LockBit 5.0 ransomware targets Windows, Linux, ESXi

https://itbrief.co.uk/story/lockbit-5-0-ransomware-targets-windows-linux-esxi

Publish Date: 2026-02-17 23:00:00

Source Domain: itbrief.co.uk

Acronis Threat Research Unit (TRU) has identified a new version of the LockBit ransomware that is being used in active attacks and can target Windows, Linux and VMware ESXi in a single campaign.

Researchers refer to the strain as LockBit 5.0, describing it as an evolution of ransomware operations that provide tooling to affiliates. The update includes separate builds for different environments, signalling a focus on organisations with mixed infrastructure.

Security teams have tracked ransomware groups expanding beyond Windows for several years, bringing Linux servers and virtualisation layers into scope. ESXi has become a frequent target because compromising one host can disrupt many systems.

Cross-platform focus

LockBit 5.0 targets endpoints, servers and hypervisors, according to TRU’s analysis. This approach can increase the blast radius if attackers gain access to privileged credentials or management interfaces.

The Windows version includes techniques intended to complicate detection and analysis, including obfuscation and anti-analysis mechanisms. It also attempts to bypass security tools and interfere with monitoring.

Separate Linux and ESXi variants focus on infrastructure that hosts business services and virtual machines, allowing attackers to encrypt multiple workloads and cause broader disruption across IT estates.

The ransomware uses strong encryption routines and adds randomised file extensions after encryption. This can complicate recovery when organisations lack clean, recent backups. A hypervisor compromise can also affect numerous virtual machines on the same host.

Ransomware resilience

The latest version underscores the persistence of ransomware groups despite international law enforcement activity targeting parts of the ransomware ecosystem. TRU described LockBit 5.0 as evidence of adaptation to pressure on criminal infrastructure.

LockBit has been one of the most visible ransomware brands in recent years, using an affiliate…
