A recent breach of the LockBit ransomware group's infrastructure resulted in the leak of an internal database, revealing significant intelligence about the group's operations.
Cyble analyzed the leaked database in an advisory sent to clients this week, revealing interesting details about ransom payments, exploited vulnerabilities and the structure of the ransomware group.
On May 7, an unidentified actor compromised LockBit's infrastructure and defaced the group's dark web affiliate panels with the message: "Don't do crime CRIME IS BAD xoxo from Prague." The attacker also released a complete database, dumped on April 29 based on its metadata, which revealed extensive details about LockBit's Ransomware-as-a-Service (RaaS) operations from December 19 through the date of the data dump.
LockBit was probably the most active ransomware group until a series of law enforcement actions slowed the group considerably beginning in February 2024, so the leaked database detailing the group's inner workings is likely to further complicate its comeback plans.
LockBit Leak Exposed Affiliates, Chat Logs, Targets
The leak exposed a total of 75 LockBit affiliate accounts, 246 victim organization chat logs, and nearly 600 potential targets, which Cyble inferred from custom ransomware builders generated for specific domains. The leak also included communication logs, cryptocurrency transaction records, and affiliate-specific links, "which may help identify potential future connections between LockBit affiliates and other ransomware groups," the Cyble advisory said.
"The database provides unprecedented visibility into the inner workings of the LockBit ransomware operation, including their management panel, affiliate program, victim management system, and ransom negotiation platform," Cyble said.
The 'users' table, one of 21 tables in the database, contains 75 records of LockBit affiliates and operators, with login credentials, unencrypted passwords, permission levels, registration dates, and communication identifiers.
The ‘invites’ table (3,693 records) documents the threatening invites sent to targeted organizations, including invitation codes and cryptocurrency wallet addresses for payment.
The ‘clients’ table contains 246 records of victim organizations, including encryption status, ransom payment status, and negotiation records. 239 organizations logged into the platform, and 208 interacted in the chats.
The database "reveals a consistent pattern of initial victim profiling," Cyble said. Build records with company_website and revenue fields are created before attack execution, and custom ransomware builds are generated with company-specific configurations and unique encryption keys.
The ‘visits’ table (2,398 records) tracks victim portal activities and engagement with the ransom demands. Multiple visit timestamps for the same client-id show patterns of victim engagement, often intensifying near payment deadlines.
Cyble said 10-20% discounts are provided for fast payment, and payments are accepted only in BTC and Monero. A free decryptor is provided for Russia-based victims.
Ransom Payment Rate Could Be Below 10%
Only 18 chat logs included information indicating a ransom payment, which Cyble said suggests a payment rate of approximately 8.6% relative to the total number of victims. Of those chat logs, only two payments exceeded $100,000, while seven were under €10,000. The remaining nine payments fell between those two amounts, Cyble said.
Nearly 60,000 Bitcoin wallet addresses belonging to LockBit affiliates identified in the leak may have been used to receive ransom payments from targeted organizations. The records contain details about payment status and affiliate commission distribution.
The leak suggests that LockBit decrypts the encrypted data in phases, as there were records indicating "decrypt_done", "decrypt_2_done" and "decrypt_3_done", likely to maximize ransom collection, Cyble said.
Connections with other ransomware groups' affiliates were also revealed in the data. The HellCat group, which recently announced its shutdown and the transfer of its brand, had been affiliated with LockBit since January 15, and chats revealed that affiliates of RansomHub joined the LockBit group amid uncertainty over RansomHub's future.
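As an added illustration, not part of Cyble's advisory or of the leaked data itself, the following Python sketch shows how an analyst might triage records from a dump like the one described above: computing the share of victims that paid, bucketing payment amounts into the same three bands the article uses (under 10,000, between, over 100,000), and checking whether victim-portal visits cluster in the window before the ransom deadline. Only the table names ('clients', 'visits') come from the article; every row, field name (`paid`, `amount_usd`, `deadline`, `ts`, `client_id`) and threshold below is a constructed assumption, since the real schema is not on this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows modelled on the 'clients' and 'visits' table names
# quoted in the advisory. Field names and values are assumptions for illustration.
CLIENTS = [
    {"id": 1, "company_website": "alpha.example", "paid": True,  "amount_usd": 150_000, "deadline": "2025-03-10T00:00:00"},
    {"id": 2, "company_website": "beta.example",  "paid": False, "amount_usd": None,    "deadline": "2025-03-12T00:00:00"},
    {"id": 3, "company_website": "gamma.example", "paid": True,  "amount_usd": 5_000,   "deadline": "2025-03-14T00:00:00"},
    {"id": 4, "company_website": "delta.example", "paid": True,  "amount_usd": 40_000,  "deadline": "2025-03-15T00:00:00"},
    {"id": 5, "company_website": "eps.example",   "paid": False, "amount_usd": None,    "deadline": "2025-03-20T00:00:00"},
]

VISITS = [
    {"client_id": 1, "ts": "2025-03-01T09:00:00"},
    {"client_id": 1, "ts": "2025-03-08T10:00:00"},
    {"client_id": 1, "ts": "2025-03-09T08:00:00"},
    {"client_id": 1, "ts": "2025-03-09T20:00:00"},
    {"client_id": 2, "ts": "2025-03-02T14:00:00"},
    {"client_id": 4, "ts": "2025-03-13T01:00:00"},
    {"client_id": 4, "ts": "2025-03-14T22:00:00"},
    {"client_id": 99, "ts": "2025-03-05T12:00:00"},  # orphan row: no matching client record
]


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the constructed rows."""
    return datetime.fromisoformat(value)


def payment_rate(clients):
    """Share of victim records whose status indicates a ransom was paid (0.0 for an empty set)."""
    if not clients:
        return 0.0
    paid = sum(1 for c in clients if c["paid"])
    return paid / len(clients)


def bucket_payments(clients, low=10_000, high=100_000):
    """Count paid ransoms below `low`, above `high`, and in between (unpaid rows are skipped)."""
    buckets = {"under_low": 0, "between": 0, "over_high": 0}
    for c in clients:
        if not c["paid"] or c["amount_usd"] is None:
            continue
        amount = c["amount_usd"]
        if amount < low:
            buckets["under_low"] += 1
        elif amount > high:
            buckets["over_high"] += 1
        else:
            buckets["between"] += 1
    return buckets


def deadline_engagement(visits, clients, window=timedelta(hours=48)):
    """Per client: total portal visits and how many fall inside `window` before the deadline.

    Visits referencing an unknown client_id are skipped rather than counted, so a
    referential gap in the dump cannot inflate the engagement numbers.
    """
    deadlines = {c["id"]: parse_ts(c["deadline"]) for c in clients}
    stats = defaultdict(lambda: {"total": 0, "near_deadline": 0})
    for v in visits:
        cid = v["client_id"]
        if cid not in deadlines:
            continue
        ts = parse_ts(v["ts"])
        stats[cid]["total"] += 1
        if deadlines[cid] - window <= ts <= deadlines[cid]:
            stats[cid]["near_deadline"] += 1
    return dict(stats)


def clients_intensifying(stats):
    """Client ids with at least two visits where a strict majority fall in the pre-deadline window."""
    return sorted(cid for cid, s in stats.items()
                  if s["total"] >= 2 and s["near_deadline"] * 2 > s["total"])


if __name__ == "__main__":
    print("payment rate:", payment_rate(CLIENTS))
    print("payment bands:", bucket_payments(CLIENTS))
    engagement = deadline_engagement(VISITS, CLIENTS)
    print("engagement:", engagement)
    print("intensifying near deadline:", clients_intensifying(engagement))
```

The 48-hour window and the majority rule in `clients_intensifying` are arbitrary analyst choices; on a real dataset they would be tuned against the observed deadline distribution, and the orphan-row handling in `deadline_engagement` is where schema inconsistencies in a dump usually surface first.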
Possible Exploited Vulnerabilities
In one of the chat exchanges, a LockBit affiliate confirmed that access to a victim's network was obtained through a vulnerability in FortiVPN, but the exact nature of the vulnerability could not be determined.
In a chat exchange with one victim, a LockBit affiliate responded to the victim's question about indicators of attack by citing the exploitation of several domain security issues, including weak passwords, exposed admin accounts, open ports, and missing backups.
Analysis of 73 unique handler profiles and exposed contact details revealed potential aliases used by threat actors on underground forums, Cyble said.
On XSS, one actor was seen expressing interest in Initial Access Brokers (IABs) and the exploitation of CVE-2024-55591 in FortiOS. Other notable activities include a clear focus on EDR evasion, phishing toolkits, Rust-based stealers, and delivery mechanisms such as .MSC files. The actor also demonstrated the use of reconnaissance tools like Shodan and Acunetix, suggesting a hands-on operational profile, Cyble said.
Recent forum activity indicated one actor's interest in purchasing corporate access and in vulnerabilities such as CVE-2024-3400. Other notable activities by the actor include advertising pentesting services, identifying IPs behind WAF or Cloudflare protection, and referencing exploitation of CVE-2023-3824 and CVE-2024-6387, "pointing to a technically capable actor with a focus on access facilitation and exploitation," Cyble said.
The leaked LockBit database shows that even as the list of the most active ransomware groups changes, there is no shortage of technically capable affiliates ready to join the next leader.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.