Be wary of February 3, 2025—Malevolent Ransomware Group Warns of Fresh Assault
Update, Dec. 21, 2024: This story, originally published Dec. 20, now includes news of criminal charges filed against the suspected developer of the LockBit ransomware by the U.S. Department of Justice.
If you believed that law enforcement had not only disrupted the LockBit ransomware operation and poked fun at the crooks behind it, but had effectively wiped it out for good, then you're in for a surprise: LockBitSupp, alleged leader of the group, has declared that LockBit 4 will make a comeback next year. In fact, a post on the dark web indicates that the new ransomware attacks will commence on Feb. 3, 2025. Here's the lowdown.
The Return of LockBit 4 Ransomware
With word of a new version of NotLockBit ransomware targeting Windows and Mac users, it appears as if the original threat – the one that the new group mimics – is about to rise like a phoenix from the ashes of the FBI takedowns from earlier this year.
A post on the dark web, apparently originating from the administrator of the LockBit ransomware group, seems to be teasing the launch of this new version with a tantalizing question: "Fancy a Lamborghini, Ferrari, and a plethora of scantily clad women? Sign up and embark on your pentester billionaire journey in just 5 minutes with us." It is understood that a whole new leak website has been prepared for unveiling, accompanied by five anonymous TOR sites, with the official release date for the latest version set for Feb. 3, 2025.
What You Need To Know About the LockBit Ransomware Attack Threat
LockBit's activity has fluctuated from month to month in 2024 since its takedown in February, according to Matt Hull, global head of threat intelligence at cybersecurity giant NCC Group. However, in May 2024, LockBit was still the most active ransomware threat actor, accounting for 37% of all attacks, according to NCC Group statistics. In July 2024, LockBit 3.0 was also the second-most-prolific threat actor, Hull said. This surge of activity seems to have been short-lived, with the group not appearing among the top ten most active threat actors during October and November.
LockBit functions on a Ransomware-as-a-Service model, with its structure providing affiliate groups with a central control panel to create their own LockBit samples, manage their victims, publish blog posts, and view statistics related to their success rates for each attack, Hull indicated. "RaaS models operate in a pseudo-organizational hierarchy, with the operators of the ransomware variant receiving a percentage cut of each successful ransomware attack carried out by their affiliates," Hull explained, "thus minimizing the risk that the operators take on with each campaign."
Like most current ransomware actors, LockBit employs a double-extortion mechanism of file encryption and sensitive data exfiltration. This data is then "subsequently posted on their leak site where interested buyers can now pay for access to the data, a timer extension, or even the data's deletion," Hull said, "unless the ransom is paid, of course."
Suspected LockBit Ransomware Coder Indicted by U.S. Department of Justice
Rostislav Panev, a 51-year-old with Russian and Israeli citizenship, has been indicted by the U.S. Department of Justice on charges of involvement in the development of the LockBit ransomware family. The recently unsealed criminal complaint, filed in the U.S. District Court, District of New Jersey, charges Panev with conspiracy to commit fraud and related activities in connection with computers. Specifically, this activity includes the development of the LockBit ransomware encryptors as well as StealBit, one of the custom tools used in LockBit ransomware attacks, according to a report in Bleeping Computer. Panev was arrested on Aug. 18, 2024, in Israel, where he remains in custody while a request for his extradition to the U.S. is processed.
According to the criminal complaint, Special Agent Jacob A. Walker, of the Federal Bureau of Investigation, said that Panev "has provided coding and development services to the LockBit ransomware group since at least as early as in or around January 2022 and has received at least as much as approximately $230,000 in cryptocurrency transfers from the LockBit group during that time." Panev also stated that "On May 2, 2024, a grand jury in the District of New Jersey indicted a Russian national, Dmitry Yuryevich Khoroshev, on 26 criminal counts based on Khoroshev's alleged role as the creator and primary developer and administrator of the LockBit group." The criminal complaint stated that while Khoroshev remains a fugitive, U.S. authorities believe that Panev was "subordinate to Khoroshev in the LockBit group."
Countermeasures for Inbound Ransomware Attacks—According to the FBI
With ransomware-as-a-service and double-extortion ransom tactics on the rise, the Federal Bureau of Investigation has advised users to remain vigilant and provided several recommended countermeasures. The FBI suggests that organizations should implement the following three mitigating strategies immediately:
- Install updates for operating systems, software, and firmware as soon as they are released.
- Implement phishing-resistant, non-SMS-based multi-factor authentication.
- Educate users to recognize and report phishing attempts.
Summary
- Despite the U.S. Department of Justice's indictment of the alleged LockBit ransomware developer and the disruption of the previous operation, the cybercrime group announced that LockBit 4 would return with new attacks on Feb. 3, 2025.
- The NCC Group reported that LockBit remained the most active ransomware threat actor in May 2024, accounting for 37% of all attacks, despite the group's previous takedown in February.
- The crime gang operating LockBit employs a Ransomware-as-a-Service (RaaS) model, allowing affiliate groups to create their own LockBit samples, manage victims, and view statistics related to attack success rates.
- The suspected developer of the LockBit ransomware family, Rostislav Panev, was indicted by the U.S. Department of Justice on charges of involvement in developing LockBit encryptors and the StealBit tool used in ransomware attacks.
- The FBI advises organizations to counter ransomware attacks by installing updates as soon as they're released, implementing multi-factor authentication, and educating users to recognize and report phishing attempts.