| ⓘ We are reaching out to let you know that a new variant of the LockBit ransomware, known as LockBit 5.0, has recently emerged. |
Attention constituent:
A new version of the LockBit ransomware, known as LockBit 5.0, has been observed following the disruption of the group’s operations earlier in 2024. The threat actors behind LockBit remain active and continue to refine their ransomware. The new version can infect Windows, Linux, and VMware ESXi systems, allowing attackers to target both standard computers and virtualized environments.
LockBit 5.0 introduces several technical improvements designed to make detection and analysis more difficult. It uses advanced obfuscation to hide its activity, disables security tools, and encrypt files using unique randomized extensions. The ransomware can also clear event logs to erase traces of its presence. These developments show that LockBit continues to evolve its tactics to remain effective and profitable through its ransomware-as-a-service model.
Advisory Overview
|
| Advisory Type |
Technical |
| Author |
Desmond Butler |
| Date |
27 October 2025 |
What’s Happening
|
| Affected Systems |
- Windows operating systems.
- Linux distributions.
- VMware ESXi virtualization environments.
- Systems without recent ransomware protection updates.
- Networks exposed to the internet without proper segmentation.
|
| What this Means |
Attackers can use LockBit 5.0 to encrypt files on affected systems, preventing users from accessing important data or running normal business operations. In some cases, entire virtual
environments may be locked, impacting multiple systems at once. The ransomware may also attempt to delete logs and stop security software, making recovery more difficult. |
What to Look For
|
| Signs You May Be at Risk |
- Systems not regularly updated or patched.
- Inadequate endpoint protection or anti-malware solutions.
- Exposed remote desktop or administrative interfaces.
- Lack of network segmentation or monitoring.
|
| Signs You May Be Affected |
- Files with unusual 16-character extensions.
- Ransom notes appearing in multiple folders.
- Inability to access or open files normally.
- Unexpected changes in configuration or security service interruptions.
|
What to Do
|
| Prevention |
- Ensure all systems are updated with the latest security patches.
- Back up critical data regularly and store backups offline.
- Restrict external access to administrative and management interfaces.
- Implement multi-factor authentication for remote or privileged accounts.
- Monitor systems for suspicious encryption activity or unauthorized changes.
|
| Mitigation |
- If infection is suspected, immediately disconnect affected systems from the network.
- Do not pay the ransom, recovery is not guaranteed, and payment funds further attacks.
- Run full antivirus or endpoint detection scans on all systems.
- Restore data from clean, offline backups once systems are verified safe.
- Report the issues to CIRT-BS at [email protected].
|
Should you require additional information or further support, submit a report on our website or contact us at [email protected].
Best,
Desmond Butler
Security Operations Centre
National Computer Incident Response Team of The Bahamas

|