The LockBit ransomware group could be making a comeback after months of struggling to maintain its criminal activity following its takedown in February 2024.
On December 19, LockBitSupp, the persona allegedly run by the ransom-as-s-service (RaaS) group admins, announced on its website the group would launch a new version of its ransomware, LockBit 4.0.
In the message, LockBitSupp wrote: "Want a Lamborghini, Ferrari and lots of titty girls? Sing up and start your pentester billionaire journey in 5 minutes with us.”
They also mentioned a website, lockbit4[dot]com, five TOR sites and a release date, February 3, 2025.
In a social media post, a spokesperson for the training platform Cyber Threat Intelligence Academy, commented: “[With] these five different onion links, it seems that LockBit is strengthening its infrastructure to take its operations one step further.”
Vx-Underground, a collective of security researchers, said LockBitSupp has allowed them free access to the program, has uploaded code samples and is reverse-engineering them.
Zscaler ThreatLabz said it has added the Lockbit 4.0 ransom note to their ransomware notes repository.
This comes 10 months after a large part of LockBit’s infrastructure was taken down and 7000 decryption keys were recovered in a global law enforcement raid, Operation Cronos.
The takedown happened when the group was believed to already be working on the 4.0 version of its ransomware.
LockBit’s Previous Versions
LockBit ransomware has evolved since its inception in 2019. Security experts believe the group has been running the following ransomware versions:
- LockBit 1.0. Released in January 2020 as "ABCD" ransomware
- LockBit 2.0 (LockBit Red). Released in June 2021 together with StealBit, the group's data exfiltration tool
- LockBit Linux. Released in October 2021 to infect Linux and VMWare ESXi systems
- LockBit 3.0 (LockBit Black). Released in March 2022 and leaked six months later by the group's disgruntled developer, leading to disruptions within the RaaS structure
- LockBit Green. Released in January 2023 and promoted by LockbitSupp as being a major new version – a fact that was later denied by many security professionals, who found it was a rebranded version of a Conti encryptor
Despite the disruption to group’s infrastructure, LockBit was still the most active threat actor in May and the second in July. However, some of this activity might come from other groups using its leaked builder. In October and November, LockBit was not in the top ten most active threat actors.
US Seeks Extradition of Israeli Tied to LockBit
Also on December 19, Israeli news website Ynet reported that the US was looking to extradite Rostislav Panev, an Israeli national accused of having served as a software developer for LockBit between 2019 and 2024.
The news site also said Panel has allegedly made $230,000, largely via cryptocurrency. Law enforcement agencies discovered digital wallets tied to these payments, along with ransom templates, during searches at Panev’s residence. Documents disclosed in conjunction with the extradition request allegedly reveal that Panev was arrested at his Israeli home in August.
Panev’s lawyer, Sharon Nahari, told Ynet that Panev was neither aware of nor complicit in the alleged schemes.
A public statement was initially published on the US Department of Justice (DoJ) website but is no longer accessible.