LockBit Ransomware Group Returns, Launching 4.0 in February

• The notorious LockBit ransomware group announced the launch of the 4.0 version next year.
• The announcement even included access details to the gang’s dark web leak website.
• Security experts say the market is already dominated by RansomHub, and the 4.0 launch may be overhyped.

The LockBit ransomware group is planning an ambitious return to the ransomware scene with the release of LockBit 4.0, scheduled to launch on February 3, 2025, and the inclusion of dark leak site (DLS) access details indicates that LockBit remains eager to reassert itself.

The release of LockBit 4.0 marks a major attempt by the Ransomware-as-a-Service (RaaS) syndicate to regain its foothold in the competitive ransomware landscape.

The details of LockBit’s announcement were published in a report from Cyble, which takes on a provocative tone. The message enticed potential customers with the promise of expensive cars and attracting girls that could come true as a “pentester billionaire.”

While this marketing approach may appeal to potential affiliates, it underscores the challenges LockBit faces in maintaining its credibility after recent takedowns and leaks of its tools.

The LockBit group, once dominant in the ransomware ecosystem, has spent the past year grappling with significant setbacks. This announcement comes nearly a year after coordinated global law enforcement actions severely disrupted the group’s operations, leading to major arrests and the recovery of approximately 7,000 decryption keys.

LockBit 4.0’s release arrives more than two years after the debut of LockBit 3.0. The group was already working on the 4.0 iteration during the law enforcement actions. If law enforcement accessed LockBit’s source code during the crackdown, the group may have needed to implement significant changes to the new version. 

One area of focus is whether LockBit will alter its targeting criteria or geographical focus to minimize scrutiny from international law enforcement.

LockBit has functioned as a Ransomware-as-a-Service (RaaS) affiliate-based variant since January 2020. The credibility of the group—already damaged by arrests, law enforcement takedowns, and prior decryption leaks—will be a factor in its attempts to regain traction, while the ecosystem is dominated by competitors such as RansomHub.