LockBit 5.0

LockBit 5.0 is a cross-platform ransomware family targeting Windows, Linux, and VMware ESXi with advanced obfuscation, DLL reflection, ETW patching, and anti-forensics to evade detection and hinder recovery. It appends randomized 16-character file extensions, clears event logs, and shares code with LockBit 4.0, indicating an evolutionary upgrade. #LockBit5.0 #LockBit4.0

Keypoints

  • LockBit 5.0 targets Windows, Linux, and VMware ESXi, enabling wide-ranging attacks across endpoint and virtualized environments.
  • Windows variant uses heavy obfuscation, DLL reflection (loading and decrypting a PE binary in memory), and patches EtwEventWrite to disable Event Tracing for Windows (ETW).
  • The ransomware terminates security services by comparing hashed service names against a hardcoded list and clears event logs via the EvtClearLog API to impede forensic analysis.
  • Linux variant mirrors Windows functionality with similar command-line options, detailed execution logging, and randomized 16-character file extensions for encrypted files.
  • ESXi variant specifically targets VMware hosts with ESXi-focused CLI parameters to encrypt multiple virtual machines from a single host compromise.
  • LockBit 5.0 includes geofencing that aborts execution on systems with Russian language settings or geolocation, and it stores the original file size in each encrypted file's footer instead of a traditional file marker.
  • Code reuse with LockBit 4.0 (identical hashing algorithms and API resolution methods) indicates an evolutionary update rather than a complete rewrite.

MITRE Techniques

  • [T1055] Process Injection – DLL reflection is used to load and decrypt a PE binary in memory to evade static analysis. Quote: ‘decrypts a PE binary in memory to evade static analysis.’
  • [T1218] Signed Binary Proxy Execution – Uses legitimate Windows API functions (e.g., EtwEventWrite, EvtClearLog) and patches them (writing 0xC3 to EtwEventWrite) to disable event tracing and clear logs. Quote: ‘patching the EtwEventWrite API with a 0xC3 (return) instruction to disable Windows Event Tracing’ and ‘clears event logs using the EvtClearLog API.’
  • [T1070] Indicator Removal on Host – Clears event logs post-encryption to hinder forensic investigations. Quote: ‘clears event logs using the EvtClearLog API, further hindering forensic investigations.’
  • [T1036] Masquerading / Obfuscation – Heavy obfuscation and packing are used to evade detection and analysis. Quote: ‘employs heavy obfuscation through packing.’
  • [T1490] Inhibit System Recovery – Appends randomized 16-character file extensions and embeds original file sizes in encrypted file footers to complicate recovery and detection. Quote: ‘appends randomized 16-character file extensions to encrypted files’ and ‘embedding original file sizes in encrypted file footers.’
  • [T1012] Query Registry / [T1033] System Owner/User Discovery – Geofencing check on the system language and geolocation that aborts execution on Russian systems. Quote: ‘terminating execution on systems with Russian language settings or geolocation.’

Indicators of Compromise

  • [File Hash] samples of LockBit 5.0 – 7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82, 180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38, and 4 more hashes.
  • [File Behavior] encrypted file naming – Use of randomized 16-character file extensions (example behavior, no specific sample names provided).
  • [API/Artifacts] anti-forensics and ETW tampering – Patching EtwEventWrite (writing 0xC3) and use of EvtClearLog API to clear event logs (behavioral IOCs).
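As an added, defender-side example (not code from the PolySwarm report), the following Python checks for the two anti-forensics artifacts listed above: whether ntdll!EtwEventWrite in the current process begins with a 0xC3 RET (the ETW patch), and whether collected Windows event records contain the log-clear events that EvtClearLog produces (Event ID 1102 in the Security log, 104 in the System log). The event records and their simplified dict layout are constructed for the example; the live memory read only runs on Windows and is skipped elsewhere.

```python
import ctypes
import sys
from typing import List, Optional

# Event IDs Windows writes when a log is cleared: 1102 (Security, "The audit
# log was cleared") and 104 (System, Microsoft-Windows-Eventlog "Log clear").
LOG_CLEAR_EVENT_IDS = {1102, 104}


def etw_prologue_patched(prologue: bytes) -> bool:
    """True if the function entry was overwritten with a bare RET (0xC3),
    the EtwEventWrite patch described for LockBit 5.0. A genuine
    EtwEventWrite never begins with RET."""
    return len(prologue) > 0 and prologue[0] == 0xC3


def read_etw_prologue(nbytes: int = 8) -> Optional[bytes]:
    """Read the first bytes of ntdll!EtwEventWrite in this process.
    Windows only; returns None on other platforms or if lookup fails."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    ntdll = k32.GetModuleHandleW("ntdll.dll")
    addr = k32.GetProcAddress(ntdll, b"EtwEventWrite") if ntdll else None
    return ctypes.string_at(addr, nbytes) if addr else None


def find_log_clears(events: List[dict]) -> List[dict]:
    """Return the records that indicate a log was cleared (EvtClearLog
    leaves exactly these behind). Each event is a dict with 'id',
    'channel' and 'user' keys (constructed layout, not a real EVTX schema)."""
    return [e for e in events if e["id"] in LOG_CLEAR_EVENT_IDS]


# Constructed sample records (not taken from the report).
SAMPLE_EVENTS = [
    {"id": 4624, "channel": "Security", "user": "WS01\\alice"},
    {"id": 1102, "channel": "Security", "user": "WS01\\alice"},
    {"id": 104, "channel": "System", "user": "WS01\\alice"},
    {"id": 7036, "channel": "System", "user": "SYSTEM"},
]

if __name__ == "__main__":
    live = read_etw_prologue()
    print("EtwEventWrite patched:", etw_prologue_patched(live) if live else "n/a")
    for rec in find_log_clears(SAMPLE_EVENTS):
        print("log cleared:", rec["channel"], "event", rec["id"], "by", rec["user"])
```

On a live host, a Security 1102 or System 104 record immediately after mass file renames is the combination to alert on; the ETW check is only meaningful from inside a process of interest, since the patch is per-process memory.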
Read more: https://blog.polyswarm.io/lockbit-5.0