- LockBit 5.0 targets Windows, Linux, and ESXi with advanced obfuscation and anti-analysis techniques
- Builds on LockBit 4.0, adding stealth features like DLL reflection and dynamic API resolution
- Found active in the wild, but no confirmed victim details or campaign success disclosed yet
The notorious LockBit malware is back, and is more dangerous than ever before, experts have warned.
Security researchers from Trend Micro recently published an in-depth technical analysis of the latest iteration of the LockBit ransomware family, discovered in September 2025, when LockBit marked its sixth anniversary by releasing a new version of its encryptor.
Called LockBit 5.0, the new variant focuses on multiple platforms, comes with technical improvements across the board, and features heavy obfuscation techniques, making it “significantly more dangerous than its predecessors”.
SEO poisoning and malvertising
The researchers said LockBit 5.0 builds on the previous version 4.0, so it’s not built from scratch. That being said, it now comes with major improvements, including the ability to target Windows, Linux, and VMware ESXi systems. It also employs heavy obfuscation and anti-analysis techniques, mostly by loading its payload via DLL reflection and disabling Windows Event Tracing by patching the EtwEventWrite API.
It also resolves Windows API calls dynamically at runtime, making static analysis more difficult, and terminates security services using hashed comparisons against a hardcoded list. Also, unlike earlier versions, this one doesn’t leave a registry-based infection marker. The ransomware appends randomized 16-character file extensions to encrypted files, and embeds original file sizes in encrypted footers, among other things. As before, it avoids encrypting Russian-language systems.
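The EtwEventWrite patching described above can be checked for from the defender's side. This is an added example, not code from the Trend Micro report or from the LockBit sample: it assumes a baseline snapshot of the function's first bytes is taken before any untrusted code runs, and the stub byte patterns are a constructed table of commonly documented "return 0" overwrites, not bytes recovered from LockBit 5.0.

```python
"""Defender-side check for in-memory patching of ntdll!EtwEventWrite.
Baseline the function's first bytes early, re-read them later and diff;
a change, or a prologue matching a known 'return 0' stub, means ETW has
been blinded in this process.  Only read_live_prologue() needs Windows."""
import ctypes
import sys

PROLOGUE_LEN = 8  # enough bytes to cover every stub listed below

# Constructed table of stubs commonly written over an API's first bytes to make
# it return 0 (success) without doing any work; mnemonics are for the report.
KNOWN_STUBS = {
    b"\xc3": "ret",
    b"\x33\xc0\xc3": "xor eax,eax; ret",
    b"\x31\xc0\xc3": "xor eax,eax; ret",
    b"\x48\x33\xc0\xc3": "xor rax,rax; ret",
    b"\xb8\x00\x00\x00\x00\xc3": "mov eax,0; ret",
}

def classify_prologue(baseline: bytes, live: bytes) -> str:
    """Return 'clean', 'stub:<mnemonic>', 'hooked' (jmp rel32) or 'modified'."""
    if live == baseline:
        return "clean"
    for stub, mnemonic in KNOWN_STUBS.items():
        if live.startswith(stub):
            return f"stub:{mnemonic}"
    if live[:1] == b"\xe9":  # redirected elsewhere rather than simply disabled
        return "hooked"
    return "modified"

def read_live_prologue(func: str = "EtwEventWrite", module: str = "ntdll") -> bytes:
    """Read the current first PROLOGUE_LEN bytes of module!func (Windows only)."""
    if sys.platform != "win32":
        raise OSError("live read requires Windows")
    k32 = ctypes.windll.kernel32
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    addr = k32.GetProcAddress(k32.GetModuleHandleW(module), func.encode())
    if not addr:
        raise OSError(f"{module}!{func} not exported")
    return ctypes.string_at(addr, PROLOGUE_LEN)

if __name__ == "__main__":
    # Caveat: a baseline taken after malicious code has already run is itself
    # suspect, so capture it as early as possible in process start-up.
    baseline = read_live_prologue()
    print(classify_prologue(baseline, read_live_prologue()))
```

A result other than "clean" is worth an alert on its own, since legitimate software has little reason to rewrite the ETW entry point of its own process.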
The encryptor was found in the wild, suggesting that LockBit is actively using it in attacks. However, there was no talk of victims, their identities, or the success of the campaign.
In early 2024, law enforcement launched Operation Cronos, aimed at disrupting what was, at the time, one of the most destructive Ransomware-as-a-Service (RaaS) threats out there – LockBit.
While the operation was largely a success, no arrests were made, and the group immediately set about rebuilding what it had lost.
Via The Register
The post LockBit malware is back – and nastier than ever, experts claim first appeared on TechToday.