CROCOTHERY - stock.adobe.com
LockBit ransomware gang teases February 2025 return
An individual associated with the LockBit ransomware gang has broken cover to tease details of a new phase of the cyber criminal operation's activity, that they claim is set to begin in February 2025
Despite being taken down and humiliated by the National Crime Agency (NCA) coordinated Operation Cronos in February 2024, an unknown individual(s) associated with, or claiming to represent, the LockBit ransomware gang has broken cover to announce the impending release of a new locker malware, LockBit 4.0.
In screengrabs taken from the dark web that have been widely circulated on social media in the past day, the supposed cyber criminal invited interested parties to “sign up and start your pentester billionaire journey in 5 minutes with us”, promising them access to supercars and women. At the time of writing, none of the links in the post direct anywhere, while a countdown timer points to a ‘launch’ date of 3 February 2025.
Robert Fitzsimons, lead threat intelligence engineer at Searchlight Cyber, said it was hard to say at this stage what LockBit 4.0 entailed – whether the gang was launching a new leak site, its old one having been seized, or whether it has made changes to its ransomware.
“It is worth noting that LockBit has already been through many iterations, its current branding is LockBit 3.0. It's therefore not surprising that LockBit is updating once again and – given the brand damage inflicted by the law enforcement action Operation Cronos earlier this year – there there is clearly a motivation for LockBit to shake things up and re-establish its credentials, keeping in mind that the LockBit 3.0 site was hijacked and defaced by law enforcement,” said Fitzsimons.
“There has been a decrease in LockBit's victim output since Operation Cronos but this post shows that it is still trying to attract affiliates and continue its operations.”
The gang’s sudden announcement comes just days after it emerged that the United States government is seeking the extradition from Israel of an alleged LockBit operative named as Rotislav Panev to face trial for wire fraud and cyber crime.
Panev was arrested in Haifa in Israel in August – according to Israeli news site Ynet, which was first to report the extradition request, news of his arrest has been restricted up to now in order to avoid tipping off other LockBit associates who may be located outside Russia and giving them a chance to escape to the relative safety afforded them there.
Panev is accused of working as a software developer for LockBit and may have created the mechanism by which the gang was able to print ransom notes on printers connected to the compromised systems. Panev’s lawyer told Ynet that he was a computer technician and was never aware of nor involved in any fraud, extortion or money laundering.
Computer Weekly understands an extradition hearing in this case is scheduled for January 2025.
LockBit down but not out?
Since Operation Cronos unfolded in early 2024, the NCA and other agencies that participated in the takedown have been drip feeding more information about the infamous cyber criminal operation.
In May, the NCA unmasked its leader, LockBitSupp, naming him as Russian national Dmitry Khoroshev and targeting him with asset freezes and travel bans, concurrent with an indictment in the US that has seen him charged with a total of 26 counts of fraud, damage to protected computers and extortion. Khoroshev remains at large despite a multimillion dollar reward, and LockBitSupp has denied that this is their true identity.
Later in the year the NCA named-and-shamed a high-profile LockBit affiliate, Aleksandr Ryzhenkov, aka Beverley, who was also a key player in the Evil Corp operation and served as a henchman to its leader Maksim Yakubets.
Despite the apparent success of Operation Cronos, recent history has shown that even when law enforcement operations can be effective at disrupting their activities, cyber criminals are remarkably resilient and often able to stand up their operations again with relative ease.
Although it is not currently possible to ascertain what the person behind LockBit’s announcement is actually planning, defenders should be alert to the possibility of attack in the coming weeks, and take appropriate anti-ransomware measures wherever possible.
Read more about LockBit
- The US authorities say they now have more than 7,000 LockBit decryption keys in their possession and are urging victims of the prolific ransomware gang to come forward.
- Coalition is the latest company to confirm LockBit activity against vulnerable ScreenConnect instances. But the insurer found significant differences between previous LockBit attacks.
- Reaction to the takedown of the LockBit ransomware gang is enthusiastic, but tempered with the knowledge that cyber criminals are often remarkably resilient.
Read more on Hackers and cybercrime prevention
-
![]()
Secureworks: Ransomware takedowns didn’t put off cyber criminals
By: Alex Scroxton
-
![]()
Law enforcement agencies arrest 4 alleged LockBit members
By: Arielle Waldman
-
![]()
Unmasked: The Evil Corp cyber gangster who worked for LockBit
By: Alex Scroxton
-
![]()
Risk & Repeat: Hacks, lies and LockBit
By: Alexander Culafi
