NEWS Every Server in Your Office is a Potential Victim. LockBit "Hired" Windows, Linux, and VMware to Work Against You Simultaneously

ExcalibuR



The malware has recovered from a law enforcement crackdown and is now encrypting everything from desktops to hypervisors.

Trend Micro has reported the emergence of a new version of one of the most notorious ransomware families—LockBit 5.0. Researchers consider it "significantly more dangerous" than previous variants, as the malware can now simultaneously attack Windows, Linux, and virtual VMware ESXi infrastructure.

An analysis of binary files obtained from recent attacks revealed that the developers have introduced serious improvements in hiding their activity, complicating analysis, and enabling cross-platform functionality. Researchers emphasize that strong obfuscation and technical refinements across all modifications make LockBit 5.0 particularly destructive.

In the Windows version, the malware loads its payload through reflective DLL loading and uses aggressive packing methods that hinder reverse engineering. The Linux build accepts command-line arguments, allowing attackers to select specific directories and file types for encryption. The ESXi variant targets virtualization platforms: it disrupts the operation of virtual machines by encrypting their disk images. Additionally, every encrypted file receives a random 16-character extension, making recovery even more difficult.
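One detail in that paragraph is directly usable by a responder: encrypted files keep their original name and gain a random 16-character extension, so a VM disk on an ESXi datastore still shows up as `something.vmdk.<random>`. The script below is an added example written for this post, not code from Trend Micro or from the article; it scans a constructed file listing and flags entries whose final suffix looks like such a random extension, then reports which asset types and datastores were hit. The entropy threshold, the character-class rule and the known-extension list are assumptions chosen for the example, not a vendor signature.

```python
"""Flag files that appear to carry a random 16-character extension (the
renaming behaviour the article attributes to LockBit 5.0) and summarise
which asset types were affected. Example code, not from the article."""
import math
import re
from collections import Counter

# Constructed sample listing for the example; paths and suffixes are invented,
# not real indicators of compromise.
SAMPLE_LISTING = [
    "/vmfs/volumes/datastore1/web01/web01-flat.vmdk",
    "/vmfs/volumes/datastore1/web01/web01.vmx",
    "/vmfs/volumes/datastore1/db01/db01-flat.vmdk.k8Gx2pQz9LmR4tVw",
    "/srv/share/finance/q3-report.xlsx.Yt7bNq3ZcH1xLp0D",
    "/srv/share/finance/q3-report.xlsx",
    "/home/alice/notes.txt",
    "/srv/backups/2024-09-30.tar.gz",
    "/srv/backups/2024-09-30.tar.gz.aB3dE5fG7hI9jK1m",
    "/data/archive.abcdabcdabcdabcd",   # 16 chars but low entropy: negative control
    "/opt/app/config.properties",
]

# Assumed allow-list of legitimate alphanumeric extensions; extend for your estate.
KNOWN_EXTENSIONS = {"vmdk", "vmx", "xlsx", "txt", "gz", "tar", "properties", "log"}

RANDOM_EXT_LEN = 16      # from the article: a random 16-character extension
MIN_ENTROPY_BITS = 3.0   # assumed threshold; 16 distinct alphanumerics score 4.0
ALNUM_RE = re.compile(r"^[A-Za-z0-9]+$")


def shannon_entropy(s: str) -> float:
    """Bits of Shannon entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random_extension(ext: str) -> bool:
    """True if ext has the length, alphabet, character mix and entropy of a random suffix."""
    if len(ext) != RANDOM_EXT_LEN or not ALNUM_RE.match(ext):
        return False
    if ext.lower() in KNOWN_EXTENSIONS:
        return False
    # Require at least two of {lower, upper, digit}; a single-class run is rarely random.
    classes = sum([any(c.islower() for c in ext),
                   any(c.isupper() for c in ext),
                   any(c.isdigit() for c in ext)])
    return classes >= 2 and shannon_entropy(ext) >= MIN_ENTROPY_BITS


def split_suffix(path: str):
    """Return (stem, final_suffix); suffix is '' when the file name has no dot."""
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return path, ""
    return tuple(path.rsplit(".", 1))


def scan_listing(paths):
    """Return a finding dict for every path whose final suffix looks random."""
    findings = []
    for path in paths:
        stem, ext = split_suffix(path)
        if not looks_random_extension(ext):
            continue
        # The original extension usually survives in front of the appended suffix,
        # which tells the responder what kind of asset (VM disk, backup, document) was hit.
        _, original_ext = split_suffix(stem)
        findings.append({
            "path": path,
            "suspect_ext": ext,
            "original_ext": original_ext.lower(),
            "on_esxi_datastore": path.startswith("/vmfs/volumes/"),
        })
    return findings


def summarize(findings):
    """Triage view: total hits, hits on ESXi datastores, and a count per original type."""
    by_type = Counter(f["original_ext"] or "(none)" for f in findings)
    esxi_hits = sum(1 for f in findings if f["on_esxi_datastore"])
    return {"total": len(findings),
            "esxi_datastore_files": esxi_hits,
            "by_original_ext": dict(by_type)}


if __name__ == "__main__":
    hits = scan_listing(SAMPLE_LISTING)
    for f in hits:
        print(f"{f['path']}  (was .{f['original_ext'] or '?'})")
    print(summarize(hits))
```

Run against a real `find /vmfs/volumes -type f` or file-server listing the same way; the value is in the `by_original_ext` breakdown, which immediately shows whether VM disks and backup archives are among the renamed files, the two cases the article singles out as making rollback unreliable.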

Trend Micro notes that this is not a gradual update but a complete transition to a new level. The combination of a modular architecture, stealthy encryption algorithms, and cross-platform reach allows LockBit 5.0 to paralyze entire company infrastructures—from workstations and applications to hypervisors.

The LockBit developers continue to adhere to a strategy of simultaneous attacks on all key network segments. The simultaneous appearance of three variants—for Windows, Linux, and ESXi—confirms the criminals' intention to disable the entire IT landscape of organizations, including databases, virtual environments, and application servers.

The launch of LockBit 5.0 comes just months after a large-scale law enforcement operation against the group. In February, UK and US authorities, as part of "Operation Cronos," seized servers, domains, and decryption keys in an attempt to dismantle the ransomware's infrastructure. However, the cybercriminals are attempting a comeback: the affiliate program has been restarted, the platform has been updated, and according to researchers, it has become more resilient to external interference.

The LockBit model has traditionally been built on a network of partners (affiliates) who directly carry out attacks using the core framework. In the fifth version, the terms for affiliates have been changed, apparently aimed at re-recruiting operators after the law enforcement strike.

For defenders, the situation is further complicated by the fact that LockBit 5.0 can stop security software processes and delete backup copies. Targeting ESXi additionally threatens recovery: locking virtual backups makes infrastructure rollback extremely unreliable.

In an attack scenario, threat actors can simultaneously hit Windows, Linux, and ESXi, thereby reducing the time between initial penetration and complete data encryption. This leaves almost no room for response and detection, and the attack surface covers all layers—from operating systems to virtualization and business applications.

Despite "Operation Cronos" dealing a serious blow to the group's infrastructure, Trend Micro confirms that all three variants of LockBit 5.0 have already been verified and are being actively used. Organizations need to ensure multi-layered protection across their different platforms and pay special attention to the virtualized environment. Experts emphasize that the new version proves that no OS or platform can any longer be considered safe from modern ransomware campaigns.

The question remains whether the group can restore its reputation and scale of attacks after the February events. But it is already obvious: LockBit 5.0 marks the beginning of an era of cross-platform, virtualization-focused ransomware that every corporate IT department will have to contend with.