The LockBit ransomware group has been compromised: attackers stole and leaked data from the backend infrastructure of its dark web site.
Hackers compromised the dark web leak site of the LockBit ransomware gang and defaced it, posting a message and a link to the dump of the MySQL database of its backend affiliate panel.
“Don’t do crime CRIME IS BAD xoxo from Prague,” reads the message published on the group’s dark web leak site.

The LockBit operator ‘LockBitSupp’ confirmed the data breach in a private conversation with the threat actor Rey; however, he said that no private keys were leaked and no data was lost.
BleepingComputer analyzed the leaked database and reported that it contains 20 tables, including BTC addresses, builds with target names, build configurations, 4,442 victim chat logs, and user data with plaintext passwords.
“A ‘chats’ table is very interesting as it contains 4,442 negotiation messages between the ransomware operation and victims from December 19th to April 29th,” states BleepingComputer.
Researchers noticed that only 44 user accounts are associated with actual encryptor builds for LockBit affiliates, of which 30 were active at the time of the dump.
The Italian cyber security expert Emanuele De Lucia extracted the 60k+ addresses in the dump and argued that the presence of a large number of private keys, linked to specific build configurations or victims (via build_id), suggests that these are the actual key data. Such data could be critical for developing universal or victim-specific decryption tools.
De Lucia added that the chat logs show a significant range in the initial ransom amounts demanded (from $50,000 to at least $1,500,000). The gang’s demands are tailored to the perceived value of the victim.
The top victim TLDs are:
- .et (Ethiopia)
- .co (Colombia)
- .jp (Japan)
- .br (Brazil)
- .tw (Taiwan)
- .ph (Philippines)
- .fr (France)
“Finally, this is a rich source of operational and technical intelligence. Its contents enable a deeper understanding of the threat actor’s capabilities and methods (i.e. FortiVPN is reported as an initial access point) and infrastructures,” said De Lucia.
The attacker behind the breach is still unknown, but the defacement message matches the one left in a recent hack of the Everest ransomware gang’s site, hinting at a possible link between the two defacements.
Source: SecurityAffairs
Source Link: https://securityaffairs.com/177619/cyber-crime/the-lockbit-ransomware-site-was-breached-database-dump-was-leaked-online.html