In February 2024, the National Crime Agency (NCA) orchestrated Operation Cronos, dealing a significant blow to the LockBit ransomware group. Yet, just days ago, an unknown individual, claiming to represent LockBit, resurfaced to announce a new malware version: LockBit 4.0.
Screenshots from the dark web have circulated on social media, showing this supposed cyber criminal inviting people to “sign up and start your pentester billionaire journey in 5 minutes with us.” They promise access to supercars and women. However, the links in the post are currently inactive, and a countdown leads to a mysterious launch date on February 3, 2025.
Robert Fitzsimons, a lead threat intelligence engineer at Searchlight Cyber, points out that it’s still unclear what LockBit 4.0 will entail. Is the group launching a new leak site after losing one to law enforcement, or are they revamping their ransomware? LockBit has already had several versions, with the latest being LockBit 3.0. Fitzsimons believes the group aims to re-establish itself after suffering damage from Operation Cronos, which hijacked and defaced its previous site. “While LockBit’s victim output has declined since the raid, this announcement shows they’re still looking to attract affiliates and keep their operations going,” he said.
This unexpected announcement coincides with news that the United States is seeking to extradite an alleged LockBit operative, Rostislav Panev, from Israel. Panev was arrested in Haifa last August. Israeli news outlet Ynet reported that details about his arrest were kept quiet to prevent alerting other LockBit members. He’s accused of being a software developer for LockBit and may have created a method that let the gang print ransom notes directly from compromised systems. Panev’s lawyer insists he was just a computer technician, unaware of any illegal activities.
An extradition hearing for Panev is set for January 2025.
Since Operation Cronos, the NCA has been gradually releasing information about the LockBit operation. In May, they identified LockBit’s leader, a Russian national named Dmitry Khoroshev, and issued asset freezes and travel bans against him, alongside a US indictment with 26 counts including fraud and extortion. Khoroshev remains at large despite a multimillion-dollar reward, and he denies that this is his true identity.
Later, the NCA exposed Aleksandr Ryzhenkov, known as Beverley, a prominent LockBit affiliate with ties to the Evil Corp operation. Despite Operation Cronos’ apparent success, history shows that cyber criminals often bounce back quickly after such disruptions.
While we can’t yet predict LockBit’s next moves, everyone should stay vigilant for potential attacks in the weeks ahead and bolster their anti-ransomware defenses.