Cross-platform LockBit 5.0 ransomware examined

Windows, Linux, and VMware ESXi systems have been targeted by the new LockBit 5.0 ransomware, which has also been touted to target all Proxmox versions, GBHackers News reports.

Despite having identical cryptographic logic combining XChaCha20 and Curve25519 encryption, as well as the same ransom notes and free-space wiping capability, the LockBit 5.0 ransomware for Windows had the most comprehensive defense bypass abilities, according to an Acronis Threat Research Unit report. Aside from leveraging DLL unhooking and process hollowing, the packed Windows variant also crafts mutexes, conducts locale and geography checks, and wipes free disk space, while allowing multiple command-line switches.

The two other samples, on the other hand, were not packed but still featured robust string encryption and anti-analysis logic, with the ESXi variant focusing on virtualization. Further analysis of LockBit 5.0 revealed that one of the IPs hosting its sites is linked to the SmokeLoader malware, indicating potential infrastructure reuse.
