Inside the LockBit Ransomware Leak: Unveiling the Dark Web’s Secrets
A recent breach of the LockBit ransomware group’s infrastructure has sent shockwaves through the cybersecurity community. The leak, which exposed an internal database, has provided unprecedented insights into the group’s operations, revealing critical intelligence about their methods, targets, and financial transactions.
The Breach: A Bold Statement
On May 7, an unidentified actor infiltrated LockBit’s infrastructure, leaving a defiant message on the group’s dark web affiliate panels: “Don’t do crime CRIME IS BAD xoxo from Prague.” This audacious act was accompanied by the release of a complete database, dated April 29, which detailed LockBit’s Ransomware-as-a-Service (RaaS) operations from December 19 until the date of the data dump. This breach is particularly significant given that LockBit had been the most active ransomware group until law enforcement actions began to hinder their operations in early 2024.
What the Leak Revealed
The leaked database has exposed a wealth of information, including:
- 75 LockBit Affiliate Accounts: The database contains detailed records of affiliates and operators, including login credentials, unencrypted passwords, and permission levels.
- 246 Victim Organization Chat Logs: These logs provide a glimpse into the interactions between LockBit affiliates and their targets, revealing negotiation tactics and payment discussions.
- Almost 600 Potential Targets: Cyble, a cybersecurity firm that analyzed the leak, inferred these targets from custom ransomware builders created for specific domains.
The database also includes communication logs, cryptocurrency transaction records, and affiliate-specific links, which could help identify future connections between LockBit affiliates and other ransomware groups.
A Deep Dive into Operations
Cyble’s analysis highlights the inner workings of LockBit’s operations. The database features a ‘users’ table with 75 records detailing affiliate information, while the ‘invites’ table documents 3,693 threatening invites sent to potential victims. The ‘clients’ table contains 246 records of victim organizations, detailing encryption status, ransom payment status, and negotiation records.
Interestingly, the database reveals a consistent pattern of initial victim profiling. Records are created with company websites and revenue fields before attacks are executed, allowing for tailored ransomware builds with unique encryption keys.
The ‘visits’ table, with 2,398 records, tracks victim portal activities, showing engagement patterns that often intensify as payment deadlines approach. LockBit reportedly offers discounts for quick payments, accepting only Bitcoin and Monero, with a free decryptor available for victims based in Russia.
Ransom Payment Insights
Despite the extensive operations, the data suggests that LockBit’s ransom payment rate is alarmingly low. Only 18 chat logs indicated a ransom payment, translating to an approximate payment rate of 8.6% relative to the total number of victims. Among these payments, only two exceeded $100,000, while the majority were under €10,000.
The leak also identified nearly 60,000 Bitcoin wallet addresses linked to LockBit affiliates, which may have been used for ransom payments. Records indicate that LockBit employs a phased approach to data decryption, likely to maximize ransom collection.
Connections to Other Ransomware Groups
The leaked data also sheds light on LockBit’s connections with other ransomware groups. Notably, the HellCat group, which recently announced its shutdown, had been affiliated with LockBit since January 15. Additionally, chats revealed that affiliates from RansomHub joined LockBit amid uncertainty about RansomHub’s future.
Exploited Vulnerabilities
The leak provides insights into the vulnerabilities exploited by LockBit affiliates. In one chat exchange, an affiliate confirmed that access to a victim’s network was gained through a vulnerability in FortiVPN. Other discussions highlighted the exploitation of various domain security issues, including weak passwords and exposed admin accounts.
Analysis of 73 unique handler profiles revealed potential aliases used by threat actors on underground forums. One actor expressed interest in Initial Access Brokers (IABs) and the exploitation of specific vulnerabilities in FortiOS, indicating a technically capable actor focused on access facilitation and exploitation.
The Future of Ransomware
The leaked LockBit database underscores the ongoing evolution of ransomware operations. Even as the landscape of active ransomware groups shifts, the data reveals that there is no shortage of technically skilled affiliates ready to join the next leader in the dark web’s criminal underbelly. The implications of this leak extend beyond LockBit, potentially reshaping the strategies of law enforcement and cybersecurity professionals in their ongoing battle against cybercrime.