I want to tell you something the security industry usually doesn't bother to say to a small business owner: LockBit 4.0 is not an enterprise problem. It's not a "big company" problem. It's not a government problem. It is your problem — right now, today, whether you run a two-dentist practice in Sandton or a four-person accounting firm in the Cape Winelands.

LockBit is a Ransomware-as-a-Service operation. That means the people who built the malware aren't the ones attacking you. They've licensed it out to hundreds of criminal affiliates — the same way a franchise licences its brand — and those affiliates are hunting for targets everywhere, at all times, across every industry and every size of business. LockBit's developers get a cut. The affiliates do the work. And the affiliates have no minimum target size.

Key figures:
$1.5M+: average ransom demand in 2025 LockBit attacks
22 days: average downtime after a LockBit incident
45 min: time to encrypt 90% of file servers in a documented 2026 attack
Feb 2025: official release date of LockBit 4.0, which is active right now

The statistics above are not hypothetical worst-case scenarios. They're documented outcomes from real attacks in the past twelve months. That 22-day downtime figure is particularly savage for a small business. You do not have 22 days of revenue to lose. You probably don't have the cash reserves to survive it, let alone pay a seven-figure ransom on top.

⚠️
THIS IS NOT FEARMONGERING

Everything in this article is sourced from verified threat intelligence, published researcher reports, and documented incident data. I'm not trying to sell you paranoia. I'm trying to give you the same briefing I'd give to a hospital CISO — but translated into language that's useful to a business owner who doesn't have an IT department.

What Exactly Is LockBit 4.0?

LockBit has been active since 2019. Over six years it has gone through multiple major versions, each more dangerous than the last. In February 2024, international law enforcement — the NCA, FBI, and Europol — executed a major takedown called Operation Cronos, seizing LockBit's servers and infrastructure. Most observers assumed that was the end.

It wasn't. Within days the group had restored servers and resumed operations. By December 2024, LockBit announced version 4.0 — which had been under development even as their infrastructure was being seized. It launched officially in February 2025.

Timeline: v1.0 (2019) · v2.0 (2021) · v3.0 Black (2022) · Operation Cronos takedown (Feb 2024) · v4.0 Neo (Feb 2025)

LockBit 4.0 — also called LockBit Neo — was built from the ground up to be harder to detect, harder to stop, and harder to recover from. The people who built it watched every law enforcement and security team response to the previous versions and engineered around those responses. Here is what is new and what it means for you.

Feature 01 — Polymorphic Code
Your antivirus cannot see it coming · July 2025 variant
CRITICAL

Traditional antivirus works by recognising known malware signatures: specific byte patterns or file hashes that identify a known threat. LockBit 4.0's July 2025 variant introduced fully polymorphic code: every deployment is packed and encoded differently, so the file has a new hash and new byte patterns each time while doing exactly the same thing once it runs. Your antivirus has never seen this particular build before and cannot match it against anything in its database. The scan comes back clean. The malware runs. What polymorphism does not change is behaviour, which is why detection has to move from "what does this file look like" to "what is this process doing".

This is not a minor upgrade. It renders signature-based endpoint protection, which is what most small businesses rely on, effectively useless as a first line of defence against this threat: a signature can only stop files it has already seen, and it will never have seen this one. Heuristic and behaviour-based engines can still catch the encryption once it starts, but at that point you are relying on the second line, not the first.

Tags: invisible to signature AV · rewrites itself each deploy · detects sandbox environments
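As an added illustration (not code from the article and not LockBit's), the toy Python below shows what polymorphism does and does not change. A fixed, harmless byte string stands in for the malware's real behaviour; every call to pack() wraps it in a fresh random key and junk prefix, so the hash differs each time and a hash signature learned from yesterday's sample misses today's, while a check on what the sample does after unpacking still hits. The PM1 header, the XOR encoding and the marker string are all assumptions of the example.

```python
import hashlib
import os

# Constructed, benign stand-in for the part of a sample that never changes:
# what it actually does once it runs. This is a toy, not LockBit code.
CORE = b"ENCRYPT_FILES_AND_DROP_NOTE"


def pack(core: bytes = CORE) -> bytes:
    """Produce one fresh 'deployment' of the same core.

    A random 32-byte key and a random-length junk prefix are chosen per build,
    and the core is XOR-encoded under the key, so every build has a different
    SHA-256 hash and different byte patterns while doing exactly the same thing.
    """
    key = os.urandom(32)
    junk = os.urandom(8 + os.urandom(1)[0] % 64)          # 8..71 bytes of noise
    body = bytes(b ^ key[i % 32] for i, b in enumerate(core))
    return b"PM1" + bytes([len(junk)]) + junk + key + body


def unpack(blob: bytes) -> bytes:
    """What the loader does at run time: skip the junk, read the key, decode."""
    if blob[:3] != b"PM1":
        raise ValueError("not a packed blob")
    n = blob[3]
    key = blob[4 + n:4 + n + 32]
    body = blob[4 + n + 32:]
    return bytes(b ^ key[i % 32] for i, b in enumerate(body))


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def signature_match(blob: bytes, known_hashes: set) -> bool:
    """A hash signature: hits only if this exact file has been seen before."""
    return sha256(blob) in known_hashes


def behaviour_match(blob: bytes) -> bool:
    """A behavioural check looks at what the sample does once unpacked, which
    the packer cannot change without changing the malware itself."""
    return b"ENCRYPT_FILES" in unpack(blob)


def demo() -> dict:
    first = pack()                       # the sample a vendor analysed yesterday
    known = {sha256(first)}              # ...and pushed out as a signature
    second = pack()                      # today's deployment of the same malware
    return {
        "hashes_differ": sha256(first) != sha256(second),
        "same_behaviour": unpack(first) == unpack(second),
        "signature_catches_second": signature_match(second, known),
        "behaviour_catches_second": behaviour_match(second),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Real packers are far more elaborate than a XOR loop, but the lesson is the same one the toy shows: the bytes on disk are cheap to change, the actions taken at run time are not.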
Feature 02 — EDR & Telemetry Bypass
Blinds your monitoring tools before encrypting
CRITICAL

Endpoint Detection and Response tools — EDR — are the more sophisticated cousin of antivirus. Rather than just looking for known signatures, they monitor for suspicious behaviour: a process that starts encrypting large numbers of files, a script that disables Windows security settings, a program that attempts to escalate its own privileges. EDR is often cited as the answer to polymorphic malware.

LockBit 4.0 was designed specifically to degrade it. It patches EtwEventWrite, the function in ntdll.dll through which user-mode code emits Event Tracing for Windows (ETW) telemetry, by overwriting its first bytes with a return instruction. Any EDR sensor that relies on ETW events coming from inside the malware's own process is silenced from that moment. It then clears the existing Windows event logs via EvtClearLog, destroying the trail of what happened before encryption began. The malware deletes itself from disk after execution to frustrate forensic recovery. By the time your EDR would normally flag something, there is little left to find except encrypted files.

Two caveats a defender should know. Patching EtwEventWrite only affects telemetry generated in the process that was patched: process-creation and file-write events captured by the kernel, and the Security audit log written by the system, keep flowing, so a properly configured EDR is degraded rather than blind. And clearing a log is itself a loud signal. Windows records Security event 1102 ("the audit log was cleared") and System event 104 when it happens; if your logs are forwarded off the machine to a collector or a cloud SIEM as they are written, the attacker can wipe the local copy and still hand you the alert.

Tags: disables event tracing · self-deletes post-execution · wipes Windows event logs · DLL unhooking + process hollowing
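The signals a defender can still collect are worth seeing concretely. The Python below is an added example, not the article's code or any vendor's. It runs three detections over a handful of constructed Windows-style events (field names are mine, not Windows' or Sysmon's): the 1102/104 log-cleared events, process creations whose command line clears logs (wevtutil, Clear-EventLog), and process creations that destroy recovery options (vssadmin, wmic shadowcopy, bcdedit). It also shows the correlation a small SIEM rule would do: a host that clears logs and deletes shadow copies in the same batch is about to be encrypted and should be isolated.

```python
import re

# Constructed sample events, flattened into dicts the way a log collector
# might present them. Field names are mine, not Windows' or Sysmon's.
SAMPLE_EVENTS = [
    {"host": "FS01", "time": "02:01:10", "channel": "Security", "event_id": 4624,
     "data": {"user": "svc_backup", "logon_type": 10}},
    {"host": "FS01", "time": "02:03:41", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "data": {"image": r"C:\Windows\System32\wevtutil.exe",
              "command_line": "wevtutil cl Security",
              "parent_image": r"C:\Users\Public\upd.exe"}},
    {"host": "FS01", "time": "02:03:42", "channel": "Security", "event_id": 1102,
     "data": {"user": "svc_backup"}},
    {"host": "FS01", "time": "02:03:42", "channel": "System", "event_id": 104,
     "data": {"log": "System"}},
    {"host": "FS01", "time": "02:04:05", "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "data": {"image": r"C:\Windows\System32\vssadmin.exe",
              "command_line": "vssadmin delete shadows /all /quiet",
              "parent_image": r"C:\Users\Public\upd.exe"}},
    {"host": "WS07", "time": "09:15:00", "channel": "Security", "event_id": 4688,
     "data": {"command_line": "notepad.exe invoice.txt"}},
]

# Process-creation events come from Sysmon (event 1) or Security auditing (4688).
PROCESS_CREATE = {("Microsoft-Windows-Sysmon/Operational", 1), ("Security", 4688)}

# Command lines that almost never appear in normal small-business operations.
COMMAND_RULES = [
    ("log_clear_command",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|\bClear-EventLog\b", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\s+.*recoveryenabled\s+no\b", re.I)),
]


def _alert(ev: dict, rule: str, detail: str) -> dict:
    return {"host": ev["host"], "time": ev["time"], "rule": rule, "detail": detail}


def detect(events) -> list:
    """Return one alert per matching event, in input order."""
    alerts = []
    for ev in events:
        key = (ev["channel"], ev["event_id"])
        data = ev.get("data", {})
        if key in (("Security", 1102), ("System", 104)):
            alerts.append(_alert(ev, "event_log_cleared",
                                 f"{ev['channel']} log cleared by {data.get('user', 'unknown')}"))
        elif key in PROCESS_CREATE:
            cmd = data.get("command_line", "")
            for rule, pattern in COMMAND_RULES:
                if pattern.search(cmd):
                    alerts.append(_alert(ev, rule, f"{cmd} (parent: {data.get('parent_image', 'unknown')})"))
    return alerts


def hosts_to_isolate(alerts) -> set:
    """A host with a log clear plus a shadow-copy or recovery tamper in the same
    batch is treated as 'encryption is imminent': pull its network cable."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["rule"])
    return {h for h, rules in by_host.items()
            if "event_log_cleared" in rules and rules & {"shadow_copy_deletion", "recovery_disabled"}}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']} {a['time']} {a['rule']}: {a['detail']}")
    print("isolate:", hosts_to_isolate(found))
```

None of this works if the only copy of the log lives on the machine being wiped: the rule is only useful against events that were shipped to a collector before the clear happened.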
Feature 03 — Double Extortion
Your data is stolen before it is encrypted
HIGH

Older ransomware had one lever: pay us or lose your data. Backups defeated it. LockBit has run a double-extortion model since well before 4.0, and 4.0 continues it: backups alone no longer make the problem go away. Before a single file is encrypted, the affiliate copies your data out to a server they control. Your patient records. Your client files. Your financial data. Your staff information. All of it is on attacker-controlled infrastructure before the encryption even starts.

Now the attacker holds two guns. The first: pay us or your systems stay encrypted. The second: pay us or we publish everything we took on our dark web leak site — where journalists, competitors, and regulators will find it. A backup does not stop the second threat. Even if you restore from backup in four hours, the attacker still holds your data and the demand stands.

For South African businesses subject to POPIA, this second threat is often more frightening than the encryption itself. Section 22 of the Act requires you, once there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorised person, to notify the Information Regulator and the affected data subjects. Your clients find out, your regulator finds out, and the reputational and legal consequences begin regardless of whether you pay.

Tags: data exfiltrated first · dark web leak site · backups don't stop threat 2 · triggers POPIA breach notification

How LockBit 4.0 Gets Into a Small Business

LockBit doesn't need a zero-day exploit or nation-state tooling to compromise your business. It relies on entry paths that exist in almost every small business in South Africa right now — the same misconfigurations and oversights that have always existed, combined with automation that makes finding them trivially easy at scale.

PATH 01
Phishing — The Favourite Entry Point
A convincing email arrives containing either a malicious attachment or a link to a credential-harvesting page that looks exactly like your Microsoft 365 or Google login. The attachment used to be a PDF or an Office document with an embedded macro; since Microsoft began blocking macros in files downloaded from the internet by default in 2022, affiliates lean more on other containers (ISO and IMG disk images, LNK shortcuts, password-protected archives) or skip the attachment entirely and go straight for your password. One click. One wrong password entered on a fake login page. That's all it takes. LockBit affiliates send targeted spear-phishing campaigns, researching your business via LinkedIn, your website, and Google before crafting a message that feels genuine. An invoice from a supplier. A quote request. A SARS document. The email looks real because it was designed to look real.
PATH 02
Exposed RDP — The Favourite Target
Remote Desktop Protocol (RDP, TCP port 3389) is how you, or your IT support, remotely access your business computers. If your server or workstation has RDP enabled and is reachable from the internet, LockBit affiliates will find it. Automated scanners run constantly, mapping every internet-connected device in every IP range. Once an exposed RDP endpoint is found, attackers run credential-stuffing attacks with leaked password lists, or brute-force common username/password combinations. No phishing required. They connect directly to your machine as if they were sitting at the keyboard. RDP with weak credentials, no MFA, and no network restriction is one of the single most common entry points for ransomware globally.
PATH 03
Unpatched Software — The Silent Vulnerability
Every piece of software you run — Windows, your firewall, your practice management system, your VPN client — has known vulnerabilities that are publicly documented in the CVE database. When a patch is released, the vulnerability it fixes is also disclosed, which means attackers immediately have a list of exactly what to exploit on systems that haven't yet applied the update. LockBit affiliates actively scan for businesses running vulnerable versions of Citrix, Fortinet, Microsoft Exchange, and dozens of other platforms. If your systems are behind on patches — which is extremely common in small businesses that rely on a part-time IT contractor — you may already be flagged as a viable target.
PATH 04
Supply Chain & Trusted Third Parties
Your IT support provider, your accounting software vendor, your managed print service — they all have access to your systems. If any of them are compromised, attackers can use that trusted access as a bridge directly into your network. This is a particularly insidious entry path because it bypasses all of your perimeter defences: you've explicitly granted access to someone who, from your network's perspective, looks completely legitimate. The attacker isn't coming through the front door — they're using a key that you handed to your IT guy, who left it on a hook in a room that got broken into.
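Most of the cues staff are trained to spot in Path 01 can be checked by a script before the mail reaches them. The Python below is an added example using only the standard library (not the article's code): it builds two constructed messages, the kind of fake Microsoft 365 invoice described above and an ordinary supplier quote, then triages them for a Reply-To that differs from the sender, a sender domain that borrows a trusted brand name, pressure language, link text showing a different host than the link target, and attachment types that run code. The trusted-domain list, phrase list and extension list are assumptions to be tuned for your business.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this business genuinely deals with (assumed list for the example).
TRUSTED_DOMAINS = {"microsoft.com", "google.com", "sars.gov.za"}
# Attachment types that execute code or smuggle it past mail filters.
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".iso", ".img", ".lnk", ".js", ".vbs", ".hta", ".exe", ".scr"}
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "within 24 hours", "final notice", "account will be closed")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SHOWN_HOST_RE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", re.I)


def parse(raw: bytes) -> EmailMessage:
    return message_from_bytes(raw, policy=policy.default)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def triage(msg: EmailMessage, trusted=TRUSTED_DOMAINS) -> list:
    """Return (rule, detail) pairs; an empty list means nothing looked off."""
    findings = []
    from_dom = domain_of(parseaddr(str(msg.get("From", "")))[1])
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]

    # 1. Replies silently routed to a different domain than the sender shows.
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(("reply_to_mismatch", f"replies go to {domain_of(reply_to)}, sender shows {from_dom}"))

    # 2. Sender domain borrows a trusted brand name but is not that domain.
    for good in trusted:
        brand = good.split(".")[0]
        if brand in from_dom and from_dom != good and not from_dom.endswith("." + good):
            findings.append(("lookalike_sender_domain", f"{from_dom} imitates {good}"))

    # 3. Pressure language in subject or plain-text body.
    plain = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (plain.get_content() if plain else "")).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(("urgency_language", ", ".join(hits)))

    # 4. Link text shows one host, the href goes somewhere else.
    html = msg.get_body(preferencelist=("html",))
    if html:
        for href, inner in LINK_RE.findall(html.get_content()):
            shown = SHOWN_HOST_RE.search(re.sub(r"<[^>]+>", "", inner))
            target = (urlparse(href).hostname or "").lower()
            if shown and shown.group(1).lower() != target:
                findings.append(("link_text_mismatch", f"shows {shown.group(1)}, goes to {target}"))

    # 5. Attachment types that execute.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(("risky_attachment", name))
    return findings


def build_phish() -> bytes:
    """Constructed sample: the fake 'Microsoft 365 invoice' described in Path 01."""
    msg = EmailMessage()
    msg["From"] = '"Microsoft 365 Billing" <billing@microsoft-365-billing.com>'
    msg["Reply-To"] = "recover@invoice-recovery-desk.net"
    msg["To"] = "owner@example-practice.co.za"
    msg["Subject"] = "URGENT: subscription suspended unless payment is confirmed within 24 hours"
    msg.set_content("Confirm immediately at https://portal.office.com/billing")
    msg.add_alternative('<p>Confirm immediately at <a href="https://portal.microsoft-365-billing.com/login">'
                        "https://portal.office.com/billing</a></p>", subtype="html")
    msg.add_attachment(b"PK\x03\x04 not a real document", maintype="application",
                       subtype="octet-stream", filename="Invoice_2391.docm")
    return msg.as_bytes()


def build_benign() -> bytes:
    """Constructed sample: an ordinary supplier message."""
    msg = EmailMessage()
    msg["From"] = "Jane Dlamini <jane@acme-dental-supplies.co.za>"
    msg["To"] = "owner@example-practice.co.za"
    msg["Subject"] = "Quote for the two replacement chairs"
    msg.set_content("Hi, quote to follow as discussed. Jane")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("phish", build_phish()), ("benign", build_benign())):
        print(label, triage(parse(raw)))
```

A script like this is a filter, not a verdict: a genuine supplier can have a sloppy Reply-To, and a well-made phish can pass every check. Its job is to make sure the obvious ones never reach a busy receptionist at 16:55 on a Friday.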
🔑
THE AFFILIATE MODEL CHANGES EVERYTHING

LockBit's RaaS model means none of these attacks require a skilled attacker. The affiliate buys access to the tooling for roughly $500 in Bitcoin, receives a full management dashboard, and is handed ready-made attack infrastructure. A moderately motivated criminal with no deep technical skills can run a successful LockBit campaign. The barrier to entry is lower than ever — and the volume of attacks reflects that reality.

What a LockBit 4.0 Attack Looks Like From the Inside

The attack doesn't announce itself. From your perspective, everything is normal — until it isn't. Here is how a typical LockBit 4.0 campaign against a small business unfolds, drawn from documented incident response data.

DAYS
1–14
Silent Reconnaissance — You Notice Nothing
The attacker is inside your network using a compromised credential or exploited vulnerability. They are not encrypting anything. They are watching. They map your network, identify all connected devices, locate your backup systems, find your most valuable data stores, understand your business operations, and identify the staff accounts with the most privilege. This phase can last days or weeks. During this time your normal security tools see nothing unusual because the attacker is using legitimate tools and legitimate credentials to move around. It is also the only phase in which you could still catch them cheaply: a login from a country nobody in the business is in, a new administrator account nobody created, a remote-access tool nobody installed. If anyone is looking, those are visible.
DAYS
15–17
Data Exfiltration — The Data Leaves Before Encryption
Having identified your most valuable data — client records, financial files, staff information, intellectual property — the attacker begins systematically copying it out to an external server they control. This is the double-extortion setup. For a small business, the data that matters most is often small enough in size that this exfiltration completes in hours and doesn't generate obvious network traffic anomalies that a non-monitored environment would ever detect. Your cloud backup continues running. Your systems remain functional. You have no idea this is happening.
DAY 18
02:00
Deployment — Always at Night or on a Weekend
Ransomware is almost always deployed outside business hours. The attacker wants maximum encryption time before anyone notices. LockBit 4.0 patches Windows event tracing, clears logs, then begins encrypting. It targets network shares as well as local drives — meaning every PC connected to your server at that time is encrypted simultaneously. A manufacturing firm hit in January 2026 had 90% of file servers encrypted in under 45 minutes. Backup systems are targeted first, specifically to eliminate your recovery path before you even know an attack is in progress.
DAY 18
07:30
You Arrive at Work to Find a Ransom Note
Every desktop wallpaper has been replaced with a ransom note. Every folder contains a text file with payment instructions. Some printers print the note automatically. Your files have randomised 16-character extensions — they are completely inaccessible. Your practice management software won't open. Your accounting system won't open. Your backup drive shows the same encrypted files. The note gives you a deadline — typically 72 hours — and a dark web address for negotiation. Average recovery time without paying: 22 days. Average ransom demand for small businesses: between R500,000 and R2,000,000. And even if you pay, there is no guarantee the decryption key works.

The POPIA Dimension — Why South African Businesses Face a Second Crisis

Most cybersecurity articles written for a global audience stop after describing the operational disruption. For South African businesses, there is a second crisis that runs in parallel — and in many cases causes more lasting damage than the ransomware itself.

The Protection of Personal Information Act (POPIA) places specific obligations on any "responsible party" — that's any business that processes the personal information of South African residents. If LockBit's double-extortion attack succeeds in exfiltrating your data, POPIA's breach notification provisions are triggered. You are required to notify the Information Regulator and, in most cases, your affected data subjects — your clients, your patients, your employees — as soon as reasonably possible after becoming aware of the breach.

⚖️
PAYING THE RANSOM DOESN'T MAKE YOU COMPLIANT

This is a critical misunderstanding. Some business owners believe that paying the ransom, recovering the decryption key, and restoring systems means the incident "didn't happen" from a regulatory perspective. It did happen. Your data left your control. Whether the attacker honours the ransom and deletes their copy — which is unverifiable and frequently not true — is irrelevant to your POPIA obligations. The breach occurred the moment the data was exfiltrated. Notification is required. The Information Regulator has enforcement powers including administrative fines and, in serious cases, criminal prosecution of responsible parties.

The practical consequence of this is that a successful LockBit 4.0 attack against a South African small business triggers a cascade of simultaneous crises: operational shutdown, financial ransom demand, mandatory regulatory notification, client notification and the resulting reputational damage, potential civil claims from affected data subjects, and the costs of forensic investigation to determine exactly what was taken. Small businesses routinely underestimate how expensive the regulatory and reputational tail of a ransomware incident is relative to the ransom itself.

Six Things to Do Before LockBit Finds You

LockBit 4.0's evasion capabilities are real and significant. But the same truth applies here as it does to almost every cyberattack: the attackers still need an entry point. They still need to find you, get in, move around undetected, and exfiltrate your data before encrypting. Every one of those steps can be disrupted. None of these fixes require an enterprise IT budget.

01
Implement Multi-Factor Authentication Everywhere
MFA is the single highest-impact, lowest-cost security control available to a small business. Enable it on your Microsoft 365 or Google Workspace tenant, your remote access solution, your cloud storage, and your banking platform. An attacker who has your password still cannot log in without the second factor. The brute-forced or phished credential, LockBit's most common entry mechanism, stops being enough on its own. Two caveats: SMS codes and plain push prompts can be relayed by a phishing page that proxies the real login in real time, or worn down by repeated prompts until someone taps "approve", so use an authenticator app with number matching for everyone and a hardware security key or passkey for the accounts that administer your tenant. This is free, takes less than 30 minutes to implement, and makes you dramatically harder to attack than businesses without it.
02
Audit and Restrict RDP — Close It or Lock It Down
If you don't need RDP reachable from the internet, remove the port-forward or put it behind a VPN that itself requires MFA. If your IT support needs remote access, use a dedicated remote management tool with MFA rather than raw RDP on port 3389; if RDP must stay, restrict it to known source IP addresses and keep Network Level Authentication on. Check your router: many small businesses had RDP port-forwarded for IT convenience years ago and forgot about it. If you don't know whether your RDP is exposed, Greyhat4Hire's free Hacker's Dossier tool will show you exactly what's visible from the internet on your domain in under 60 seconds.
03
Maintain Offline, Air-Gapped Backups
LockBit targets backup systems specifically. Any backup that is continuously connected to your network, a NAS share, an always-on cloud sync, a USB drive left plugged in, will be encrypted along with everything else (a sync service faithfully copies the encrypted versions up too). You need a backup that is physically or logically disconnected from your network at the time of attack. The simplest implementation: a rotation of external drives that you physically disconnect and store off-site after each backup; the cloud equivalent is a backup service whose retained versions cannot be deleted or overwritten from your account for a set period. The 3-2-1 rule, three copies, on two different media types, with one kept off-site, is the standard. It survives ransomware, provided you also test a restore every few months: a backup you have never restored from is a hope, not a plan.
04
Patch Aggressively and on a Schedule
Unpatched systems are one of the most reliable entry paths in LockBit's playbook. Enable automatic updates on Windows. Make patching your firewall, VPN appliance, and any internet-facing services a scheduled, documented monthly task rather than something that happens whenever someone gets around to it, and treat a vendor's emergency advisory for an internet-facing device as a same-week job. Every day a critical patch sits unapplied is a day your system sits on a target list that anyone can assemble with a free internet scanner and a published exploit.
05
Train Your Staff to Recognise Phishing
Your staff are not the weakest link in your security chain — they are the most powerful one if they know what to look for. A brief, practical training session on how to identify phishing emails — urgency cues, mismatched sender addresses, unexpected attachments, requests that bypass normal process — changes the outcome of a phishing attack from "one click and we're in" to "staff member reports suspicious email." Greyhat4Hire offers security awareness training specifically designed for small professional practice teams, not for enterprise IT departments.
06
Know What You're Exposed To — Get Tested
You cannot defend what you cannot see. A penetration test conducted by someone who thinks like an attacker — which is, incidentally, exactly what I do — will identify your real entry points: the exposed services, the weak credentials, the network misconfigurations, the gaps in your backup strategy. It gives you a prioritised, practical remediation list. The cost of a small business penetration test is a fraction of one day of ransomware downtime, let alone a seven-figure ransom demand.
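To check the exposure described in Path 02 and Step 02 without relying on anyone's tool, the Python below (an added example, not the article's or Greyhat4Hire's code) tries to connect to the ports ransomware scanners probe first and turns the result into actions. Run it from a network outside your office, for instance a phone hotspot, against your public IP address, because from inside the LAN it only tells you what the office can reach, not what the internet can. The port list and the placeholder address 203.0.113.10 are assumptions.

```python
import socket
import sys

# Services that affiliate scanners probe first. Assumed list for this example;
# the article names RDP specifically.
RISKY_PORTS = {
    3389: "RDP", 445: "SMB", 5900: "VNC", 22: "SSH", 23: "Telnet", 21: "FTP",
    5985: "WinRM", 1433: "MSSQL", 3306: "MySQL",
}


def check_port(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, timed out, no route
        return False


def exposure_report(host: str, ports=RISKY_PORTS, timeout: float = 2.0) -> dict:
    """Map service name -> reachable? for every port in the list."""
    return {name: check_port(host, port, timeout) for port, name in ports.items()}


def assess(report: dict) -> list:
    """Turn a report into prioritised actions. Anything reachable is a finding;
    RDP and SMB are called out first because they are the ransomware entry points."""
    actions = []
    if report.get("RDP"):
        actions.append("CRITICAL: RDP is reachable from the internet. "
                       "Remove the port-forward or put it behind a VPN with MFA today.")
    if report.get("SMB"):
        actions.append("CRITICAL: SMB (Windows file sharing) is reachable from the internet. It should never be.")
    for name, reachable in report.items():
        if reachable and name not in ("RDP", "SMB"):
            actions.append(f"HIGH: {name} is reachable from the internet. "
                           "Confirm it is needed, patched and behind MFA.")
    if not actions:
        actions.append("No listed service reachable. Repeat after any router or firewall change.")
    return actions


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"   # placeholder address
    for line in assess(exposure_report(target)):
        print(line)
```

It reports reachability only: an RDP port that answers is a finding even if the password is strong, and a VPN listening on 443 is expected and deliberately not in the list. Run it against an address you own or have permission to test.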

From One South African to Another

I built Greyhat4Hire because I kept seeing the same story. A small practice owner — dentist, attorney, accountant, physio — who ran a good business, looked after their clients, and had absolutely no reason to think they were a target for serious cybercrime. Then they were. The attack didn't care how good they were at their job or how loyal their clients were. It cared that their RDP was exposed, or that someone on their team clicked a link, or that their backups were plugged into the network 24 hours a day.

LockBit 4.0 is not a more dangerous version of the same old threat because the code got better — although it did. It's more dangerous because the affiliate model means the number of attackers looking for businesses like yours has increased by an order of magnitude, the barrier to running an attack has dropped to near zero, and the detection gap created by polymorphic code and telemetry bypass means your existing defences are less effective than they were a year ago.

The good news is that the fundamentals still work. MFA, offline backups, patch management, and staff awareness would prevent the overwhelming majority of LockBit attacks. These are not exotic or expensive interventions. They are basic hygiene that the vast majority of South African small businesses have not yet implemented.

If you are not sure whether your business would survive a LockBit attack, it would be my pleasure to find out for you — before the attackers do.

🦷
Dr David Sykes
Dentist · Penetration Tester · Founder, Greyhat4Hire · South Africa

Dr Sykes runs a dental practice and a cybersecurity consultancy out of the same brain. His unusual position — understanding both how healthcare and professional practices operate and how attackers think about them — drives Greyhat4Hire's focus on small South African businesses that have been largely ignored by the enterprise-focused security industry.