{
	"id": "00331afa-4e5f-42d3-8c9f-25f3d620ea3c",
	"created_at": "2026-04-06T00:19:54.500252Z",
	"updated_at": "2026-04-10T03:29:39.845034Z",
	"deleted_at": null,
	"sha1_hash": "8378026a4b3cacff4671bb769b93ceaa3f71b747",
	"title": "LockBit Attempts to Stay Afloat with a New Version",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 772810,
	"plain_text": "LockBit Attempts to Stay Afloat with a New Version\r\nBy: Trend Micro Research Feb 22, 2024 Read time: 12 min (3194 words)\r\nPublished: 2024-02-22 · Archived: 2026-04-05 13:43:22 UTC\r\nThis research is the result of our collaboration with the National Crime Agency in the United Kingdom, who\r\nrecently took action against LockBit as part of an international effort resulting in the disruption of the group's\r\ninfrastructure and undermining of its operations. More details can be found on their website here.\r\nIntroduction\r\nLockBit is a Ransomware-as-a-Service (RaaS) operation that has been involved in numerous security\r\nincidents for organizations globally over the years. By offering LockBit as a RaaS, its developers can provide it to\r\nother criminals for their own operations. In a typical RaaS setup, earnings are split between the developers\r\nand their affiliates after the ransom has been negotiated and paid. LockBit normally charges a 20% share of the\r\nransom per paying victim, with the remaining 80% going to the affiliate. However, if LockBit itself is the one\r\ncarrying out the negotiations, this fee goes up to 30 to 50%. In November 2023, the group introduced new\r\nrecommendations for ransom values based on the revenue of the victim, forbidding discounts above 50%.\r\nFrom a purely technical side, what made LockBit special compared to other competing ransomware packages was\r\nthat it used to have self-spreading capabilities. Once a host in the network becomes infected, LockBit is able to\r\nsearch for other nearby targets and try to infect them as well, a technique that was not common in this kind of\r\nmalware.\r\nFrom a criminal group perspective, LockBit was known to be innovative and willing to try new things (though\r\nless so in recent times, as we will see in this entry). 
For instance, they came up with a public contest — a “bug\r\nbounty” — to find new ideas from the cybercriminal community to improve their ransomware. This\r\ngroup also developed and maintained a simple point-and-click interface that allowed a cybercriminal to choose\r\nvarious options before compiling the final binary for the attack, therefore lowering the technical barrier of entry\r\nfor their criminal affiliates.\r\nThe group also promoted themselves through stunts in the cybercriminal community, such as paying people to get\r\nLockBit tattoos and even offering a US$1 million bounty for anyone who could find out the real-world identity of\r\nLockBit’s gang leader (an individual or group known by the online nickname “LockBitSupp”).\r\nAs part of this innovative streak, LockBit has published several versions of their ransomware, from the initial v1\r\n(January 2020) to LockBit 2.0 (nicknamed “Red”, from June 2021), then to LockBit 3.0 (nicknamed “Black”,\r\nfrom March 2022). In October 2021, the threat actor introduced LockBit Linux to accommodate attacks on Linux\r\nand VMware ESXi systems. Finally, an intermediate version, nicknamed “Green,” that incorporated code\r\napparently inherited from the defunct Conti ransomware, emerged in January 2023. However, this version was not\r\nidentified as a new 4.0 version.\r\nhttps://www.trendmicro.com/en_us/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version.html\r\nPage 1 of 11\n\nIn recent times, the group has experienced issues, both internally and externally, that have threatened its position\r\nand reputation as one of the top RaaS providers. 
This blog entry touches on these issues and provides a look into\r\nour data, which shows the group’s seeming decline over the past couple of years.\r\nFurthermore, we will examine an in-development version of the ransomware we track as LockBit-NG-Dev (NG\r\nfor Next Generation), which could be an upcoming version the group might consider as a true 4.0 version once\r\ncomplete. We will examine its capabilities in relation to other LockBit versions, such as the “Green” version from\r\n2023.\r\nA detailed technical analysis of LockBit-NG-Dev can be accessed in the appendix.\r\nRecent LockBit issues and difficulties\r\nThe LockBit group has had internal security incidents, due to the distributed semi-anonymous structure of the\r\ngroup itself and the interactions between the affiliate program members and the LockBit operators.\r\nInformation leaks by disgruntled developers or group members have occurred in the past. In September 2022, the\r\nbuilder for the ransomware was leaked by a developer associated with the group. This leaked build had\r\nsignificant impact on the cybercriminal scene by lowering the threshold for criminals to start their own RaaS\r\nenterprise via clones of the LockBit operation.\r\nWhen builds are leaked, it can also muddy the waters with regards to attribution. For example, in August 2023, we\r\nobserved a group that called itself the Flamingo group using a leaked LockBit payload bundled with the\r\nRhadamanthys stealer. In November 2023, we found another group, going by the moniker Spacecolon,\r\nimpersonating LockBit. The group used email addresses and URLs that gave victims the impression that they\r\nwere dealing with LockBit.\r\nThis LockBit knock-off group even used a leak site similar to LockBit (Figure 2). This further demonstrates how\r\nthe leaked build has diluted the skill needed to operate a RaaS. 
