LockBit strikes with new 5.0 version, targeting Windows, Linux and ESXI systems

Acronis TRU analyzed LockBit 5.0, a cross‑platform ransomware family (Windows, Linux, ESXi) that uses XChaCha20 and Curve25519 encryption, random per‑file extensions, and shared execution/encryption logic while applying extensive defense‑evasion techniques on Windows. The report also links LockBit infrastructure to a SmokeLoader‑associated IP and documents double‑extortion exfiltration and enterprise/virtualization targeting (including Proxmox and ESXi). #LockBit #SmokeLoader

Keypoints

  • LockBit 5.0 supports Windows, Linux and ESXi, sharing a unified encryption routine (XChaCha20 + Curve25519) and identical ransom note content across variants.
  • The Windows build employs heavy defense‑evasion: packing, DLL unhooking, process hollowing (injection into defrag.exe), ETW patching and clearing all event logs.
  • Linux and ESXi samples share the Windows core logic but are largely unpacked, keep their strings encrypted, and add virtualization‑specific functionality (VM enumeration and termination, plus claimed Proxmox support).
  • LockBit appends a random 16‑character extension to each encrypted file, writes a trailing data block containing the original file size and the file's encrypted ChaCha20 key (the Curve25519 step protects the per‑file key, so recovery without the attacker's private key is not possible), and encrypts with one thread per logical processor.
  • The malware supports multiple command‑line options (e.g., -d, -w, -k, -nomutex, -o, -n) that control injection, verbosity, wiping, self‑deletion, and VM handling.
  • A public IP historically used by SmokeLoader (205.185.116[.]233) hosted LockBit sites, suggesting infrastructure reuse or renting; affiliates are allowed to target any organization except post‑Soviet countries.
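Added triage example, written for this summary rather than taken from the Acronis report: a Python script that flags files showing the two file‑level traits listed above, a random 16‑character extension and ciphertext‑grade entropy. The extension alphabet ([A‑Za‑z0‑9]), the 7.5 bits/byte threshold and the sample files are all assumptions constructed here; the layout of the appended data block is not described in enough detail on this page to parse it, so the script does not try.

```python
import math
import os
import re
import secrets
import tempfile
from collections import Counter

# Assumption (not from the report): the random extension draws from [A-Za-z0-9].
# The report only says "random 16-character extension".
RANDOM_EXT_RE = re.compile(r"\.[A-Za-z0-9]{16}$")
ENTROPY_THRESHOLD = 7.5  # bits per byte; well-encrypted data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted_by_lockbit(path: str, sample_size: int = 65536) -> bool:
    """Heuristic: random 16-char extension AND high entropy in the leading bytes.

    Either trait alone is noisy (a JPEG is high-entropy, a renamed text file
    has the extension), so both must hold.
    """
    if not RANDOM_EXT_RE.search(os.path.basename(path)):
        return False
    with open(path, "rb") as f:
        head = f.read(sample_size)
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def triage_tree(root: str) -> list[str]:
    """Walk a directory tree and return the paths that match the heuristic, sorted."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if looks_encrypted_by_lockbit(path):
                hits.append(path)
    return sorted(hits)


def build_demo_tree() -> tuple[str, str]:
    """Constructed sample files for an offline run (none are real samples)."""
    root = tempfile.mkdtemp(prefix="lb_triage_")
    ext = secrets.token_hex(8)  # 16 hex characters stand in for the random extension
    victim = os.path.join(root, "budget.xlsx." + ext)
    with open(victim, "wb") as f:
        f.write(secrets.token_bytes(8192))  # random bytes stand in for ciphertext
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("quarterly notes\n" * 200)  # plain text, ordinary extension
    with open(os.path.join(root, "photo.jpg"), "wb") as f:
        f.write(secrets.token_bytes(8192))  # high entropy but ordinary extension
    with open(os.path.join(root, "readme." + "a" * 16), "w") as f:
        f.write("low entropy text\n" * 200)  # 16-char extension but not encrypted
    return root, victim


if __name__ == "__main__":
    demo_root, _ = build_demo_tree()
    for hit in triage_tree(demo_root):
        print("possible LockBit-encrypted file:", hit)
```

Run it against a mounted image of an affected volume rather than the live host; the hit list gives responders a fast estimate of encryption scope and of which shares were reached, which matters for the double‑extortion question of what was readable before encryption.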

MITRE Techniques

  • [T1055] Process Injection – Uses process hollowing: launches a legitimate process suspended, writes the LockBit image into its memory, sets a new thread context and resumes execution (‘Defrag.exe — a system utility responsible for defragmentation — will be started in a suspended state. … Right before writing, we can observe the ‘MZx’ header in the buffer, which is actually the image of LockBit. After that, it sets a new thread context, resumes it and terminates execution.’)
  • [T1027] Obfuscated Files or Information – Binaries are packed or carry encrypted strings, and MBA obfuscation around return‑address‑dependent hashes hinders static analysis (‘This includes packing, DLL unhooking, process hollowing, patching Event Tracing for Windows (ETW) functions and clearing all available logs in the system.’ and ‘almost all strings are encrypted.’)
  • [T1562] Impair Defenses – Disables telemetry by patching ETW so security software no longer receives its events (‘it patches the ‘EtwEventWrite’ function… replaces the very first byte in this function with the value ‘C3’, which is a ‘return’ instruction in assembly.’). A memory‑integrity check that compares the live first bytes of ntdll!EtwEventWrite with the on‑disk copy of ntdll.dll exposes this patch.
  • [T1070.001] Indicator Removal: Clear Windows Event Logs – Clears every available event log via EvtClearLog after execution (‘clears all available event logs by passing different service log files to the ‘EvtClearLog’ function.’). Clearing is itself logged: the Security log records Event ID 1102 and the System log records Event ID 104 for each other cleared channel, so a burst of these on one host is a reliable signal wherever events are forwarded off the host before the wipe.
  • [T1070.004] Indicator Removal: File Deletion – Self‑deletion via SetFileInformationByHandle with the FileDispositionInfo class (value 4) and DeleteFile set to TRUE, so the binary is removed once its last handle closes (‘calls the ‘SetInformationByHandle’ function… with flag 4 (FileDispositionInfo). Passing value ‘1’ will trigger file deletion.’)
  • [T1486] Data Encrypted for Impact – Encrypts victim files with XChaCha20 (symmetric) and Curve25519 (asymmetric), appending the encrypted per‑file key and a random extension to each file (‘All versions have the same ransom note, append a random extension to each encrypted file, and the same encryption routine that involves XChaCha20 and Curve25519.’)
  • [T1485] Data Destruction – Wipes free space by creating a temporary file and writing zeros in 4 MiB blocks until the volume is full, which defeats recovery of deleted originals (‘it will create a ‘.tmp’ file in C: drive and start writing ‘00’ bytes to it, 4194304 bytes per write until the free space ends.’)
  • [T1041] Exfiltration Over C2 – Implements double extortion by exfiltrating files to attacker servers alongside encryption to increase pressure on the victim (‘also exfiltrating files to the attacker’s server to increase the likelihood of receiving the ransom.’)
  • [T1497] Virtualization/Sandbox Evasion – Compares the parent process name against an encoded list of debuggers and tracers (gdb, lldb, strace, ltrace, rr) and exits on a match (‘To avoid analysis, it gets the parent process name, decodes saved values and compares them. If matches, it will terminate execution.’). Because the list consists of debuggers rather than sandbox artifacts, the behaviour maps more precisely to T1622 Debugger Evasion.
  • [T1036] Masquerading – Attempts to look legitimate through a fake compilation timestamp and an invalid certificate (‘The LockBit 5.0 Windows sample is a PE64 file with a fake compilation timestamp… This file has an invalid certificate that expired in 1996 and was issued to the BorgWarner company.’)
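Detection example added here, not taken from the report: the log‑clearing behaviour above leaves Event ID 1102 (Security log cleared) and Event ID 104 (any other log cleared, named in the event) behind on every host that forwards its logs before the wipe. The script runs that rule over constructed SIEM‑style JSON records; the field names, the sample records and the threshold of three clears within 60 seconds are assumptions made for this example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the report): one JSON object per line in the
# normalized form a SIEM might store Windows event log entries. Event ID 1102 in the
# Security channel means the Security log was cleared; Event ID 104 in the System
# channel means another log was cleared and names it in "cleared_log".
SAMPLE_LOG = """
{"ts": "2025-09-30T10:14:01Z", "host": "ws-01", "channel": "System", "event_id": 104, "cleared_log": "Application", "user": "jdoe"}
{"ts": "2025-09-30T10:20:17Z", "host": "ws-01", "channel": "Security", "event_id": 4624, "user": "jdoe"}
{"ts": "2025-09-30T11:02:10Z", "host": "srv-fs-02", "channel": "Security", "event_id": 1102, "user": "svc_backup"}
{"ts": "2025-09-30T11:02:10Z", "host": "srv-fs-02", "channel": "System", "event_id": 104, "cleared_log": "Application", "user": "svc_backup"}
{"ts": "2025-09-30T11:02:11Z", "host": "srv-fs-02", "channel": "System", "event_id": 104, "cleared_log": "System", "user": "svc_backup"}
{"ts": "2025-09-30T11:02:11Z", "host": "srv-fs-02", "channel": "System", "event_id": 104, "cleared_log": "Microsoft-Windows-PowerShell/Operational", "user": "svc_backup"}
{"ts": "2025-09-30T11:02:12Z", "host": "srv-fs-02", "channel": "System", "event_id": 104, "cleared_log": "Setup", "user": "svc_backup"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into dicts, converting the ISO-8601 timestamp to datetime."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def is_clear_event(e: dict) -> bool:
    """True for the two records Windows writes when a log is cleared."""
    return (e["channel"] == "Security" and e["event_id"] == 1102) or (
        e["channel"] == "System" and e["event_id"] == 104
    )


def cleared_log_name(e: dict) -> str:
    return "Security" if e["event_id"] == 1102 else e.get("cleared_log", "<unknown>")


def detect_log_clearing(events: list[dict], window_seconds: int = 60, min_clears: int = 3) -> list[dict]:
    """Two rules per host: any Security log clear, and a burst of clears inside one window.

    A single clear by an administrator (ws-01 in the sample) stays below the burst
    threshold; a ransomware run that clears every channel does not.
    """
    alerts = []
    by_host = defaultdict(list)
    for e in events:
        if is_clear_event(e):
            by_host[e["host"]].append(e)
    window = timedelta(seconds=window_seconds)
    for host, evs in sorted(by_host.items()):
        evs.sort(key=lambda e: e["ts"])  # stable sort keeps same-second input order
        for e in evs:
            if e["event_id"] == 1102:
                alerts.append({"host": host, "rule": "security_log_cleared",
                               "ts": e["ts"].isoformat(), "user": e.get("user")})
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= min_clears:
                burst = [x for x in evs[start:] if x["ts"] - evs[start]["ts"] <= window]
                alerts.append({"host": host, "rule": "mass_log_clearing",
                               "ts": evs[start]["ts"].isoformat(),
                               "cleared": [cleared_log_name(x) for x in burst],
                               "user": evs[start].get("user")})
                break  # one burst alert per host per run
    return alerts


if __name__ == "__main__":
    for alert in detect_log_clearing(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The rule only works if events leave the host before EvtClearLog runs, which is the practical argument for near‑real‑time forwarding (Windows Event Forwarding or an agent) rather than periodic collection; once the wipe has happened, the 1102/104 records exist only on the collector.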

Indicators of Compromise

  • [File Hash] LockBit and related samples (SHA‑256) – 7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82, 180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38, 44dc06ecee904b9165fa699b026045c1b6408cc7061df3d2a7bc2b7b4f0879f4d98d8c7870c8e99ca6c8c25bb9ef79f71c25912fbb65698a9a6f22709b8ad34b6 (two digests run together in the extracted text; verify the exact values against the Acronis report before adding them to a blocklist), and 2 more hashes (includes ESXi sample and a SmokeLoader sample hash).
  • [IP Address] Exposed LockBit hosting IP – 205.185.116[.]233 (reported as hosting a LockBit site and observed accepting RDP on port 3389).
  • [Domain] Non‑onion domain linked to infrastructure – karma0[.]xyz (associated with the exposed LockBit server registration/hosting context).
  • [.onion URL] Data leak site and mirrors – hxxp://lockbitfbinpwhbyomxkiqtwhwiyetrbkb4hnqmshaonqxmsrqwg7yad[.]onion, hxxp://lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd[.]onion, and 22 additional .onion mirror URLs (LockBit leak site and many mirrors).
  • [File Name] Legitimate system executable used for injection – defrag.exe (the suspended target process for process hollowing; defrag.exe spawned by anything other than the scheduler or an interactive administrator is worth a look).


Read more: https://www.acronis.com/en/tru/posts/lockbit-strikes-with-new-50-version-targeting-windows-linux-and-esxi-systems/