The LockBit cybercrime group is back in action following a global law enforcement operation in February 2025, having released their latest version, LockBit 5.0.
Security researchers from Trend Micro found that this new version is far more aggressive, as it is designed to simultaneously attack three main platforms: Windows, Linux, and VMware ESXi. This multi-platform attack capability makes defense and recovery efforts significantly more difficult for victims.
Increased Aggressiveness and Targets
According to the report, every LockBit 5.0 attack is customized to exploit specific weaknesses in the target environment.
Modular Strategy and Affiliate Operations
LockBit 5.0 is described as modular ransomware in which the encryption components, evasion techniques, and payloads for each platform work in a coordinated manner. All encrypted files are given a random 16-character extension, further complicating the decryption process.
This evolution demonstrates LockBit's mature strategy in crippling entire IT infrastructures, from workstations to virtualized data centers.
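The random 16-character extension noted above gives defenders a rename pattern to watch for in file-activity telemetry. The following is an added example, not code from Trend Micro's report or from this article: it flags hosts where many files gain a 16-character extension within a short window. The alphanumeric character set, the 60-second window, the threshold of 5, and all hosts and paths are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict, deque

# Assumption: the appended extension is alphanumeric. The article only says
# "random 16-character extension", so adjust the class if samples differ.
EXT16 = re.compile(r"\.[A-Za-z0-9]{16}$")

def suspicious_rename(old_path, new_path):
    """True when a rename gives a file a 16-character extension it lacked."""
    return bool(EXT16.search(new_path)) and not EXT16.search(old_path)

def detect_bursts(events, window=60, threshold=5):
    """events: (epoch_seconds, host, old_path, new_path) tuples.
    Returns (host, window_start, count) for each host whose matching renames
    reach `threshold` within `window` seconds (first hit per host only)."""
    recent = defaultdict(deque)   # host -> timestamps of matching renames
    alerts = {}
    for ts, host, old, new in sorted(events):
        if not suspicious_rename(old, new):
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # drop renames that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = (q[0], len(q))
    return [(h, start, n) for h, (start, n) in sorted(alerts.items())]

def fake_ext(seed):
    """Constructed stand-in for a random extension (16 hex characters)."""
    return hashlib.sha256(str(seed).encode()).hexdigest()[:16]

# Constructed sample events, not taken from any real incident.
SAMPLE = (
    # Burst on a hypervisor: six disk images renamed within six seconds.
    [(1000 + i, "esx01", f"/vmfs/volumes/ds1/vm{i}/vm{i}.vmdk",
      f"/vmfs/volumes/ds1/vm{i}/vm{i}.vmdk.{fake_ext(i)}") for i in range(6)]
    # Same pattern but slow (one rename every 100 s): stays under the threshold.
    + [(3000 + 100 * i, "fs03", f"/srv/share/doc{i}.pdf",
        f"/srv/share/doc{i}.pdf.{fake_ext(100 + i)}") for i in range(5)]
    # A single lookalike rename and an ordinary rename on a workstation.
    + [(2000, "ws02", "C:\\Users\\a\\notes.txt", f"C:\\Users\\a\\notes.txt.{fake_ext(7)}"),
       (2001, "ws02", "C:\\Users\\a\\draft.docx", "C:\\Users\\a\\final.docx")]
)

if __name__ == "__main__":
    for host, start, count in detect_bursts(SAMPLE):
        print(f"ALERT {host}: {count} renames to 16-char extensions since t={start}")
```

A single matching rename is not treated as an alert here, since legitimate software can also produce 16-character suffixes; the burst threshold is what separates mass encryption from noise.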
Despite being temporarily disabled during Operation Cronos, where their servers were seized and decryption keys were shared, LockBit developers have rebuilt their infrastructure, released version 5.0, and are once again recruiting affiliates with the promise of financial gain.
As before, the affiliate model remains the core of their operation. Core operators provide the ransomware software, while affiliates are responsible for executing the attacks broadly.
In conclusion: LockBit 5.0 is highly dangerous due to its ability to shut down security processes, disrupt backup systems, and specifically target the ESXi environment, which is the backbone of business continuity for many companies.