Events like these might even cause doubt for\r\nlegitimate LockBit victims as to whether they are dealing with LockBit or an impostor.\r\nFigure 2. A false LockBit leak site made by another threat actor\r\nThe leaked build was a serious blow to the LockBit operation for several reasons:\r\n1. The fact that it was leaked in the first place by a disgruntled developer shows that it’s not all smooth sailing\r\nfor the LockBit operation. Anything that signals internal discontent will undoubtedly be concerning for\r\ncurrent or prospective affiliates.\r\n2. A leak like this should be called out for what it is — a security failure. If their core build can be leaked,\r\nthen affiliates might wonder if there are other security concerns. An incident like this in a software\r\ncompany would be seen as a complete failure of internal processes and controls, or worse, the absence of\r\nthem.\r\n3. Any technical advantage that LockBit may have had in the past is severely diluted due to the leaked build.\r\nOther groups that want to start up their own RaaS now have a level playing field without having to go\r\nthrough months of development and costs associated with building up an operation from scratch.\r\n4. The LockBit “brand” has likely suffered a blow, even though the operators would like to let on that\r\neverything is running smoothly. It would have been expected that following the leak, LockBit would have\r\ntried to change their build and add something innovative to strengthen their position as a leading RaaS\r\nprovider. However, the development of LockBit seems to have stagnated. 
This possibly leads back to the\r\nsource of the leak: Was the disgruntled employee one of the core developers who they have struggled to\r\nreplace?\r\nThe ransomware affiliate model is essentially a partnership, and just like any business relationship, any partner\r\nshould be questioning the long-term viability of an organization with such questionable internal security.\r\nOver the past few months, we’ve seen a downshift in confidence towards LockBit. There have been several\r\nfactors causing concern for affiliates. In April 2023, the group began to add several posts to the leak site, which\r\ncontained fake victims with made-up leaked data. It’s possible that this was part of internal testing. However, it’s\r\nhighly likely that this could have been an attempt to artificially inflate the number of victims to give the\r\nimpression that the threat actor was maintaining their success.\r\nOne of the most notable concerns is the apparent instability of the threat actor’s infrastructure. During a\r\nransomware operation, the negotiation phase is highly dependent on the threat of data being released. If the leaked\r\ndata is not available, then it becomes more difficult for affiliates to apply the pressure required for a successful\r\nnegotiation. Back in August 2023, we observed unusual behavior in LockBit’s leak site, with victims being added\r\nand removed within minutes, resulting in an error message.\r\nFigure 3. LockBit leak site error message\r\nThroughout the first half of 2023, there were also numerous claims by the group that they had released data\r\nfollowing an organization’s failure to pay a ransom demand. What’s interesting is that there was no way to\r\ndownload the data that was “published” — there was simply a post saying the files were published. 
This topic is\r\nthoroughly covered in the Ransomware Diaries Volume 3 series by Jon DiMaggio.\r\nIn September 2023, LockBitSupp issued a proposal via a Tox message to implement new rules for affiliates in an\r\neffort to improve negotiations. The decline in successful negotiations and increased frustration with negotiators\r\ncould signal that the quality of affiliates that the operation attracts has been impacted by the lack of innovation and\r\ncontinued technical issues. The proposal included a minimum payment along with a fixed discount of 50%. It also\r\nproposed that payment should not be less than that of the amount covered by the victim’s insurance policy. Shortly\r\nafter, the actor Bassterlord (an affiliate of LockBit and the leader of a group called the National Hazard Agency)\r\npublished a tweet suggesting that these rules were being applied.\r\nFigure 4. Translated version of the proposed rules from LockBitSupp\r\nFigure 5. Tweet by Bassterlord endorsing LockBit’s new rules\r\nIn early November, we also observed some unusual behavior in the leak site mirrors. For several days, there were\r\ninconsistencies when trying to access them, and a lot of the site mirrors would redirect to the victim chat page.\r\nThis is yet another example of the litany of technical issues the group seems to be suffering from while trying to\r\nmaintain a stable operational infrastructure.\r\nFigure 6. What users see when they are redirected from the leak site to the victim chat site\r\nIt’s clear that LockBit has been having issues throughout 2023, and it stands to reason that this is having a\r\nnegative impact on their ability to attract or retain affiliates. 
