19 Shades of LockBit5.0, Inside the Latest Cross-Platform Ransomware: Part 1
ID: 3590fe1c-31fa-59c2-8669-3c83b878cc6d
STIX ID: report--3590fe1c-31fa-59c2-8669-3c83b878cc6d
Feed Name: LevelBlue SpiderLabs Blog
Date Published: 2026-01-30
Date Updated: 2026-04-28
Author: Mark Tsipershtein, Evgeny Ananin, Nikita Kazymirskyi
This technical report analyzes 19 cross-platform LockBit 5.0 ransomware samples—focusing on an ESXi-targeting Linux variant and a 32-bit ESXi build—detailing how the malware validates ESXi hosts, enumerates and force-stops VMs via vim-cmd, performs a two-pass ChaCha20-based encryption of VMDK/VMX and related files, supports operator flags (fast mode, logging, exclusions, wiping, self-delete), and includes anti-analysis measures and embedded IOCs such as datastore paths and log locations.
