LockBit 5.0 ransomware targets Windows, Linux, ESXi
Acronis Threat Research Unit (TRU) has identified a new version of the LockBit ransomware that is being used in active attacks and can target Windows, Linux and VMware ESXi in a single campaign.
Researchers refer to the strain as LockBit 5.0 and describe it as an evolution of the group's ransomware-as-a-service operation, which supplies tooling to affiliates. The update ships separate builds for each environment, signalling a focus on organisations that run mixed Windows, Linux and virtualised infrastructure.
Security teams have tracked ransomware groups expanding beyond Windows for several years, bringing Linux servers and virtualisation layers into scope. ESXi has become a frequent target because compromising one host can disrupt many systems.
Cross-platform focus
LockBit 5.0 targets endpoints, servers and hypervisors, according to TRU's analysis. This approach can increase the blast radius if attackers gain access to privileged credentials or management interfaces.
The Windows build carries obfuscation and anti-analysis mechanisms meant to slow detection and reverse engineering. It also attempts to bypass security tools and to interfere with monitoring on the host.
Separate Linux and ESXi variants focus on infrastructure that hosts business services and virtual machines, allowing attackers to encrypt multiple workloads and cause broader disruption across IT estates.
The ransomware uses strong encryption routines and appends randomised file extensions to encrypted files. Sound encryption leaves no practical recovery path for organisations without clean, recent backups, and the randomised extensions remove the consistent file-name pattern defenders normally use to scope an incident or match it to a known strain. A hypervisor compromise can also affect every virtual machine on the same host at once.
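Randomised extensions defeat the usual "alert on files ending in .lockbit" rule, so detection has to key on the behaviour instead: one process renaming many files to many different unrecognised extensions in a short window. The following is an added example of that heuristic, not code from the Acronis report or from the ransomware, and it is a generic ransomware-behaviour detector rather than a LockBit 5.0 indicator set. The event schema, hostnames, process names, extension allowlist, thresholds and the sample telemetry are all constructed assumptions.

```python
"""Heuristic detector for mass renames to randomised file extensions.

Added example, not code from the Acronis report or from LockBit 5.0.
Generic ransomware-behaviour heuristic; the event schema, hostnames,
process names, allowlist and thresholds below are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import os

# Extensions this (assumed) file server legitimately produces.
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "log", "tmp", "bak",
                    "jpg", "png", "vmdk", "vmx", "iso"}

WINDOW = timedelta(seconds=60)   # sliding window per process
RENAME_THRESHOLD = 5             # renames to unrecognised extensions in WINDOW
DISTINCT_THRESHOLD = 3           # distinct unrecognised extensions in WINDOW


@dataclass(frozen=True)
class RenameEvent:
    """One rename record as a file-activity sensor might emit it (assumed schema)."""
    ts: datetime
    host: str
    process: str
    pid: int
    src: str
    dst: str


def added_extension(event: RenameEvent):
    """Return the new extension if the rename changed it, else None."""
    src_ext = os.path.splitext(event.src)[1].lstrip(".").lower()
    dst_ext = os.path.splitext(event.dst)[1].lstrip(".").lower()
    if not dst_ext or dst_ext == src_ext:
        return None
    return dst_ext


def looks_random(ext: str) -> bool:
    """Unrecognised, purely alphanumeric, and longer than typical real extensions."""
    return ext not in KNOWN_EXTENSIONS and ext.isalnum() and len(ext) >= 6


def detect(events):
    """Return one alert per (host, pid) whose suspicious renames breach both thresholds.

    Events are processed in time order; a per-process deque holds only the
    suspicious renames that fall inside the sliding WINDOW.
    """
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        ext = added_extension(ev)
        if ext is None or not looks_random(ext):
            continue
        key = (ev.host, ev.pid)
        window = windows[key]
        window.append((ev.ts, ext))
        while ev.ts - window[0][0] > WINDOW:   # drop renames older than WINDOW
            window.popleft()
        distinct = {e for _, e in window}
        if (key not in alerted and len(window) >= RENAME_THRESHOLD
                and len(distinct) >= DISTINCT_THRESHOLD):
            alerted.add(key)
            alerts.append({
                "host": ev.host, "process": ev.process, "pid": ev.pid,
                "renames": len(window), "distinct_extensions": len(distinct),
                "first_seen": window[0][0].isoformat(),
                "last_seen": ev.ts.isoformat(),
            })
    return alerts


def sample_events():
    """Constructed telemetry: a benign backup job, one stray rename, and a mass rename."""
    t0 = datetime(2025, 1, 1, 10, 0, 0)
    events = []
    # Benign: backup job renaming .tmp -> .bak (known extension, ignored).
    for i in range(6):
        events.append(RenameEvent(t0 + timedelta(seconds=i), "fs01", "backup.exe", 1200,
                                  f"/share/finance/report{i}.tmp", f"/share/finance/report{i}.bak"))
    # One odd-looking rename from a user process: stays below both thresholds.
    events.append(RenameEvent(t0 + timedelta(seconds=3), "fs01", "explorer.exe", 900,
                              "/share/hr/notes.txt", "/share/hr/notes.a1b2c3d4"))
    # Suspicious: one process rewriting many files to distinct random extensions.
    random_exts = ["k3qf9zx1", "p0wm7ycd", "z8hrq2nb", "v5tjl6ae", "s1cgd4uo", "m9xbe7rk"]
    for i, ext in enumerate(random_exts):
        events.append(RenameEvent(t0 + timedelta(seconds=10 + 2 * i), "fs01", "unknown.exe", 4242,
                                  f"/share/finance/budget{i}.xlsx", f"/share/finance/budget{i}.xlsx.{ext}"))
    return events


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The alert fires on the fifth suspicious rename, before the process has finished, which is the point: the response (isolate the host, kill the process, snapshot for forensics) has to start while files are still being written. The distinct-extension threshold is what separates this from a legitimate bulk rename, which normally maps to one new extension. Tune the allowlist and thresholds to the file server's real workload before relying on it.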
Ransomware resilience
The latest version underscores the persistence of ransomware groups despite international law enforcement activity targeting parts of the ransomware ecosystem. TRU described LockBit 5.0 as evidence of adaptation to pressure on criminal infrastructure.
LockBit has been one of the most visible ransomware brands in recent years, using an affiliate model in which partners breach victims and deploy malware. These operations typically combine data theft with encryption, using extortion threats to pressure organisations to pay.
TRU said the update reflects a continuing shift towards virtualised environments and other systems used in larger organisations, and a broader trend of targeting points in the stack that provide administrative reach across many machines.
Defence measures
TRU urged organisations to adopt a layered approach to security, including endpoint and server protection, network segmentation and strong access controls such as multi-factor authentication. It also emphasised offline backups and regular testing.
The recommendations align with standard incident response guidance that prioritises limiting lateral movement, reducing credential exposure and maintaining recovery options that do not depend on a decryptor. For attacks that reach ESXi and other virtualisation layers, the hypervisor management interfaces should be reachable only from a segmented administrative network, and isolation and restoration plans should assume that many business services fail together because they share the same underlying platform.
Acronis sells cyber protection and backup products used by managed service providers and IT departments in small businesses and large organisations. It operates in multiple countries and supports a large service provider base.