- LockBit 5.0 targets Windows, Linux and VMware ESXi and ships with advanced obfuscation and anti-analysis techniques
- It is built on LockBit 4.0, adding stealth features such as reflective DLL loading and dynamic API resolution
- It has been found active in the wild, but no confirmed victims or details of campaign success have been disclosed yet
The notorious LockBit ransomware is back, and experts warn it is more dangerous than ever.
Trend Micro security researchers recently published an in-depth technical analysis of the latest iteration of the LockBit ransomware family, discovered in September 2025, as LockBit marked its sixth anniversary by releasing the newest version of its locker.
Dubbed LockBit 5.0, the new variant targets multiple platforms, brings technical improvements across the board and relies on heavy obfuscation, which the researchers say makes it "significantly more dangerous than its predecessors".
The researchers said LockBit 5.0 is based on the earlier 4.0 version rather than being built from scratch. That said, it now ships with major improvements, including the ability to target Windows, Linux and VMware ESXi systems. It also uses heavy obfuscation and anti-analysis techniques, chiefly by loading its payload through reflective DLL loading and by disabling Windows event tracing (ETW) through patching the EtwEventWrite API so that telemetry from the host is silenced before the encryptor runs.
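The ETW-patching technique described above leaves a visible trace: the first bytes of `ntdll!EtwEventWrite` no longer look like a normal prologue. The following is an added example (not code from the Trend Micro analysis, and not LockBit's own code) of a defender-side check that classifies the entry bytes of such a function. The byte patterns are standard x86-64 encodings of the stubs that ETW-disabling patches typically write (`ret`, `xor eax,eax; ret`, `mov eax,0; ret`); the page does not say which bytes LockBit 5.0 writes, so the patterns are an assumption about the general technique, and the sample byte strings are constructed for the demo.

```python
"""Classify the entry bytes of a function such as ntdll!EtwEventWrite.

Added example, not from the Trend Micro write-up. It flags the stub
patterns commonly written by ETW-disabling patches and also reports
unconditional jumps at the entry (detours). Security products install
detours too, so a hook is a lead for follow-up, not proof of tampering.
"""
import sys
from typing import Dict

# x86-64 encodings of no-op stubs that make the function return at once.
# Assumed generic patterns; a sample may use a different stub.
NOOP_PATCHES = [
    (b"\xC3", "ret"),
    (b"\x31\xC0\xC3", "xor eax,eax; ret"),
    (b"\x33\xC0\xC3", "xor eax,eax; ret"),
    (b"\xB8\x00\x00\x00\x00\xC3", "mov eax,0; ret"),
]

# Unconditional jumps at the entry: a detour installed by someone.
HOOK_OPCODES = [
    (b"\xE9", "jmp rel32"),
    (b"\xFF\x25", "jmp [rip+disp32]"),
]


def classify_prologue(prologue: bytes) -> str:
    """Return 'patched: ...', 'hooked: ...' or 'intact' for the given entry bytes."""
    for pattern, label in NOOP_PATCHES:
        if prologue.startswith(pattern):
            return f"patched: {label}"
    for pattern, label in HOOK_OPCODES:
        if prologue.startswith(pattern):
            return f"hooked: {label}"
    return "intact"


def read_live_prologue(module: str = "ntdll", func: str = "EtwEventWrite", n: int = 8) -> bytes:
    """Windows only: read the first n bytes of an exported function in this process."""
    if sys.platform != "win32":
        raise OSError("live read requires Windows")
    import ctypes  # imported here so the module loads on non-Windows hosts
    fn = getattr(getattr(ctypes.windll, module), func)
    addr = ctypes.cast(fn, ctypes.c_void_p).value
    return ctypes.string_at(addr, n)


# Constructed sample entry bytes (not captured from any real sample).
SAMPLES: Dict[str, bytes] = {
    "clean prologue (sub rsp,0x58 ...)": bytes.fromhex("4883ec58488b05"),
    "ret patch": bytes.fromhex("c3cccccccc"),
    "xor eax,eax; ret patch": bytes.fromhex("33c0c3cccc"),
    "jmp detour": bytes.fromhex("e9001020004883ec"),
}


def scan_samples() -> Dict[str, str]:
    """Classify every constructed sample; returns name -> verdict."""
    return {name: classify_prologue(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:40s} {verdict}")
    if sys.platform == "win32":
        print("live EtwEventWrite:", classify_prologue(read_live_prologue()))
```

The check only looks at the entry bytes, so a patch placed deeper in the function would be missed; a more robust version compares the in-memory function body against the on-disk copy of `ntdll.dll` and reports any difference.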
It also resolves Windows API calls dynamically at runtime, which makes static analysis harder, and it terminates security services by comparing hashed names against a hard-coded list rather than carrying the names as plain strings. In addition, unlike earlier versions, it leaves no registry-based infection marker. The ransomware appends randomized 16-character extensions to encrypted files and embeds the original file size in the encrypted file's footer, among other changes. As before, it avoids encrypting systems configured with the Russian language.
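Hashed API and service names, as described above, are the reason analysts build reverse lookup tables: every plausible export and service name is hashed with the sample's algorithm, and the constants found in the binary are matched against the table. The following is an added example of that defender-side lookup, not LockBit's code and not taken from the Trend Micro analysis. The hash function is ROR13, a common choice in loaders and shellcode, used here purely as an assumption for illustration; the real algorithm and any seed must be recovered from the sample. The export and service name lists are short constructed samples.

```python
"""Resolve hashed API/service names back to strings (added example).

The hash algorithm below is an assumption (ROR13); replace it with the
routine lifted from the sample under analysis. Names are constructed
examples, not a complete export table.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional


def ror13_hash(name: str) -> int:
    """Illustrative 32-bit rotate-right-13 accumulate over the ASCII bytes of name."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def case_variants(names: Iterable[str]) -> List[str]:
    """Samples often hash upper- or lower-cased names; include every variant once."""
    out: List[str] = []
    for n in names:
        out.extend([n, n.upper(), n.lower()])
    return list(dict.fromkeys(out))


def build_table(names: Iterable[str], hash_fn: Callable[[str], int] = ror13_hash) -> Dict[int, List[str]]:
    """Map hash -> list of names (a list, so collisions are visible rather than hidden)."""
    table: Dict[int, List[str]] = defaultdict(list)
    for n in names:
        table[hash_fn(n)].append(n)
    return dict(table)


def resolve(hashes: Iterable[int], table: Dict[int, List[str]]) -> Dict[int, Optional[List[str]]]:
    """Return hash -> matching names, or None when the hash is not in the table."""
    return {h: table.get(h) for h in hashes}


# Constructed name lists (a real run would load full export tables and
# the service names of every product of interest).
EXPORT_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileW", "WriteFile", "EtwEventWrite", "NtProtectVirtualMemory",
]
SERVICE_NAMES = ["WinDefend", "Sense", "MsMpSvc", "wscsvc", "VSS"]

LOOKUP = build_table(case_variants(EXPORT_NAMES + SERVICE_NAMES))

# Constructed stand-in for constants pulled from a sample: two that resolve,
# one deliberately unknown.
SAMPLE_CONSTANTS = [ror13_hash("VirtualAlloc"), ror13_hash("WINDEFEND"), 0xDEADBEEF]


def resolve_sample() -> Dict[int, Optional[List[str]]]:
    """Resolve the constructed constants against the lookup table."""
    return resolve(SAMPLE_CONSTANTS, LOOKUP)


if __name__ == "__main__":
    for h, names in resolve_sample().items():
        print(f"0x{h:08X} -> {names if names else 'unresolved'}")
```

An unresolved constant is itself a signal: it either belongs to a name not yet in the table or the hash routine was misidentified, which is why the table keeps collisions and case variants explicit instead of collapsing them.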
The encryptor has been found in the wild, suggesting LockBit is actively using it in attacks. However, there has been no discussion of victims, their identities or how successful the campaign has been.
In early 2024, law enforcement launched Operation Cronos, aimed at disrupting what was at the time one of the most destructive ransomware-as-a-service (RaaS) operations: LockBit.
Although the operation was largely successful, the group's core members remained at large, which meant it could start rebuilding what it had lost almost immediately.
Via The Register