Aidan Murphy

Alleged LockBit Developer Charged As The Ransomware Group Teases LockBit 4.0

In this blog series we spotlight one of the stories from our cybersecurity newsletter, Beacon.

Rostislav Panev, 51, a dual citizen of Russia and Israel, has been charged in the US with developing and maintaining the source code of the LockBit ransomware.

Panev also allegedly operated StealBit, a tool that allowed the exfiltration of sensitive data from victims before the encryption process was initiated. It is claimed that he earned about US $230k between June 2022 and February 2024.

Panev is also accused of exchanging direct messages with Dmitry Yuryevich Khoroshev, the primary administrator of the LockBit RaaS operation and user of the LockBitSupp handle.

The statement from the Department of Justice came in the same week that LockBit teased LockBit 4.0 on its dark web leak site. Its post, titled “LockBit4.com”, was presumably aimed at potential affiliates, urging them to start their “billionaire pentest journey”. It contained a number of onion links, which currently don’t direct anywhere, and a countdown timer for a date in February.

Robert Fitzsimons, Lead Threat Intelligence Engineer at Searchlight Cyber, commented on the significance of this post:

“It is hard to say at this point exactly what “LockBit 4.0” entails, whether it is just a new dark web leak site for the group or whether there will be changes to the actual ransomware strain. The links in LockBit’s post don’t direct anywhere yet and the countdown timer attached to the post suggests that we won’t get more detail until February.

“It is worth noting that LockBit has already been through many iterations; its current branding is LockBit 3.0. It’s therefore not surprising that LockBit is updating once again and – given the brand damage inflicted by the law enforcement action Operation Cronos earlier this year – there is clearly a motivation for LockBit to shake things up and re-establish its credentials, keeping in mind that the LockBit 3.0 site was hijacked and defaced by law enforcement.

“There has been a decrease in LockBit’s victim output since Operation Cronos but this post shows that it is still trying to attract affiliates and continue its operations.”

For more information on Operation Cronos, the international law enforcement action against LockBit, and its fall-out, listen to the episode of The Dark Dive Podcast, The LockBit Takedown.
