A Leaked Database Reveals LockBit Ransomware Operations and Negotiation Data
Recently, a significant security breach has exposed extensive internal data of LockBit, one of the most notorious ransomware-as-a-service groups active today. This leak was uncovered when a database dump was obtained directly from LockBit’s own infrastructure, revealing astonishing insights into their operations, victim profiles, and negotiation processes.
The Origin of the Data Breach
The leaked information surfaced after an attacker gained access to LockBit’s backend system—a PHP-based platform managing their ransomware campaigns and payment processing. The breach appears to stem from an authentication bypass, allowing unauthorized individuals to extract a significant portion of the group’s operational data. This dump, retrieved on April 29, 2025, was first made publicly accessible on May 7 during a defacement incident targeting LockBit’s onion sites. Hackers replaced the usual homepage with a message and a link to download the extracted database, which included a wealth of sensitive data.
What the Leak Contains
The leaked dump offers an in-depth look into LockBit’s internal workings, revealing:
- Approximately 60,000 Bitcoin addresses linked to the group’s ransom transactions
- Over a thousand configurations corresponding to various payloads used in attacks
- Profiles associated with hundreds of victims
- Nearly 4,400 negotiation messages exchanged between attackers and victims
- A list of 75 registered users or affiliates involved in the operation
The main administrator of LockBit has acknowledged the breach, attributing it to an authentication workaround that allowed the extraction of this data. Despite the breach, they assured that no decryption keys or sensitive victim data were compromised during the incident and described the breach as confined to a “light management panel” primarily used for tracking affiliates.
Insights into LockBit’s Infrastructure and Affiliate Network
The dump includes approximately 30,000 private keys—possibly one per encrypted device—suggesting automated key generation or mass importation around December 2024, coinciding with the platform’s significant activity surge. This may indicate efforts to restore or expand their infrastructure following a disruption, perhaps linked to external law enforcement operations like “Operation Cronus.”
Further analysis classifies the 75 user accounts into six groups: new members, verified affiliates (who adhere to commission agreements), scammers (non-paying or malicious actors), confirmed penetration testers, suspected individuals, and at least one known to have communicated with entities in Russia. Notably, one of the affiliates in Tchebarkoul (located in the southern Ural region near Kazakhstan) received a decryptor from LockBit’s admin, which initially failed to work.
Another alarming detail is that some user credentials, including Tox messaging platform identifiers, were stored in plaintext. Many passwords were reused across accounts, and the password hashes that were stored were unsalted, making brute-force recovery straightforward.
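To make the credential-storage weakness concrete, the following is an added example (not code from the article or from the leaked panel) that contrasts the two storage designs. The weak side assumes unsalted SHA-256, which the article does not specify; the point holds for any unsalted fast hash. The account names, passwords and wordlist are constructed for the demonstration, and the PBKDF2 iteration count is kept low so the example runs quickly.

```python
import hashlib
import hmac
import os

# Constructed sample: affiliate accounts as a weak panel might store them,
# one unsalted SHA-256 digest per password (algorithm assumed for the example).
WEAK_RECORDS = {
    "affiliate01": hashlib.sha256(b"Passw0rd!").hexdigest(),
    "affiliate02": hashlib.sha256(b"Passw0rd!").hexdigest(),  # same password reused
    "affiliate03": hashlib.sha256(b"hunter2").hexdigest(),
}

# Constructed stand-in for a real wordlist used in a password audit.
WORDLIST = [b"123456", b"hunter2", b"Passw0rd!", b"letmein"]

# Work factor for PBKDF2-HMAC-SHA256. Deliberately low here so the example is
# fast; production deployments use a much higher count (OWASP suggests 600,000).
ITERATIONS = 50_000


def find_reused_unsalted(records):
    """Unsalted hashing leaks password reuse directly: identical passwords give
    identical digests, so grouping by digest reveals shared passwords without
    recovering a single one of them."""
    by_digest = {}
    for user, digest in records.items():
        by_digest.setdefault(digest, []).append(user)
    return {d: users for d, users in by_digest.items() if len(users) > 1}


def audit_unsalted(records, wordlist):
    """Password audit against unsalted digests: each wordlist entry is hashed
    once and then matched against every account, which is why unsalted storage
    falls so cheaply. Returns {user: recovered_password}."""
    lookup = {hashlib.sha256(w).hexdigest(): w for w in wordlist}
    return {user: lookup[d] for user, d in records.items() if d in lookup}


def hash_password(password, salt=None):
    """Hardened storage: a random 16-byte salt per account plus a slow KDF, so
    equal passwords no longer produce equal records and each guess must be
    recomputed per account."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the KDF with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("reused passwords (weak storage):", find_reused_unsalted(WEAK_RECORDS))
    print("recovered by wordlist (weak storage):", audit_unsalted(WEAK_RECORDS, WORDLIST))
    salted = {u: hash_password(b"Passw0rd!") for u in ("affiliate01", "affiliate02")}
    print("reused passwords (salted storage):", find_reused_unsalted(salted))
    print("verify correct password:", verify_password(b"Passw0rd!", salted["affiliate01"]))
```

The same reuse that the leak exposed would have been invisible under the salted scheme: two accounts with the same password yield unrelated records, and the audit would have to run the full KDF separately for every account and every guess.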
Operational Patterns and Negotiation Tactics
The data reveal that, on average, it takes about 17 hours from payload deployment to the first negotiation message. Each victim’s ransomware payload is associated with a unique Bitcoin address, often generated through automated scripts, indicating a high degree of operational automation.
The median ransom demand in these negotiations is roughly $5 million, with the most common amount requested being $10,000. The ransomware primarily targets domains with country-code top-level domains such as .br (Brazil), .cn (China), and .tw (Taiwan). Since early February 2025, the group has shifted its payloads from “locker-only” ransomware to combined “locker and stealer” malware, offering standardized proof elements to aid affiliates during negotiations. This evolution hints at the possible integration of former ransomware groups’ members, like Conti, into LockBit’s ecosystem.
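The figures above (time from deployment to first contact, median versus most common demand, one Bitcoin address per payload) are the kind of summary an analyst derives from negotiation and payment records. The following is an added example, not code from the article or from the leaked dump, showing how those statistics are computed and how the one-address-per-victim pattern is checked for exceptions. The row layout and every value in it are constructed for the example.

```python
from collections import Counter
from datetime import datetime
from statistics import median, mean, mode

# Constructed rows in the shape a panel export might take (invented values):
# (victim_id, btc_address, payload_deployed, first_message, demand_usd)
SAMPLE_ROWS = [
    ("v001", "bc1qexampleaaaa", "2025-02-10T03:00:00", "2025-02-10T20:00:00", 10_000),
    ("v002", "bc1qexamplebbbb", "2025-02-11T09:00:00", "2025-02-12T01:30:00", 5_000_000),
    ("v003", "bc1qexamplecccc", "2025-02-12T22:30:00", "2025-02-13T15:00:00", 10_000),
    ("v004", "bc1qexampledddd", "2025-02-14T06:00:00", "2025-02-15T00:00:00", 8_000_000),
    ("v005", "bc1qexamplecccc", "2025-02-15T11:00:00", "2025-02-16T04:30:00", 250_000),
]


def hours_to_first_contact(rows):
    """Elapsed hours between payload deployment and the first negotiation message."""
    out = []
    for _vid, _addr, deployed, first_msg, _demand in rows:
        delta = datetime.fromisoformat(first_msg) - datetime.fromisoformat(deployed)
        out.append(delta.total_seconds() / 3600)
    return out


def contact_timing_stats(rows):
    """Median and mean time-to-contact; the median resists a few slow outliers."""
    hours = hours_to_first_contact(rows)
    return {"median_hours": round(median(hours), 2), "mean_hours": round(mean(hours), 2)}


def demand_stats(rows):
    """Median demand and the single most frequently requested amount. The two
    can differ by orders of magnitude when a few very large demands sit
    alongside many small, repeated ones."""
    demands = [r[4] for r in rows]
    return {"median_usd": median(demands), "most_common_usd": mode(demands)}


def reused_addresses(rows):
    """Under a one-address-per-victim scheme every address should map to exactly
    one victim; any address seen for several victims is an anomaly worth review."""
    victims_by_addr = {}
    for vid, addr, *_rest in rows:
        victims_by_addr.setdefault(addr, []).append(vid)
    return {a: v for a, v in victims_by_addr.items() if len(v) > 1}


def address_uniqueness_ratio(rows):
    """Fraction of rows whose address is unique to that victim."""
    counts = Counter(r[1] for r in rows)
    return sum(1 for r in rows if counts[r[1]] == 1) / len(rows)


if __name__ == "__main__":
    print(contact_timing_stats(SAMPLE_ROWS))
    print(demand_stats(SAMPLE_ROWS))
    print("addresses shared by several victims:", reused_addresses(SAMPLE_ROWS))
    print("unique-address ratio:", address_uniqueness_ratio(SAMPLE_ROWS))
```

On real exports the interesting part is usually the exceptions: a shared address or a time-to-contact far outside the cluster often marks a manual intervention, a test entry, or a different affiliate's tooling rather than the automated path.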
Victim Profiles and Extortion Strategies
The leak also sheds light on LockBit’s victims, with detailed profiles of hundreds affected. Notably, at least one affiliate appears to have targeted entities in Russia, highlighting the group’s geographically diverse operations. The stored data indicate that some victims’ identifiers were kept in plaintext and that their password hashes lacked additional security measures, heightening the risk of credential recovery.
The time from payload deployment to negotiation is consistently around 17 hours, emphasizing the rapid pace at which LockBit operates. Each attack is tied to a specific Bitcoin address, suggesting a tightly managed transaction process, often involving automated scripting for efficiency.
Financial demands vary, with ransom sizes typically around several million dollars, though the most frequently requested amount is significantly lower, around ten thousand dollars. The group’s targeting patterns favor certain countries, reflecting strategic choices or operational focus.
Implications and Future Outlook
This massive leak offers unprecedented insight into LockBit’s operational hierarchy, affiliate network, and negotiation engagement. It underscores the risks of internal breaches within cybercriminal organizations and illustrates how operational data can be weaponized to inform law enforcement and security strategies. The leak raises questions about the security practices of ransomware operations themselves, and it highlights the value for victims and security practitioners of following such leaks closely, since they erode the group’s previously perceived invincibility.
As LockBit adapts its tactics—adding data stealers alongside traditional encryption—cybersecurity professionals must analyze these developments continuously. The leak’s revelations mark a pivotal moment in understanding modern ransomware ecosystems, emphasizing the importance of internal security and monitoring even within underground criminal networks.