Ransomware giant LockBit has announced its 4.0 encryptor, teasing a return in early 2025.
The group took a blow in February 2024 following a global takedown operation called Operation Cronos, which saw its site seized, its infrastructure dismantled, and several members and affiliates arrested.
While the group has made moves to rise from the ashes a number of times, LockBit has been a shell of its former self throughout the year, with additional Operation Cronos activity and false claims about breaches.
Now, LockBit has announced the release of its 4.0 encryptor, which will see the group evolve from LockBit 3.0 to LockBit 4.0.
In a post to its LockBit 3.0 dark web leak site, the group announced the encryptor would be released early next year.
“Want a lamborghini, a ferrari and lots of titty girls? Sign up and start your pentester billionaire journey in 5 minutes with us,” the group said in an attempt to draw in new affiliates as many of its former affiliates left during the takedown.
The group also has a LockBit 4.0 clear web site, which, when accessed, simply displays the message “hacking is illegal and for nerds” with a picture of a cat.
As it would do when teasing the release of exfiltrated sensitive data, LockBit set a countdown timer for the release of its 4.0 encryptor, which is due to end on 5 February 2025.
The announcement of the encryptor closely followed LockBit teasing the FBI with a birthday message to director Christopher Wray.
“Friends! Today is a significant day! It’s the FBI Director’s Birthday,” said the LockBit representative.
“Dear Christopher Asher Ray [sic]. On this wonderful day, I want to sincerely congratulate you on your birthday and wish you all the best. May your life always be wonderful and full of good moments, for example, how you caught me or at least learned my identity.
“May your memories be only bright and good, for example, how your employees deceived you and said that they supposedly found me. May you be surrounded by people who will help you rise even higher, although where else can you go higher?
“May your work be easy and beloved, and your salary – high and desirable, like mine. May your eyes always shine as they do now, may your money never end, and may all your dreams come true as quickly as you wish.
“Accept this archive as a gift. I ask that no one download this archive under any circumstances, this archive is only for the FBI Director.
“Happy Birthday again!”
Cyber Daily noted that the archive in question is password-protected and inaccessible. It is currently unclear what the archive contains, but it could be new FBI data.
LockBit was reportedly developing its 4.0 encryptor at the time of its takedown in February.
That in-development encryptor was known as LockBit-NG-Dev and would likely have later been renamed LockBit 4.0, continuing the group’s progression from the former LockBit 2.0 and the current LockBit 3.0.
The new encryptor is written in .NET, compiled with CoreRT and packed with MPRESS, unlike 3.0, which was built in C/C++.
According to a report by Trend Micro, observed by BleepingComputer, the new encryptor still lacked some features of previous versions of the malware, such as printing ransom notes on victim printers and self-propagating on affected networks, but it was in its final development stages and offered most functions.
“Like past versions, it still has an embedded configuration that dictates the routines it can perform,” said Trend Micro in its technical report.
“The configuration, which is in JSON format, is decrypted at runtime and includes information like date range for execution, the ransom note filename and content, unique IDs for the ransomware, the RSA public key, and some other flags and lists for its other routines.”
The report added that the malware supports three types of encryption:
“Fast encrypts the first 0x1000 bytes of the file (files listed in Fast Set will use Buffersize value to determine the size to encrypt).
“Intermittent only encrypts a certain percentage of the file based on the value set in the configuration under the Percent field. Also, the field Segmentation determines the distance between encrypted blocks.
“Full encrypts the whole file.”
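The three modes leave different footprints in a damaged file, which helps responders judge how much of each file may be recoverable. The following added example, which is not from the article or Trend Micro's report, maps per-block Shannon entropy to those footprints; the 7.0 bits/byte threshold, the function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 0x1000   # same size as the 0x1000-byte region the report gives for Fast mode
HIGH = 7.0       # assumed threshold in bits/byte; random 4 KiB blocks score about 7.95

def entropy(block: bytes) -> float:
    """Shannon entropy of a non-empty block, in bits per byte."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def high_entropy_map(data: bytes) -> list:
    """One flag per full block; a trailing partial block is ignored."""
    return [entropy(data[i:i + BLOCK]) >= HIGH
            for i in range(0, len(data) - BLOCK + 1, BLOCK)]

def classify(data: bytes) -> str:
    """Name the layout of high-entropy blocks. Compressed or media files are
    high-entropy by nature, so 'full' needs a file-type check before it means anything."""
    flags = high_entropy_map(data)
    if not any(flags):
        return "none"
    if all(flags):
        return "full"
    head = flags.index(False)        # length of the leading high-entropy run
    if head > 0 and not any(flags[head:]):
        return "head-only"           # consistent with Fast mode (any Buffersize)
    return "striped"                 # mixed blocks, consistent with Intermittent mode

def noise(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(b"constructed" + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

# Constructed sample data: eight blocks of repetitive log text, then three damaged variants.
PLAIN = (b"2025-01-01 12:00:00 INFO constructed sample log line\n" * 700)[:8 * BLOCK]
SAMPLES = {
    "clean": PLAIN,
    "fast": noise(BLOCK) + PLAIN[BLOCK:],
    "intermittent": b"".join(noise(BLOCK) if i % 3 == 0 else PLAIN[i * BLOCK:(i + 1) * BLOCK]
                             for i in range(8)),
    "full": noise(len(PLAIN)),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:13s} -> {classify(data)}")
```

A "head-only" or "striped" result means plaintext blocks survive in the file, so carving or partial recovery from those regions is worth attempting before restoring from backup.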