organisation-wide encryption from a single compromised domain controller.
4.2 Linux Payload
The Linux variant marks a significant maturation of LockBit's cross-platform ambitions. Written in a combination of C and Go, it targets enterprise Linux servers—the backbone of modern data centres, cloud infrastructure, and containerised workloads. Capabilities include:
- Multi-threaded encryption: Uses OpenSSL libraries with AES-256-CBC and Curve25519 elliptic-curve cryptography for key exchange, delivering high-speed encryption on multi-core server hardware.
- Database targeting: Enumerates and terminates MySQL, PostgreSQL, MongoDB, and Redis processes before encrypting their data directories, ensuring maximum data loss.
- Container awareness: Detects Docker and Kubernetes environments, attempting to stop containers and encrypt persistent volumes.
- NFS and CIFS share encryption: Scans for mounted network file systems and encrypts accessible shares, extending the blast radius beyond the local host.
- Cron-based persistence: Installs cron jobs and systemd service units to survive reboots and re-execute if the initial encryption is interrupted.
4.3 VMware ESXi Payload
The ESXi variant is arguably the most strategically significant component of LockBit 5.0. VMware ESXi hypervisors underpin virtualised infrastructure in enterprises worldwide, and encrypting a single ESXi host can simultaneously destroy dozens of virtual machines. The ESXi payload features:
- Direct VMDK encryption: Targets Virtual Machine Disk (VMDK) files, snapshot files (.vmsn), and virtual swap files (.vswp) at the datastore level, bypassing guest operating system protections entirely.
- ESXi shell command execution: Uses esxcli and vim-cmd commands to enumerate running VMs, force-shutdown guest operating systems, and disable lockdown mode before encryption begins.
- Selective VM targeting: Configurable allow-lists and deny-lists enable affiliates to exclude specific VMs (such as the attacker's own C2 relay) from encryption.
- SSH-based propagation: Harvests SSH keys and known-hosts files from the ESXi host to propagate laterally to other hypervisors, storage appliances, and management planes within the same vSphere environment.
5. Tactics, Techniques, and Procedures (TTPs)
LockBit 5.0 affiliates employ a sophisticated, multi-stage attack chain that reflects years of operational refinement. The following breakdown maps observed behaviours to the MITRE ATT&CK framework.
5.1 Initial Access
LockBit 5.0 campaigns have been observed using a broad range of initial access vectors, reflecting the diversity of the affiliate base:
- Exploitation of public-facing applications (T1190): Affiliates actively exploit vulnerabilities in VPN appliances (Fortinet FortiOS, Citrix NetScaler, Ivanti Connect Secure), web servers, and remote management tools. Particular focus has been observed on vulnerabilities with available proof-of-concept exploits.
- Phishing with malicious attachments (T1566.001): Spear-phishing emails delivering macro-laden Office documents, ISO images containing LNK shortcuts, or HTML smuggling payloads that drop initial-stage loaders.
- Valid accounts (T1078): Purchasing stolen credentials from initial access brokers (IABs) on dark-web marketplaces. RDP credentials, VPN accounts, and Citrix credentials are commonly traded commodities.
- Supply chain compromise (T1195): In select campaigns, affiliates have compromised managed service providers (MSPs) to gain simultaneous access to multiple downstream customer environments.
5.2 Execution and Persistence
Once inside the network, LockBit 5.0 affiliates establish persistence and prepare the environment for encryption:
- Command and scripting interpreters (T1059): PowerShell, Bash, and Python scripts are used to automate reconnaissance, disable security tools, and stage payloads.
- Scheduled tasks and services (T1053): Windows scheduled tasks, Linux cron jobs, and systemd units ensure the ransomware re-executes after reboot.
- Boot or logon autostart (T1547): Registry Run keys, startup folder shortcuts, and Group Policy logon scripts provide additional persistence mechanisms on Windows.
- Process injection (T1055): Reflective DLL injection and process hollowing are used to execute the payload within trusted system processes, evading application whitelisting and behavioural detection.
5.3 Lateral Movement and Privilege Escalation
LockBit 5.0 affiliates are adept at moving through enterprise networks to maximise the scope of encryption:
- Remote services (T1021): RDP, SSH, SMB, and WinRM are used to hop between systems. Cobalt Strike, Brute Ratel C4, and Sliver are the most commonly observed post-exploitation frameworks.
- Domain controller compromise (T1484): Affiliates prioritise compromising Active Directory domain controllers using tools such as Mimikatz, SharpHound, and BloodHound to map trust relationships and escalate to Domain Admin.
- Exploitation of vulnerabilities (T1068): Local privilege escalation exploits targeting unpatched Windows kernels, Linux polkit, and sudo misconfigurations are routinely deployed.
5.4 Data Exfiltration
In keeping with the double-extortion model, LockBit 5.0 affiliates systematically exfiltrate sensitive data before encryption begins. This data is used as leverage: victims who refuse to pay the ransom face public release of their stolen files on LockBit's leak site.
- Exfiltration over web service (T1567): Data is uploaded to cloud storage services including Mega.nz, pCloud, and attacker-controlled Amazon S3 buckets using tools such as Rclone and WinSCP.
- Exfiltration over C2 channel (T1041): Smaller datasets are exfiltrated directly through the command-and-control channel, often using encrypted tunnels to avoid data-loss-prevention (DLP) systems.
- Automated data discovery (T1083): Scripts enumerate file shares, databases, email archives, and document repositories, prioritising financial records, HR data, intellectual property, and legal documents.
6. Anti-Analysis and Evasion Capabilities
LockBit 5.0 incorporates a substantial suite of anti-analysis and defence-evasion techniques, making it significantly harder for security teams to detect, reverse-engineer, and respond to active intrusions.
- Code obfuscation and packing: The Windows payload uses custom packers, control-flow flattening, and string encryption to hinder static analysis. API calls are resolved dynamically at runtime using hash-based function resolution.
- Debugger and sandbox detection: The malware checks for virtualised environments, debugging tools, and analysis sandboxes using techniques such as CPUID instruction analysis, timing checks, and registry artefact detection (T1497).
- Impair defences (T1562): LockBit 5.0 aggressively targets endpoint security products, using Bring Your Own Vulnerable Driver (BYOVD) techniques to load signed but vulnerable kernel drivers that can be exploited to terminate EDR and antivirus processes from kernel space.
- Log and evidence destruction (T1070): Windows Event Logs, Sysmon logs, and PowerShell transcription logs are cleared or corrupted. On Linux, bash history files and syslog entries are purged.
- Indicator removal (T1070.004): The ransomware binary self-deletes after execution, and intermediate staging tools are wiped from disk to complicate forensic recovery.
7. Affiliate Programme and RaaS Model
LockBit's affiliate programme remains one of the most structured and lucrative in the ransomware ecosystem. LockBit 5.0 has expanded the programme with new features designed to attract high-calibre affiliates, including those displaced from rival operations such as BlackCat/ALPHV and Hive following their respective law-enforcement takedowns.
- Revenue split: Affiliates retain 75–80% of each ransom payment, with the remainder going to LockBit's core operators. Top-performing affiliates may negotiate even more favourable terms.
- Builder panel: A web-based panel allows affiliates to generate customised payloads for each target, configuring encryption scope, file extension filters, ransom note text, kill lists for processes and services, and self-deletion behaviour.
- Cross-platform payload generation: The panel now supports generating Windows, Linux, and ESXi payloads from a single campaign configuration, lowering the technical barrier for affiliates to attack diverse environments.
- Negotiation infrastructure: LockBit operates dedicated Tor-based chat portals for ransom negotiation, with multi-language support and automated pricing based on the victim's estimated revenue.
8. Observed Indicators of Compromise (IOCs)
The following indicators have been observed in confirmed LockBit 5.0 intrusions. These should be integrated into SIEM detection rules, EDR custom indicators, and threat intelligence platforms. Note that IOCs are perishable and affiliates frequently rotate infrastructure.
- File extensions: Encrypted files receive a randomised 9-character extension (e.g., .HLJkNskOq) rather than the predictable .lockbit extension used in earlier versions. Because the extension differs per build, detections should key on the pattern (one unknown 9-character extension appearing on many files at once) rather than a fixed string.
- Ransom note filenames: A note named [random_extension].README.txt is dropped in every encrypted directory, so the note filename itself reveals the extension used on that host.
- Process termination targets: veeam, sql, oracle, exchange, backup, vss, sophos, crowdstrike, sentinel, carbon, cylance, and other security and backup processes.
- Execution artefacts: Use of rundll32.exe, mshta.exe, and regsvr32.exe for payload execution on Windows (T1218).
- Network indicators: Connections to Tor hidden services for C2 communications and Mega.nz, pCloud, and custom SFTP servers for data exfiltration.
- BYOVD drivers: Loading of vulnerable signed drivers such as RTCore64.sys (Micro-Star MSI Afterburner) and dbutil_2_3.sys (Dell BIOS utility) to disable endpoint protection.
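The two file-system indicators above (a randomised 9-character extension on many files, and a matching [random_extension].README.txt note) can be turned into a simple triage scan. The following is an added example written for this article, not code from the article or from any vendor product; the directory layout and file names it scans are constructed in a temporary directory, and the assumption that the note may appear with or without a leading dot is the author's.

```python
"""Added example (not from the article): scan a directory tree for the LockBit 5.0
on-disk indicators described above. Sample files are constructed in a temp directory."""
import os
import re
import tempfile
from collections import Counter, defaultdict

# Randomised 9-character alphanumeric extension, e.g. ".HLJkNskOq" (value from the article).
RANDOM_EXT = re.compile(r"^\.[A-Za-z0-9]{9}$")
# Ransom note "<random_extension>.README.txt"; leading dot treated as optional (assumption).
NOTE_RE = re.compile(r"^\.?([A-Za-z0-9]{9})\.README\.txt$")


def scan_tree(root, min_files=5):
    """Walk `root`; return candidate encrypted-file extensions and ransom notes found."""
    ext_counts = Counter()        # candidate extension -> number of files carrying it
    ext_dirs = defaultdict(set)   # candidate extension -> directories where it appears
    note_exts = set()             # extensions named by README.txt ransom notes
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                note_exts.add("." + m.group(1))
                continue
            ext = os.path.splitext(name)[1]
            if RANDOM_EXT.match(ext):
                ext_counts[ext] += 1
                ext_dirs[ext].add(dirpath)
    hits = []
    for ext, n in ext_counts.items():
        # High confidence: the same extension is named by a ransom note.
        # Medium confidence: many files share one unknown 9-character extension.
        if ext in note_exts:
            hits.append((ext, n, "extension matches ransom note"))
        elif n >= min_files:
            hits.append((ext, n, "mass rename to one random extension"))
    return {"hits": sorted(hits), "notes": sorted(note_exts), "extensions": dict(ext_counts)}


def build_sample(root):
    """Construct a small tree mimicking a hit (finance, hr) next to untouched files (src)."""
    enc = ".HLJkNskOq"  # extension value taken from the article's IOC example
    layout = {"finance": ["q1.xlsx", "q2.xlsx", "budget.docx"],
              "hr": ["payroll.csv", "contracts.pdf"],
              "src": ["main.c", "README.md"]}
    for d, names in layout.items():
        os.makedirs(os.path.join(root, d), exist_ok=True)
        for n in names:
            suffix = enc if d != "src" else ""
            with open(os.path.join(root, d, n + suffix), "w") as fh:
                fh.write("x")
        if d != "src":
            open(os.path.join(root, d, enc + ".README.txt"), "w").close()
    return enc


def demo():
    """Run the scan against the constructed tree and return its report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

Run it against a suspected host's file shares with a higher min_files threshold to suppress the occasional legitimate 9-character extension.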
9. Impact Assessment
The release of LockBit 5.0 represents a material escalation in the threat landscape for several reasons.
First, the cross-platform capability means that a single affiliate intrusion can now encrypt Windows workstations, Linux database servers, and ESXi hypervisors hosting dozens of virtual machines—all within a single attack campaign. The blast radius of a successful LockBit 5.0 deployment is significantly larger than that of any prior version.
Second, the targeting of ESXi hypervisors is particularly devastating for organisations that rely on virtualised infrastructure. Encrypting VMDK files at the hypervisor layer bypasses all guest-level security controls, and recovering from an ESXi-level attack typically requires complete infrastructure rebuilds rather than simple file restoration.
Third, the continued sophistication of LockBit's anti-forensic and evasion capabilities—particularly the use of BYOVD techniques—means that many organisations' existing endpoint protection stacks may be insufficient to prevent or detect an active intrusion.
For UK organisations in particular, the threat is acute. LockBit has historically been one of the most active ransomware families targeting British businesses, public-sector bodies, and critical national infrastructure. The NHS, local councils, law firms, and financial services firms have all been previous LockBit targets.
10. Defensive Recommendations
Defending against LockBit 5.0 requires a layered, defence-in-depth approach that addresses the full attack chain—from initial access through to encryption and extortion. UK Cyber Defence recommends the following measures:
10.1 Reduce the Attack Surface
- Patch all internet-facing systems promptly, with particular attention to VPN appliances, remote access gateways, and web application frameworks. Maintain an accurate asset inventory.
- Enforce multi-factor authentication (MFA) on all remote access services, including RDP, VPN, SSH, and cloud management consoles.
- Disable unnecessary services and protocols. Remove RDP exposure from the public internet wherever possible.
- Segment networks to limit lateral movement. Place ESXi management interfaces on dedicated, isolated VLANs with strict access controls.
10.2 Strengthen Detection and Response
- Deploy advanced EDR/XDR solutions with kernel-level tamper protection and BYOVD detection capabilities on all endpoints, including servers.
- Implement 24/7 SOC monitoring with detection rules for known LockBit TTPs, including mass file renaming, shadow copy deletion, and anomalous esxcli or vim-cmd execution.
- Enable and centralise logging: Windows Event Logs, Sysmon, PowerShell Script Block logging, Linux auditd, and ESXi hostd/vpxd logs should all feed into a SIEM platform.
- Conduct regular threat-hunting exercises focused on post-exploitation framework indicators (Cobalt Strike, Brute Ratel, Sliver beacons).
10.3 Protect Backup and Recovery Infrastructure
- Maintain offline, air-gapped backups that are tested regularly. Ensure backup infrastructure is not domain-joined or accessible from the production network.
- Implement immutable backup storage where backup data cannot be modified or deleted, even by administrators.
- Develop and rehearse incident response and disaster recovery plans that specifically address ransomware scenarios, including ESXi-level encryption.
- Verify backup restoration procedures at least quarterly and maintain documented recovery time objectives (RTOs) for critical systems.
10.4 Harden ESXi and Virtualisation Infrastructure
- Disable SSH access to ESXi hosts unless actively required for maintenance, and enforce key-based authentication.
- Enable ESXi lockdown mode to restrict management access to vCenter Server only.
- Keep ESXi hosts updated with the latest security patches. VMware regularly publishes advisories for critical vulnerabilities.
- Monitor ESXi host logs for suspicious esxcli commands, unexpected VM shutdowns, and unauthorised SSH sessions.
- Isolate vSphere management networks and apply least-privilege access controls to vCenter administrative accounts.
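The detection rules recommended in 10.2 (shadow copy deletion, anomalous esxcli or vim-cmd execution) and the ESXi log monitoring in 10.4 (suspicious esxcli commands, unexpected VM shutdowns, unauthorised SSH sessions) can be prototyped as a small rule set. The following is an added example written for this article, not UK Cyber Defence's own signatures; the log line formats, hostnames, IP addresses and the management-host allow-list are constructed, and the ESXi command patterns are the author's reading of the commands the article names.

```python
"""Added example (not from the article): a minimal rule set applying the detection
guidance in sections 10.2 and 10.4 to constructed log lines."""
import re

# (rule name, reference from the article, pattern). Patterns use commands the article
# names: vssadmin/shadow copies, esxcli, vim-cmd, rundll32/mshta/regsvr32, process kills.
RULES = [
    ("shadow-copy-deletion", "T1490",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)", re.I)),
    ("lolbin-payload-execution", "T1218",
     re.compile(r"\b(rundll32|mshta|regsvr32)\.exe\b", re.I)),
    ("esxi-vm-enumeration-or-kill", "4.3 ESXi payload",
     re.compile(r"(esxcli\s+vm\s+process\s+(list|kill)|vim-cmd\s+vmsvc/(getallvms|power\.(off|shutdown)))")),
    ("esxi-lockdown-tamper", "T1562",
     re.compile(r"vim-cmd\s+(-U\s+\S+\s+)?vimsvc/auth/lockdown")),
    ("security-or-backup-kill", "T1562",
     re.compile(r"(taskkill|net\s+stop|sc\s+stop)\b.*\b(veeam|sophos|crowdstrike|sentinel|vss)\w*", re.I)),
]
# Standard sshd acceptance line as it appears in ESXi auth.log (format assumed).
SSH_ACCEPT = re.compile(r"Accepted \S+ for (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")


def detect(events, allowed_ssh_sources):
    """events: iterable of (source, line). Returns a list of (source, rule, ref, detail)."""
    alerts = []
    for source, line in events:
        for name, ref, pat in RULES:
            if pat.search(line):
                alerts.append((source, name, ref, line.strip()))
        m = SSH_ACCEPT.search(line)
        # Section 10.4: any SSH login to a host not from a known management source is an alert.
        if m and m.group(2) not in allowed_ssh_sources:
            alerts.append((source, "unauthorised-esxi-ssh", "T1021", f"{m.group(1)}@{m.group(2)}"))
    return alerts


SAMPLE_EVENTS = [  # constructed lines, not real telemetry
    ("sysmon", "CommandLine: vssadmin.exe delete shadows /all /quiet"),
    ("sysmon", 'CommandLine: "C:\\Windows\\System32\\svchost.exe" -k netsvcs'),
    ("sysmon", "CommandLine: rundll32.exe C:\\Users\\Public\\upd.dll,Start"),
    ("sysmon", "CommandLine: taskkill /F /IM VeeamAgent.exe"),
    ("esxi-shell", "[root]: vim-cmd vmsvc/getallvms"),
    ("esxi-shell", "[root]: vim-cmd vmsvc/power.off 12"),
    ("esxi-shell", "[root]: vim-cmd -U dcui vimsvc/auth/lockdown_mode_exit"),
    ("esxi-shell", "[root]: esxcli storage filesystem list"),
    ("esxi-auth", "sshd[2311]: Accepted publickey for root from 10.10.5.21 port 50112 ssh2"),
    ("esxi-auth", "sshd[2388]: Accepted keyboard-interactive/pam for root from 192.168.77.9 port 41002 ssh2"),
]
MGMT_HOSTS = {"10.10.5.21"}  # constructed allow-list of vCenter / jump hosts


def demo():
    """Apply the rules to the constructed events and return the alerts."""
    return detect(SAMPLE_EVENTS, MGMT_HOSTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The LOLBin rule in particular fires on benign activity and is meant as a correlation signal alongside the others, not a stand-alone alert.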
11. Broader Threat Landscape Context
LockBit 5.0 does not exist in isolation. It is part of a broader trend in the ransomware ecosystem towards cross-platform payloads and virtualisation-layer attacks. Other ransomware families including Royal, Black Basta, Akira, and Play have all developed ESXi-targeting capabilities in recent years. The emergence of LockBit 5.0 with mature ESXi support will likely accelerate this trend and raise the baseline expectation for ransomware families seeking to compete for top-tier affiliates.
Additionally, the fragmentation of the ransomware ecosystem following the takedowns of BlackCat/ALPHV and Hive has driven experienced affiliates to migrate to surviving platforms. LockBit, despite its own brush with law enforcement during Operation Cronos, remains one of the most recognisable and trusted brands in the criminal underground, making it a natural destination for displaced operators.
The evolution of initial access broker (IAB) marketplaces continues to lower the barrier to entry for ransomware affiliates. Compromised VPN credentials, RDP access, and webshell implants for organisations of all sizes are readily available for purchase, enabling affiliates to skip the most technically demanding phase of the attack chain.
12. Conclusion
LockBit 5.0 represents a significant and dangerous advancement in the ransomware threat landscape. Its cross-platform design—with dedicated payloads for Windows, Linux, and VMware ESXi—enables affiliates to inflict maximum damage across the full spectrum of enterprise infrastructure. The enhanced evasion capabilities, refined encryption algorithms, and expanded affiliate programme make it one of the most formidable ransomware platforms currently in operation.
For UK organisations, the message is clear: proactive preparation is not optional. The combination of robust patching, network segmentation, advanced endpoint protection, ESXi hardening, offline backups, and 24/7 SOC monitoring provides the best available defence against the LockBit 5.0 threat. Organisations that have not yet tested their incident response and disaster recovery plans against a ransomware scenario should do so immediately.
UK Cyber Defence continues to monitor LockBit activity through our Threat Intelligence and SOC operations. Updated detection signatures, YARA rules, and IOC feeds for LockBit 5.0 are available to our managed-service customers. Contact us to discuss how we can help strengthen your organisation's resilience.
Author: Threat Intelligence Team, UK Cyber Defence Ltd. All intelligence current as of February 2026.