Lockbit ransomware group steps up with a new version of its malicious software, LockBit 4.0, and with adjustments to their Darknet infrastructure. Although minor, these updates are remarkable due to their mere presence: this hacker group was going through rough times after law enforcement disruption in February 2024. Now, they appear to be completely back and ready to perform cyberattacks at its typical pace.
LockBit 4.0 Ransomware Released, Introducing New Infrastructure
As it typically happens in the cybercrime world, the sample of updated malware was found in the wild, following the attack on an unnamed corporation. This new sample features a combined encryption, along with an updated ransom note. Much more important changes happened beneath the surface, on the side of server security.
Main “notification” about the LockBit 4.0 release is placed on all the Darknet leak sites that the malware gang uses to publish the information about hacked companies and their stolen information. It is pinned to the very top of the list, and, aside from claiming the update release, also offers folks to participate in their affiliate program.
The update itself is not that remarkable. And for a good reason – both LockBit ransomware and auxiliary services used by the gang are industry-leading, meaning that there is not much room for improvement. All the changes are generally related to internal infrastructure that serves for negotiations with victims and back-end data management.
One thing that the ransomware got in the update is the usage of elliptic curve cryptography (ECC) algorithms, along with the already used AES. This allows for even tougher ciphers: they generally have less flaws, and offer even bigger pool of possible keys. While this may look like a totally redundant feature, there may be a lot of sense behind it considering the quick development of quantum computers.
With Lockbit 4.0 release, the gang introduced a selection of new leak sites, data servers nad other elements of its own infrastructure. In fact, new ones were introduced serially throughout 2024, so it is barely an unexpectable change. All these maneuvers are likely needed to make the network infrastructure more attack-resistant.
Lockbit is Seeking For Affiliates
A stand-out detail is the aforementioned promotion of an opportunity of becoming one of LockBit affiliates. Aside from the post on their leak site, the group has announced using a clear web domain, lockbit4.com, to communicate with candidates.
However, a few days after the website went live, it was intercepted by VX-Underground, a well-known group of online malware collectors. They removed the past contents and put a banner that says “Hacking is illegal and for nerds” on top of a sleepy kitten pic.
Lockbit Chief Developer Arrested and Extraded from Israel
One of the programmers behind Lockbit ransomware, Rostislav Panev, was recently arrested in Israel. He moved to the country soon after being charged for cybercrime in several European countries; this happened back in the days when Russia was cooperating with Western countries in terms of arrests of cybercriminals.
Israel is known as a country that is almost impossible to get extradited from, except for some extreme cases. But this was not helpful in the case of Panev: they guy is now arrested and is waiting extradition, which is fully confirmed and is unlikely to be cancelled under any conditions.
Such news appearing along with the release of LockBit 4.0 version make things a bit confusing. Sure enough, there are other programmers that can maintain the program. But the outstanding characteristics that Lockbit’s cryptor and data extraction tool are known for now have no one backing it. This may quite possibly be the last major update for Lockbit ransomware, at least in the form and with the codebase that we know.