A recent hack has turned the tables on the infamous LockBit ransomware collective, exposing 59,975 Bitcoin addresses, public keys and 4,442 victim negotiation logs. The group runs a Ransomware-as-a-Service (RaaS) operation: the core team develops the malware and the supporting infrastructure, and affiliates use them to carry out the actual intrusions.
Like many ransomware gangs, LockBit demands payment in cryptocurrencies such as Bitcoin (BTC) or Monero (XMR). Victims are coerced into sending funds to specific wallet addresses in exchange for decryption keys or a promise not to leak stolen data. Affiliates then typically try to launder the proceeds through mixers, cross-chain swaps or privacy coins to frustrate tracing.
LockBit's dark web affiliate panels were defaced with a message linking to a database dump. The message read, “Don’t do crime CRIME IS BAD xoxo from Prague,” according to the cybersecurity publication BleepingComputer.
BleepingComputer’s examination of the leaked LockBit database, first highlighted by the threat actor Rey, found 20 tables of revealing data. One table holds almost 60,000 Bitcoin addresses, likely a mix of addresses used by the gang’s affiliates and by its own infrastructure. Another contains ransomware builds generated for specific targets. The leak also exposes per-attack configuration details, such as which servers to skip or which files to encrypt. A chat table contains more than 4,400 negotiations between the operation and its victims, and a user table names 75 admins and affiliates with their passwords stored in plaintext rather than hashed, including samples like “Weekendlover69” and “Lockbitproud231.”
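A defender handed an address table like the one described above would want to validate and deduplicate it before loading it into a transaction-monitoring watchlist, since a raw dump mixes mainnet addresses, typos and non-address strings. The following is an added example, not code from the page, from BleepingComputer or from the leak, that performs Base58Check and bech32/bech32m checksum validation and buckets each unique entry by address type. The sample dump is constructed here for illustration; it uses well-known public test vectors (the genesis block address and the BIP173 P2WPKH vector) plus deliberately corrupted copies, and contains no data from the actual leak.

```python
import hashlib

# Constructed sample input: public test vectors and tampered variants,
# not addresses from the leaked LockBit database.
SAMPLE_DUMP = """
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
not-an-address
"""

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST = 1            # witness v0 (BIP173)
BECH32M_CONST = 0x2BC830A3  # witness v1+ (BIP350)


def base58check_decode(addr):
    """Return the payload bytes if the Base58Check checksum verifies, else None."""
    n = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return None
        n = n * 58 + B58_ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' stands for a leading zero byte that the integer dropped.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + raw
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def bech32_polymod(values):
    """BCH checksum polynomial from BIP173."""
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_decode(addr):
    """Return (hrp, witness_version) if the bech32/bech32m checksum verifies, else None."""
    if addr != addr.lower() and addr != addr.upper():
        return None  # mixed case is forbidden by BIP173
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return None
    hrp, data_part = addr[:pos], addr[pos + 1:]
    if any(c not in BECH32_CHARSET for c in data_part):
        return None
    data = [BECH32_CHARSET.index(c) for c in data_part]
    hrp_expand = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    version = data[0]
    # v0 addresses must check out under bech32, v1+ (taproot) under bech32m.
    expected = BECH32_CONST if version == 0 else BECH32M_CONST
    if bech32_polymod(hrp_expand + data) != expected:
        return None
    return hrp, version


def classify(addr):
    """Label a mainnet address by type, or return None if it fails validation."""
    payload = base58check_decode(addr)
    if payload is not None and len(payload) == 21:
        return {0x00: "p2pkh", 0x05: "p2sh"}.get(payload[0])
    decoded = bech32_decode(addr)
    if decoded is not None and decoded[0] == "bc":
        return "segwit_v0" if decoded[1] == 0 else "segwit_v1"
    return None


def triage(dump_text):
    """Deduplicate a dump and split it into validated addresses and rejects."""
    seen = set()
    result = {"valid": {}, "invalid": []}
    for line in dump_text.splitlines():
        addr = line.strip()
        if not addr or addr in seen:
            continue
        seen.add(addr)
        kind = classify(addr)
        if kind is None:
            result["invalid"].append(addr)
        else:
            result["valid"][addr] = kind
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_DUMP)
    for addr, kind in report["valid"].items():
        print(f"{kind:10} {addr}")
    print(f"{len(report['invalid'])} invalid or unsupported entries dropped")
```

The checksum checks matter because a single-character error in either encoding is always detected, so a corrupted copy of a real address (the two tampered lines in the sample) is rejected rather than silently added to a watchlist. Testnet and non-Bitcoin strings fall into the reject bucket, which is where you would want to inspect them by hand.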
A LockBit operator known as “LockBitSupp” confirmed the breach to Rey, claiming that no private keys were leaked. BleepingComputer indicates that the dump was taken around April 29, based on the MySQL dump timestamp and the most recent chat record. The identity of the individual or group behind the breach, and how it was carried out, remain unknown. The defacement message matches one used in a recent attack on the Everest ransomware gang’s dark web site, hinting at a possible connection.
The server was found to be running PHP 8.1.2, a version affected by CVE-2024-4577, a critical argument-injection flaw in PHP’s CGI handling on Windows that can lead to remote code execution and that was fixed in PHP 8.1.29, 8.2.20 and 8.3.8. The version string alone is only an indicator, not proof of the entry point: the bug is exploitable only when PHP is served through the CGI module or an exposed php-cgi binary on a Windows host, and the article does not establish that it was the vector used here.
In February 2024, Operation Cronos, an international law enforcement initiative, dismantled LockBit’s infrastructure, seizing 34 servers, stolen data, cryptocurrency addresses, 1,000 decryption keys and its affiliate panel. Despite this setback, LockBit managed to rebuild and resume operations, only to face another significant blow in May of the same year when U.S. authorities unmasked and indicted its ringleader, Dmitry Khoroshev, on 26 criminal counts.