Saturday, 21 December 2024

LockBit Ransomware Resurgence Set for February 2025

If you believed that law enforcement had successfully dismantled the notorious LockBit ransomware operation and dealt serious blows to its criminal network, think again. A chilling new announcement reveals that the LockBit ransomware group, or more specifically its alleged leader LockBitSupp, is preparing for a major resurgence. According to a recent dark web posting, LockBit 4 is poised to strike, with new ransomware attacks scheduled for February 3, 2025. The message marks an alarming return of this highly destructive threat, and here’s everything we know about what lies ahead.

Despite the disruption of LockBit operations earlier this year, including actions from global law enforcement and FBI takedowns, it seems the group is not only operational but expanding. In a dark web post attributed to LockBitSupp, the alleged mastermind behind the operation, a new variant of LockBit ransomware is being touted. The ominous announcement hints at the new release with a bizarre promise: “Want a Lamborghini, Ferrari, and lots of titty girls? Sign up and start your pentester billionaire journey in 5 minutes with us.” The statement is a promotional pitch aimed at potential affiliates or partners, suggesting that the group is ready to recruit.

The group is preparing to launch this new strain of ransomware alongside a newly created leak site. In total, five anonymous TOR sites have been set up, which are expected to facilitate the ransomware’s distribution and possibly the auctioning of stolen data. The release of LockBit 4 is specifically set for February 3, 2025, meaning organizations and individuals must brace for a high-stakes cyber assault in the new year.

LockBit has become infamous for its “Ransomware-as-a-Service” (RaaS) model, a structure that allows cybercriminal affiliates to launch attacks using LockBit’s tools, thereby generating income for both the operators and the affiliates themselves. This decentralized model has helped the group maintain its dominance in the ransomware world. As of 2024, LockBit is considered one of the most active ransomware gangs globally, responsible for a significant share of cyberattacks. Matt Hull, the global head of threat intelligence at cybersecurity firm NCC Group, commented that LockBit’s activity had fluctuated in the months following its takedown in February 2024. Despite the disruption, LockBit continued to be a dominant threat. Data from NCC Group revealed that in May 2024, LockBit was the leading ransomware operator, responsible for 37% of all ransomware attacks. Even in July, LockBit 3.0 remained one of the most active threat actors. However, the group’s activity seemed to wane during the later months of 2024, with the group failing to appear in the top ranks of ransomware activity in October and November. Despite these fluctuations, the group’s ability to regain strength and plan the launch of LockBit 4 underscores its resilience.

LockBit’s “Ransomware-as-a-Service” affiliate model is a key component of its success. Affiliates, essentially cybercriminal partners, are given access to a central control panel where they can generate their own LockBit ransomware samples, manage their victims, and track the success rates of their attacks. This method minimizes the risk for LockBit operators, as they take a percentage cut from each attack carried out by an affiliate. The system operates similarly to a business franchise, with each affiliate responsible for their own campaign and revenue generation. The group’s methods are highly sophisticated and destructive. Like most contemporary ransomware actors, LockBit utilizes a double-extortion technique. This involves encrypting a victim’s files and stealing sensitive data. The stolen data is then posted on a leak site where buyers can access it for a price, or even pay to extend the time before the data is deleted—provided the ransom is paid. This two-pronged attack not only disrupts operations but also leaves organizations vulnerable to further exploitation and extortion.

The new LockBit 4 variant, which will reportedly target both Windows and Mac users, appears to be a continuation of the group’s previous attacks, but with improvements. The emergence of NotLockBit, a new variant modeled after the original ransomware, indicates that the group may have learned from past FBI takedowns and is now evolving its tactics. The launch of LockBit 4 next year may come with more advanced encryption methods and more aggressive data exfiltration strategies. The ransomware group’s persistence in the face of law enforcement disruption and their ability to stay one step ahead is concerning for businesses and individuals alike. The tactics used by LockBit are becoming more refined, and as seen from the previous versions, the group is likely to continue leveraging new vulnerabilities in operating systems, software, and online services to launch its attacks.

As the threat of ransomware grows, particularly with groups like LockBit, the FBI has issued several recommendations for individuals and organizations to better protect themselves from these sophisticated cyberattacks. With ransomware-as-a-service becoming more prevalent, the Bureau’s advice is clear: take proactive steps to mitigate risks and enhance cybersecurity defenses. The FBI’s recommended strategies include: installing updates for operating systems, software, and firmware as soon as they are released; requiring phishing-resistant, non-SMS-based multi-factor authentication methods; and educating users to recognize and report phishing attempts. By taking these precautions, organizations can reduce the risk of falling victim to these ever-evolving cyber threats.

The looming arrival of LockBit 4 on February 3, 2025, serves as a stark reminder that ransomware groups like LockBit remain a significant and evolving threat. Organizations must continue to strengthen their defenses and be proactive in preparing for such attacks. By implementing the FBI’s recommended strategies and staying informed about emerging threats, businesses and individuals can better defend themselves against ransomware attacks that could disrupt operations and compromise sensitive data. The return of LockBit is a signal that the fight against ransomware is far from over, and vigilance is crucial for staying one step ahead of cybercriminals.
