19 Shades of LockBit5.0, Inside the Latest Cross-Platform Ransomware: Part 1
Summary
The article reviews 19 LockBit 5.0 ransomware samples built to hit Windows, Linux, and VMware ESXi. It emphasizes fast encryption using ChaCha20, the family’s cross-platform design, and ESXi-focused behavior that can power down virtual machines before encrypting their disks. The write-up walks through execution stages, anti-analysis measures, and the hypervisor-specific file targets the malware prioritizes during impact.
Investigation
Researchers conducted static analysis of the ELF variants, extracting embedded paths, command strings, and configuration switches. On ESXi, the malware leverages VMware management tooling (including vim-cmd) to enumerate and shut down VMs ahead of disk encryption, and includes anti-debug checks for tools like valgrind and frida. The sample writes execution telemetry to /var/log/encrypt.log and supports self-deletion after completing its routine.
Mitigation
Monitor ESXi hosts for unexpected use of VMware administrative commands, unplanned VM shutdown events, creation of /var/log/encrypt.log, and artifacts such as .vmdk.fastpass markers. Reduce exposure by preventing untrusted ELF execution on hypervisors and enforcing strict allow-listing for binaries and scripts permitted to run on ESXi.
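The monitoring just described, as an added example that is not part of the original write-up: a small Python detector replayed over constructed sample process and file events (the event format, command lines, paths and thresholds are assumptions made for illustration), raising one alert for a burst of vim-cmd VM power-offs, one for creation of /var/log/encrypt.log, and one for a .vmdk.fastpass marker under /vmfs/volumes.

```python
# Added example (not from the original write-up): replay constructed ESXi/Linux
# telemetry through the three checks named in the Mitigation section.
POWEROFF_THRESHOLD = 3   # assumption: 3+ VM power-offs inside one window is "mass"
WINDOW_SECONDS = 60      # assumption: sliding window for the power-off burst

# Constructed sample events (epoch seconds, event kind, command line or path).
# "vim-cmd vmsvc/power.off <vmid>" is the normal ESXi power-off invocation.
SAMPLE_EVENTS = [
    (1000, "process", "vim-cmd vmsvc/getallvms"),
    (1001, "process", "vim-cmd vmsvc/power.off 1"),
    (1002, "process", "vim-cmd vmsvc/power.off 2"),
    (1003, "process", "vim-cmd vmsvc/power.off 3"),
    (1010, "file_create", "/var/log/encrypt.log"),
    (1020, "file_create", "/vmfs/volumes/ds1/web01/web01.vmdk.fastpass"),
    (1500, "process", "vim-cmd vmsvc/power.off 4"),  # lone power-off, outside the window
]


def detect(events):
    """Return (timestamp, rule, detail) alerts; the power-off burst fires once per window."""
    alerts = []
    poweroffs = []  # timestamps of power-offs still inside the sliding window
    for ts, kind, value in sorted(events):
        if kind == "process" and value.startswith("vim-cmd vmsvc/power.off"):
            poweroffs = [t for t in poweroffs if ts - t <= WINDOW_SECONDS] + [ts]
            if len(poweroffs) == POWEROFF_THRESHOLD:
                alerts.append((ts, "mass_vm_poweroff",
                               f"{POWEROFF_THRESHOLD} power-offs within {WINDOW_SECONDS}s"))
        elif kind == "file_create":
            if value == "/var/log/encrypt.log":
                alerts.append((ts, "encrypt_log_created", value))
            elif value.startswith("/vmfs/volumes/") and value.endswith(".vmdk.fastpass"):
                alerts.append((ts, "fastpass_marker", value))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```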
Response
If activity is detected, isolate the affected ESXi host, halt VM processes to contain spread, and preserve forensic evidence (the ELF payload, encrypt.log, and relevant host logs). Begin recovery from verified clean snapshots/backups, then sweep for additional ransomware components and validate the integrity of critical hypervisor files.
```mermaid
graph TB
%% Class definitions
classDef action fill:#99ccff
classDef tool fill:#cccccc
classDef technique fill:#e6e6e6
%% Action nodes
validate_env["<b>Action</b> – <b>T1059.004 Unix Shell</b><br/><b>Description</b>: Validate ESXi environment using ESXi Administration Command (T1675) and Unix shell commands."]
class validate_env action
enumerate_vms["<b>Action</b> – <b>T1673 Enumerate Virtual Machines</b><br/><b>Description</b>: List virtual machines present on the ESXi host."]
class enumerate_vms action
poweroff_vms["<b>Action</b> – <b>T1675 ESXi Administration Command</b><br/><b>Description</b>: Power off target virtual machines via vim-cmd."]
class poweroff_vms action
anti_analysis["<b>Action</b> – Anti-analysis checks<br/><b>Techniques</b>: T1497.001 System Checks, T1497.002 User Activity Checks, T1622 Debugger Evasion"]
class anti_analysis action
encrypt_vm["<b>Action</b> – Encrypt VM files<br/><b>Technique</b>: T1573.001 Encrypted Channel (Symmetric Cryptography) using ChaCha20"]
class encrypt_vm action
obfuscate_files["<b>Action</b> – Obfuscate encrypted files<br/><b>Technique</b>: T1027.002 Software Packing"]
class obfuscate_files action
archive_data["<b>Action</b> – Archive encrypted files<br/><b>Technique</b>: T1560.003 Archive via Custom Method"]
class archive_data action
wipe_free_space["<b>Action</b> – Optional wipe of free space and log activity"]
class wipe_free_space action
self_delete["<b>Action</b> – Cleanup<br/><b>Techniques</b>: T1070.004 File Deletion, T1027.001 Binary Padding, T1027.005 Indicator Removal from Tools"]
class self_delete action
%% Tool nodes
tool_esxi_admin["<b>Tool</b> – ESXi Administration Command<br/><b>Purpose</b>: Manage ESXi host configuration and VM lifecycle."]
class tool_esxi_admin tool
tool_vim_cmd["<b>Tool</b> – vim-cmd<br/><b>Purpose</b>: ESXi command-line utility for VM operations."]
class tool_vim_cmd tool
tool_chacha20["<b>Tool</b> – ChaCha20 Encryption Module<br/><b>Purpose</b>: Perform fast-pass then full-pass symmetric encryption."]
class tool_chacha20 tool
tool_custom_archive["<b>Tool</b> – Custom Archiver<br/><b>Purpose</b>: Package encrypted VM files into a proprietary archive format."]
class tool_custom_archive tool
%% Connections
validate_env -->|uses| tool_esxi_admin
validate_env -->|executes| tool_vim_cmd
validate_env -->|leads_to| enumerate_vms
enumerate_vms -->|uses| tool_vim_cmd
enumerate_vms -->|leads_to| poweroff_vms
poweroff_vms -->|uses| tool_vim_cmd
poweroff_vms -->|leads_to| anti_analysis
anti_analysis -->|executes| encrypt_vm
encrypt_vm -->|uses| tool_chacha20
encrypt_vm -->|leads_to| obfuscate_files
obfuscate_files -->|leads_to| archive_data
archive_data -->|uses| tool_custom_archive
archive_data -->|leads_to| wipe_free_space
wipe_free_space -->|leads_to| self_delete
self_delete -->|uses| tool_esxi_admin
```
Attack Flow
Detections
Linux/ESXi – Mass VM Power Control via vim-cmd (via cmdline)
Possible Indicator of Anti-Debugging via TracerPid Check (via cmdline)
Detection of LockBit 5.0 Ransomware Activity on ESXi [Linux File Event]
LockBit 5.0 ESXi Ransomware Activity Detection [Linux Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
An attacker with administrative access to the ESXi host uploads the LockBit 5.0 payload via the vSphere client. The ransomware creates its working directory under /var/tmp/.guestfs-0/appliance.d/root, writes an encryption log to /var/log/encrypt.log, and begins traversing all VMFS datastores (/vmfs/volumes/) to encrypt virtual disk files. The following commands emulate that behavior using harmless dummy files:
- Create the ransomware staging directory and a dummy “encrypted” VMFS file.
- Write a log entry that mimics LockBit’s encryption status.
- Touch a file deep inside a VMFS volume to replicate bulk encryption activity.
Regression Test Script:
```bash
#!/usr/bin/env bash
set -euo pipefail

# 1️⃣ Create staging directory (simulates LockBit payload unpack)
mkdir -p /var/tmp/.guestfs-0/appliance.d/root
echo "LockBit 5.0 staging directory created" > /var/tmp/.guestfs-0/appliance.d/root/stage.txt

# 2️⃣ Write an encryption log (simulates ransomware activity logging)
LOGFILE="/var/log/encrypt.log"
echo "$(date '+%Y-%m-%d %H:%M:%S') - Encryption started on VMFS datastore" | sudo tee -a "$LOGFILE"

# 3️⃣ Simulate bulk file encryption on a VMFS volume
DUMMY_VMFS_PATH="/vmfs/volumes/lockbit_simulation"
mkdir -p "$DUMMY_VMFS_PATH"
dd if=/dev/zero of="$DUMMY_VMFS_PATH/encrypted_dummy.vmdk" bs=1M count=10 status=none
echo "Dummy VMFS file created to emulate ransomware encryption" | sudo tee -a "$DUMMY_VMFS_PATH/notes.txt"

echo "=== Simulation complete. ==="
```

Run the script as root (or via sudo) on the ESXi host. The auditd watches will generate open, write, and create events that match all keywords in the Sigma rule.
Cleanup Commands:
```bash
#!/usr/bin/env bash
set -euo pipefail

sudo rm -rf /var/tmp/.guestfs-0/appliance.d/root
sudo rm -f /var/log/encrypt.log
sudo rm -rf /vmfs/volumes/lockbit_simulation

echo "=== Cleanup complete. ==="
```