
LockBit’s new variant is ‘most dangerous yet’ • The Register



Trend Micro has sounded the alarm over the new LockBit 5.0 ransomware strain, which it warns is “significantly more dangerous” than past versions because a single campaign can now hit Windows, Linux, and VMware ESXi environments with purpose-built variants for each. 

In a technical breakdown of samples obtained from recent attacks, Trend Micro researchers identified substantially enhanced evasion, obfuscation, and cross-platform capabilities in the new iteration. “Heavy obfuscation and technical improvements across all variants make LockBit 5.0 significantly more dangerous than its predecessors,” the researchers warned. 

The Windows variant now loads its payload through reflective DLL loading and is wrapped in aggressive anti-analysis packing; the Linux variant accepts command-line options that let an affiliate choose which directories and file types to hit; and the ESXi variant is built to seize virtualization infrastructure by encrypting the virtual machines on the hypervisor. On top of that, each encrypted file is stamped with a random 16-character extension, which defeats simple extension-based identification of encrypted files and makes triage and restoration that much harder.

This is no incremental upgrade. Trend Micro warns that the combination of modular architecture, stealthy encryption routines and multi-OS targeting gives LockBit 5.0 the potential to paralyse entire enterprise stacks, from endpoints to hypervisor hosts. 

“The existence of Windows, Linux, and ESXi variants confirms LockBit’s continued cross-platform strategy. This enables simultaneous attacks across entire enterprise networks, from workstations to critical servers hosting databases and virtualization platforms,” Trend Micro said. 

LockBit’s revival, as seen in version 5.0, follows a dramatic law enforcement takedown. In February 2024, authorities in the UK and the US launched “Operation Cronos,” seizing servers, domain infrastructure, and decryption keys in an effort to dismantle the group. Despite that action, the ransomware crew appears to be attempting a comeback, reactivating its affiliate program under a rebranded and seemingly hardened platform. 

Researchers note that LockBit’s resurgence relies heavily on its affiliate network: affiliates execute attacks using the core framework, enabling operators to scale both reach and flexibility. In 5.0, the affiliate incentive model has reportedly been refreshed, reflecting a strategy to re-recruit operators in the wake of disruption. 

From a defender’s perspective, the stakes could not be higher. Traditional prevention tools may struggle, especially since LockBit 5.0 can terminate security processes and delete backups before encryption begins. The ESXi targeting further threatens recovery: encrypting the hypervisor’s datastores takes out the VMs and any snapshots or backups stored alongside them in one pass, leaving fallback options far less reliable. 
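One concrete response to the random 16-character extension described in Trend Micro’s breakdown is a triage scan that flags files carrying such an extension, so an incident responder can quickly see which shares or datastores a run has touched. The script below is an added example written for this article, not code from Trend Micro, The Register, or LockBit itself; the extension length comes from the report, while the entropy threshold, the per-directory hit count, the file names and the directory layout are constructed assumptions for the demonstration.

```python
import os
import math
import tempfile
from collections import Counter, defaultdict

# Assumed thresholds for this example (only EXT_LEN comes from the Trend Micro report).
EXT_LEN = 16          # LockBit 5.0 is reported to append a random 16-character extension
MIN_ENTROPY = 3.0     # bits per character; random alphanumerics of this length score ~4.0
MIN_HITS_PER_DIR = 3  # flag a directory once several files in it carry such an extension


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_random_ext(name: str) -> bool:
    """True if name ends in '.<16 alphanumeric, high-entropy chars>' after a non-empty base name."""
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        return False
    if len(ext) != EXT_LEN or not ext.isalnum():
        return False
    return shannon_entropy(ext) >= MIN_ENTROPY


def scan_tree(root: str) -> dict:
    """Walk root; return {directory: [suspicious names]} for directories at or above MIN_HITS_PER_DIR."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if looks_like_random_ext(f):
                hits[dirpath].append(f)
    return {d: sorted(fs) for d, fs in hits.items() if len(fs) >= MIN_HITS_PER_DIR}


def build_sample_tree(root: str) -> None:
    """Constructed sample data: one directory that looks encrypted, one that looks untouched."""
    enc = os.path.join(root, "shares", "finance")
    ok = os.path.join(root, "shares", "public")
    os.makedirs(enc)
    os.makedirs(ok)
    # Constructed file names; the 16-character suffixes are made up, not real LockBit extensions.
    for name in (
        "q3-report.xlsx.k7Xp2mQ9vL4nR8sT",
        "budget.docx.Zy1Wc5Hd8Kf3Jn6P",
        "payroll.csv.a9B2c4D6e8F1g3H5",
        "README.txt",
    ):
        open(os.path.join(enc, name), "w").close()
    for name in ("index.html", "logo.png", "archive.tar.gz", "data.json"):
        open(os.path.join(ok, name), "w").close()


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return results keyed by relative path."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        flagged = scan_tree(root)
        return {os.path.relpath(d, root): fs for d, fs in flagged.items()}


if __name__ == "__main__":
    for directory, files in demo().items():
        print(f"[!] {directory}: {len(files)} files with random {EXT_LEN}-character extensions")
        for f in files:
            print("    ", f)
```

Run it against a mounted share or an ESXi datastore copy instead of the temp directory to get a per-directory map of affected files. The per-directory threshold is there to cut false positives from legitimate hash-named files (build caches and similar), which can also be 16 alphanumeric characters; a production rule would additionally key on file-write bursts from a single process rather than a one-off disk walk.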

And from the crim’s? Hitting Windows, Linux and ESXi in one go compresses the time between initial breach and full encryption, leaving defenders little margin to detect and respond. Security teams now face a scenario where the threat surface spans virtualization infrastructure, operating systems and server applications in a single campaign.

“Despite Operation Cronos, the criminals behind the group exhibit resilience with all three variants of version 5.0 now confirmed,” Trend Micro said. “Organizations must ensure comprehensive cross-platform defences are in place, with particular attention to protecting virtualization infrastructure. LockBit 5.0’s Windows, Linux, and ESXi variants reinforce that no operating system or platform can be considered safe from modern ransomware campaigns.”

It remains to be seen how widespread deployment of LockBit 5.0 will become, or whether the group can rebuild its reputation after its earlier disruption. But for now, enterprises and security teams must assume that ransomware is no longer confined to just Windows machines. The era of cross-OS, virtualization-aware ransomware is here. ®