The prolific LockBit ransomware-as-a-service (RaaS) group shows its dedication to evolutionary tactics and cross-platform attack capabilities in the latest iteration of its namesake malware, LockBit 5.0.
Our analysis of 19 LockBit 5.0 samples shows that it uses ChaCha20, a fast stream cipher with a 256-bit key, to encrypt files and data. This is a departure from the Advanced Encryption Standard (AES) used in earlier versions such as LockBit 2.0 and LockBit 3.0.
The use of ChaCha20 is an attempt to make detection more challenging for security defenders. As of writing, the sample we analyzed has a detection score of 1/65 on VirusTotal.

Figure 1. VirusTotal detection results for the LockBit 5.0 sample we analyzed as of writing
LockBit 5.0 uses the same encryption algorithm for Windows, Linux, and ESXi environments. However, we observed that it uses different system-specific behaviors to function optimally in each environment. This highlights how LockBit actors deliver highly targeted and evolved variants to maximize damage to victims.
Our full technical deep-dive into LockBit 5.0 samples across Windows, Linux, and ESXi environments, coming in a three-part blog series, covers the following noteworthy observations:
- More Flexible and Modular Structure: This latest LockBit version now has a mutex option, ensuring that only one instance runs in an environment at a time. It also has a wiper component and a feature that allows it to delay execution prior to encryption.
- User-friendly Functionality: LockBit 5.0 has a progress bar, allowing ransomware actors to check the status and know when encryption has been successfully completed.
- Anti-analysis Techniques: It uses various anti-debugging techniques and patches Event Tracing for Windows (ETW) to blind security protections and to avoid detection and analysis by security professionals.
- “Processless” Defense Bypass: LockBit 5.0 doesn’t use noisy external utilities such as vssadmin or WMI commands to remove shadow copies. Instead, it uses the hard-to-spot VSS Coordinator COM object.
- Operational Efficiency and Performance: LockBit 5.0 deletes unnecessary files and directories within the TEMP folder. Although earlier LockBit versions (such as LockBit 3.0) also deleted files in user-writable locations, those relied on less sophisticated artifact deletion commands.
- Using 16-character Strings for File Extensions: LockBit 5.0 appends a 16-character string to an encrypted file’s original filename, while older LockBit variants used simpler file extensions, such as “.lockbit” (LockBit 2.0) and randomized file extensions with a black file icon (LockBit 3.0).
- Enhanced In-memory Execution: To reduce disk traces, LockBit 5.0 doesn’t drop additional modules on the disk. Instead, its loader injects an executable into a legitimate Windows process without ever touching the file system.
- Enterprise “Kill List”: LockBit 5.0 inflicts heavy damage on organizations by dismantling the specific infrastructure organizations rely on for business continuity, such as Hyper-V virtualization, backup infrastructure services, and critical business databases.
- Irreversible Hashing Algorithm for API Resolution: It resolves API, service, and process names through an irreversible hashing algorithm, so analysts need brute-force dictionaries to recover the original names.
- Quiet Installation: LockBit 3.0 aggressively announced its presence by forcing custom wallpaper. LockBit 5.0 deliberately omits this step. This departure marks a strategic shift, prioritizing stealth over shock value.
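The dictionary-based name recovery described under “Irreversible Hashing Algorithm for API Resolution” above, as an added Python example that is not from the report or from the LockBit samples. The page does not disclose LockBit 5.0’s actual hash routine, so a 32-bit FNV-1a over the lowercase name is assumed as a stand-in, and the candidate wordlist and “hashes pulled from a sample” are constructed.

```python
# Added example: recovering API/service/process names from one-way hashes
# by precomputing a dictionary, the way an analyst would when the hash
# itself cannot be inverted.
# ASSUMPTION: the real LockBit 5.0 hash routine is not given on the page;
# a generic 32-bit FNV-1a over the lowercase name stands in for it here.
from typing import Dict, Iterable, Optional

FNV_OFFSET = 0x811C9DC5
FNV_PRIME = 0x01000193


def name_hash(name: str) -> int:
    """Stand-in one-way hash: 32-bit FNV-1a of the lowercase ASCII name."""
    h = FNV_OFFSET
    for b in name.lower().encode("ascii"):
        h = ((h ^ b) * FNV_PRIME) & 0xFFFFFFFF
    return h


def build_dictionary(candidates: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name over every candidate (the brute-force
    dictionary). A collision between two different names is surfaced
    rather than silently overwritten, since it would mislead the analyst."""
    table: Dict[int, str] = {}
    for cand in candidates:
        h = name_hash(cand)
        if h in table and table[h] != cand:
            raise ValueError(f"collision 0x{h:08x}: {table[h]!r} vs {cand!r}")
        table[h] = cand
    return table


def resolve(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each hash seen in a sample back to a name, or None when the
    dictionary does not cover it (the wordlist then needs to grow)."""
    return {h: table.get(h) for h in hashes}


# Constructed wordlist: a few Windows API, service and process names.
CANDIDATES = [
    "CreateFileW", "WriteFile", "CryptAcquireContextW", "VirtualAlloc",
    "vmms", "MSSQLSERVER", "veeambackupsvc", "sqlservr.exe", "vmwp.exe",
]

if __name__ == "__main__":
    table = build_dictionary(CANDIDATES)
    # Constructed "hashes from a sample": two covered by the list, one not.
    seen = [name_hash("VirtualAlloc"), name_hash("vmms"), 0xDEADBEEF]
    for h, name in resolve(seen, table).items():
        print(f"0x{h:08x} -> {name or '<unresolved: extend the dictionary>'}")
```

Real wordlists are built from export tables of common system DLLs plus known service and process names, and are re-run whenever a new hash value turns up unresolved.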
Our full report provides the full technical breakdown of LockBit 5.0 samples for Windows, Linux, and ESXi environments, as well as the samples’ Indicators of Compromise (IOCs), and MITRE ATT&CK mapping information. Aside from providing essential security recommendations that defenders can adopt to keep their environment secure, our report also provides details on how Cybereason, A LevelBlue Company, protects users against LockBit 5.0 attacks.
You can read Part 1 of the three-part series here.