There are several factors at play that may dissuade a\r\npotential affiliate from joining the group:\r\n1. Affiliates seem to be losing faith in the program. To compound LockBit’s technical issues, there also seems\r\nto be a shortage of staff for the operators. They’re not as responsive as they used to be, sometimes taking\r\ndays or even weeks to reply to inquiries.\r\n2. The new affiliate rules, which standardize ransom demands and constrain the amount an affiliate can earn, may not\r\ngo down well and could result in further migration of affiliates.\r\n3. The delay in an updated release of LockBit, combined with the attempts to obtain rival builds, suggests\r\nthere’s a brain drain in the operation and their core developer(s) may have privately moved on (as opposed\r\nto the very public departure of the person who leaked the LockBit build).\r\n4. The recent public call to ALPHV (BlackCat) and NoEscape affiliates to join the LockBit group has an air\r\nof desperation around it. In the past, threat actors were clamoring to join the group. In more recent times,\r\nhowever, it looks like the LockBit operators are desperate for fresh affiliates and actively looking for\r\nopportunities to capitalize on the misfortunes of rival groups.\r\nAt the end of January 2024, a malicious actor using the moniker “michon” on the XSS forum opened a thread for\r\narbitration against LockBitSupp. The malicious actor claimed that LockBitSupp refused to pay for access they\r\nprovided that led to a ransomware payout. In the beginning of the thread, it appears that this malicious actor was\r\nsomewhat inexperienced and did not outline conditions for the sale at the time. However, as the thread progressed\r\nand private chat logs were provided, there was a clear shift in sentiment from observers. There emerged a negative\r\nreaction to LockBitSupp’s attitude towards the malicious actor and the nature of the transaction, with a number of\r\nobservers giving LockBitSupp’s responses a thumbs down. 
As the thread ended, LockBitSupp was directed to pay\r\n10% of the ransom payment to the claimant within 24 hours.\r\nThere are a couple of key observations to be made after examining the contents of the forum thread:\r\n1. LockBitSupp displayed a degree of arrogance when responding to both the claimant and other supporters\r\nwho weighed in on the topic. The actor came across as someone who was “too big to fail” and even\r\nshowed disdain to the arbitrator who would make the decision on the outcome of the claim.\r\n2. This discourse demonstrated that LockBitSupp is likely using their reputation to carry more weight when\r\nnegotiating payment for access or the share of ransom payouts with affiliates. This is probably not the first\r\ntime that someone has tried to begin a working relationship with LockBitSupp and has been dealt\r\nunfavourable terms. The fact that this was played out in public may also dissuade others from dealing with\r\nLockBitSupp in the future.\r\n3. The type of behavior exhibited by LockBitSupp is similar to those observed with other operators of RaaS\r\ngroups that have overstepped the line and inevitably ended up disbanding. There are no positives for\r\nLockBitSupp with regards to this arbitration. The malicious actor has quite likely alienated their peers,\r\npotential access suppliers, and affiliates.\r\nOn January 30, 2024, LockBitSupp was banned from the XSS forum and assigned the status ripper/scammer. The\r\nactor was also subsequently banned from the Exploit forum.\r\nFigure 7. 
LockBitSupp banned from the XSS and Exploit forums\r\nLockBit’s Decline\r\nAccording to our confirmed breach data, there are some indications that although LockBit has maintained its\r\nposition as the intrusion set with the largest number of attacks, its overall share of ransomware impact has seen a\r\nsteady decline over the last two years. There is a clear decline in numbers when we look at the figures for LockBit\r\n2.0 and the shift to LockBit 3.0, although there was a slight rise during the fourth quarter of 2023, which may be\r\nattributed to the increased law enforcement activity against rival groups. LockBit offered affiliates the chance to\r\nmigrate to their operation during this period.\r\nFigure 8. Breach data from Q1 2022 to Q4 2023 shows that LockBit’s market share (among the\r\nmajor groups we track) as the RaaS with the highest number of attacks suffered a decline in late\r\n2022 and throughout most of 2023\r\nThreat actors associated with LockBit\r\nThis section will examine the people behind the LockBit group. There are several nicknames and online personas\r\nthat are frequently associated with LockBit, including LockBit (forum user) and LockBitSupp (forum user).\r\nThe official online presence from the group was through “LockBitSupp” — the username used by the user/s\r\noffering LockBit support, and “LockBit,” a more generic account that, through multiple conversations, has shown\r\na direct involvement with the LockBit affiliate program. Notably, the LockBit user ran a publicity stunt on the\r\nXSS forum, where they offered to pay US$1,000 to anyone getting LockBit tattoos. Public information shows that\r\nLockBit spent US$20,000 to pay people who got tattoos done. 
