RaaS Evolved: LockBit 3.0 vs LockBit 4.0

LockBit is a prominent ransomware strain that has operated since 2019 and is known for its aggressive tactics and its Ransomware-as-a-Service model. The move from version 3.0 to 4.0 introduced enhanced evasion techniques, and LockBit continues to affect organizations worldwide.

Affected: organizations, cybersecurity sector

Key points:

  • LockBit ransomware has been operational since 2019, targeting diverse industries.
  • It uses a Ransomware-as-a-Service model, where affiliates carry out attacks for a share of the ransom.
  • LockBit employs double extortion tactics, threatening to release sensitive data if ransoms are unpaid.
  • LockBit 4.0 was released on February 3, 2025, marking the end of LockBit 3.0’s era.
  • The new version includes stealth features, such as a quiet mode and enhanced evasion capabilities.
  • LockBit 4.0 simplifies its packing mechanism, allowing easier analysis compared to version 3.0.
  • The ransom note structure has changed slightly, leaving file names intact and altering extensions.
  • LockBit uses a partial encryption method, enhancing efficiency but maintaining the core attack strategy.
  • The encryption process is slower in LockBit 4.0 compared to its predecessor.
  • Advanced evasion techniques are employed to bypass security measures, maintaining a high level of threat.

MITRE Techniques:

  • TA0040: Collection – LockBit 4.0 collects sensitive files for double extortion.
  • TA0040: Exfiltration – New features for secure negotiation post-attack.
  • TA0050: Resource Development – Ransomware-as-a-Service model to develop the malware.
  • TA0057: Attack Phishing – Targets organizations through deceptive tactics.
  • TA0020: Initial Access – Utilizing exploit kits to gain access to the victim’s systems.

Indicators of Compromise:

  • [Hash] 3552dda80bd6875c1ed1273ca7562c9ace3de2f757266dae70f60bf204089a4
  • [Hash] a33376f74c2f071ff30bab1c2d19d9361d16ebaa3dee73d3b595f6d789c15f62
  • [Onion Domain] lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion
  • [Onion Domain] lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion
  • [Onion Domain] lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion


Full Story: https://www.deepinstinct.com/blog/raas-evolved-lockbit-3-0-vs-lockbit-4-0