LockBit 5.0 ransomware expands its reach across Windows, Linux, and ESXi
The Acronis Threat Research Unit (TRU) has identified a new and significantly enhanced version of the LockBit ransomware, LockBit 5.0, currently being deployed in active campaigns. The latest variant demonstrates expanded cross-platform capabilities, enabling attackers to target Windows, Linux, and VMware ESXi systems within a single coordinated attack.

According to analysis, LockBit 5.0 introduces dedicated builds tailored for enterprise environments, reflecting the continued evolution of ransomware-as-a-service (RaaS) operations. By supporting multiple operating systems and virtualization platforms, the threat actors are positioning themselves to compromise endpoints, servers, and hypervisors, simultaneously increasing the potential scale and severity of attacks.
The Windows variant incorporates advanced defense-evasion techniques, including obfuscation and anti-analysis mechanisms designed to bypass detection tools and disrupt monitoring systems. Meanwhile, the Linux and ESXi versions are engineered to target critical infrastructure and virtual machines, allowing attackers to encrypt multiple workloads at once and cause widespread operational disruption.
Researchers observed that LockBit 5.0 continues to rely on strong encryption routines and appends randomized extensions to encrypted files, making recovery without secure backups significantly more challenging. The ESXi-focused functionality is particularly concerning, as compromising a single hypervisor host can impact numerous virtual machines simultaneously.
The emergence of LockBit 5.0 underscores the resilience and adaptability of ransomware groups, even as global law enforcement continues sustained efforts to disrupt and dismantle their infrastructure. The release of this upgraded version also signals a continued shift toward enterprise-grade targets, with virtualization platforms and critical backend systems increasingly in the crosshairs.
Acronis TRU advises organizations to adopt a layered security strategy, including comprehensive endpoint and server protection, network segmentation, strong access controls such as multi-factor authentication, and regularly tested offline backups. As ransomware operators continue to expand their technical sophistication and platform reach, cross-environment visibility and proactive cyber resilience measures are becoming increasingly critical for enterprise defense.
