In September 2025, a new incarnation of the notorious LockBit ransomware emerged, dubbed LockBit 5.0. It’s not just an “update”: it’s an operational adaptation designed to be faster, less noisy, and have a greater impact on virtualized infrastructures. The feature that should be emphasized right away is that 5.0 is cross-platform: samples have been identified for Windows, Linux, and VMware ESXi—which expands the attack surface and requires coordination between different teams (endpoints, servers, virtualization).
What changes
The attack chain remains the same, but LockBit 5.0 carries it forward faster and with measures designed to minimize traces:
LockBit 5.0 aims to run in memory rather than from disk. Instead of leaving files behind, it injects and loads code directly into RAM, so the indicator is no longer a suspicious file but the behavior of otherwise legitimate processes: “clean” applications suddenly open thousands of files, create threads in series, or start communicating over the network with no corresponding executable on disk. On well-configured EDR/NGAV systems this usually surfaces as warnings about code injection or modules loaded only in memory, with typical sequences such as VirtualAlloc → WriteProcessMemory → CreateRemoteThread or use of MapViewOfSection. The alarm does not always go off, however: obfuscation, indirect syscalls, and diluted timing (steps spread out so they no longer correlate) can mask the chain, and on workstations protected only by traditional AV it slips through easily.
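As an added example (not from the article or from any vendor's detection content), the correlation below reconstructs the VirtualAlloc → WriteProcessMemory → CreateRemoteThread chain from per-process API telemetry and shows why the “diluted timing” caveat matters: a chain spread beyond the correlation window goes unflagged. The flat event format, process names and PIDs are constructed, and treating a cross-process MapViewOfSection as an alert on its own is an assumption of this example.

```python
"""Correlate API-call telemetry into code-injection alerts (constructed example)."""
from datetime import datetime, timedelta

# Ordered chain from the text: every step must occur, in order, against the same target.
INJECTION_CHAIN = ("VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread")
# Assumption: mapping a section into a *different* process is suspicious by itself.
SECTION_MAP_API = "MapViewOfSection"

# Constructed sample, hypothetical flat export: timestamp image src_pid target_pid api.
SAMPLE_EVENTS = """\
2025-09-20T10:00:01 explorer.exe 1200 4412 VirtualAlloc
2025-09-20T10:00:02 explorer.exe 1200 4412 WriteProcessMemory
2025-09-20T10:00:04 explorer.exe 1200 4412 CreateRemoteThread
2025-09-20T10:05:00 svchost.exe 812 812 MapViewOfSection
2025-09-20T10:06:00 wordpad.exe 3300 5100 MapViewOfSection
2025-09-20T10:10:00 chrome.exe 2000 2000 VirtualAlloc
2025-09-20T10:10:01 chrome.exe 2000 2000 WriteProcessMemory
2025-09-20T10:40:00 chrome.exe 2000 2000 CreateRemoteThread
"""


def parse_events(text):
    """Turn the flat export into (timestamp, image, src_pid, target_pid, api) tuples."""
    events = []
    for line in text.splitlines():
        ts, image, src, dst, api = line.split()
        events.append((datetime.fromisoformat(ts), image, int(src), int(dst), api))
    return events


def detect_injection(events, window_seconds=60):
    """Return alert strings; the whole chain must fit inside window_seconds."""
    alerts, window, progress = [], timedelta(seconds=window_seconds), {}
    for ts, image, src, dst, api in sorted(events):
        if api == SECTION_MAP_API and src != dst:
            alerts.append(f"{image}[{src}] mapped a section into pid {dst} at {ts:%H:%M:%S}")
            continue
        key = (src, dst)
        step, started = progress.get(key, (0, ts))
        if step and ts - started > window:
            step, started = 0, ts  # chain stalled past the window: start over (diluted timing)
        if api == INJECTION_CHAIN[step]:
            step += 1
            if step == len(INJECTION_CHAIN):
                alerts.append(f"{image}[{src}] injection chain into pid {dst} completed at {ts:%H:%M:%S}")
                progress.pop(key, None)
                continue
            progress[key] = (step, started)
    return alerts


if __name__ == "__main__":
    for alert in detect_injection(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

With the default 60-second window the slow chrome.exe chain (30 minutes between steps) is missed; widening the window to an hour catches it, at the cost of more correlation state and false positives.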
Reduction of useful telemetry. LockBit 5.0 includes actions aimed at hindering the collection of events and logs precisely when that data is most needed. This does not necessarily mean logs are always visibly deleted: more often one observes inconsistencies (missing expected events, time jumps, or sudden drops in event volume), disabled or altered tracing providers, and, in some cases, explicit commands that clear logs. In essence, the attacker is attempting to “silence” the tools that would allow defenders to reconstruct what happened.
Focused attention on hypervisors (ESXi). The variant built for ESXi directly targets virtual machine disk files (.vmdk) and can run multiple encryption operations in parallel to finish the attack far more quickly. In practice, rather than working through individual servers one by one, the attacker can “saturate” a datastore in a matter of minutes, drastically shrinking the window for intervention. For this reason, a few practical signs deserve close monitoring: sudden I/O spikes on the datastore, intensive and repeated writes to .vmdk files, and alarms or anomalies reported by storage systems.
Modular and selective behavior. Analysis indicates that LockBit 5.0 behaves more like a parameterizable “kit” than a single monolithic binary. It’s possible to configure targeting options, choose paths to include or exclude, and decide how aggressive the encryption should be. As a result, different forms of the same attack can be expected depending on the targeted machine.
The image shows the parameters and how to use them to launch encryption.
LockBit 5.0 shifts the focus to memory and expands the perimeter: the endpoint is no longer enough; the environments that orchestrate it must also be protected. An effective response combines constant patching, ESXi host hardening, proactive log monitoring, and endpoint and network protection. Isolated, preferably immutable, and tested backups remain essential for recovery. In parallel, it is necessary to reduce the attack surface (turning off non-essential functionality), apply least privilege, and monitor network anomalies. Investing in MDR and proactive threat hunting is crucial to detect stealthy activity before it becomes mass encryption.
Antonio Piazzolla, IT Infrastructure & Security Manager with more than 20 years of experience in complex business environments. In the Casillo Group, he deals with business continuity, security and innovation. Microsoft, VMware, Cisco and ITIL certified.