However, some forum members complained about\r\nbeing scammed by LockBit after they got the tattoo but were not paid for it.\r\nAnother prominent member of the criminal underground, Bassterlord, is believed to be associated with the\r\nLockBit group. Bassterlord is a criminal who claims to be from Ukraine (LDNR, according to their response in a\r\npublic interview) and has previously worked with the REvil RaaS group. Bassterlord is famous within\r\nthe cybercrime community for selling the second edition of their manual for attacking corporate networks.\r\nBassterlord’s handle on the XSS forum was renamed to “National Hazard Agency,” which is believed to be a sub-group within the LockBit operation. This group has claimed responsibility for high-profile attacks such as the one\r\nlaunched against the Taiwan Semiconductor Manufacturing Company (TSMC) in June 2023. A known handle\r\nused by Bassterlord on Twitter (“AL3xL7”) has openly mentioned their affiliation to the LockBit group.\r\nYet another prominent member of the cybercrime underground who has previous ties to LockBit is the malicious\r\nactor “wazawaka” (identified by the FBI as Mikhail Matveev), who was known to be an affiliate throughout 2020\r\nand 2021. Matveev was indicted by the US Department of Justice in May 2023. It should be noted that this\r\nmalicious actor communicates regularly with Bassterlord and has made references to rejoining the LockBit\r\naffiliate program.\r\nAn unknown actor, “Ali_qushji” claimed to have compromised the LockBit server infrastructure. However,\r\nLockBitSupp contradicted this information, mentioning that the leak actually originated from a disgruntled\r\ndeveloper. This person uses the handle “protonleaks” and is thought to be a former employee of the group\r\nand the individual who leaked the build.\r\nFigure 9. 
A user claiming to have leaked the LockBit build\r\nThe new LockBit-NG-Dev version\r\nRecently, we came into possession of a sample that we believe represents a new evolution of LockBit: an in-development version of a platform-agnostic malware-in-testing that is different from previous versions. The\r\nsample appends a “locked_for_LockBit” suffix to encrypted files which, being part of the configuration and\r\ntherefore still subject to change, leads us to conclude that this is an undeployed upcoming version from the group.\r\nBased on its current developmental state, we are tracking this variant as LockBit-NG-Dev, which we further\r\nbelieve could form the basis of a LockBit 4.0 that the group is almost certainly working on.\r\nA detailed analysis follows in the technical appendix, but some key changes include:\r\nLockBit-NG-Dev is now written in .NET and compiled using CoreRT. When deployed alongside the .NET\r\nenvironment, this allows the code to be more platform-agnostic.\r\nThe code base is completely new as a result of the move to this new language, which means that new\r\nsecurity patterns will likely need to be created to detect it.\r\nWhile it has fewer capabilities compared to v2 (Red) and v3 (Black), those additional features are likely to\r\nbe added as development continues. 
As it is, it is still a functional and powerful ransomware.\r\nIt removed the self-propagating capabilities and the ability to print ransom notes via the user’s printers.\r\nThe execution now has a validity period by checking the current date, likely to help the operators assert\r\ncontrol over affiliate use and make it harder for automated analysis systems by security companies.\r\nSimilar to v3 (Black), this version still has a configuration that contains flags for routines, a list of\r\nprocesses and service names to terminate, and files and directories to avoid.\r\nIt also still has the ability to rename the filenames of encrypted files to a random one.\r\nAs mentioned in the introduction, those looking for a detailed analysis of LockBit-NG-Dev can refer to the\r\ntechnical appendix.\r\nConclusion\r\nThe criminal group behind the LockBit ransomware has proven to be successful in the past, having consistently\r\nbeen among the top impactful ransomware groups during their whole operation. In the last couple of years, however,\r\nthey seem to have had a number of logistical, technical, and reputational problems.\r\nThis has forced LockBit to take action by working on a new much-awaited version of their malware. However,\r\nwith the seeming delay in the ability to get a robust version of LockBit to the market, compounded with continued\r\ntechnical issues — it remains to be seen how long this group will retain their ability to attract top affiliates and\r\nhold its position. 
In the meantime, it is our hope that LockBit is the next major group to disprove the notion of an\r\norganization being too big to fail.\r\nMore information on LockBit can be found in this link.\r\nSource: https://www.trendmicro.com/en_us/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version.html"
	],
	"report_names": [
		"lockbit-attempts-to-stay-afloat-with-a-new-version.html"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434794,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8378026a4b3cacff4671bb769b93ceaa3f71b747.pdf",
		"text": "https://archive.orkl.eu/8378026a4b3cacff4671bb769b93ceaa3f71b747.txt",
		"img": "https://archive.orkl.eu/8378026a4b3cacff4671bb769b93ceaa3f71b747.jpg"
	}
}