Full Report
A recent breach of the LockBit ransomware group’s infrastructure resulted in the leak of an internal database, revealing significant intelligence about the group’s operations. Cyble’s analysis of the leaked database, delivered in an advisory sent to clients this week, reveals details about ransom payments, exploited vulnerabilities and the structure of the ransomware group. On May 7, an unidentified actor compromised LockBit’s infrastructure and defaced the group’s dark web affiliate panels with the message: "Don't do crime CRIME IS BAD xoxo from Prague." The attacker also released a complete database, dumped on April 29 according to its metadata, which revealed extensive details about LockBit’s Ransomware-as-a-Service (RaaS) operations from December 19 through the date of the dump. LockBit was the most active ransomware group until a series of law enforcement actions slowed it considerably beginning in February 2024, so a leaked database detailing the group’s inner workings is likely to further complicate its comeback plans.
LockBit Leak Exposed Affiliates, Chat Logs, Targets
The leak exposed a total of 75 LockBit affiliate accounts, 246 victim organization chat logs, and almost 600 potential targets, which Cyble inferred from custom ransomware builders generated for specific domains. The leak also included communication logs, cryptocurrency transaction records, and affiliate-specific links, “which may help identify potential future connections between LockBit affiliates and other ransomware groups,” the Cyble advisory said. “The database provides unprecedented visibility into the inner workings of the LockBit ransomware operation, including their administration panel, affiliate program, victim management system, and ransom negotiation platform,” Cyble said.
The 'users' table, one of 21 tables in the database, contains 75 records of LockBit affiliates and operators, with login credentials, unencrypted passwords, permission levels, registration dates, and communication identifiers. The 'invites' table (3,693 records) documents the threatening invites sent to targeted organizations, including invitation codes and cryptocurrency wallet addresses for payment. The 'clients' table contains 246 records of victim organizations, including encryption status, ransom payment status, and negotiation records; 239 of those organizations logged into the platform, and 208 interacted in the chats. The database “reveals a consistent pattern of initial victim profiling,” Cyble said: build records with company_website and revenue fields are created before attack execution, and custom ransomware builds are generated with company-specific configurations and unique encryption keys. The 'visits' table (2,398 records) tracks victim portal activity and engagement with the ransom demands. Multiple visit timestamps for the same client ID show patterns of victim engagement, often intensifying near payment deadlines. Cyble said 10-20% discounts are offered for fast payment, and payments are accepted only in BTC and Monero. A free decryptor is provided for Russia-based victims.
Ransom Payment Rate Could Be Below 10%
Only 18 chat logs included information indicating a ransom payment, which Cyble said suggests a payment rate of approximately 8.6% (18 of the 208 organizations that engaged in chat; measured against all 246 victim records the rate is about 7.3%). Of those 18, only two payments exceeded $100,000, while seven were under €10,000. The remaining nine fell between those two amounts, Cyble said. Nearly 60,000 Bitcoin wallet addresses belonging to LockBit affiliates were identified in the leak and may have been used to receive ransom payments from targeted organizations; the records contain details about payment status and affiliate commission distribution.
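The figures above (payment rate, potential targets inferred from builds, visits clustering before deadlines) come from joining a handful of panel tables. The following is an added example, not Cyble's code and not the leaked schema: a sqlite3 replay of that kind of analysis over constructed rows. Table and column names (clients, builds, visits, company_website, paid, deadline, ts) are assumptions modelled on the article's description.

```python
import sqlite3
from datetime import datetime, timedelta

# Schema modelled loosely on the tables the article describes. Column names
# are assumptions for this example, not the leak's real ones.
SCHEMA = """
CREATE TABLE clients (id INTEGER PRIMARY KEY, company_website TEXT,
                      revenue INTEGER, paid INTEGER, deadline TEXT);
CREATE TABLE builds  (id INTEGER PRIMARY KEY, company_website TEXT, client_id INTEGER);
CREATE TABLE visits  (id INTEGER PRIMARY KEY, client_id INTEGER, ts TEXT);
"""


def load_sample(conn):
    """Constructed rows: five victim records (two paid), two builds for
    domains that never became victims, and visits clustered before deadlines."""
    base = datetime(2025, 3, 1, 12, 0)
    clients = [
        (1, "alpha.example",    50_000_000, 1, (base + timedelta(days=5)).isoformat()),
        (2, "bravo.example",     8_000_000, 0, (base + timedelta(days=5)).isoformat()),
        (3, "charlie.example", 120_000_000, 1, (base + timedelta(days=7)).isoformat()),
        (4, "delta.example",     2_000_000, 0, (base + timedelta(days=3)).isoformat()),
        (5, "echo.example",        900_000, 0, (base + timedelta(days=3)).isoformat()),
    ]
    # Every victim got a build; two more builds exist for domains with no victim record.
    builds = [(i, c[1], c[0]) for i, c in enumerate(clients, 1)]
    builds += [(6, "foxtrot.example", None), (7, "golf.example", None)]
    visits, vid = [], 1
    for cid, _, _, _, dl in clients:
        deadline = datetime.fromisoformat(dl)
        # One early visit, then a burst inside the last 48 hours before the deadline.
        for hours_before in (96, 30, 20, 6, 2):
            visits.append((vid, cid, (deadline - timedelta(hours=hours_before)).isoformat()))
            vid += 1
    conn.executemany("INSERT INTO clients VALUES (?,?,?,?,?)", clients)
    conn.executemany("INSERT INTO builds VALUES (?,?,?)", builds)
    conn.executemany("INSERT INTO visits VALUES (?,?,?)", visits)


def payment_rate(conn):
    """Share of victim records with a recorded payment (the 18-of-246 style figure)."""
    paid, total = conn.execute("SELECT SUM(paid), COUNT(*) FROM clients").fetchone()
    return paid / total


def potential_targets(conn):
    """Domains that received a custom build but never appear as a victim record."""
    rows = conn.execute("""
        SELECT DISTINCT b.company_website FROM builds b
        LEFT JOIN clients c ON c.company_website = b.company_website
        WHERE c.id IS NULL ORDER BY 1""").fetchall()
    return [r[0] for r in rows]


def visit_share_near_deadline(conn, hours=48):
    """Fraction of portal visits inside the last `hours` before the client's
    deadline; a high value is the 'intensifying near deadline' pattern."""
    near, total = conn.execute("""
        SELECT SUM(CASE WHEN julianday(c.deadline) - julianday(v.ts) <= ? THEN 1 ELSE 0 END),
               COUNT(*)
        FROM visits v JOIN clients c ON c.id = v.client_id""", (hours / 24.0,)).fetchone()
    return near / total


def analyse():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    load_sample(conn)
    return {
        "payment_rate": payment_rate(conn),
        "potential_targets": potential_targets(conn),
        "visit_share_last_48h": visit_share_near_deadline(conn),
    }


if __name__ == "__main__":
    print(analyse())
```

On a real dump the same three queries are the starting point; the denominators matter (victim records vs. organizations that actually chatted), which is why the article's 8.6% and a naive 18/246 differ.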
The leak suggests that LockBit decrypts victims’ data in a phased manner, as there were records indicating "decrypt_done", "decrypt_2_done" and "decrypt_3_done", likely to maximize ransom collection, Cyble said. Connections with other ransomware groups’ affiliates were also revealed in the data. The HellCat group, which recently announced its shutdown and the transfer of its brand, had been affiliated with LockBit since January 15, and chats revealed that affiliates of RansomHub joined LockBit amid uncertainty over RansomHub’s future.
Possible Exploited Vulnerabilities
In one chat exchange, a LockBit affiliate confirmed that access to a victim's network was obtained through a vulnerability in FortiVPN, but the exact vulnerability could not be determined. In an exchange with another victim, an affiliate answered the victim’s question about indicators of attack by listing several domain security issues it had exploited, including weak passwords, exposed admin accounts, open ports, and missing backups. Analysis of 73 unique handler profiles and exposed contact details revealed potential aliases used by threat actors on underground forums, Cyble said. On the XSS forum, one actor was seen expressing interest in Initial Access Brokers (IABs) and in the exploitation of CVE-2024-55591 in FortiOS. Other notable activities include a clear focus on EDR evasion, phishing toolkits, Rust-based stealers, and delivery mechanisms such as .MSC files. The same actor demonstrated the use of reconnaissance tools like Shodan and Acunetix, suggesting a hands-on operational profile, Cyble said. Recent forum activity indicated one actor’s interest in acquiring corporate access and in vulnerabilities such as CVE-2024-3400.
Other notable activities by the actor include advertising pentesting services, identifying IPs behind WAF or Cloudflare protection, and referencing exploitation of CVE-2023-3824 and CVE-2024-6387, “pointing to a technically capable actor with a focus on access facilitation and exploitation,” Cyble said. The leaked LockBit database shows that even as the list of most active ransomware groups changes, there is no shortage of technically capable affiliates ready to join the next leader.
Analysis Summary
# Threat Actor: LockBit Affiliates (Ransomware Ecosystem)
## Attribution & Identity
The summary focuses on affiliates and actors associated with the **LockBit** ransomware ecosystem, discussed in the context of a data leak revealing operational details. The analysis mentions technically capable actors involved in access facilitation, suggesting a decentralized, Ransomware-as-a-Service (RaaS) model where affiliates perform the initial infiltration and execution.
## Activity Summary
The activity centers around revelations from a LockBit data leak, highlighting operational details, including ransom payment specifics and the access methods affiliates used. Affiliates are shown negotiating with victims and, in one case, explaining to a victim which weaknesses gave them access. The data also records ecosystem shifts: HellCat's affiliation with LockBit and RansomHub affiliates joining LockBit amid uncertainty over RansomHub's future.
## Tactics, Techniques & Procedures
- Gaining initial access through vulnerabilities in internet-facing systems: one victim chat confirms entry via an unspecified FortiVPN flaw, while forum activity by actors tied to the leak shows interest in CVE-2024-55591 (FortiOS), CVE-2024-3400 (PAN-OS GlobalProtect), CVE-2023-3824 (PHP) and CVE-2024-6387 (OpenSSH).
- Exploiting security weaknesses such as weak passwords, exposed admin accounts, and open ports.
- Leveraging victims' missing backups (cited by an affiliate as one of the weaknesses that enabled the attack).
- Focus on EDR evasion (seen in forum activity; no specific tooling is named).
- Employing phishing toolkits.
- Using Rust-based stealers.
- Delivery mechanisms involving **.MSC files**.
- Using reconnaissance tools like Shodan and Acunetix.
- Advertising "pentesting" services on underground forums, i.e. access facilitation.
- Techniques for identifying origin IPs behind WAF or Cloudflare protection.
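The ".MSC files as a delivery mechanism" item (also noted in the article's forum analysis) is a detection engineer's concern as much as a TTP: a console file launched from a mail or download location, or mmc.exe spawning a script host, is the observable. The following is an added example, not part of the article or Cyble's advisory: detection logic run over constructed process-creation events in a simplified Sysmon Event ID 1 shape. Field names, the user-writable path list and the child-process list are assumptions to tune per environment.

```python
import re

# Locations a delivered file typically lands in (assumption; extend per environment).
USER_WRITABLE = re.compile(r"\\(Downloads|Desktop|Temp|INetCache|Outlook)\\", re.I)
# Children mmc.exe has little reason to launch during ordinary console use.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Constructed events (not real telemetry), shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Windows\System32\services.msc"'},
    {"ProcessGuid": "{A2}", "Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\j doe\Downloads\Invoice_2025.msc"'},
    {"ProcessGuid": "{A3}", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"powershell -nop -w hidden -enc AAAA"},
    {"ProcessGuid": "{A4}", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]


def image_name(path):
    """Bare executable name, lower-cased, from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def msc_argument(cmdline):
    """Return the .msc path passed on the command line, handling quoted paths with spaces."""
    m = re.search(r'"([^"]+\.msc)"|(\S+\.msc)\b', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def evaluate(events):
    """Two rules: mmc.exe opening a console file from a user-writable path, and
    a script host whose parent is mmc.exe. Returns (guid, rule, detail) tuples."""
    alerts = []
    for e in events:
        img = image_name(e["Image"])
        parent = image_name(e.get("ParentImage", ""))
        cmd = e.get("CommandLine", "")
        if img == "mmc.exe":
            msc = msc_argument(cmd)
            if msc and USER_WRITABLE.search(msc):
                alerts.append((e["ProcessGuid"], "mmc.exe loaded .msc from user-writable path", msc))
        elif parent == "mmc.exe" and img in SCRIPT_HOSTS:
            alerts.append((e["ProcessGuid"], "script host spawned by mmc.exe", cmd))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The first rule is low-noise because administrators open consoles from System32 or network shares, not from Downloads; the second will need an allowlist wherever helpdesk tooling legitimately scripts from MMC.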
## Targeting
- Sectors: Not explicitly detailed; the operational context implies **any organization reachable through exploitable initial access**, with edge devices such as Fortinet VPN appliances a recurring entry point.
- Geography: Not specified beyond the note that Russia-based victims receive a free decryptor, implying Russia is excluded from targeting.
- Victims: Specific victims are **not named** in the provided text excerpt, only generalized descriptions of network access gained.
## Tools & Infrastructure
- **Malware families used:** LockBit itself, built per victim with company-specific configuration and unique keys; Rust-based stealers discussed on forums (specific names not provided).
- **Infrastructure (C2, domains, IPs):** No specific C2 addresses, domains, or malicious IPs are mentioned or defanged in the provided text.
## Implications
The leak underscores the persistent, technically capable nature of LockBit affiliates, even amid ecosystem shakeups such as the HellCat shutdown and the RansomHub uncertainty. The access methods visible in the data (an edge VPN vulnerability, weak passwords, exposed admin accounts, open ports) are known flaws and hygiene failures rather than zero-days. The forum interests observed (EDR evasion, stealers, .MSC delivery, reconnaissance tooling) point to capable operators; the findings summarised here do not describe post-access activity such as data exfiltration, so no conclusion about it should be drawn from this leak.
## Mitigations
- Patch promptly, prioritising the vulnerabilities the actors referenced: CVE-2024-55591 (FortiOS/FortiProxy), CVE-2024-3400 (Palo Alto PAN-OS GlobalProtect), CVE-2024-6387 (OpenSSH) and CVE-2023-3824 (PHP). Only the first is a Fortinet issue; the FortiVPN flaw used against one victim was not identified, so keep all Fortinet SSL-VPN exposure current.
- Implement strong password policies and enforce multi-factor authentication (MFA) on administrative accounts.
- Audit and restrict access to exposed administrative accounts and public-facing administrative ports.
- Ensure robust, tested, and segregated backups are maintained.
- Deploy robust Endpoint Detection and Response (EDR) solutions capable of detecting sophisticated evasion tactics.
- Utilize WAFs and Cloudflare where applicable for ingress protection, but do not rely on them alone: actors advertise origin-IP discovery, so restrict the origin to accept connections only from the provider's published address ranges (or authenticated origin pulls) and nothing else.
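An origin that answers anyone who finds its address gives the WAF nothing to protect. The following is an added example, not from the article or any vendor: the admission check an origin should apply, combining a source-range allowlist with a secret the CDN injects into forwarded requests. The CIDR ranges, header name and token value are constructed placeholders; the real ranges must be fetched from the provider and refreshed.

```python
import hmac
import ipaddress

# Constructed placeholder for the CDN/WAF provider's published egress ranges.
CDN_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:1::/48")]
# Constructed secret the CDN adds to every forwarded request via a header-rewrite
# rule; header name and value are assumptions for this example.
ORIGIN_HEADER = "X-Origin-Auth"
ORIGIN_TOKEN = "5b1e0c7a9d3f4e2b8c6a1f0e9d8c7b6a"


def from_cdn(peer_ip):
    """Check the TCP peer address, never X-Forwarded-For (the client controls that)."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in CDN_RANGES)


def has_origin_token(headers):
    """Constant-time comparison so the token cannot be recovered byte by byte."""
    return hmac.compare_digest(headers.get(ORIGIN_HEADER, ""), ORIGIN_TOKEN)


def admit(peer_ip, headers):
    """Both checks must pass. The range check blocks direct hits on a discovered
    origin IP; the token check blocks requests relayed through the same CDN by
    another tenant whose zone has been pointed at this origin."""
    if not from_cdn(peer_ip):
        return False, "peer address outside CDN ranges (direct-to-origin)"
    if not has_origin_token(headers):
        return False, "missing or wrong origin token"
    return True, "ok"


if __name__ == "__main__":
    # Attacker found the origin IP and connects directly: denied by the range check.
    print(admit("198.51.100.7", {ORIGIN_HEADER: ORIGIN_TOKEN}))
    # Request via the CDN without the injected header: denied by the token check.
    print(admit("203.0.113.10", {}))
    # Legitimate path through the CDN.
    print(admit("203.0.113.10", {ORIGIN_HEADER: ORIGIN_TOKEN}))
```

Apply the range restriction at the network layer (security group or host firewall) as well; the application check is the backstop for the case where the network control drifts. With Cloudflare the equivalent controls are IP allowlisting plus Authenticated Origin Pulls, which replaces the shared header with client-certificate verification at the origin.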