LockBit 5.0 Ransomware Expands Cross-Platform Attacks on Windows, Linux, and VMware ESXi
Acronis Threat Research Unit reported active campaigns using LockBit 5.0, a major update to the LockBit ransomware-as-a-service (RaaS) operation that broadens targeting across Windows, Linux, and VMware ESXi in coordinated intrusions. The variant continues double extortion (data theft plus encryption) and is positioned for enterprise impact by enabling attackers to hit endpoints, servers, and hypervisors—where a single ESXi compromise can disrupt many virtual machines at once. Reporting also notes the group’s claimed ability to operate against Proxmox virtualization environments, further expanding the potential attack surface in organizations adopting alternative hypervisors.
Technical analysis highlights stronger and more enterprise-focused builds, with the Windows payload using advanced defense-evasion and anti-analysis techniques such as packing/obfuscation, DLL unhooking, process hollowing, and ETW (Event Tracing for Windows) patching, alongside log-clearing to reduce forensic visibility. The Linux/ESXi builds are described as less reliant on packing but use extensive string encryption to hinder detection, while maintaining strong encryption routines and using randomized file extensions; Acronis-linked reporting also cites faster encryption and continuity with LockBit 4’s design. Victimology cited in coverage indicates a heavy focus on the U.S. business sector and a broad spread across industries (including manufacturing, healthcare, education, financial services, and government), with dozens of recent leak-site postings used to pressure victims and demonstrate ongoing operational tempo despite law-enforcement disruption efforts.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Acronis publishes technical analysis of LockBit 5.0
Acronis Threat Research Unit reported identifying LockBit 5.0 in active campaigns and detailed its enhanced defense evasion, anti-analysis, and faster encryption capabilities. The analysis also described its use of XChaCha20 and Curve25519, randomized file extensions, multi-threaded encryption, and infrastructure links involving an IP previously associated with SmokeLoader activity.
LockBit 5.0 begins cross-platform attacks on Windows, Linux, and ESXi
Active campaigns using LockBit 5.0 targeted Windows, Linux, and VMware ESXi systems, expanding the group's reach across endpoints, servers, and virtualized infrastructure. Reporting also said the malware was advertised as working on all versions of Proxmox.
LockBit leak site reaches 60 listed victims
Since December 2025, the LockBit leak site reportedly accumulated 60 victim entries, indicating sustained activity by the operation. The reported victimology was centered on U.S. businesses, especially private companies, with additional impact across manufacturing, healthcare, education, financial services, and government.
LockBit 5.0 introduced as a new ransomware version
LockBit 5.0 was introduced in September 2025 as a major new release of the LockBit ransomware family. The variant was positioned for enterprise-focused attacks and operated under the group's ransomware-as-a-service model.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
LockBit 5.0 Ransomware Introduces Advanced Encryption and Maintains Global Dominance
LockBit 5.0 has emerged as the latest evolution of the notorious ransomware-as-a-service operation, introducing sophisticated encryption algorithms and advanced anti-analysis techniques that significantly complicate detection and recovery efforts for targeted organizations. The malware now employs a combination of ChaCha20-Poly1305 for file encryption and X25519 with BLAKE2b for secure key exchange, while also terminating Volume Shadow Copy Service processes to prevent system recovery. LockBit 5.0’s runtime flexibility allows it to operate even without specific parameters, and its use of advanced packing and obfuscation further hinders static analysis by security professionals. Despite increased law enforcement pressure, LockBit has sustained its position as a dominant global ransomware threat, accounting for a substantial share of attacks worldwide. The group’s operations have impacted a wide range of sectors, including IT, electronics, law firms, and religious institutions, resulting in billions of dollars in ransom payments and recovery costs. LockBit continues to leverage its dark web platform to publicly list compromised organizations and stolen data, using these tactics to pressure victims into paying ransoms.
Mar 21, 2026
LockBit 5.0 Ransomware Variants and Updated Affiliate Panel Exposed
Security researchers reported that **LockBit** has continued operating after the law-enforcement disruption known as **Operation Cronos**, releasing multiple new **LockBit 5.0** payload variants and maintaining an active ransomware-as-a-service (RaaS) affiliate ecosystem. Reporting citing *Flare.io* analysis described four newly observed builds labeled `LB_Black_14_01_2026` (Windows), `LB_Linux_14_01_2026` (Linux), `LB_ESXi_14_01_2026` (VMware ESXi), and `LB_ChuongDong_14_01_2026` (specialized deployments), indicating an ongoing multi-platform targeting strategy. Analysis of the latest **LockBit 5.0 affiliate panel** indicated the operation’s core workflows remain largely intact, with only minor cosmetic/interface changes (including **holiday-themed** elements). The panel reportedly supports coordination of multiple concurrent campaigns and includes capabilities for attack management, affiliate onboarding, and victim payment/negotiation handling—signaling continued operational maturity despite reputational damage and prior takedown pressure. Researchers recommended organizations prioritize updated detection/signatures and closely monitor EDR alerts for activity consistent with these new LockBit 5.0 variants.
Mar 21, 2026
Kyber ransomware hit Windows and ESXi in coordinated cross-platform attacks
Rapid7 reported that a **Kyber ransomware** affiliate deployed two distinct payloads in the same March 2026 intrusion, targeting both **VMware ESXi** infrastructure and **Windows file servers** to maximize operational disruption. The ESXi variant encrypted VMware datastore files, could optionally terminate virtual machines, and defaced SSH and web management interfaces with ransom notes. The Windows variant targeted core file systems and added broader impact features, including killing backup-, database-, and IIS-related services, deleting shadow copies, disabling recovery options, clearing event logs, and testing an experimental **Hyper-V** shutdown capability. The two samples shared the same campaign ID and **Tor-based** negotiation and leak infrastructure, linking them to the same affiliate, but their internals differed sharply. Rapid7 found the ESXi payload falsely advertised post-quantum protection with `Kyber1024`; in practice, it used **ChaCha8** with **RSA-4096** key wrapping. By contrast, the Windows variant, written in **Rust**, appeared to implement the claimed hybrid scheme using **AES-256-CTR**, `Kyber1024`, and **X25519**. Public reporting indicates the group remains relatively new, with limited prior technical analysis and only one victim publicly listed on its extortion site: a large U.S. defense contractor and IT services provider.
Apr 27, 2026