The LockBit Ransomware Site was Breached, Database Dump Was Leaked Online
In a shocking turn of events, the dark web leak site of the notorious LockBit ransomware gang was compromised, with hackers stealing and leaking sensitive data from their backend infrastructure. The breach has left the group's operators reeling, as attackers defaced the site and posted a message, along with a link to the dump of the MySQL database of its backend affiliate panel.
The message, attributed to "Don't do crime CRIME IS BAD xoxo from Prague," reads like a taunt from the hackers. It appears that the LockBit operator, identified as 'LockBitSupp,' has confirmed the data breach in a private conversation with the threat actor Rey, but assured that no private keys were leaked or data lost.
However, further analysis by BleepingComputer revealed a treasure trove of sensitive information, including 20 tables, containing BTC addresses, build configurations, and plaintext passwords. One table in particular caught researchers' attention - the "chats" table, which contains 4,442 negotiation messages between the LockBit operation and its victims from December 19th to April 29th.
"This is a very interesting 'chats' table," states Emanuele De Lucia, an Italian cybersecurity expert. "It shows a significant range in the initial ransom amounts demanded by the gang, with values ranging from $50,000 to at least $1,500,000." This level of detail suggests that the LockBit gang is willing to tailor its demands based on the perceived value of each victim.
De Lucia also extracted 60k+ addresses from the dump and argued that these are likely key data for developing universal or victim-specific decryption tools. "The presence of a large number of private keys, linked to specific build configurations or victims via build_id, suggests this is the actual key data," he said. This data could be critical in unlocking the secrets of the LockBit ransomware operation.
Furthermore, researchers noticed that only 44 user accounts were associated with actual encryptor builds for LockBit affiliates, with 30 being active at the time of the dump. This low number raises questions about the effectiveness and reach of the LockBit gang's operations.
As for the attacker behind the breach, their identity remains unknown, but the defacement message bears striking resemblance to a recent Everest ransomware hack. Could there be a link between the two attacks? The world of cybersecurity will have to wait and see as this investigation continues to unfold.
In the meantime, researchers like Emanuele De Lucia are already making sense of the data, analyzing it for operational and technical intelligence that could aid in developing effective countermeasures against the LockBit ransomware gang. As one expert noted, "Finally, this is a rich source of operational and technical intelligence. Its contents enable a deeper understanding of the threat actor's capabilities and methods."