If you thought law enforcement had not only disrupted the LockBit ransomware operation and trolled the criminal gang behind it, but also taken it out of business altogether, then you are likely in for a shock: LockBitSupp, the group’s alleged leader, has warned that LockBit 4 will return next year. To be precise, a dark web posting said the new ransomware attacks would launch on Feb. 3, 2025. Here’s what we know.

The LockBit 4 Ransomware Resurgence

As news of a new variant of NotLockBit ransomware targeting Windows and Mac users breaks, it looks like the original threat that the new group imitates is about to rise phoenix-like from the FBI takedowns earlier this year.

A dark web posting, apparently from the administrator of the LockBit ransomware group, has teased the launch of a new version of the threat by posing the question: “Want a Lamborghini, Ferrari and lots of titty girls? Sign up and start your pentester billionaire journey in 5 minutes with us.” It is understood that a new leak website has been prepared for launch, along with a total of five anonymous TOR sites. The official release date for the latest version is cited as Feb. 3, 2025.

What You Need To Know About The LockBit Ransomware Attack Threat

LockBit’s activity has fluctuated month-on-month in 2024 following its takedown in February, Matt Hull, global head of threat intelligence at cyber security giant NCC Group, said. However, LockBit remained the most active ransomware threat actor in May 2024, responsible for 37% of all attacks, according to NCC Group data. “In July 2024, LockBit 3.0 was also the second most prolific threat actor,” Hull said. That burst of activity appears to have been short-lived, with the group not appearing in the top ten most active threat actors during October and November.

LockBit operates on a Ransomware-as-a-Service affiliate model, with their particular structure providing affiliate groups with a central control panel to create their own LockBit samples, manage their victims, publish blog posts, and view statistics regarding their success rates for each attack, Hull said. “RaaS models operate in a pseudo-organizational hierarchy, where the operators of the ransomware variant will get a percentage cut of each successful ransomware attack carried out by their affiliates,” Hull said, “thus minimizing the risk that the operators take on with each campaign.”

Like most other current ransomware actors, the LockBit threat deploys a double-extortion methodology of file encryption and sensitive data exfiltration. Unless the ransom is paid, that data is “subsequently posted on their leak site where interested buyers can now pay for access to the data, a timer extension, or even the data’s deletion,” Hull said.

Mitigation Methods For Incoming Ransomware Attacks—According To The FBI

With ransomware-as-a-service and double-extortion ransom tactics on the increase, the Federal Bureau of Investigation has warned users to be alert to the risk and provided a number of recommended mitigation methods. The FBI said that organizations should enact three mitigating strategies immediately:

  • Install updates for operating systems, software and firmware as soon as they are released.
  • Require phishing-resistant, non-SMS-based multi-factor authentication.
  • Educate users to both recognize and report phishing attempts.