{"id":5079,"date":"2025-09-26T21:19:14","date_gmt":"2025-09-26T21:19:14","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5079"},"modified":"2025-09-26T21:19:14","modified_gmt":"2025-09-26T21:19:14","slug":"meet-lockbit-5-0-faster-esxi-drive-encryption-better-at-evading-detection","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5079","title":{"rendered":"Meet LockBit 5.0: Faster ESXi drive encryption, better at evading detection"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The LockBit gang has released a new version of its ransomware with improved ESXi drive encryption speed. However, a security researcher who has talked to senior gang members in the past says LockBit 5.0 is more \u201cfine tuning some basic features \u2026 and a lot of propaganda\u201d than a major leap in capabilities.<\/p>\n<p>In 2023, <a href=\"https:\/\/analyst1.com\/team\/jon-dimaggio\/\" target=\"_blank\" rel=\"noopener\">Jon DiMaggio<\/a>, chief security strategist at US-based Analyst1, <a href=\"https:\/\/analyst1.com\/ransomware-diaries-volume-1\/\" target=\"_blank\" rel=\"noopener\">revealed in a series of reports<\/a> how he spent months developing several online personas to gain access to the gang\u2019s operation, and then got leaders to give up details of how it worked. 
And while the <a href=\"https:\/\/www.csoonline.com\/article\/1308503\/lockbit-ransomware-operations-seized-by-law-enforcement-in-operation-cronos.html\" target=\"_blank\" rel=\"noopener\">February 2024 takedown<\/a> of much of the gang\u2019s IT infrastructure in Operation Cronos didn\u2019t put the ransomware-as-a-service operation out of business, it did much to damage the gang\u2019s credibility among crooks, he said in an interview.<\/p>\n<p>So launching a new version, as well as broadening the gang\u2019s profit sharing with affiliates, is a way of getting some of that reputation back.<\/p>\n<p>LockBit 5.0 \u201cis not a massive undertaking,\u201d he said. \u201cIt does encrypt faster, which will make attacks a little bit smoother\u201d for subscribing crooks. \u201cIt is better at evading detection \u2014 but so is every new ransomware variant,\u201d he added. \u201cBut what is an accomplishment is that LockBit has always been good at self-branding, and that\u2019s why there\u2019s some noise\u201d about this new version.<\/p>\n<p>DiMaggio was commenting on this week\u2019s <a href=\"https:\/\/www.trendmicro.com\/en_gb\/research\/25\/i\/lockbit-5-targets-windows-linux-esxi.html\" target=\"_blank\" rel=\"noopener\">report from Trend Micro<\/a> on LockBit 5.0, which has Windows, Linux and VMware ESXi variants.<\/p>\n<h2 class=\"wp-block-heading\">What\u2019s new in LockBit 5.0<\/h2>\n<p>In its analysis, Trend Micro discovered that:<\/p>\n<p>the Windows binary uses heavy obfuscation and packing: it loads its payload through DLL reflection while implementing anti-analysis techniques like Event Tracing for Windows (ETW) patching and terminating security services;<\/p>\n<p>the Linux variant maintains similar functionality with command-line options for targeting specific directories and file types;<\/p>\n<p>the ESXi variant specifically targets VMware virtualization environments, and is designed to encrypt entire virtual machine infrastructures in a single 
attack.<\/p>\n<p>Damage done to an ESXi drive can be significant for an organization. Trend Micro notes that a single ESXi host often runs dozens of critical servers. Encrypting at the hypervisor level can take many business services down at once.<\/p>\n<p>These new LockBit versions share key behaviors, including randomized 16-character file extensions, avoidance of Russian-language systems through geolocation checks, and event log clearing post-encryption, Trend Micro says. The 5.0 version also shares code characteristics with LockBit 4.0, including identical hashing algorithms and API resolution methods, confirming this is an evolution of the original codebase rather than an imitation.<\/p>\n<p>\u201cRansomware actors and their affiliates are regularly changing their TTPs [tactics, techniques, and procedures] nowadays to stay ahead of defenses as well as law enforcement,\u201d said <a href=\"https:\/\/www.trendmicro.com\/en\/about\/leading-experts.html\" target=\"_blank\" rel=\"noopener\">Jon Clay<\/a>, Trend Micro\u2019s vice-president of threat intelligence. 
