
LockBit 4.0: Analysis of the Most Dangerous Ransomware of 2025

Few malicious programs alarm security researchers as much as the latest version of the notorious LockBit ransomware. After the high-profile international law enforcement operation that took down the group’s infrastructure in February 2024, LockBit not only returned but evolved into a more dangerous and technically sophisticated version 4.0, which poses a serious threat to companies worldwide.

This article presents a detailed analysis of LockBit 4.0, including its technical characteristics, distribution methods, target sectors, and protection recommendations.

LockBit History and Path to Version 4.0

LockBit first appeared on the ransomware scene in September 2019 under the name “ABCD ransomware.” Since then, the malware has undergone significant evolution, including several key versions:

  • LockBit 1.0 (2019-2020): The initial version, with basic encryption and no data theft component.
  • LockBit 2.0 (2021): Faster encryption, automatic propagation across the network, and the StealBit exfiltration tool, which made double extortion part of the standard playbook.
  • LockBit 3.0 “Black” (2022-2024): Improved detection evasion, a bug bounty program for the malware itself, and an expanded leak-site extortion model.
  • LockBit 4.0 (2025): A rewritten version in Rust with advanced detection evasion capabilities and multi-threaded encryption.

Operation Cronos, carried out by an international coalition of law enforcement agencies in February 2024, seized LockBit infrastructure, including its leak site, and led to arrests and indictments of people tied to the operation. However, as often happens with distributed cybercriminal groups, LockBit recovered within months and went on to release version 4.0 in 2025, demonstrating considerable resilience and adaptability.

According to figures cited from Microsoft Security Intelligence, by June 2025 LockBit 4.0 accounted for more than 22% of all recorded ransomware attacks, surpassing other active groups such as Sarcoma Group.

Technical Features of LockBit 4.0

LockBit 4.0 represents a significant technological leap compared to previous versions. Here are the key technical changes that make this version especially dangerous:

  • Transition to Rust: Unlike previous versions written in C/C++, LockBit 4.0 is reported to have been rewritten in Rust. For the authors this brings good performance, memory safety, and easier cross-platform builds; for defenders it means signatures and analysis tooling tuned to the old codebase no longer apply.
  • Multi-threaded encryption: The encryptor spreads work across all available processor cores, so a file server can be encrypted in minutes rather than hours, shrinking the window in which responders can intervene.
  • Safe mode launch: LockBit 4.0 can rewrite the boot configuration and restart the host into Safe Mode, where security agents that are not registered to load in that mode are not running, and then launch the encryptor there.
  • Improved shadow copy deletion: Besides the classic vssadmin delete shadows command, it removes Volume Shadow Copies through WMI (the Win32_ShadowCopy class) and PowerShell, so blocking a single utility is not enough.
  • Self-protection: The malware terminates processes and services that could hold files open, interfere with encryption, or detect its activity (backup agents, databases, security tools).
  • Detection evasion techniques: Obfuscation, string encryption, control-flow confusion, and checks for sandboxes and virtual machines.

LockBit 4.0 uses hybrid encryption: files are encrypted with a symmetric cipher (AES-256) and the per-victim key material is protected with RSA-4096, so recovery without the operator’s private key is not feasible. Encrypted files receive the .lockbit extension, and ransom notes in HTML and TXT formats are dropped in every folder that was processed.

[Diagram: LockBit 4.0 attack structure]
Stages: Initial Access → Privilege Escalation → Lateral Movement → Data Exfiltration → System Preparation → Encryption → Ransom Demand → Extortion
Initial vectors: phishing; VPN/RDP vulnerabilities; credential compromise
Preparatory actions: security services shutdown; shadow copy deletion; safe mode reboot

Source: Analysis of LockBit 4.0 attack cycles, based on Microsoft Security Intelligence and CISA data, 2025

LockBit 4.0 Distribution Tactics

LockBit 4.0 uses a variety of methods for initial penetration into corporate networks. According to research by CISA, the most common methods of initial access include:

  1. Phishing campaigns: Targeted emails with malicious attachments or links disguised as legitimate business documents.
  2. Vulnerability exploitation: Active use of known and zero-day vulnerabilities in widely deployed corporate software, especially VPN appliances and other remote access systems.
  3. Credential compromise: Stolen or weak credentials used to reach corporate resources, especially over RDP and other remote access services that lack multi-factor authentication.
  4. Supply chain attacks: Compromise of software or service providers, followed by movement into their clients’ systems.
  5. Initial access brokers: Access purchased from groups that specialize in breaking into corporate networks and reselling the foothold.

After gaining initial access, LockBit 4.0 uses a range of tools and methods to establish persistence, elevate privileges, and move laterally. These techniques often include:

  • Living-off-the-land use of legitimate administration tools, which keeps the activity looking like routine administration
  • Process injection to get around endpoint protection
  • Defense evasion and encrypted communication with command-and-control servers
  • Mimikatz and similar tools to pull credentials from memory
  • Automatic discovery and use of poorly secured network shares and hosts for propagation

Methods for detecting systems for encryption have also been significantly improved in LockBit 4.0, including automatic scanning of Active Directory to find critical servers and data storage systems. This allows the malware to specifically target an organization’s most valuable assets for maximum pressure.

LockBit 4.0 also uses an approach similar to EncryptHub Ransomware, with multi-level extortion and refined detection evasion techniques, making it particularly dangerous even for well-protected organizations.

Double and Triple Extortion by LockBit 4.0

One of the most dangerous characteristics of LockBit 4.0 is its advanced approach to multi-level extortion. Unlike early ransomware that simply encrypted data, LockBit 4.0 uses a comprehensive strategy to pressure victims:

  • First level: Data encryption – Traditional file encryption with the threat of information loss if the ransom is not paid.
  • Second level: Data theft – Before encryption, LockBit 4.0 steals confidential information (intellectual property, financial documents, personal data) and threatens to publish it on the Dark Web through its “leak site.”
  • Third level: DDoS attacks – In version 4.0, the LockBit operator also conducts DDoS attacks on the victim company’s public resources, increasing pressure and creating additional problems for the business.

This combined tactic significantly increases the chances of receiving ransom payments, as even companies with good backup strategies are forced to consider payment to prevent data leaks and extended downtime. According to CISA, about 45% of LockBit 4.0 victims make payments, which is higher than the average for other ransomware programs.

LockBit 4.0 adapts its extortion tactics depending on the size and type of company:

  • For small companies: Relatively low ransom ($30,000-$50,000) with shorter payment deadlines
  • For medium-sized companies: Ransom of $100,000-$300,000 with threats of information publication
  • For large corporations: Multi-million dollar demands with individual negotiation terms and additional threats

The group has also developed a sophisticated negotiation scheme, including a chat service in the ransom note, the possibility of appealing the amount, and even a “test decryption” option for several files to demonstrate the ability to return the data.

Target Industries and Victim Selection Tactics

Unlike some other ransomware programs that use a mass approach to attacks, LockBit 4.0 demonstrates a more strategic and targeted selection of victims. Analysis of LockBit 4.0 victims shows a clear concentration on certain economic sectors:

LockBit 4.0 attacks by industry (share of victims):
  Manufacturing          28%
  Healthcare             19%
  Financial              15%
  Professional Services  12%
  Education              10%
  Government              8%

Source: Analytical data on LockBit 4.0 attacks, first quarter of 2025, based on a joint report from law enforcement agencies and cybersecurity research centers

As the breakdown shows, manufacturing companies (28%) and healthcare institutions (19%) are the most frequent targets of LockBit 4.0. Several factors explain this:

  • Criticality of data and processes – Manufacturing and medical organizations cannot afford extended downtime, increasing the likelihood of ransom payment
  • Regulatory pressure – In the case of medical or financial data leaks, companies face additional fines and reputational losses
  • Often insufficient cyber defense – Especially in production networks with numerous legacy control systems
  • High value of data – Intellectual property of manufacturing companies and personal patient data have high value

In its target selection tactics, LockBit 4.0 considers the following factors:

  1. Financial indicators of the company (to assess the ability to pay ransom)
  2. Criticality of IT systems for business processes
  3. Presence of cyber risk insurance
  4. Presence of public reporting and regulatory pressure
  5. Jurisdiction of the company (preference is given to Western countries)

Like its predecessors, LockBit 4.0 avoids organizations in the former Soviet republics; LockBit builds have long checked the system language and aborted on CIS locales, which points to the group’s likely geographic origin.

Signs of LockBit 4.0 Infection

Early detection of LockBit 4.0 infection can significantly reduce the damage from an attack. Here are key signs indicating the possible presence of malware in the system:

Technical Indicators of Compromise

  • Unusual network activity:
    • Increased traffic to unknown external IP addresses
    • Unexpected requests to Active Directory
    • Intensive scanning of the internal network
  • Suspicious system activity:
    • Unusual scheduled tasks in Windows
    • Modifications to the Windows registry, especially the autorun sections
    • Blocked access to security and management tools
    • Attempts to disable backup services and antivirus programs
    • Execution of shadow copy deletion commands (e.g., vssadmin delete shadows /all)
  • Suspicious files:
    • Appearance of executable files in unusual locations
    • Files with .dll or .exe extensions in user directories
    • Encrypted or obfuscated PowerShell scripts

Signs of Active Encryption

If LockBit 4.0 has already started the encryption process, you will notice the following signs:

  • Files with the .lockbit extension added to their original names
  • Ransom notes in HTML and TXT formats named “LockBit_Ransomware.html” and “LockBit_Ransomware.txt” in each directory with encrypted files
  • Changed desktop wallpaper to a message from LockBit
  • High CPU load due to intensive encryption operations
  • Problems accessing files and systems or their unusual behavior

The ransom note typically contains:

  • LockBit logo
  • Unique victim identifier
  • Information about encrypted data
  • Ransom amount in cryptocurrency (usually Bitcoin or Monero)
  • Payment deadlines and conditions for increasing the amount
  • Link to a LockBit chat portal on the Tor network for negotiations
  • Threats to publish stolen data

Unlike many other ransomware programs, LockBit 4.0 also leaves a unique binary signature in encrypted files, which can help security experts identify the specific version of the malware.
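Mass extension changes and the appearance of the note files are the file-system side of the same picture, and they are what a file server or EDR sees first once encryption starts. The following added example (written for this article, not LockBit or Gridinsoft code) feeds a constructed stream of file events through a sliding-window detector that raises an alert when many files gain the .lockbit extension across several directories within a few seconds, or as soon as a ransom note with one of the names given above is created. The event format, the 10-second window and the 20-file / 2-directory thresholds are assumptions for illustration.

```python
from collections import deque
from dataclasses import dataclass

SUSPECT_EXT = ".lockbit"
RANSOM_NOTE_NAMES = {"lockbit_ransomware.html", "lockbit_ransomware.txt"}


@dataclass(frozen=True)
class FsEvent:
    ts_ms: int     # event time in milliseconds
    action: str    # "create", "rename" or "write"
    path: str      # full path after the operation


def _norm(path):
    return path.replace("\\", "/")


def basename(path):
    return _norm(path).rsplit("/", 1)[-1]


def parent_dir(path):
    n = _norm(path)
    return n.rsplit("/", 1)[0] if "/" in n else ""


def is_ransom_note(path):
    return basename(path).lower() in RANSOM_NOTE_NAMES


def has_suspect_ext(path):
    return path.lower().endswith(SUSPECT_EXT)


def detect_encryption_burst(events, window_ms=10_000, min_files=20, min_dirs=2):
    """Scan file events in time order and return a list of alerts.

    ('ransom_note', ts_ms, path)              for every note file created
    ('mass_rename', ts_ms, n_files, n_dirs)   the first time >= min_files files gained
                                              SUSPECT_EXT in >= min_dirs directories
                                              within window_ms
    """
    alerts = []
    window = deque()          # (ts_ms, path) of recent suspect-extension events
    burst_reported = False
    for ev in sorted(events, key=lambda e: e.ts_ms):
        if ev.action == "create" and is_ransom_note(ev.path):
            alerts.append(("ransom_note", ev.ts_ms, ev.path))
        if ev.action in ("create", "rename") and has_suspect_ext(ev.path):
            window.append((ev.ts_ms, ev.path))
            while window and ev.ts_ms - window[0][0] > window_ms:
                window.popleft()   # drop events that fell out of the time window
            if not burst_reported and len(window) >= min_files:
                dirs = {parent_dir(p) for _, p in window}
                if len(dirs) >= min_dirs:
                    alerts.append(("mass_rename", ev.ts_ms, len(window), len(dirs)))
                    burst_reported = True
    return alerts


def _constructed_events():
    """Made-up telemetry: ordinary activity, one lone .lockbit file, then a burst."""
    evs = [
        FsEvent(100_000, "rename", "C:\\Users\\jdoe\\Documents\\report_v2.docx"),
        FsEvent(500_000, "rename", "C:\\Users\\jdoe\\Downloads\\sample.bin.lockbit"),
    ]
    shares = ["C:\\Shares\\Finance", "C:\\Shares\\HR", "C:\\Shares\\Engineering"]
    for i in range(30):                         # 30 files, 100 ms apart, 3 directories
        evs.append(FsEvent(1_000_000 + 100 * i, "rename",
                           f"{shares[i % 3]}\\file{i}.xlsx{SUSPECT_EXT}"))
    evs.append(FsEvent(1_003_500, "create", "C:\\Shares\\Finance\\LockBit_Ransomware.txt"))
    evs.append(FsEvent(1_003_600, "create", "C:\\Shares\\Finance\\LockBit_Ransomware.html"))
    return evs


SAMPLE_FS_EVENTS = _constructed_events()

if __name__ == "__main__":
    for alert in detect_encryption_burst(SAMPLE_FS_EVENTS):
        print(alert)
```

On the constructed stream the burst alert fires at the twentieth rename, about two seconds into the encryption run and before the notes are written; the lone .lockbit file at the start never trips the threshold. The multi-directory condition is there to keep a single user renaming a batch of files from paging the on-call, and the burst is reported once per stream so that a fast encryptor does not generate thousands of duplicate alerts.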

Protecting Against LockBit 4.0

Protection against complex threats like LockBit 4.0 requires a multi-layered approach to cybersecurity. Below are key measures that organizations can take to reduce the risk of a successful attack:

Preventing Initial Access

  • Strict credential management policies:
    • Multi-factor authentication for all remote access (VPN, RDP, web mail) and for administrative accounts
    • Strong, unique passwords; reset credentials when compromise is suspected rather than relying on blanket periodic rotation, which mostly produces predictable variants
    • Administrative privileges limited to what each role needs (least privilege), with separate accounts for administrative work
  • Network perimeter protection:
    • Regular checking and updating of all internet-facing services and applications
    • Using VPN with additional authentication for all remote connections
    • Implementing solutions for protection against threats in email and web traffic
    • Using next-generation firewalls (NGFW) for monitoring and controlling traffic
  • Vulnerability management:
    • Regular vulnerability scanning and timely patching
    • Prioritizing patches for vulnerabilities actively used in cyberattacks
    • Implementing change verification processes and testing patches before deployment

Limiting Spread and Mitigating Consequences

  • Network segmentation:
    • Logical separation of critical systems and data from the general corporate network
    • Implementing micro-segmentation to limit lateral movement of attackers
    • Using network access control (NAC) systems to restrict access by unauthorized devices
  • Monitoring and detection:
    • Implementing EDR (Endpoint Detection and Response) solutions on all endpoints
    • Using XDR (Extended Detection and Response) solutions for correlation of security events
    • Creating baseline indicators of normal activity for more effective anomaly detection
    • Monitoring command line and suspicious PowerShell scripts
  • Critical data protection:
    • Implementing Data Loss Prevention (DLP) solutions
    • Encrypting sensitive data both at rest and in transit
    • Classifying data by importance level and configuring appropriate access controls

Recovery Strategies

  • Reliable backup:
    • Follow the “3-2-1” rule: three copies of the data, on two different types of media, with one copy off-site, and make sure at least one copy is offline or immutable so that a domain-wide compromise cannot reach it
    • Test the restore process regularly, including a full rebuild of a critical server, and time it
    • Keep backup systems off the domain with their own credentials, and store copies with write protection (WORM or object lock) or in an isolated environment
  • Incident response plan:
    • Developing and regularly reviewing a response plan for ransomware attacks
    • Conducting response exercises with simulation of various attack scenarios
    • Defining roles and responsibilities for each member of the response team
  • Secure recovery:
    • Conducting a full malware analysis before recovery to prevent re-infection
    • Restoring systems from known clean sources
    • Changing all credentials after an incident

Organizations should understand that complete prevention of LockBit 4.0 attacks in today’s threat environment is an extremely challenging task. Therefore, the strategy should include both measures to reduce the likelihood of a successful attack and plans to minimize damage if an attack does occur.

LockBit 4.0’s Connection to Other Threats

LockBit 4.0 is part of a broader ecosystem of ransomware and cybercrime in general. Analyzing this malware in the context of other threats helps better understand its place in the cyber threat landscape:

Comparison with Sarcoma Group Ransomware: While LockBit 4.0 focuses on technical excellence and encryption speed, Sarcoma Group is more concentrated on targeted attacks with prolonged reconnaissance. Sarcoma Group typically attacks companies in the media sector, whereas LockBit 4.0 more broadly targets manufacturing and healthcare. Both groups use double extortion tactics, but LockBit 4.0 has added a third level with DDoS attacks, making it more dangerous.

Differences from EncryptHub Ransomware: Unlike the solo operation of EncryptHub, LockBit 4.0 operates under the Ransomware-as-a-Service (RaaS) model, where developers provide malware to affiliate partners. This allows LockBit to scale operations and conduct significantly more attacks simultaneously. EncryptHub relied more on using AI for malware development, while LockBit 4.0 is based on years of experience in code development and refinement.

Interaction with other cybercriminal groups: LockBit 4.0 does not exist in isolation. Analysis of the group’s infrastructure and tactics indicates possible connections with other cybercriminal groups:

  • Use of common tools and techniques with other ransomware such as Conti and REvil
  • Collaboration with initial access brokers for penetration into victim networks
  • Use of common cryptocurrency laundering services for processing ransoms

These connections point to the growing professionalization of the cybercriminal world, where specialized groups create complex business models resembling legitimate enterprises, making the fight against them even more difficult.

Conclusion

LockBit 4.0 represents a significant evolution in the world of ransomware, combining technical innovations with sophisticated business models and psychological pressure tactics. The transition to Rust, use of multi-threaded encryption, and triple extortion make this threat particularly dangerous for organizations across all sectors.

The history of LockBit demonstrates the resilience and adaptability of modern cybercriminal groups. Despite the international law enforcement operation in early 2025, the group quickly recovered and released an even more powerful version of its malware, indicating the need for more comprehensive approaches to combat such threats.

For organizations, the key factor in protecting against LockBit 4.0 and similar threats is a multi-layered approach to cybersecurity, including both technical measures for prevention and detection, as well as organizational strategies for mitigation and recovery. Special attention should be paid to:

  • Protecting the network perimeter and preventing initial access
  • Network segmentation to limit lateral movement of attackers
  • Reliable backup with offline copies
  • Training employees to recognize phishing attacks
  • Continuous monitoring and timely detection of suspicious activity
  • Developing and testing response plans for ransomware incidents

In an environment where ransomware continues to evolve and adapt, only continuous improvement of protective measures and incident readiness can provide organizations with the necessary level of resilience in the face of these complex threats.
