October 30, 2025
By esentry Team

LockBit 5.0 Has A New Trick

The LockBit ransomware group has re-emerged with a new variant, LockBit 5.0 (“ChuongDong”), marking its return after months of disruption caused by law enforcement operations earlier in 2024.

In September 2025, the group announced its comeback on underground forums, unveiling the upgraded version and inviting new affiliates to join its ranks. LockBit 5.0 introduces a multi-OS payload capable of encrypting:

·       Windows workstations and servers

·       Linux-based systems

·       ESXi hypervisors

This all-in-one encryption capability allows attackers to launch a single campaign that paralyzes both production and virtual environments, reducing the time between compromise and full impact. Other updates include:

·       Multi-platform support: New builds for Windows, Linux, and ESXi systems.

·       Stronger evasion: Enhanced anti-analysis mechanisms to obstruct forensic investigation.

·       New identifiers: Randomized 16-character file extensions to evade detection.
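
Because the extension is randomized, a fixed extension blocklist will not catch it, but a burst of renames that each append a 16-character extension is still a usable behavioral signal. The following is an added example, not code from esentry or any vendor: it assumes the extension is alphanumeric (the advisory only gives its length), that file-rename telemetry is available as `(epoch_seconds, host, old_path, new_path)` tuples, and uses hypothetical thresholds and constructed sample events.

```python
import re
from collections import deque
from pathlib import PureWindowsPath  # parses both "\" and "/" separators

# Assumption: alphanumeric characters; the advisory states only the length (16).
EXT16 = re.compile(r"^[A-Za-z0-9]{16}$")

def has_random16_ext(path):
    """True if the final extension is exactly 16 alphanumeric characters."""
    suffix = PureWindowsPath(path).suffix  # includes the leading dot, or ""
    return bool(EXT16.match(suffix[1:]))

def detect_bursts(events, window_s=60, threshold=5):
    """Flag hosts where `threshold` or more files gain a 16-character
    extension within `window_s` seconds. Events must be time-ordered per host.
    Returns one (host, first_ts, last_ts, count) tuple per alerting host."""
    recent = {}      # host -> deque of timestamps of matching renames
    alerted = set()  # hosts already reported, to avoid duplicate alerts
    alerts = []
    for ts, host, old_path, new_path in events:
        # Only count files that newly acquire such an extension.
        if has_random16_ext(old_path) or not has_random16_ext(new_path):
            continue
        window = recent.setdefault(host, deque())
        window.append(ts)
        while ts - window[0] > window_s:  # drop renames outside the window
            window.popleft()
        if len(window) >= threshold and host not in alerted:
            alerts.append((host, window[0], ts, len(window)))
            alerted.add(host)
    return alerts

# Constructed sample telemetry (hosts, paths and extensions are made up).
SAMPLE = [
    (1000 + i, "fs01", f"/srv/share/doc{i}.xlsx",
     f"/srv/share/doc{i}.xlsx.a1B2c3D4e5F6g7H8")
    for i in range(6)
] + [
    (1002, "ws02", r"C:\tmp\report.tmp", r"C:\tmp\report.docx"),    # benign rename
    (1003, "ws02", r"C:\tmp\a.bin", r"C:\tmp\a.bin.ZZZZ0000YYYY1111"),  # single hit
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE):
        print("ALERT host=%s first=%d last=%d count=%d" % alert)
```

A single file with a 16-character extension stays below the threshold, so the burst requirement keeps isolated benign matches from alerting; tune `window_s` and `threshold` against normal rename volume on file servers and datastores.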

Roughly 80% of recent attacks have targeted Windows systems, with Linux and ESXi comprising the rest, further highlighting LockBit’s continued focus on exploiting widely used enterprise environments.

Recommendation

With LockBit 5.0 now capable of targeting Windows, Linux, and ESXi platforms, organizations face a more coordinated and destructive ransomware threat. Defending against it requires a multi-layered security strategy that emphasizes:

·       Segmentation and least privilege access to limit lateral movement.

·       Comprehensive endpoint protection with behavioral and memory-based detection.

·       Regular patching and hardening of hypervisors and management tools.

·       Offline, immutable backups with routine recovery testing.

·       Threat intelligence integration to identify and respond to early indicators of compromise.

In essence, stopping LockBit 5.0 demands strong coordination across network, endpoint, and virtualization defenses, not isolated controls.