LockBit 5.0 Emerges: Cross-Platform Ransomware Now Targeting Windows, Linux, and ESXi Systems

GBHackers On Security • February 16, 2026

Companies Mentioned

  • Acronis
  • VMware (VMW)

Why It Matters

By extending ransomware to servers and hypervisors, LockBit 5.0 widens the attack surface for critical infrastructure, forcing organizations to protect more than just Windows endpoints.

Key Takeaways

  • LockBit 5.0 targets Windows, Linux, ESXi.
  • Unified crypto uses XChaCha20 and Curve25519.
  • Windows variant employs advanced anti‑forensic techniques.
  • Linux/ESXi versions focus on virtualization environments.
  • Affiliates restrict attacks in post‑Soviet regions.

Pulse Analysis

LockBit’s evolution from a Windows‑only threat to a truly cross‑platform ransomware reflects a broader industry shift toward modular, multi‑environment malware. Version 5.0 consolidates encryption logic across three operating systems, leveraging XChaCha20 for speed and Curve25519 for secure key exchange. This unified approach reduces development overhead for affiliates while delivering a consistent ransom experience. The Windows payload is heavily obfuscated, employing DLL unhooking, process hollowing, and ETW patching to evade detection, whereas the Linux and ESXi binaries focus on virtualization‑specific capabilities, such as scanning VMFS directories and terminating virtual machines to free locked files.

Enterprises must rethink traditional endpoint‑centric defenses. The inclusion of ESXi and Proxmox targets means that hypervisor hosts, storage arrays, and backup systems are now high‑value ransomware vectors. Security teams should deploy telemetry that monitors hypervisor APIs, VM lifecycle events, and anomalous file‑system activity on /vmfs/. Integrating threat‑intel feeds that flag shared infrastructure—like the SmokeLoader IPs now used by LockBit—can also surface early indicators of campaign overlap. Patch management, network segmentation, and immutable backups become essential controls when ransomware can strike at the virtualization layer.
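
One way to express the telemetry correlation described above, as an added example that is not from the original article: it flags a host when several VMs are powered off and files under /vmfs/ are then written or renamed in bulk. The event schema, field names, sample events and thresholds are assumptions constructed for illustration, not a real ESXi log format.

```python
import json
from collections import defaultdict

# Constructed, normalized events (hypothetical schema, not a real ESXi log format).
SAMPLE_EVENTS = """\
{"ts": 1000, "host": "esx01", "type": "vm_power_off", "vm": "web01"}
{"ts": 1005, "host": "esx01", "type": "vm_power_off", "vm": "db01"}
{"ts": 1010, "host": "esx01", "type": "vm_power_off", "vm": "app01"}
{"ts": 1020, "host": "esx01", "type": "file_write", "path": "/vmfs/volumes/ds1/web01/web01.vmdk"}
{"ts": 1025, "host": "esx01", "type": "file_rename", "path": "/vmfs/volumes/ds1/web01/web01.vmx"}
{"ts": 1030, "host": "esx01", "type": "file_write", "path": "/vmfs/volumes/ds1/db01/db01.vmdk"}
{"ts": 1035, "host": "esx01", "type": "file_write", "path": "/vmfs/volumes/ds1/app01/app01.vmdk"}
{"ts": 2000, "host": "esx02", "type": "vm_power_off", "vm": "test01"}
{"ts": 2010, "host": "esx02", "type": "file_write", "path": "/vmfs/volumes/ds2/test01/test01.vmdk"}
{"ts": 2020, "host": "esx02", "type": "file_write", "path": "/var/log/maintenance.log"}
"""

def detect(lines, window=300, min_vms=3, min_files=4):
    """Flag hosts where several VMs are powered off and many files under
    /vmfs/ are then written or renamed within `window` seconds."""
    by_host = defaultdict(list)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        by_host[ev.get("host", "unknown")].append(ev)

    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e.get("ts", 0))
        offs = [e for e in events if e.get("type") == "vm_power_off"]
        for first in offs:  # try each power-off as the start of a window
            lo, hi = first["ts"], first["ts"] + window
            vms = {e["vm"] for e in offs if lo <= e["ts"] <= hi}
            files = {e["path"] for e in events
                     if e.get("type") in ("file_write", "file_rename")
                     and e["path"].startswith("/vmfs/")
                     and lo <= e["ts"] <= hi}
            if len(vms) >= min_vms and len(files) >= min_files:
                alerts.append({"host": host, "start": lo,
                               "vms": sorted(vms), "files": len(files)})
                break  # one alert per host is enough
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

A single planned power-off, as on the constructed host esx02, stays below the thresholds; tune the window and counts against normal maintenance activity in your environment.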

The business impact is immediate: a successful ESXi compromise can cripple dozens of virtual machines with a single infection, inflating ransom demands and recovery costs. Organizations should adopt a layered strategy that includes hardened hypervisor configurations, least‑privilege service accounts, and regular integrity checks of VM images. Law‑enforcement takedowns of leak sites have proven ineffective against resilient mirror networks, so reliance on external decryption tools is risky. Proactive threat hunting, coupled with continuous user education on phishing, LockBit’s primary entry point, remains the most cost‑effective defense against this expanding ransomware‑as‑a‑service ecosystem.
