LockBit 5.0 Introduces New Features: ChaCha20 Encryption, Stealthy Installation, and Anti-Analysis to Target Windows, Linux, and ESXi Environments

The prolific LockBit ransomware-as-a-service (RaaS) group shows its dedication to evolutionary tactics and cross-platform attack capabilities in the latest iteration of its namesake malware, LockBit 5.0.

Our analysis of 19 LockBit 5.0 samples shows that it uses ChaCha20, a fast 256-bit stream cipher, to encrypt files and data. This is a departure from the use of an Advanced Encryption Standard (AES) key in earlier versions such as LockBit 2.0 and LockBit 3.0.

The use of ChaCha20 is an attempt to make detection more challenging for security defenders. As of writing, the sample we analyzed has a detection score of 1/65 on VirusTotal. Note that a VirusTotal score reflects static engine verdicts at a point in time; it says nothing about whether behavioral controls (shadow-copy tampering, mass file renames, process injection) would catch the sample at runtime.

[Figure 1. VirusTotal detection results for the LockBit 5.0 sample we analyzed as of writing]

LockBit 5.0 uses the same encryption algorithm for Windows, Linux, and ESXi environments. However, we observed that it uses different system-specific behaviors to function optimally in each environment. This highlights how LockBit actors deliver highly targeted and evolved variants to maximize damage to victims.


Our full technical deep-dive, a three-part blog series covering LockBit 5.0 samples for Windows, Linux, and ESXi, provides comprehensive information on the following noteworthy observations:

  • More Flexible and Modular Structure: This latest LockBit version has a mutex option, ensuring that only one instance runs in an environment at a time. It also has a wiper component and a feature that allows it to delay execution prior to encryption.
  • User-friendly Functionality: LockBit 5.0 has a progress bar, allowing ransomware actors to check the status and know when encryption has completed.
  • Anti-analysis Techniques: It uses various anti-debugging techniques and patches Event Tracing for Windows (ETW) to blind security tooling and avoid detection and analysis by security professionals.
  • “Processless” Defense Bypass: LockBit 5.0 doesn’t use noisy external utilities such as vssadmin or WMI commands to remove shadow copies. Instead, it uses the hard-to-spot VSS Coordinator COM object, so defenders cannot rely on command-line telemetry alone to catch shadow-copy deletion.
  • Operational Efficiency and Performance: LockBit 5.0 deletes unnecessary files and directories within the TEMP folder. Earlier LockBit versions (such as LockBit 3.0) also deleted files in user-writable locations, but they relied on less sophisticated artifact deletion commands.
  • Using 16-character Strings for File Extensions: LockBit 5.0 appends a 16-character string to an encrypted file’s original filename as its extension, whereas older variants used simpler extensions such as “.lockbit” (LockBit 2.0) or a randomized extension with a black file icon (LockBit 3.0).
  • Enhanced In-memory Execution: To reduce disk traces, LockBit 5.0 doesn’t drop additional modules on the disk. Instead, it uses its loader to inject an executable into a legitimate Windows process without ever touching the file system.
  • Enterprise “Kill List”: LockBit 5.0 inflicts heavy damage on organizations by dismantling the specific infrastructure they rely on for business continuity, such as Hyper-V virtualization, backup infrastructure services, and critical business databases.
  • Irreversible Hashing Algorithm for API Resolution: It resolves API, service, and process names by an irreversible hash rather than by plaintext string, so recovering the original names requires brute-forcing the hashes against a dictionary of candidate names.
  • Quiet Installation: LockBit 3.0 aggressively announced its presence by forcing a custom wallpaper. LockBit 5.0 deliberately omits this step. This departure marks a strategic shift, prioritizing stealth over shock value.
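The 16-character extension behavior above is a usable detection signal: one process appending the same 16-character alphanumeric suffix to many existing filenames in a short window. The following is an added example written for this post, not LevelBlue/SpiderLabs code. The event tuple format, the process names (`proc_a.exe`, `proc_b.exe`, `backup.exe`) and the file paths are constructed for the example; the extension pattern is the one described in the post, and the window and threshold values are assumptions to tune against your own telemetry.

```python
"""Flag mass renames that append a 16-character extension to existing filenames.

Added illustration for the LockBit 5.0 write-up, not vendor code. Events are
constructed: (seconds since start, process image name, old path, new path).
"""
import re
from collections import defaultdict

# Constructed file-rename telemetry (not real data). proc_a.exe mimics the
# pattern described in the post; the other processes are benign noise.
SAMPLE_EVENTS = [
    (0, "backup.exe", r"C:\Data\q1.xlsx", r"C:\Data\q1.xlsx.bak"),
    (1, "proc_a.exe", r"C:\Data\report.docx", r"C:\Data\report.docx.aB3dE5fG7hJ9kL1m"),
    (1, "proc_a.exe", r"C:\Data\budget.xlsx", r"C:\Data\budget.xlsx.aB3dE5fG7hJ9kL1m"),
    (2, "proc_a.exe", r"C:\Data\notes.txt", r"C:\Data\notes.txt.aB3dE5fG7hJ9kL1m"),
    (2, "proc_a.exe", r"C:\Data\db.mdf", r"C:\Data\db.mdf.aB3dE5fG7hJ9kL1m"),
    (3, "proc_a.exe", r"C:\Data\plan.pptx", r"C:\Data\plan.pptx.aB3dE5fG7hJ9kL1m"),
    (4, "explorer.exe", r"C:\Users\u\old.txt", r"C:\Users\u\new.txt"),
    # A single rename with a 16-char suffix is not enough on its own.
    (500, "proc_b.exe", r"C:\Tmp\x.log", r"C:\Tmp\x.log.0123456789abcdef"),
]

# new path = <original path> + "." + <exactly 16 alphanumeric characters>
APPENDED_EXT = re.compile(r"^(?P<orig>.+)\.(?P<ext>[A-Za-z0-9]{16})$")


def appended_extension(old_path, new_path):
    """Return the 16-char suffix if new_path is exactly old_path plus '.<suffix>', else None."""
    m = APPENDED_EXT.match(new_path)
    if m and m.group("orig") == old_path:
        return m.group("ext")
    return None


def find_mass_renames(events, window=60, threshold=5):
    """Return {process: {"extension": ext, "files": [...]}} for every process that
    appended the same 16-char suffix to >= threshold distinct files within
    `window` seconds. window/threshold are assumed starting points, not tuned values."""
    per_proc = defaultdict(list)  # process -> [(t, ext, original_path), ...]
    for t, proc, old, new in events:
        ext = appended_extension(old, new)
        if ext:
            per_proc[proc].append((t, ext, old))

    alerts = {}
    for proc, hits in per_proc.items():
        hits.sort()  # by timestamp, then extension, then path
        for i, (t0, ext0, _) in enumerate(hits):
            # Sliding window anchored at hit i: same suffix, within `window` seconds.
            in_window = [h for h in hits[i:] if h[0] - t0 <= window and h[1] == ext0]
            files = {h[2] for h in in_window}
            if len(files) >= threshold:
                alerts[proc] = {"extension": ext0, "files": sorted(files)}
                break
    return alerts


if __name__ == "__main__":
    for proc, info in find_mass_renames(SAMPLE_EVENTS).items():
        print(f"ALERT {proc}: suffix .{info['extension']} on {len(info['files'])} files")
```

Requiring that the new name equals the old name plus the suffix (rather than matching any 16-character extension) keeps ordinary renames and backup tools out of the alert set; the per-process window is what separates an encryptor from a single odd filename.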
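The hashed-name resolution above is why analysts keep precomputed hash dictionaries: if a sample compares a hash rather than a string, the only way to label the call is to hash every plausible name with the same function and look the value up. The block below is an added illustration of that analyst workflow, not LevelBlue code and not LockBit's algorithm. The post does not disclose which hash LockBit 5.0 uses, so `ror13_hash` (the classic rotate-right-13 hash) is an assumption standing in for it, and the candidate list is constructed; in practice the list is built from the export tables of the DLLs the sample loads plus known service and process names.

```python
"""Resolve hashed API/service/process names by precomputing a dictionary.

Added illustration for the LockBit 5.0 write-up, not vendor code. ror13_hash is an
assumed stand-in: the real sample's hash function must be lifted from the binary
and dropped in here. CANDIDATES is a constructed list for the example.
"""


def ror13_hash(name: str) -> int:
    """Classic 32-bit rotate-right-13 string hash (assumed, not LockBit's)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # ROR 13 on a 32-bit value
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed candidate names; a real dictionary is generated from DLL export
# tables and service/process inventories rather than typed by hand.
CANDIDATES = [
    "CreateFileW", "WriteFile", "ReadFile", "OpenProcess", "VirtualAlloc",
    "VirtualProtect", "CreateRemoteThread", "DeleteFileW", "CreateMutexW",
    "sqlservr.exe", "vssvc.exe", "explorer.exe",
]


def build_table(names, hash_fn=ror13_hash):
    """Map hash value -> name. Collisions are reported rather than silently overwritten."""
    table = {}
    for n in names:
        h = hash_fn(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]!r} and {n!r} both hash to {h:#010x}")
        table[h] = n
    return table


def resolve(hashes, table):
    """Label each observed hash with its candidate name, or None if the dictionary misses it."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_table(CANDIDATES)
    # Constructed 'observed' values: two that the dictionary covers, one it does not.
    observed = [ror13_hash("VirtualAlloc"), ror13_hash("sqlservr.exe"), 0xDEADBEEF]
    for h, name in resolve(observed, table).items():
        print(f"{h:#010x} -> {name or '<unresolved: extend the dictionary>'}")
```

The unresolved entry is the important case: a miss means the candidate list is incomplete (or the assumed hash function is wrong), not that the name is unrecoverable, so the loop in real work is to widen the dictionary and re-run rather than to trust the first pass.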

Our full report provides the complete technical breakdown of LockBit 5.0 samples for Windows, Linux, and ESXi environments, as well as the samples’ Indicators of Compromise (IOCs) and MITRE ATT&CK mapping. Aside from providing security recommendations that defenders can adopt to keep their environments secure, the report also details how Cybereason, a LevelBlue company, protects users against LockBit 5.0 attacks.

You can read Part 1 of the three-part series here.
