LockBit malware is back - and nastier than ever, experts claim
New LockBit version comes with cross-platform capabilities

- LockBit 5.0 targets Windows, Linux, and ESXi with advanced obfuscation and anti-analysis techniques
- Builds on LockBit 4.0, adding stealth features like DLL reflection and dynamic API resolution
- Found active in the wild, but no confirmed victim details or campaign success disclosed yet

The notorious LockBit malware is back, and is more dangerous than ever before, experts have warned.
Security researchers from Trend Micro recently published an in-depth technical analysis of the latest iteration of the LockBit ransomware family, discovered in September 2025 as LockBit marked its sixth anniversary by releasing a new version of its encryptor.
Called LockBit 5.0, the new variant focuses on multiple platforms, comes with technical improvements across the board, and features heavy obfuscation techniques, making it “significantly more dangerous than its predecessors”.
SEO poisoning and malvertising
The researchers said LockBit 5.0 builds on the previous version 4.0, so it’s not built from scratch. That being said, it now comes with major improvements, including the ability to target Windows, Linux, and VMware ESXi systems. It also employs heavy obfuscation and anti-analysis techniques, mostly by loading its payload via DLL reflection and disabling Event Tracing for Windows (ETW) by patching the EtwEventWrite API.
It also resolves Windows API calls dynamically at runtime, making static analysis more difficult, and terminates security services using hashed comparisons against a hardcoded list. Also, unlike earlier versions, this one doesn’t leave a registry-based infection marker. The ransomware appends randomized 16-character file extensions to encrypted files, and embeds original file sizes in encrypted footers, among other things. As before, it avoids encrypting Russian-language systems.
The encryptor was found in the wild, suggesting that LockBit is actively using it in attacks. However, there was no talk of victims, their identities, or the success of the campaign.
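For defenders, the randomized 16-character extension described above is one of the few file-system traits the report gives. The following Python sketch is an added example, not code from Trend Micro or the original article: it flags directories where several files have gained such an extension. The alphanumeric character set, the per-directory threshold, and all sample paths are assumptions constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Assumption: the article gives only the length (16); an alphanumeric
# character set is assumed here and may need adjusting to real samples.
RANDOM_EXT = re.compile(r"^[A-Za-z0-9]{16}$")

def has_appended_random_ext(path: str) -> bool:
    """True if the name looks like <stem>.<original ext>.<16 random chars>."""
    name = PurePosixPath(path.replace("\\", "/")).name
    parts = name.split(".")
    # "Appends" means the original extension is still present before the new one.
    if len(parts) < 3 or not parts[-2]:
        return False
    ext = parts[-1]
    if not RANDOM_EXT.match(ext):
        return False
    # Heuristic to cut false positives: require letters and digits mixed,
    # so 16-letter dictionary words or pure numbers are not flagged.
    return any(c.isdigit() for c in ext) and any(c.isalpha() for c in ext)

def flag_directories(paths, threshold=3):
    """Return {directory: hit count} for directories at or above the threshold."""
    hits = Counter(
        str(PurePosixPath(p.replace("\\", "/")).parent)
        for p in paths
        if has_appended_random_ext(p)
    )
    return {d: n for d, n in hits.items() if n >= threshold}

# Constructed sample input (not real telemetry): Windows, Linux and ESXi paths.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\q3.xlsx.k9Qm2ZxT7bLw4RfA",
    r"C:\Users\alice\Documents\plan.docx.Zt5Hq8NcW1yPd3Ve",
    r"C:\Users\alice\Documents\scan.pdf.b7Lx0GmR2sKj9TqU",
    r"C:\Users\alice\Documents\notes.txt",
    "/vmfs/volumes/datastore1/vm01/vm01.vmdk.Yw3Ef6JnA8pCu1Hd",
    "/srv/share/archive.tar.gz",
    "/srv/share/photo.2024.internationalize",  # 16 letters, no digits: benign
]

if __name__ == "__main__":
    for directory, count in flag_directories(SAMPLE_PATHS).items():
        print(f"ALERT {directory}: {count} files with appended 16-char extension")
```

A file-name heuristic like this only fires once encryption has started, so it belongs alongside, not instead of, telemetry on the service termination and ETW tampering mentioned above.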
In early 2024, law enforcement launched Operation Cronos, aimed at disrupting what was, at the time, one of the most destructive Ransomware-as-a-Service (RaaS) threats out there - LockBit.
While the operation was a success for the most part, no arrests were made, which meant the group immediately set about rebuilding what was lost.
Via The Register
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.