- LockBit 5.0 targets Windows, Linux and ESXi with advanced obfuscation and anti-analysis techniques
- It is based on LockBit 4.0, adding stealth features such as DLL reflection and dynamic API resolution
- It has been found active in the wild, but no details of confirmed victims or of the campaign's success have been disclosed yet
The notorious LockBit malware has returned and is more dangerous than ever, experts have warned.
Trend Micro's security researchers recently published an in-depth technical analysis of the latest iteration of the LockBit ransomware family, discovered in September 2025, when LockBit celebrated its sixth anniversary by releasing the new iteration of its encryptor.
Called LockBit 5.0, the new variant targets multiple platforms, comes with technical improvements across the board and uses heavy obfuscation, which makes it "significantly more dangerous than its predecessors."
The researchers said that LockBit 5.0 is based on the previous version 4.0, so it is not built from scratch. That said, it now comes with important improvements, including the ability to target Windows, Linux and VMware ESXi systems. It also uses heavy obfuscation and anti-analysis techniques, mainly loading its payload through DLL reflection and disabling Windows event tracing by patching the EtwEventWrite API.
It also resolves Windows API calls dynamically at runtime, which makes static analysis more difficult, and terminates security services using hashed comparisons against a hardcoded list. In addition, unlike previous versions, it does not leave a registry-based infection marker. The ransomware appends random 16-character file extensions to encrypted files and embeds the original file sizes in encrypted footers, among other things. As before, it avoids encrypting Russian-language systems.
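Because the variant leaves no registry marker, file-rename behaviour is one place a defender can look. The following is an added example, not code from Trend Micro or from the original article: it flags processes that append a 16-character extension to many files in a short window. The event format, the threshold and window values, and the assumption that the extension is alphanumeric are all hypothetical.

```python
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the extension is alphanumeric; the article only gives its length (16).
EXT16 = re.compile(r"\.[A-Za-z0-9]{16}")

def _ext(seed):
    """Constructed stand-in for a random 16-character extension."""
    return hashlib.sha256(seed.encode()).hexdigest()[:16]

# Constructed sample events: ISO time|host|pid|original path|new path
SAMPLE_EVENTS = [
    f"2025-09-30T10:00:0{i}|ws01|4312|C:/docs/f{i}.xlsx|C:/docs/f{i}.xlsx.{_ext(str(i))}"
    for i in range(6)
] + [
    # Benign rename: short, ordinary extension.
    "2025-09-30T10:00:02|ws01|812|C:/tmp/a.txt|C:/tmp/a.txt.bak",
    # Single matching rename on another host: below the burst threshold.
    f"2025-09-30T10:05:00|esx02|991|/vmfs/volumes/ds1/vm1.vmdk|/vmfs/volumes/ds1/vm1.vmdk.{_ext('v')}",
]

def parse(line):
    ts, host, pid, old, new = line.split("|")
    return datetime.fromisoformat(ts), host, int(pid), old, new

def is_suspicious_rename(old, new):
    """True when the new name is the old name plus exactly one 16-character extension."""
    return new.startswith(old) and EXT16.fullmatch(new[len(old):]) is not None

def find_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {(host, pid): peak count} for processes reaching `threshold`
    suspicious renames inside a sliding `window`."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, host, pid, old, new in sorted(map(parse, lines)):
        if not is_suspicious_rename(old, new):
            continue
        q = recent[(host, pid)]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[(host, pid)] = max(alerts.get((host, pid), 0), len(q))
    return alerts

if __name__ == "__main__":
    print(find_bursts(SAMPLE_EVENTS))
```

Keying on the process and the rename rate, rather than on a fixed extension string, is what lets the check cope with an extension that is random.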
The encryptor was found in the wild, which suggests that LockBit is actively using it in attacks. However, there was no mention of victims, their identities or the success of the campaign.
In early 2024, the police launched Operation Cronos, with the aim of disrupting what was, at that time, one of the most destructive ransomware-as-a-service (RaaS) threats: LockBit.
Although the operation was a success for the most part, there were no arrests, which meant that the group immediately rebuilt what was lost.
Via The Register