VMware: LockBit Ransomware Unleashes Devastating 5.0 Version Targeting Windows, Linux, and ESXi

LockBit 5.0 Ransomware Expands Threat with Multi-Platform Attacks

LockBit ransomware has evolved with the release of version 5.0, now targeting Windows, Linux, and ESXi systems, broadening its impact across diverse IT infrastructures. The updated malware introduces enhanced defense-evasion techniques, faster encryption, and anti-analysis measures, making it a formidable threat to enterprises, government agencies, and critical sectors.

Key Features and Tactics

LockBit 5.0 employs a multi-layered evasion strategy to bypass detection. On Windows, it uses packing, process hollowing, DLL unhooking, and ETW function patching, while also clearing system logs to obscure its activity. The Linux and ESXi variants skip packing but rely on heavily encrypted strings to hinder analysis.

The ransomware uses hybrid encryption (XChaCha20 with Curve25519) and speeds up encryption by spreading the work across multiple CPU cores. It appends random extensions to encrypted files and leaves a ransom note demanding payment. Notably, the malware avoids infecting systems in Russia by checking language and geographic settings.

Targeting Virtualized Environments

LockBit 5.0 includes specialized functions for virtual machines, particularly VMware ESXi. It scans the /vmfs/ directory for virtual machine files and can terminate VMs mid-encryption, disrupting critical infrastructure in enterprise environments.
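As an added defender-side example, not code from the VMware report: a small shell helper that walks an ESXi datastore tree and lists files whose extension is not one a VM directory normally holds, since the random extensions LockBit 5.0 appends stand out beside .vmx and .vmdk files. The default path and the extension allow-list are assumptions to adjust per host.

```shell
# Added triage helper (not from the VMware report). Walks a datastore tree and
# prints every file whose extension is outside the set an ESXi VM directory is
# expected to contain. Unknown extensions next to .vmx/.vmdk files are a cheap
# first indicator of files renamed during encryption.
# The default path and the allow-list below are assumptions: extend the list
# with anything your datastores legitimately carry before relying on it.

suspect_vmfs_files() {
    root="${1:-/vmfs/volumes}"   # assumed ESXi datastore mount point
    find "$root" -type f 2>/dev/null | while IFS= read -r f; do
        name="${f##*/}"
        case "$name" in
            *.*) ext="${name##*.}" ;;
            *)   continue ;;          # no extension: nothing to judge here
        esac
        case "$ext" in
            # files a healthy VM directory is expected to contain
            vmx|vmxf|vmtx|vmdk|vmsd|vmsn|vmss|vswp|nvram|log|lck|iso|ovf|ova|mf|hlog|xml)
                ;;
            *)
                printf '%s\n' "$f" ;;
        esac
    done
}

# Number of suspect files; handy as a yes/no check from a scheduled job.
suspect_vmfs_count() {
    suspect_vmfs_files "$1" | wc -l | tr -d ' '
}
```

Run `suspect_vmfs_files /vmfs/volumes` on the host (or point it at a copied datastore) and review every path it prints alongside the ransom note and IoCs from the report.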

Execution and Impact

The ransomware accepts command-line arguments, letting operators tailor its behaviour to each environment. Over 60 victims were listed on LockBit’s data leak site by late 2025, with attacks spanning private companies, healthcare, education, and government agencies, primarily in the U.S.

Despite law enforcement efforts, LockBit remains active, repurposing infrastructure from malware like SmokeLoader. Indicators of Compromise (IoCs) for Windows, Linux, and ESXi variants have been identified to aid detection.
