Advisory ID: NCC-CSIRT-2026-008
Summary:
Security researchers from the Acronis Threat Research Unit (TRU) have identified a new version of the LockBit ransomware (version 5.0) actively used in cyberattacks. The updated variant introduces expanded cross-platform capabilities, enabling threat actors to target Windows, Linux, and VMware ESXi systems within a single coordinated campaign.
Damage: Critical
Probability: High
Product(s):
- Microsoft Windows systems
- Linux servers and enterprise workloads
- VMware ESXi hypervisors and virtual infrastructure
Version(s):
All vulnerable Windows, Linux, and ESXi deployments.
Platform(s):
Enterprise endpoints, servers, and virtualized environments running Windows, Linux, or VMware ESXi.
Description:
LockBit first emerged in 2019 and has evolved into one of the most prolific ransomware families globally through its affiliate-driven Ransomware-as-a-Service model.
The latest version of LockBit, 5.0, introduces improvements to increase operational scale and resilience. Researchers observed that the new variant includes:
- Separate payload builds for Windows, Linux, and VMware ESXi environments, allowing attackers to compromise heterogeneous enterprise infrastructure.
- Advanced encryption routines, including fast symmetric encryption mechanisms such as ChaCha20 for rapid file locking.
- Hypervisor-focused capabilities, including commands that enumerate and shut down virtual machines before encrypting their virtual disks.
- Defense-evasion techniques, such as obfuscation, anti-analysis mechanisms, and disabling certain monitoring features to avoid detection.
In ESXi environments, attackers may upload the ransomware payload to the hypervisor, use administrative commands to power down virtual machines, and encrypt VM datastore files located under /vmfs/volumes/.
Because a single hypervisor may host dozens or hundreds of virtual machines, successful compromise can cause large-scale business disruption.
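The hypervisor attack path described above (enumerate VMs, power them off, then encrypt the datastore) leaves a visible trace in the ESXi shell history. The following detection script is an added example written for this advisory, not code from NCC-CSIRT or Acronis; it assumes the `/var/log/shell.log` line format `<timestamp> shell[<pid>]: [<user>]: <command>` and the real `vim-cmd vmsvc/getallvms` / `vim-cmd vmsvc/power.off <vmid>` commands, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the assumed /var/log/shell.log format.
SAMPLE_SHELL_LOG = """\
2026-02-16T09:58:41Z shell[2101]: [root]: esxcli system version get
2026-02-16T10:02:03Z shell[2140]: [root]: vim-cmd vmsvc/getallvms
2026-02-16T10:02:09Z shell[2140]: [root]: vim-cmd vmsvc/power.off 1
2026-02-16T10:02:11Z shell[2140]: [root]: vim-cmd vmsvc/power.off 2
2026-02-16T10:02:13Z shell[2140]: [root]: vim-cmd vmsvc/power.off 3
2026-02-16T10:02:15Z shell[2140]: [root]: vim-cmd vmsvc/power.off 4
2026-02-16T10:02:17Z shell[2140]: [root]: vim-cmd vmsvc/power.off 5
2026-02-16T14:30:00Z shell[3311]: [root]: vim-cmd vmsvc/power.off 7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")
POWEROFF_RE = re.compile(r"vim-cmd\s+vmsvc/power\.off\s+(\d+)")
ENUM_RE = re.compile(r"vim-cmd\s+vmsvc/getallvms")


def parse_shell_log(text):
    """Return (timestamp, pid, user, command) tuples for every parseable line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, int(m["pid"]), m["user"], m["cmd"]))
    return events


def find_poweroff_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a shell session (pid) that powers off >= threshold distinct VMs
    inside `window`; a lone power-off (normal maintenance) is not reported."""
    by_session = defaultdict(list)
    for ts, pid, user, cmd in events:
        m = POWEROFF_RE.search(cmd)
        if m:
            by_session[pid].append((ts, user, int(m.group(1))))
    alerts = []
    for pid, hits in by_session.items():
        hits.sort()
        for i in range(len(hits)):  # sliding window over the session's power-offs
            vms = {vm for ts, _, vm in hits[i:] if ts - hits[i][0] <= window}
            if len(vms) >= threshold:
                # Enumeration before the burst strengthens the ransomware hypothesis.
                enumerated = any(ENUM_RE.search(c) for t, p, _, c in events
                                 if p == pid and t <= hits[i][0])
                alerts.append({"pid": pid, "user": hits[i][1], "start": hits[i][0],
                               "vms": sorted(vms), "enumerated_first": enumerated})
                break
    return alerts
```

Run it against a copied `shell.log` and feed the returned alerts to your SIEM; an alert with `enumerated_first` set deserves immediate isolation of the host.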
Threat Types:
- Ransomware (RaaS): LockBit operates through affiliates who deploy the ransomware after gaining network access.
- Cross-platform malware: Separate builds target Windows, Linux servers, and VMware ESXi hosts.
- Data exfiltration and double extortion: Victims may face threats of data leaks if ransom payments are not made.
- Defense evasion: The malware uses obfuscation and anti-analysis techniques to evade detection.
Impacts:
- LockBit 5.0 can encrypt endpoints, servers, and virtual machines simultaneously.
- Attacks on ESXi hypervisors can affect multiple virtual workloads hosted on the same system.
- Stolen data may be published on leak sites to pressure victims.
- Critical services, databases, and enterprise systems may become unavailable.
- Recovery costs, regulatory penalties, and loss of customer trust may occur.
Solutions/Mitigations:
NCC-CSIRT recommends the following mitigation steps:
- Isolate infected systems and disable network connectivity to prevent lateral movement.
- Stop unauthorized administrative access to hypervisors and servers.
- Preserve forensic evidence and system logs.
- Patch exposed services and disable unused remote access services.
- Reset compromised credentials and enforce multi-factor authentication (MFA).
- Conduct full scans using updated EDR and anti-malware tools.
- Implement network segmentation to limit lateral movement.
- Maintain offline and immutable backups and regularly test restoration processes.
- Restrict administrative privileges and monitor privileged accounts closely.
References:
- https://www.acronis.com/en/tru/posts/lockbit-strikes-with-new-50-version-targeting-windows-linux-and-esxi-systems/
- https://www.helpnetsecurity.com/2026/02/16/lockbit-5-0-ransomware-windows-linux-esxi/
- https://securitybrief.com.au/story/lockbit-5-0-ransomware-targets-windows-linux-esxi
- https://socprime.com/active-threats/19-shades-of-lockbit5-0/
- https://www.techradar.com/pro/security/lockbit-malware-is-back-and-nastier-than-ever-experts-claim