
LockBit 5.0 Actively Attacking Windows, Linux, and ESXi Environments

The notorious LockBit ransomware operation has resurfaced with a vengeance after months of dormancy following the Operation Cronos takedown efforts in early 2024. Despite law enforcement disruptions and infrastructure seizures, the group’s administrator, LockBitSupp, has successfully rebuilt the operation and launched LockBit 5.0, internally codenamed “ChuongDong.” This latest variant represents a significant evolution in the group’s ransomware capabilities, targeting organizations across multiple platforms with enhanced technical sophistication.

Check Point analysts identified these campaigns as clear evidence that LockBit’s Ransomware-as-a-Service model has successfully reactivated its affiliate network. The rapid return highlights the resilience of established cybercriminal enterprises. After announcing its comeback on underground forums in early September, LockBitSupp recruited new affiliates by requiring roughly 00 in Bitcoin deposits for access to the control panel and encryption tools.

The malware now supports multi-platform deployments with dedicated builds for Windows, Linux, and ESXi environments. Its encryption routines have been optimized to reduce the response window available to defenders, enabling faster system-wide file encryption. The variant employs randomized 16-character file extensions to evade signature-based detection mechanisms. Enhanced anti-analysis features obstruct forensic investigation and reverse engineering attempts, making it significantly more challenging for security researchers to analyze the malware’s behavior. Updated ransom notes identify themselves as LockBit 5.0 and provide personalized negotiation links with a 30-day deadline before stolen data publication.
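Because the extension is randomized, a fixed-extension signature has nothing to match, so a detection has to key on the shape and rate of renames instead. The following is an added example, not code from the article or from Check Point: it flags any process that gives many files a new 16-character extension within a short window. The event format, the alphanumeric character set, the 60-second window and the threshold of 5 are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Assumptions: the page says only "16-character"; the alphanumeric character
# set, the 60-second window and the threshold of 5 are illustrative choices.
EXT16 = re.compile(r"\.([A-Za-z0-9]{16})$")
WINDOW_SECONDS = 60
THRESHOLD = 5

def _ext(i):
    """Constructed 16-hex-character extension, different for every file."""
    return format(0x9F3A5C7E1B2D4000 + i * 7919, "016x")

# Constructed events: (epoch seconds, host, pid, old path, new path).
SAMPLE_EVENTS = (
    [(1000 + 2 * i, "esx01", 4321, f"/vmfs/volumes/ds1/vm{i}/vm{i}.vmdk",
      f"/vmfs/volumes/ds1/vm{i}/vm{i}.vmdk.{_ext(i)}") for i in range(8)]
    + [(2000 + 300 * i, "fs02", 55, f"/srv/a{i}.dat", f"/srv/a{i}.dat.{_ext(50 + i)}")
       for i in range(5)]  # constructed renames that never reach 5 in one window
    + [(1005, "esx01", 77, "/tmp/report.tmp", "/tmp/report.json"),
       (1010, "ws07", 900, r"C:\data\db.bak", r"C:\data\db.bak.backup2024010112")]
)

def suspicious_rename(old, new):
    """True when the new name gains a 16-character extension the old name lacked."""
    match = EXT16.search(new)
    return bool(match) and not old.endswith(match.group(0))

def detect_bursts(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Map (host, pid) to the largest number of matching renames in one window."""
    stamps = defaultdict(list)
    for ts, host, pid, old, new in sorted(events):
        if suspicious_rename(old, new):
            stamps[(host, pid)].append(ts)
    hits = {}
    for key, times in stamps.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = max(hits.get(key, 0), end - start + 1)
    return hits

if __name__ == "__main__":
    for (host, pid), count in detect_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT host={host} pid={pid} renames_in_window={count}")
```

The single backup-style rename on `ws07` matches the 16-character pattern but stays below the threshold, which is why the rule counts renames per process rather than alerting on one match.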

To read the complete article see: Cyber Security News.

This post is licensed under CC BY 4.0 by the author.