LockBit 5.0 is an evolved, cross-platform ransomware variant that encrypts files with ChaCha20 (a stream cipher keyed with 256 bits) on Windows, Linux, and ESXi, while adopting modular, stealthy behaviors to evade detection. The sample analyzed scored 1/65 on VirusTotal at the time of the analysis. Notable features include in-memory execution, ETW patching, shadow-copy removal through the VSS Coordinator COM object instead of command-line tools, and hash-based (non-reversible) resolution of API, service, and process names.
Keypoints
- LockBit 5.0 replaces the AES file encryption of earlier versions with ChaCha20 (256-bit key), applied consistently across the Windows, Linux, and ESXi samples.
- The malware adopts a more flexible and modular structure, including a mutex to ensure a single instance, an integrated wiper component, and an optional execution delay before encryption.
- Multiple anti-analysis and defense-evasion techniques are used, such as anti-debugging measures and patching Event Tracing for Windows (ETW) to blind security protections.
- LockBit 5.0 uses a "processless" defense bypass: it removes shadow copies through the VSS Coordinator COM object rather than spawning noisy utilities (e.g., vssadmin or WMI commands), so detections keyed on those command lines will not fire.
- The variant emphasizes stealth and reduced forensic artifacts via enhanced in-memory execution and a loader that injects into legitimate processes without dropping modules to disk.
- Operational changes include deleting TEMP files to reduce artifacts, using a 16-character string as the extension of encrypted files, resolving API, service, and process names by comparing hashes (so the plaintext names never appear in the binary), and a progress bar for operator feedback.
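The ETW patching listed above is, in user mode, normally an in-memory overwrite of the first bytes of an ETW provider export (ntdll!EtwEventWrite is the usual target) so that every telemetry call returns immediately. The article does not say which function LockBit 5.0 patches or with which bytes, so the check below is an added example, not the article's or the malware's code: it diffs a function prologue captured from a live process against the same bytes from the on-disk image and labels the common return stubs. The prologue bytes and the patched variants are constructed inputs.

```python
"""Detect in-memory ETW patching by diffing an export's prologue against the clean on-disk bytes.

Added example (not from the original article). The byte strings below are constructed:
CLEAN is a plausible x64 prologue, not the real ntdll!EtwEventWrite bytes.
"""
from typing import Optional

# Short stubs commonly written over the start of an ETW export so the call returns at once.
# Assumption: the sample uses one of these; the article gives no patch bytes.
KNOWN_STUBS = {
    b"\xc3": "ret",
    b"\x33\xc0\xc3": "xor eax,eax; ret",
    b"\x31\xc0\xc3": "xor eax,eax; ret",
    b"\x48\x33\xc0\xc3": "xor rax,rax; ret",
    b"\xb8\x00\x00\x00\x00\xc3": "mov eax,0; ret",
}


def classify_patch(prologue: bytes) -> Optional[str]:
    """Describe the stub at the start of `prologue`, or None if it is not a known stub."""
    for stub, description in KNOWN_STUBS.items():
        if prologue.startswith(stub):
            return description
    if prologue[:1] == b"\xe9" and len(prologue) >= 5:
        # jmp rel32: an inline hook redirecting the export to attacker-controlled code
        rel = int.from_bytes(prologue[1:5], "little", signed=True)
        return f"jmp rel32 ({rel:+#x})"
    return None


def check_etw_export(name: str, in_memory: bytes, on_disk: bytes, length: int = 16) -> dict:
    """Compare the first `length` bytes of an export as mapped in a process with the
    same bytes from the image on disk. Code bytes (unlike relocated pointers) should
    match exactly; any difference means the function was hot-patched."""
    mem, disk = in_memory[:length], on_disk[:length]
    changed = [i for i in range(min(len(mem), len(disk))) if mem[i] != disk[i]]
    return {
        "export": name,
        "patched": bool(changed),
        "first_changed_offset": changed[0] if changed else None,
        "stub": classify_patch(mem),
    }


# Constructed stand-in for a clean prologue:
# mov [rsp+8],rbx; mov [rsp+0x10],rsi; push rdi; push r14; sub rsp,0x20
CLEAN = bytes.fromhex("48895c240848897424105741564883ec20")
PATCHED = b"\x33\xc0\xc3" + CLEAN[3:]          # xor eax,eax; ret written over the prologue
HOOKED = b"\xe9\x10\x00\x00\x00" + CLEAN[5:]   # jmp +0x10 inline hook

if __name__ == "__main__":
    for label, mem in (("clean", CLEAN), ("patched", PATCHED), ("hooked", HOOKED)):
        print(label, check_etw_export("EtwEventWrite", mem, CLEAN))
```

In a live investigation the in-memory bytes come from reading the target process (ReadProcessMemory or a memory dump) and the on-disk bytes from parsing the export's RVA in the PE on disk; the comparison logic is the same. A prologue that differs but matches no stub is still a finding worth triaging.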
MITRE Techniques
- [T1055] Process Injection – used to run payloads without touching disk: ("…uses its loader to inject an executable into a legitimate Windows process without ever touching the file system.")
- [T1070.004] Indicator Removal on Host: File Deletion – deletes artifacts from temporary locations to reduce traces: ("…deletes unnecessary files and directories within the TEMP folder.")
- [T1490] Inhibit System Recovery – removes shadow copies to prevent recovery, using a COM object instead of noisy tools: ("…doesn't use noisy external utilities such as vssadmin or WMI commands to remove shadow copies. Instead, it uses the hard-to-spot VSS Coordinator COM object."). Detections that depend on vssadmin.exe or wmic.exe command lines will miss this; shadow-copy deletion has to be observed at the VSS service or COM-activation level.
- [T1485] Data Destruction – includes a wiper component to inflict irreversible damage: ("This latest LockBit version now has … a wiper component").
- [T1027] Obfuscated Files or Information – resolves API, service, and process names by hash (the sub-technique T1027.007, Dynamic API Resolution, is the closer match for the API part), which hides intent from static string analysis and forces analysts to brute-force the hashes against name dictionaries: ("It uses an irreversible hashing algorithm for API, service, and process name resolution, requiring brute force dictionaries to recover the original names.")
- [T1562.001] Impair Defenses: Disable or Modify Tools – patches Event Tracing for Windows (ETW) to blind security protections and avoid detection and analysis: ("…patching Event Tracing for Windows (ETW) to blind security protections and avoid detection and analysis by security professionals."). The article does not name the patched function; in user mode this is typically an overwrite of an ETW export's prologue such as ntdll!EtwEventWrite.
- [T1622] Debugger Evasion – employs various anti-debugging techniques to hinder analysis: ("…uses various anti-debugging techniques …")
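Recovering the names behind hash-based resolution (the keypoint above and the T1027 entry) is a dictionary attack: hash every candidate export, service, or process name with the sample's algorithm and look the unknown constants up. The article does not disclose LockBit 5.0's hash function, so the example below, which is added here and is not the article's or the malware's code, uses two well-known 32-bit routines (ROR13 over ASCII bytes, and FNV-1a) as stand-ins; the dictionary and the "unknown" hashes are constructed. In practice the routine is lifted from the disassembly first, then plugged in here.

```python
"""Dictionary brute force for hash-based name resolution.

Added example (not from the original article). ROR13 and FNV-1a are assumed
stand-in algorithms; replace them with the routine recovered from the sample.
"""
from typing import Callable, Dict, Iterable, List, Tuple

MASK32 = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """ROR13 rolling hash over the ASCII bytes of `name` (assumed algorithm)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32
        h = (h + b) & MASK32
    return h


def fnv1a32(name: str) -> int:
    """32-bit FNV-1a over the ASCII bytes of `name` (assumed algorithm)."""
    h = 0x811C9DC5
    for b in name.encode("ascii"):
        h ^= b
        h = (h * 0x01000193) & MASK32
    return h


HASHERS: Dict[str, Callable[[str], int]] = {"ror13": ror13_hash, "fnv1a32": fnv1a32}


def candidate_forms(name: str) -> List[str]:
    """Case variants: malware often hashes process/service names after lowercasing
    or uppercasing them, so try each spelling once."""
    return list(dict.fromkeys([name, name.lower(), name.upper()]))


def build_table(names: Iterable[str], hashers=HASHERS) -> Dict[Tuple[str, int], List[str]]:
    """Map (algorithm, hash) -> candidate names; a list keeps any collisions visible."""
    table: Dict[Tuple[str, int], List[str]] = {}
    for name in names:
        for form in candidate_forms(name):
            for algo, fn in hashers.items():
                table.setdefault((algo, fn(form)), []).append(form)
    return table


def resolve_hashes(unknown: Iterable[int], names: Iterable[str], hashers=HASHERS):
    """Return ({hash: (algorithm, name)}, [unresolved hashes])."""
    table = build_table(names, hashers)
    resolved: Dict[int, Tuple[str, str]] = {}
    unresolved: List[int] = []
    for h in unknown:
        for algo in hashers:
            hit = table.get((algo, h))
            if hit:
                resolved[h] = (algo, hit[0])
                break
        else:
            unresolved.append(h)
    return resolved, unresolved


# Constructed dictionary: export names, a service name and process names an
# analyst would seed from ntdll/kernel32 exports and common AV/backup/DB processes.
DICTIONARY = ["VirtualAlloc", "CreateRemoteThread", "NtQueryInformationProcess",
              "OpenSCManagerW", "EtwEventWrite", "VSS", "vssvc.exe", "sqlservr.exe"]

# Constructed "unknown" constants; in practice these are pulled from the sample's hash table.
UNKNOWN = [ror13_hash("VirtualAlloc"), fnv1a32("vssvc.exe"), 0xDEADBEEF]

if __name__ == "__main__":
    found, missing = resolve_hashes(UNKNOWN, DICTIONARY)
    for h, (algo, name) in found.items():
        print(f"{h:#010x} -> {name} ({algo})")
    print("unresolved:", [f"{h:#010x}" for h in missing])
```

Unresolved hashes usually mean a dictionary gap rather than a wrong algorithm once one hash has matched; grow the dictionary from the export tables of the DLLs the sample loads and from process names seen in the target environment. Quirks of the real routine (a trailing null byte, UTF-16 input, an XOR key) must be mirrored exactly or nothing will match.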
Indicators of Compromise
- [No explicit IOCs] Article context – The article references analysis of 19 LockBit 5.0 samples and a VirusTotal detection score (1/65) but does not provide concrete IP addresses, domains, or file hashes in the text.
- [File extension pattern] Context – LockBit 5.0 appends a 16-character string as the extension of encrypted files; the article gives no example value and does not state whether the string is fixed per victim.
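With no hashes or network indicators in the article, the 16-character extension is the one host-level pattern available for triage. The following is an added example (not the article's or any vendor's tooling) that flags files carrying such an extension in a file listing and reports directories where they dominate, which separates an encryption run from the odd legitimately long extension. The listing is constructed, and the assumption that the extension is alphanumeric is ours; the article states only the length.

```python
"""Triage a file listing for the 16-character encrypted-file extension.

Added example (not from the original article). The paths below are constructed;
the alphanumeric character set is an assumption, only the length 16 is from the article.
"""
import re
from collections import defaultdict
from pathlib import PurePosixPath
from typing import Dict, Iterable, Tuple

EXT_RE = re.compile(r"[A-Za-z0-9]{16}")  # assumption: alphanumeric, exactly 16 characters


def _as_posix(path: str) -> PurePosixPath:
    # Normalise Windows and ESXi/Linux paths to one separator so grouping works for both.
    return PurePosixPath(path.replace("\\", "/"))


def suspicious_extension(path: str) -> bool:
    """True if the file's final extension is a 16-character alphanumeric string."""
    suffix = _as_posix(path).suffix
    return bool(suffix) and EXT_RE.fullmatch(suffix[1:]) is not None


def triage(paths: Iterable[str], min_hits: int = 3, min_ratio: float = 0.5) -> Dict[str, Tuple[int, int]]:
    """Group files by directory and return {directory: (hits, total)} for directories
    where at least `min_hits` files and at least `min_ratio` of all files match."""
    per_dir: Dict[str, list] = defaultdict(lambda: [0, 0])
    for p in paths:
        d = str(_as_posix(p).parent)
        per_dir[d][1] += 1
        if suspicious_extension(p):
            per_dir[d][0] += 1
    return {d: (hits, total) for d, (hits, total) in per_dir.items()
            if hits >= min_hits and hits / total >= min_ratio}


# Constructed listing mixing a Windows user profile, a system directory and an ESXi datastore.
# The extension value is invented; the article gives none.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\q3-forecast.xlsx.k8Zt3QaP0wLx9YbN",
    r"C:\Users\alice\Documents\notes.txt.k8Zt3QaP0wLx9YbN",
    r"C:\Users\alice\Documents\photo.jpg.k8Zt3QaP0wLx9YbN",
    r"C:\Users\alice\Documents\README.txt",
    r"C:\Windows\System32\kernel32.dll",
    "/vmfs/volumes/datastore1/web01/web01-flat.vmdk.k8Zt3QaP0wLx9YbN",
    "/vmfs/volumes/datastore1/web01/web01.vmx",
]

if __name__ == "__main__":
    for directory, (hits, total) in triage(SAMPLE_LISTING).items():
        print(f"{directory}: {hits}/{total} files with a 16-character extension")
```

The per-directory threshold is what keeps this usable: a single hit (the ESXi datastore above has one of two files) is reported only if you lower `min_hits`, which is appropriate when sweeping datastores where each VM directory holds few files.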