- LockBit 5.0 targets Windows, Linux and ESXi with advanced obfuscation
- Builds on LockBit 4.0, adds stealth features such as DLL reflection and dynamic API resolution
- Found actively in the wild, but no confirmed victim information or campaign success has been revealed yet
The notorious LockBit malware is back and is more dangerous than ever before, experts have warned.
Trend Micro security researchers recently published an in-depth technical analysis of the latest iteration of the LockBit ransomware family, discovered in September 2025, when LockBit celebrated its sixth anniversary by releasing the latest iteration of its encryptor.
The new variant, called LockBit 5.0, targets multiple platforms, comes with technical improvements across the board and uses heavy obfuscation techniques, making it “markedly more dangerous than its predecessors”.
SEO poisoning and malvertising
The researchers said LockBit 5.0 builds on the previous version, 4.0, so it is not built from scratch. That said, it now comes with major improvements, including the ability to target Windows, Linux and VMware ESXi systems. It also uses heavy obfuscation and anti-analysis techniques, mostly by loading its payload via DLL reflection and disabling Event Tracing for Windows (ETW) by patching the `EtwEventWrite` API.
It also resolves Windows API calls dynamically at runtime, making static analysis more difficult, and terminates security services using hashed comparisons against a hard-coded list. Unlike previous versions, this one does not leave a registry-based infection marker. The ransomware appends randomized 16-character file extensions to encrypted files and embeds the original file sizes in the encrypted files' footers, among other things. As before, it avoids encrypting Russian-language systems.
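The randomized 16-character extension described above gives defenders a rename pattern to hunt for in file telemetry. The following Python example is added here and is not from Trend Micro or the original article; the event tuple layout, the thresholds and the alphanumeric character set are assumptions, and the events are constructed.

```python
import re
from collections import defaultdict

# Assumption: the 16 characters are alphanumeric; the article gives no charset.
EXT_RE = re.compile(r"\.([A-Za-z0-9]{16})")

def appended_ext(old_path, new_path):
    """Return the extension if new_path is old_path + '.' + 16 chars, else None."""
    if not new_path.startswith(old_path):
        return None
    m = EXT_RE.fullmatch(new_path[len(old_path):])
    return m.group(1) if m else None

def flag_mass_rename(events, threshold=5, window=60):
    """events: (epoch_seconds, pid, old_path, new_path) tuples (hypothetical layout).
    Returns {pid: largest burst} for processes that appended such an extension
    to at least `threshold` files within any `window`-second span."""
    hits = defaultdict(list)
    for ts, pid, old, new in events:
        if appended_ext(old, new):
            hits[pid].append(ts)
    flagged = {}
    for pid, times in hits.items():
        times.sort()
        start = best = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[pid] = best
    return flagged

# Constructed sample rename events (not taken from any real incident).
SAMPLE_EVENTS = [
    (1000, 4312, r"C:\share\q3.xlsx", r"C:\share\q3.xlsx.k9Zt2LmQ7xPa41Bc"),
    (1002, 4312, r"C:\share\hr.docx", r"C:\share\hr.docx.Wq81nHd0Rz3uYb6E"),
    (1003, 4312, r"C:\share\db.bak", r"C:\share\db.bak.p0Lx7Gc2Vt9aMs4J"),
    (1005, 4312, r"C:\share\a.pdf", r"C:\share\a.pdf.Zb3Ye8Kf1Nq6Tw5D"),
    (1008, 4312, r"C:\share\b.png", r"C:\share\b.png.h2Rj9Cu4Xo7Pm0Sv"),
    (1001, 880, r"C:\tmp\report.docx", r"C:\tmp\report.docx.bak"),   # benign backup
    (1004, 2001, r"C:\ci\build", r"C:\ci\build.0123456789abcdef"),   # single hit only
]

if __name__ == "__main__":
    print(flag_mass_rename(SAMPLE_EVENTS))
```

Because the extension is described as randomized, the check keys on the shape of the rename and the burst rate per process rather than on any fixed extension value.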
The encryptor was found in the wild, suggesting that LockBit is actively using it in attacks. However, there was no mention of victims, their identity or the success of the campaign.
At the beginning of 2024, law enforcement launched Operation Cronos, which aimed to disrupt what was at that time one of the most destructive Ransomware-as-a-Service (RaaS) threats out there: LockBit.
While the operation was mostly a success, no arrests were made, which meant the group was left to promptly rebuild what was lost.
Via The Register