\u201cOrganizations need to consider adopting newer cybersecurity models that get ahead of an attack by implementing a proactive approach versus the traditional detection and response reactive approach.\u00a0Implementing a risk-based approach that can discover their entire attack surface, identify and prioritize the risks associated with these attack surfaces, and enabling mitigating controls that can minimize their risk will go a long way in improving their security posture.\u201d<\/p>\n<p>After the February 2024 takedown of the LockBit infrastructure, <a href=\"https:\/\/www.csoonline.com\/article\/2099042\/administrator-of-ransomware-operation-lockbit-named-charged-has-assets-frozen.html\" target=\"_blank\" rel=\"noopener\">a Russian national alleged to have been the administrator<\/a> was indicted in the US, but is still at large.<\/p>\n<p>Five days later, the crew brought back new servers, and restored admin panels for subscribers. \u201cBut what happened behind the scenes is everybody bailed on them. The top affiliates don\u2019t trust them, won\u2019t work with them. It was really hard to work for LockBit. It got so bad he (the leader) was giving away access,\u201d DiMaggio said, noting that a subscription that used to cost $10,000 plunged to $700. \u201cHe started lying and putting out fake victims [on the gang\u2019s dark web site]\u201d to show the gang\u2019s reach hadn\u2019t diminished.<\/p>\n<p>It didn\u2019t help that, earlier this year, someone <a href=\"https:\/\/blog.qualys.com\/vulnerabilities-threat-research\/2025\/05\/08\/inside-lockbit-defense-lessons-from-the-leaked-lockbit-negotiations\" target=\"_blank\" rel=\"noopener\">leaked a file from LockBit\u2019s affiliate panel database<\/a> with details including over 4,400 victim negotiation messages.<\/p>\n<p>Even the few victims that now get hit by LockBit aren\u2019t paying out the way they used to. 
DiMaggio cited a case this year where a victim paid a mere $800 to get access back.<\/p>\n<p>\u201cIt is not business as usual\u201d for the gang, DiMaggio said. \u201cThose $100 million years are long gone. But he\u2019s trying to rebuild. That\u2019s what this effort is. He\u2019s trying to restore trust and lure people to come back and work for him, which is why he\u2019s trying to make the profit-sharing with affiliates better and making the malware work a little bit faster.\u201d<\/p>\n<h2 class=\"wp-block-heading\">What should CSOs do now?<\/h2>\n<p>Asked what mistakes CSOs are making in the fight against ransomware, DiMaggio said many still believe that attacks start with phishing and social engineering. However, today gangs are focusing more on compromising IT infrastructure through poorly patched, publicly available servers and applications, as well as by getting into applications through brute-forced or stolen credentials.<\/p>\n<p>Trend Micro says that, to better protect ESXi drives, CSOs should treat virtualization as critical and follow these guidelines:<\/p>\n<p>remove ESXi hosts from direct internet exposure. Management consoles should be behind a VPN, backed up by strong role-based access control.<\/p>\n<p>keep ESXi patched and only use supported versions.<\/p>\n<p>require anyone who has access to the vCenter management console to log in with multi-factor authentication.<\/p>\n<p>disable unused services like SSH and follow the <a href=\"https:\/\/core.vmware.com\/security-configuration-guide\" target=\"_blank\" rel=\"noopener\">vSphere Security Configuration Guide<\/a> and VMware ransomware defense guidance.<\/p>\n<p>have teams hunt for hypervisor and lateral-movement attack precursors such as unusual admin logins, mass process termination, or snapshot manipulation.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The LockBit gang has released a new version of its ransomware with improved ESXi drive encryption speed. 
However, a security researcher who has talked to senior gang members in the past says LockBit 5.0 is more \u201cfine tuning some basic features \u2026 and a lot of propaganda\u201d than a major leap in capabilities. In 2023, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5080,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5079","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5079"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5079"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5079\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5080"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5079"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5079"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5079"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}