Trend Micro has identified a new LockBit ransomware variant that is “significantly more dangerous” than previous versions and is being deployed in the wild.

The notorious LockBit ransomware gang reportedly announced the release of “LockBit 5.0” in September 2025 to mark the group’s sixth anniversary.

Trend Micro researchers have since analyzed a Windows binary of the new variant and, in a blog post published on September 25, also confirmed the existence of Linux and ESXi variants of LockBit 5.0.

“The existence of Windows, Linux, and ESXi variants confirms LockBit's continued cross-platform strategy. This enables simultaneous attacks across entire enterprise networks, from workstations to critical servers hosting databases and virtualization platforms,” the researchers noted.

The variants provide more detailed deployment options and settings for affiliates.

Additionally, the LockBit 5.0 variants contain significant technical improvements, including the removal of the marker that previous versions appended to the end of encrypted files, faster encryption and enhanced evasion.

The Trend Micro researchers warned that despite the law enforcement takedown operation of LockBit infrastructure in early 2024, the group has demonstrated resilience and an ability to stay ahead of competitors through an “aggressive evolution” of its tactics, techniques and procedures (TTPs).

Technical Analysis of LockBit 5.0

The LockBit 5.0 Windows version was found to present affiliates with a cleaner, better-formatted command-line help interface than previous versions.

It describes the various options and settings for executing the ransomware, including basic options such as specifying directories to encrypt or exclude, operation modes such as invisible (quiet) mode and verbose mode, ransom note settings, encryption settings, filtering options and usage examples.

“The detailed commands and parameters illustrate the flexibility and customization available to the attacker,” the researchers commented.

Upon execution, the ransomware generates its signature ransom note and directs victims to a dedicated leak site. The infrastructure maintains LockBit's established victim interaction model, featuring a streamlined “Chat with Support” section for ransom negotiations.

Notably, the variant appends a randomized 16-character extension to each file it encrypts, so encrypted files can no longer be identified by a fixed LockBit extension, further complicating recovery. LockBit 5.0 also omits the marker that earlier versions wrote at the end of encrypted files, making it harder for analysts and tooling to recognize files encrypted by this family.
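The two file-level observations above (random 16-character extension, no fixed trailer) suggest a simple triage heuristic. The following script is an added example written for this page, not code from Trend Micro or from the sample: it walks a directory, flags files whose last suffix is exactly 16 alphanumeric characters and whose leading bytes have ciphertext-like entropy, and builds a constructed set of sample files (one hit, two decoys) to exercise itself. The extension regex and the 7.5-bit entropy threshold are assumptions, not values from the analysis.

```python
import random
import re
import tempfile
from collections import Counter
from math import log2
from pathlib import Path

# Assumed heuristic: LockBit 5.0 appends a random 16-character extension, so a
# final suffix of exactly 16 alphanumerics is treated as suspicious.
RANDOM_EXT = re.compile(r"^[A-Za-z0-9]{16}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for text or office files."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts.values())


def looks_encrypted(path: Path, sample: int = 4096, threshold: float = 7.5) -> bool:
    """Read the first `sample` bytes and test whether they look like ciphertext.
    The threshold is an assumption chosen to separate random bytes from plaintext."""
    with path.open("rb") as fh:
        return shannon_entropy(fh.read(sample)) >= threshold


def scan(root) -> list[Path]:
    """Files whose last suffix is a 16-char random-looking extension AND whose
    contents are high-entropy. Requiring both avoids flagging, e.g., a file that
    merely has a 16-character hex checksum as its extension."""
    return sorted(
        p for p in Path(root).rglob("*")
        if p.is_file()
        and RANDOM_EXT.match(p.suffix[1:])   # suffix includes the leading dot
        and looks_encrypted(p)
    )


def build_sample_tree(base) -> Path:
    """Constructed sample files for this example (not real samples):
    one that should be flagged and two decoys that should not."""
    base = Path(base)
    rng = random.Random(1)  # deterministic stand-in for ciphertext
    (base / "report.docx.aBcD1234EfGh5678").write_bytes(rng.randbytes(8192))
    (base / "notes.txt").write_text("quarterly numbers look fine\n" * 200)
    # 16-char suffix but low-entropy body: a repetitive log, not an encrypted file
    (base / "service.log.abcdefghijklmnop").write_text("heartbeat ok\n" * 500)
    return base


def demo() -> list[str]:
    """Build the constructed tree in a temp dir, scan it, return flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [p.name for p in scan(tmp)]


if __name__ == "__main__":
    print(demo())
```

Run it against a real file share by calling `scan("/path/to/share")`; the entropy check is what keeps the hit list short, since a 16-character suffix alone is a weak signal.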

The malware deploys other anti-forensic techniques. This includes patching the EtwEventWrite API in its own process by overwriting the start of the function with a 0xC3 (RET) instruction, so every attempt to emit an ETW event from the process returns immediately and ETW-based telemetry from that process is silenced.

As with previous LockBit versions, the new iteration performs language and geolocation checks, terminating execution when it detects Russian language settings or a Russian geolocation.

The features observed in the Windows version were similar to those in the Linux and ESXi variants analyzed.

The ESXi variant specifically targets VMware virtualization infrastructure, which the researchers said represents a “critical escalation” in LockBit’s capabilities.

This is because ESXi servers typically host multiple virtual machines, allowing attackers to encrypt entire virtualized environments with a single payload execution.

New Ransomware Version an “Evolutionary Development”

The report also highlighted significant code reuse between LockBit 4.0 and 5.0, demonstrating that the new version is an “evolutionary development” rather than a complete rewrite.

As a result, it is likely that 5.0 is a continuation of the LockBit ransomware family and not an imitation or rebrand by other threat actors.

“Both versions share identical hashing algorithms for string operations, a critical component for API resolution, and service identification. The code structure for dynamic API resolution remains remarkably similar between versions, suggesting the developers built upon the existing LockBit 4.0 codebase,” the researchers noted.
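Hash-based API resolution, which the quote above describes as shared between 4.0 and 5.0, is the reason code reuse is so useful to analysts. The following is an added example written for this page, not LockBit's code: it uses a ROR13 hash as a stand-in (the article does not disclose the actual algorithm), shows how a binary resolves an import from an embedded hash constant without ever containing the API name, and shows the analyst's side, a precomputed hash-to-name table that, if the hash is unchanged between versions, labels 5.0's constants with no new work. The export table and addresses are constructed for the example.

```python
# Stand-in hash: ROR13 over the ASCII name, a common construction in malware
# API resolvers. Assumed for illustration; it is not LockBit's actual algorithm.
MASK = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Rotate the running hash right by 13 bits and add each character."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK
        h = (h + b) & MASK
    return h


# Constructed export table (name -> fake address); in a real resolver this comes
# from walking the PE export directory of the loaded module.
FAKE_EXPORTS = {
    "VirtualAlloc":   0x7FF800001000,
    "VirtualProtect": 0x7FF800001100,
    "CreateFileW":    0x7FF800001200,
    "OpenSCManagerW": 0x7FF800001300,
    "EtwEventWrite":  0x7FF800001400,
}


def resolve_by_hash(target: int, exports: dict, hash_fn=ror13_hash):
    """What the binary does: hash every export name and compare against the
    embedded constant. The string 'VirtualAlloc' never appears in the file."""
    for name, addr in exports.items():
        if hash_fn(name) == target:
            return name, addr
    return None


def build_rainbow(names, hash_fn=ror13_hash) -> dict:
    """What the analyst does: precompute hash -> name for known exports so that
    constants pulled from the binary can be labelled. If 5.0 reuses 4.0's hash,
    a table built for 4.0 resolves 5.0's constants unchanged."""
    table = {}
    for n in names:
        h = hash_fn(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {n} vs {table[h]}")
        table[h] = n
    return table


def label_constants(constants, rainbow: dict) -> dict:
    """Map each 32-bit constant found in the binary to an API name, or '<unknown>'."""
    return {hex(c): rainbow.get(c, "<unknown>") for c in constants}


if __name__ == "__main__":
    rainbow = build_rainbow(FAKE_EXPORTS)
    # Constants as they would be lifted from the binary's resolver call sites
    found = [ror13_hash("VirtualAlloc"), ror13_hash("EtwEventWrite"), 0xDEADBEEF]
    for const, api in label_constants(found, rainbow).items():
        print(f"{const:>12s} -> {api}")
```

The practical payoff of identical hashing is that the hash-to-name table, and any YARA rules keyed on the resolver's constants, carry over between versions; a rewrite with a new hash function would force both to be rebuilt.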

A Timeline of LockBit Ransomware Versions