As Apple computer’s market share continues to grow, threat actors are increasingly shifting their focus toward MacOS environments. Today, surging enterprise adoption and a user base of high-value targets, such as software engineers, executives, and cryptocurrency investors, attackers now see Macs as a highly profitable target.

In the first part of our LockBit 5.0 series, where we analyzed 19 samples of the latest version of this cross-platform ransomware, we provided a comprehensive technical analysis of its ESXi variant. This report, which is the second part of a three-part series, focuses on our analysis of the Linux x64 variant of LockBit 5.0.

The Cybereason, A LevelBlue Company, Threat Intelligence Team conducted an analysis of DragonForce, a ransomware group that emerged in late 2023 as a significant cyber threat actor.

This three-part blog series presents an analysis of 19 samples of a cross-platform LockBit 5.0 ransomware payload affecting Windows, Linux (LINUX Locker v1.06/v1.08), and ESXi (LINUX ESXi Locker v1.07) environments, highlighting how the ransomware operates, encrypts data, and interacts with targeted systems. By reverse engineering multiple samples, we identified shared components across platforms as well as operating system–specific behaviors that allow the malware to function efficiently in different environments.