LockBit’s Newest Ransomware Is Its Most Dangerous Threat Yet

Summary
– Trend Micro has identified a new, more dangerous LockBit 5.0 ransomware variant with confirmed Windows, Linux, and ESXi versions.
– The ransomware features significant technical improvements, including faster encryption, enhanced evasion, and the removal of infection markers.
– LockBit 5.0 enables simultaneous attacks across entire enterprise networks, representing a critical escalation by targeting virtualization infrastructure like ESXi servers.
– The new version is an evolutionary development built on the LockBit 4.0 codebase, confirming the group’s resilience despite law enforcement actions.
– The variant includes anti-forensic techniques, such as patching Windows Event Tracing and using randomized file extensions to complicate recovery.
A newly identified variant of the LockBit ransomware, designated LockBit 5.0, has been flagged by cybersecurity experts as posing a substantially greater risk than its predecessors. The group announced the new version to coincide with its sixth anniversary, underscoring the persistence of the threat. Researchers have confirmed binaries targeting Windows, Linux, and VMware ESXi, which shows the gang's commitment to a cross-platform strategy capable of hitting an entire enterprise infrastructure at once.
The variants reveal a more dangerous toolkit. The ransomware now encrypts faster and incorporates enhanced evasion techniques, including the removal of the traditional infection markers that earlier builds left behind, which makes detection and analysis significantly harder for defenders. The group has shown remarkable resilience, aggressively evolving its tooling even after the major law enforcement operation against its infrastructure in February 2024.
Technical analysis of the Windows version shows a more refined interface for the criminals who deploy it, known as affiliates. It exposes extensive configuration options, letting an attacker specify which directories to encrypt, enable stealth modes, and customize the ransom note. A notable change is that encrypted files receive a randomized 16-character extension, so there is no fixed suffix for recovery tooling or detection rules to key on. The malware also employs anti-forensic measures: it patches a Windows Event Tracing (ETW) API so that the events defenders rely on are never written.
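Two defender-side heuristics for the Windows behaviours just described, written here as an added example; this is not code from the Trend Micro report or from the malware. It assumes (the page does not say) that the patched API is ntdll!EtwEventWrite, that the patch is one of the usual early-return stubs, and that the random extension is 16 ASCII letters or digits. The prologue bytes and file listing are constructed sample inputs.

```python
"""Detect an early-return patch on an ETW function prologue and spot the
randomized 16-character extensions LockBit 5.0 leaves on encrypted files.

Added example, not from the report or the malware. Assumptions: the patched
API is ntdll!EtwEventWrite, the patch is an early-return stub, and the
extension alphabet is [A-Za-z0-9]. Sample inputs below are constructed.
"""
import math
import re
from collections import Counter
from pathlib import PureWindowsPath
from typing import Optional

# Early-return stubs commonly written over a function prologue to neuter it.
# Assumption: a real patch matches one of these; extend the table as needed.
PATCH_STUBS = {
    b"\xc3": "ret",
    b"\x33\xc0\xc3": "xor eax,eax; ret",
    b"\x31\xc0\xc3": "xor eax,eax; ret",
    b"\x48\x33\xc0\xc3": "xor rax,rax; ret",
    b"\xb8\x00\x00\x00\x00\xc3": "mov eax,0; ret",
}


def prologue_patched(prologue: bytes) -> Optional[str]:
    """Return a description of the stub if the first bytes of a function look
    like an early return, else None.  On a live Windows host you would fill
    `prologue` with the first 8 bytes at GetProcAddress(ntdll, b"EtwEventWrite")
    (e.g. via ctypes.string_at); here the bytes are supplied by the caller."""
    for stub, name in PATCH_STUBS.items():
        if prologue.startswith(stub):
            return name
    return None


# Assumption: 16 alphanumerics.  Real extensions of this length are rare.
RANDOM_EXT = re.compile(r"^[A-Za-z0-9]{16}$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 16 distinct chars give the maximum 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def randomized_extension(path: str, min_entropy: float = 3.0) -> bool:
    """True if the final suffix is 16 alphanumerics with enough entropy to
    look generated rather than a low-entropy placeholder like 'aaaaaaaaaaaaaaaa'."""
    suffix = PureWindowsPath(path).suffix.lstrip(".")
    return bool(RANDOM_EXT.match(suffix)) and shannon_entropy(suffix) >= min_entropy


def triage_listing(paths):
    """Return (flagged paths, Counter of suspicious extensions).  Many files
    sharing one random suffix is the signal of a single encryption run."""
    flagged = [p for p in paths if randomized_extension(p)]
    exts = Counter(PureWindowsPath(p).suffix.lstrip(".") for p in flagged)
    return flagged, exts


# Constructed sample data (not captured from a real incident).
SAMPLE_PROLOGUES = {
    "clean": b"\x48\x89\x5c\x24\x08\x48\x89\x74",  # typical mov [rsp+8],rbx ...
    "patched": b"\x33\xc0\xc3\x90\x90\x90\x90\x90",
}
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx.k7Qx9ZbT2mLp4Wc1",
    r"C:\Users\alice\Documents\budget.xlsx.k7Qx9ZbT2mLp4Wc1",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Downloads\archive.tar.gz",
    r"C:\Users\alice\Downloads\placeholder.aaaaaaaaaaaaaaaa",
]

if __name__ == "__main__":
    for label, blob in SAMPLE_PROLOGUES.items():
        print(f"{label}: {prologue_patched(blob) or 'no stub detected'}")
    flagged, exts = triage_listing(SAMPLE_LISTING)
    print(f"{len(flagged)} file(s) with random extensions: {dict(exts)}")
```

The entropy check matters because the regex alone would also flag a deliberately low-entropy 16-character suffix; the extension counter matters because one suffix repeated across many files is what distinguishes a single encryption run from an oddly named file.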
A critical escalation is the ESXi variant, which targets virtualization hosts directly. This is particularly dangerous because a single ESXi server typically hosts many virtual machines, so one execution on the hypervisor can encrypt an entire virtualized environment and cause widespread disruption without the malware ever running inside the guests.
Despite these advancements, the report indicates that LockBit 5.0 is an evolutionary step rather than a complete overhaul. Significant code reuse from LockBit 4.0 suggests the same developers are building on their existing codebase. That continuity makes it unlikely the new variant is an imitation by a different threat actor, and confirms that the original LockBit group remains operational.
(Source: Info Security)