The LockBitSupp persona said LockBit 4.0 will be launched in February 2025
Analysis Summary
# Threat Actor: LockBit Ransomware Group
## Attribution & Identity
* **Primary Identity:** LockBit Ransomware Group (Ransomware-as-a-Service, RaaS, operator).
* **Key Persona/Admin:** LockBitSupp.
* **Associated Individuals:** Rostislav Panev, an Israeli national accused of being a software developer for the group between 2019 and 2024, sought for extradition by the US.
* **Known Associations:** The group has experienced internal disruption, including a leaked builder from a disgruntled developer following the LockBit 3.0 release.
## Activity Summary
The LockBit group is potentially making a comeback following the major infrastructure takedown, **Operation Cronos**, in February 2024.
* **Current Activity:** On December 19, 2024, LockBitSupp announced the imminent launch of a new version, **LockBit 4.0**, slated for release on February 3, 2025.
* **Historical Campaigns:** The group has been active since 2019 and has released several major versions:
  * LockBit 1.0 (January 2020, initially "ABCD" ransomware).
  * LockBit 2.0 (June 2021, included the StealBit exfiltration tool).
  * LockBit Linux (October 2021, targeting Linux/VMware ESXi systems).
  * LockBit 3.0 / LockBit Black (March 2022).
  * LockBit Green (January 2023, potentially a rebranded Conti encryptor).
* **Post-Takedown Status:** Despite the significant disruption from Operation Cronos (which recovered 7000 keys), LockBit was still reported as the most active threat actor in May and second in July 2024, though some of this activity might stem from other groups using their leaked builder.
## Tactics, Techniques & Procedures
* **Evolution:** Continuously evolving ransomware with versions including LockBit 1.0 through 4.0.
* **Data Exfiltration:** Used proprietary tools like **StealBit** alongside encryption (LockBit 2.0).
* **Infrastructure Resilience:** Planning to use five distinct Tor onion sites for the new version, suggesting an effort to harden its infrastructure against further takedowns.
* **Affiliate Recruitment:** Using suggestive marketing messaging ("Want a Lamborghini... Sing up and start your pentester billionaire journey in 5 minutes with us") to recruit affiliates.
* **NOTE:** Specific technical TTPs (e.g., specific techniques or MITRE ATT&CK IDs) were not detailed in the context provided, beyond the mention of evolving ransomware versions.
## Targeting
* **Sectors:** Not explicitly detailed in this summary; historically known for broad targeting across various sectors.
* **Geography:** Associated individual (Panev) is Israeli, though the operation is global.
* **Victims:** Specific victims are not named in the context of the 4.0 announcement.
## Tools & Infrastructure
* **Malware Families Used:** LockBit (various versions: 1.0, 2.0, 3.0, 4.0, Green).
  * StealBit (data exfiltration tool associated with LockBit 2.0).
* **Infrastructure (C2, domains, IPs):**
  * Announced new website: `lockbit4[.]com`
  * Five separate Tor onion sites planned for the LockBit 4.0 launch.
## Implications
The announced return with LockBit 4.0 indicates the group is resilient and determined to re-establish dominance following the severe impact of Operation Cronos. The focus on robust infrastructure (multiple onion sites) suggests an anticipation of further law enforcement disruption. Their ability to attract new affiliates, even following a major takedown, highlights the continued profitability and appeal of the RaaS model they operate.
## Mitigations
* **Monitor for Indicators:** Monitor for the launch of the advertised infrastructure (`lockbit4[.]com` and associated Tor sites) scheduled for February 3, 2025.
* **Proactive Defense:** Implement strong EDR/anti-malware solutions capable of detecting future LockBit variants.
* **Backup Strategy:** Ensure robust, segmented, and tested backups, given the group's historical focus on leveraging encryption.
* **Threat Intelligence Integration:** Review any previously leaked LockBit builders or code samples (which researchers such as vx-underground were granted access to) for potential defensive signature creation.
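As an added example (not part of the original report), the "Monitor for Indicators" item above can be turned into a small detection: refang the defanged domain from this report and match it, including subdomains but not look-alike names, against DNS query logs. The log lines below are constructed in an assumed dnsmasq-style format; the only indicator used is the one the report names.

```python
import re
from dataclasses import dataclass

# Defanged indicator exactly as reported for the LockBit 4.0 announcement.
DEFANGED_IOCS = ["lockbit4[.]com"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator (e.g. 'hxxps://x[.]y/' or 'x(.)y') back into a bare hostname."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", "", s)
    s = s.replace("[.]", ".").replace("(.)", ".").replace("{.}", ".")
    return s.rstrip("/")

def matches_ioc(hostname: str, ioc_domain: str) -> bool:
    """Exact or subdomain match only; look-alikes such as 'notlockbit4.com' must not match."""
    h = hostname.lower().rstrip(".")
    return h == ioc_domain or h.endswith("." + ioc_domain)

# Constructed sample lines (assumed dnsmasq-style 'query[TYPE] <name> from <ip>' format).
SAMPLE_DNS_LOG = """\
Feb  3 09:12:01 dns dnsmasq[1234]: query[A] www.example.com from 10.0.0.5
Feb  3 09:12:07 dns dnsmasq[1234]: query[A] lockbit4.com from 10.0.0.23
Feb  3 09:12:09 dns dnsmasq[1234]: query[AAAA] blog.lockbit4.com from 10.0.0.23
Feb  3 09:12:15 dns dnsmasq[1234]: query[A] notlockbit4.com from 10.0.0.8
"""
QUERY_RE = re.compile(r"query\[[A-Z]+\] (?P<name>\S+) from (?P<src>\S+)")

@dataclass
class Hit:
    name: str   # queried hostname
    src: str    # source IP that issued the query
    ioc: str    # refanged indicator it matched

def scan_dns_log(log_text: str, defanged_iocs=DEFANGED_IOCS) -> list:
    """Return one Hit per log line whose queried name matches a refanged indicator."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; ignore
        for ioc in iocs:
            if matches_ioc(m["name"], ioc):
                hits.append(Hit(m["name"], m["src"], ioc))
    return hits

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"ALERT {h.src} queried {h.name} (matches {h.ioc})")
```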