Will We See the Release of a New LockBit4 Ransomware Payload in 2025?
LockBit ransomware, despite significant law enforcement actions earlier this year, is poised to return with its fourth iteration, LockBit 4.0, set to launch on February 3, 2025.
The ransomware gang’s alleged leader, “LockBitSupp,” announced the comeback via a dark web post, Forbes reports.
LockBit operates on a Ransomware-as-a-Service (RaaS) model, where affiliates use a central control panel to launch attacks and share profits with the core operators. The group’s double-extortion tactics involve encrypting files and exfiltrating sensitive data, which is then sold or publicly leaked if ransoms are unpaid.
LockBit was the most active ransomware group in 2024, responsible for 37% of attacks in May, according to NCC Group. However, its activity declined sharply in the latter months, dropping out of the top ten by October. The resurgence announcement suggests the group’s return to prominence after a temporary lull.
Meanwhile, U.S. authorities are cracking down on the group’s developers. Rostislav Panev, a dual Russian-Israeli citizen, was arrested in Israel in August 2024 for allegedly developing LockBit malware, including encryption tools and StealBit, a data theft program.
Panev reportedly received $230,000 in cryptocurrency from the group since 2022. A related indictment names Dmitry Yuryevich Khoroshev as the group’s primary developer and administrator; he remains a fugitive.
Despite these setbacks, LockBit’s persistence and planned comeback underscore the challenges in combating sophisticated ransomware operations and the enduring threat they pose to cybersecurity.
Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report, LockBit, a prominent Ransomware-as-a-Service (RaaS) platform active since 2019, is renowned for its sophisticated evasion techniques and rapid encryption speed.
The group employs multiple extortion strategies, often demanding separate ransoms for decrypting files and for the sensitive data it exfiltrates. For data theft, LockBit uses a combination of publicly available file-sharing services and its proprietary StealBit tool.
In February 2024, LockBit faced a significant disruption when Operation Cronos, an international law enforcement task force, temporarily seized its administrative infrastructure. Despite this setback, the group resumed operations within days.
While LockBit remains active, some analysts suspect the group exaggerates involvement in high-profile attacks, such as a purported breach of the US Federal Reserve, to bolster its reputation among affiliates.
LockBit's operational maturity is evident in its constant refinement of tools and tactics. After releasing LockBit 3.0 in June 2022, the group introduced a macOS ransomware variant in April 2023, marking a first in the ransomware landscape.
LockBit 3.0 features advanced anti-analysis capabilities, supports attacks on Windows and Linux systems, and employs a modular design for adaptable execution modes. It uses the Salsa20 encryption algorithm and exploits Remote Desktop Protocol (RDP) for initial access, spreading across networks via Group Policy Objects and PsExec through the SMB protocol.
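As an added example that is not part of the original post, the following Python snippet illustrates how a defender can spot the PsExec-over-SMB lateral movement pattern described above in Windows System event log data. It runs over constructed log lines in an assumed "EventID | Host | Message" export layout; Event ID 7045 (service installed) and the default PSEXESVC service name are real Windows and PsExec behaviours, the hostnames, accounts and paths are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in an assumed "EventID | Host | Message" export layout
# (not a real SIEM format). Event 7045 is the Service Control Manager's
# "a service was installed" record; PsExec installs a service named PSEXESVC
# on the remote host by default, copying its binary over the ADMIN$ SMB share.
SAMPLE_LOG = """\
7045 | FS01 | A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\\PSEXESVC.exe Service Type: user mode service Service Start Type: demand start
7045 | WS17 | A service was installed in the system. Service Name: Sense Service File Name: "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe" Service Type: user mode service Service Start Type: auto start
7045 | FS02 | A service was installed in the system. Service Name: xyzsvc Service File Name: \\\\DC01\\ADMIN$\\xyzsvc.exe Service Type: user mode service Service Start Type: demand start
5140 | DC01 | A network share object was accessed. Share Name: \\\\*\\ADMIN$ Account Name: svc_backup Source Address: 10.0.5.23
"""


@dataclass
class Finding:
    host: str
    service: str
    image: str
    reason: str


# Pulls the service name and binary path out of a 7045 message body.
SERVICE_RE = re.compile(
    r"Service Name: (?P<name>\S+) Service File Name: (?P<image>.+?) Service Type:"
)


def detect_psexec_style_services(log_text: str) -> list[Finding]:
    """Return one Finding per 7045 event that looks like a PsExec-style remote service install."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3 or parts[0] != "7045":
            continue  # only service-install events are relevant here
        host, msg = parts[1], parts[2]
        m = SERVICE_RE.search(msg)
        if not m:
            continue
        name, image = m.group("name"), m.group("image").strip('"')
        if name.upper() == "PSEXESVC":
            findings.append(Finding(host, name, image, "default PsExec service name"))
        elif "ADMIN$" in image.upper():
            # Renamed PsExec clones still tend to stage the binary via ADMIN$.
            findings.append(Finding(host, name, image, "service binary staged via ADMIN$ share"))
    return findings


if __name__ == "__main__":
    for f in detect_psexec_style_services(SAMPLE_LOG):
        print(f"{f.host}: {f.service} ({f.image}) - {f.reason}")
```

A legitimate admin tool install (the Defender service on WS17) passes through untouched, so the rule keys on the PsExec-specific artefacts rather than on service installs in general.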
Interestingly, LockBit continues to support its 2.0 variant, with victims of this older version still listed on the LockBit 3.0 leak site. In Q1 2024, the group exploited the Citrix Bleed vulnerability (CVE-2023-4966) in its attacks.
LockBit’s well-organized affiliate program offers payouts of up to 75% of ransoms, making it a favored platform among attackers. However, law enforcement actions, particularly Operation Cronos, have reportedly diminished its affiliate base, potentially reducing its capacity for large-scale attacks.
Despite its prolific activity—over 200 ransomware attacks in May and June 2024—there are signs of declining momentum. Targeting large enterprises, LockBit has a history of favoring industries such as healthcare, financial services, and government agencies.
Known for issuing some of the highest ransom demands, including a $70 million request to Taiwan Semiconductor Manufacturing Company in July 2023, LockBit’s operations have yielded hundreds of millions of dollars, underscoring its profitability. Its ransom demands are strategically tailored to the victim’s perceived ability to pay, maximizing financial gain from each attack.
Notable victims include Fulton County, Industrial and Commercial Bank of China (ICBC), Alphadyne Asset Management, Boeing, SpaceX, Shakey’s Pizza, Banco De Venezuela, GP Global, Kuwait Ministry of Commerce, MCNA Dental, Bank of Brazilia, Endtrust, Bridgestone Americas, and Royal Mail.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.