LockBit 5.0: Latest dangerous version endangers Windows, Linux and ESXi

LockBit is a notorious ransomware group known for large-scale attack campaigns and advanced attack techniques. The group recently released LockBit version 5.0, which Trend Micro has researched and analyzed, revealing many improvements over previous versions, including multi-platform attack capability and more sophisticated detection-evasion mechanisms.
Multi-Platform Strategy and Expanded Attack Capabilities
LockBit 5.0 has been developed as three separate variants for Windows, Linux, and VMware ESXi, a server virtualization platform widely used in enterprises. The existence of all three versions shows the group's strategy of attacking an organization's entire infrastructure at once, from personal workstations to servers and complex virtualization systems.
The Windows variant of LockBit 5.0 loads its payload through reflective DLL loading, combined with packing and anti-analysis techniques such as disabling Windows event tracing (ETW patching), and it terminates running security services. The Linux variant offers similar functionality through a command-line interface that lets the operator select target directories or file types and prints detailed progress information during execution. The ESXi variant targets the virtualization layer itself, locking many virtual machines in a single attack and so maximizing business disruption.
Main Obfuscation Mechanisms in LockBit 5.0
- Code Packing and Dynamic Code Loading via DLL Reflection
The Windows build of LockBit 5.0 is heavily packed: the initial malicious code is compressed or encrypted to defeat static analysis. At run time the ransomware does not execute the packed code directly; it decrypts it internally and loads the main payload entirely in memory via reflective DLL loading. Reflective DLL loading maps a DLL into memory without ever writing the DLL file to disk, which lets the ransomware evade file-based detection.
- Dead Code Insertion and Instruction Substitution
LockBit inserts non-functional (dead) code and decoy instructions to dilute the real logic and confuse analysts reading the binary. Instruction sequences are also replaced with different combinations of instructions that have the same effect, making the ransomware's actual behavior harder to recover.
- Using XOR Encryption, Payload Encryption
Encrypting data inside the payload is a common way to hide important strings and commands. LockBit 5.0 uses this technique to protect the main payload and its sensitive parameters, decrypting them only when the ransomware runs under the right conditions, such as when the correct decryption password is supplied.
- Anti-analysis and anti-debug
LockBit 5.0 uses several techniques to hinder dynamic analysis, including:
Patching the Event Tracing for Windows (ETW) API to stop event logging, making debugging difficult.
Terminating security services: the hash of each running service name is compared against a fixed blacklist, and matching services are shut down.
Not appending the traditional marker to the end of encrypted files (a common identifier for ransomware families), so that encrypted files cannot be identified by that marker.
- Anonymity and avoiding detection based on language and geography
Checking the system language (in particular avoiding Russian-related languages) and geographic location restricts execution to certain environments, and the resulting complex branching conditions in the code further confuse analysts.
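One practical consequence of the missing trailer marker described above is that file triage cannot rely on a signature at the end of the file and needs an entropy fallback. The Python below is an added example written for this article, not code from Trend Micro or from the malware; the trailer markers and the 7.5 bits/byte threshold are constructed assumptions.

```python
"""Triage files for ransomware encryption: check for a known trailer marker
first, then fall back to byte entropy when no marker is present."""
import math
import random
from collections import Counter
from typing import Dict, Optional
# Hypothetical trailer markers appended by older families (constructed
# placeholders for this example, not real signatures).
KNOWN_TRAILERS = [b"ENCRYPTED_MARKER_V1", b"LOCKED!!"]
ENTROPY_THRESHOLD = 7.5  # assumption: ciphertext sits near 8.0 bits/byte

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def find_trailer(data: bytes) -> Optional[bytes]:
    """Return the known marker the file ends with, or None."""
    for marker in KNOWN_TRAILERS:
        if data.endswith(marker):
            return marker
    return None

def classify(data: bytes) -> str:
    """Verdict: 'encrypted-marker', 'encrypted-no-marker' or 'plaintext'."""
    if find_trailer(data) is not None:
        return "encrypted-marker"
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:  # fires even without a marker
        return "encrypted-no-marker"
    return "plaintext"

# Constructed samples: a readable document, pseudo-ciphertext with a marker
# (older-style output) and pseudo-ciphertext with no marker (LockBit 5.0 style).
_rng = random.Random(20250101)
SAMPLES = {
    "report.docx": b"Quarterly report: revenue up 4 percent this period.\n" * 80,
    "report.docx.old": _rng.randbytes(4096) + b"LOCKED!!",
    "report.docx.enc": _rng.randbytes(4096),
}

def triage_samples() -> Dict[str, str]:
    """Map each constructed sample name to its verdict."""
    return {name: classify(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name}: {verdict}")
```

Legitimately compressed or already-encrypted files (archives, images, encrypted containers) also score high, so in practice pair the entropy verdict with file-type and change-rate checks.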
Impact of Obfuscation Mechanisms on Analysis and Prevention
These advanced obfuscation mechanisms leave traditional static analysis almost unable to read the code or accurately identify the malware's characteristics. Encrypting the code and loading it dynamically in memory also complicates dynamic analysis, especially for sandbox tools or network security firewalls.
Anti-analysis measures such as disabling event logging and terminating security services also reduce an organization's ability to record and investigate incidents. Defending against LockBit 5.0 therefore requires stronger protection, using machine learning and AI technology to detect unusual behavior together with specific indicators of compromise (IOCs).
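Because the service-termination step leaves a trace in the System log before logging is silenced, a rule that looks for several security services stopping within seconds is one cheap detection. The Python below is an added example for this article, not Trend Micro's or any vendor's code; the log line format, the service watchlist and the window parameters are assumptions.

```python
"""Flag bursts of security-service shutdowns in an exported Windows System
log (Service Control Manager, Event ID 7036)."""
import re
from datetime import datetime, timedelta
from typing import List, Tuple
# Assumption: log exported as "<timestamp> | <event id> | <message>" lines.
LINE_RE = re.compile(
    r"^(\S+ \S+) \| (\d+) \| The (.+?) service entered the (\w+) state\.$")
# Assumption: the defender's own watchlist of security-relevant service names.
WATCHED = {"Microsoft Defender Antivirus Service", "Windows Event Log", "Sysmon64"}
WINDOW = timedelta(seconds=60)  # burst window
MIN_STOPS = 3                   # distinct watched services stopped in window

def parse_stops(lines: List[str]) -> List[Tuple[datetime, str]]:
    """(timestamp, service) for 7036 'stopped' events on watched services."""
    stops = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, service, state = m.groups()
        if event_id == "7036" and state == "stopped" and service in WATCHED:
            stops.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), service))
    return sorted(stops)

def find_bursts(stops: List[Tuple[datetime, str]]) -> List[Tuple[datetime, List[str]]]:
    """Report each window in which >= MIN_STOPS distinct watched services stopped."""
    bursts, i = [], 0
    while i < len(stops):
        j = i
        while j + 1 < len(stops) and stops[j + 1][0] - stops[i][0] <= WINDOW:
            j += 1
        names = sorted({name for _, name in stops[i:j + 1]})
        if len(names) >= MIN_STOPS:
            bursts.append((stops[i][0], names))
            i = j + 1  # skip past the burst already reported
        else:
            i += 1
    return bursts

# Constructed log excerpt: a benign Sysmon restart, then a rapid kill sequence.
SAMPLE_LOG = [
    "2025-01-15 02:10:05 | 7036 | The Sysmon64 service entered the stopped state.",
    "2025-01-15 02:10:06 | 7036 | The Sysmon64 service entered the running state.",
    "2025-01-15 03:12:07 | 7036 | The Microsoft Defender Antivirus Service service entered the stopped state.",
    "2025-01-15 03:12:09 | 7036 | The Sysmon64 service entered the stopped state.",
    "2025-01-15 03:12:11 | 7036 | The Windows Event Log service entered the stopped state.",
]
def detect(lines: List[str] = SAMPLE_LOG) -> List[Tuple[datetime, List[str]]]:
    """Run the detector; each hit is (window start, sorted service names)."""
    return find_bursts(parse_stops(lines))
```

Ship the log off-host in real time: since LockBit 5.0 patches ETW to stop logging, a sudden silence from an endpoint is itself worth alerting on.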
Comparison with Previous Version and Current Risk
Compared with LockBit 4.0, version 5.0 inherits many core components, such as its string-hashing algorithm and API-resolution method, but adds stronger anti-analysis measures and better trace-covering capabilities. This makes LockBit 5.0 harder to detect and more dangerous to network security systems.
The existence of a dedicated ESXi variant shows a focus on virtualization environments, where a single attack can cause significant damage by disabling many virtual machines at once. This is a new trend ransomware groups are pursuing to maximize impact.
Recommendations
To reduce the risk from LockBit 5.0, organizations need to maintain a comprehensive cybersecurity strategy that includes:
- Regular updates and patching of all systems, especially VMware ESXi servers and Linux hosts.
- Enhanced monitoring to detect evasion techniques and ransomware attack behavior early.
- Hardening of ESXi/vCenter: disable SSH when it is not needed, separate the management network, enable lockdown mode, and limit administrative access, so that a compromised host cannot be used to encrypt many VMs at once.
- Review of VM backup/replica configuration against the 3-2-1 rule, with regular recovery tests covering the scenario where the entire virtualization infrastructure is encrypted.
LockBit 5.0 marks a new step in the ransomware battle, as the group keeps refining its techniques to widen its attack scope and increase the damage to businesses. Researching, detecting, and promptly blocking these new variants is crucial to protecting modern networks.