Welcome to VelSicuro.com | Cybersecurity Solutions

Here's LockBit's Latest Target: The Most Vulnerable Operating System Platforms.
By VELSICURO
04 October 2025
International

The LockBit cybercrime group is back in action following a global law enforcement operation in February 2025, having released their latest version, LockBit 5.0.

Security researchers from Trend Micro found that this new version is far more aggressive, as it is designed to simultaneously attack three main platforms: Windows, Linux, and VMware ESXi. This multi-platform attack capability makes defense and recovery efforts significantly more difficult for victims.

Increased Aggressiveness and Targets

According to the report, every LockBit 5.0 attack is customized to exploit specific weaknesses in the target environment.

  • On Windows Systems: LockBit 5.0 now uses a DLL reflection technique to inject the payload and employs multiple layers of packing to make it harder for security software to detect and to slow down forensic analysis.
  • On Linux Systems: This variant offers affiliates more flexibility to target specific file types or directories via command-line options.
  • On VMware ESXi (Virtualization): This is the most alarming change. The attack now directly targets virtualization infrastructure, encrypting virtual machines (VMs) and even the host hypervisor itself. This means that backup and redundancy systems, typically relied upon by companies, can be completely crippled in a single attack.

Modular Strategy and Affiliate Operations

LockBit 5.0 is described as a modular ransomware, where the encryption components, evasion techniques, and payloads for each platform work in a coordinated manner. All encrypted files will be given a random 16-character extension, further complicating the decryption process.
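Defenders can use the 16-character extension mentioned above as a hunting signal. The following is an added example, not code from the article or from the Trend Micro report: it flags directories in a file listing where several files carry a final extension of exactly 16 alphanumeric characters. The character set, the alert threshold, the function names and all sample paths are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath, PureWindowsPath

# Assumption: the extension is alphanumeric; the article only says "random".
RANDOM_EXT = re.compile(r"^[A-Za-z0-9]{16}$")
THRESHOLD = 3  # assumed alert threshold: matching files per directory


def split_path(path):
    """Return (directory, filename) for Windows or POSIX/ESXi style paths."""
    p = PureWindowsPath(path) if "\\" in path else PurePosixPath(path)
    return str(p.parent), p.name


def suspicious_extension(filename):
    """Return the final extension if it is exactly 16 alphanumerics, else None."""
    stem, dot, ext = filename.rpartition(".")
    # Require a non-empty stem so dotfiles like ".0123456789abcdef" are ignored.
    if dot and stem and RANDOM_EXT.match(ext):
        return ext
    return None


def flag_directories(paths, threshold=THRESHOLD):
    """Map each directory with >= threshold matching files to those file names."""
    hits = defaultdict(list)
    for path in paths:
        directory, name = split_path(path)
        if suspicious_extension(name):
            hits[directory].append(name)
    return {d: sorted(n) for d, n in hits.items() if len(n) >= threshold}


# Constructed sample listing (not real telemetry): an ESXi datastore folder,
# a Windows share and a Linux home directory.
SAMPLE_PATHS = [
    "/vmfs/volumes/datastore1/web01/web01.vmdk.a8Kd03LmQz91XcVb",
    "/vmfs/volumes/datastore1/web01/web01-flat.vmdk.a8Kd03LmQz91XcVb",
    "/vmfs/volumes/datastore1/web01/web01.vmx.a8Kd03LmQz91XcVb",
    "C:\\Shares\\Finance\\q3.xlsx.Pq7Zr2Lm9XcVb04T",
    "C:\\Shares\\Finance\\budget.xlsx",
    "/home/alice/archive.tar.gz",
]

if __name__ == "__main__":
    for directory, names in flag_directories(SAMPLE_PATHS).items():
        print(f"ALERT {directory}: {len(names)} files with 16-char extension")
```

A single match is weak evidence on its own; grouping by directory and applying a threshold keeps one oddly named file from raising an alert.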

This evolution demonstrates LockBit's mature strategy in crippling entire IT infrastructures, from workstations to virtualized data centers.

Despite being temporarily disabled during Operation Cronos, where their servers were seized and decryption keys were shared, LockBit developers have rebuilt their infrastructure, released version 5.0, and are once again recruiting affiliates with the promise of financial gain.

As before, the affiliate model remains the core of their operation. Core operators provide the ransomware software, while affiliates are responsible for carrying out the attacks on a broad scale.

In conclusion: LockBit 5.0 is highly dangerous due to its ability to shut down security processes, disrupt backup systems, and specifically target the ESXi environment, which is the backbone of business continuity for many companies.

 

Source: https://inet.detik.com/security/d-8139810/ransomware-lockbit-beraksi-lagi-sistem-operasi-ini-jadi-targetnya
