LockBit 4.0 Ransomware Campaign Targets Healthcare Sector with New Encryption Engine

A new variant of the LockBit ransomware, dubbed LockBit 4.0, has emerged with an overhauled encryption engine and is actively targeting healthcare organizations across the United States and United Kingdom. The group appears to have rebuilt its infrastructure after law enforcement disruptions in 2024.

Researchers at Sophos X-Ops discovered that LockBit 4.0 uses a novel hybrid encryption scheme combining ChaCha20 and post-quantum lattice-based cryptography, making decryption without the private key virtually impossible even with future quantum computing capabilities.

At least 14 hospitals and medical research facilities have been impacted since mid-February, with ransom demands ranging from $2 million to $15 million in Monero cryptocurrency. Several facilities reported disruptions to critical patient care systems.

The initial access vector appears to be compromised VPN credentials purchased from initial access brokers on dark web forums. Once inside the network, the attackers deploy custom tooling for lateral movement and data exfiltration before encrypting systems.

The FBI and CISA have issued a joint advisory urging healthcare organizations to implement multi-factor authentication on all remote access points, segment critical medical device networks, and maintain offline backups of patient data systems.