Introduction
The LockBit ransomware group has suffered a significant data breach [1], revealing extensive details about its operations. The breach, potentially linked to another ransomware gang [1], exposed sensitive information and provided insight into the group's ransomware-as-a-service (RaaS) activities.
Description
The LockBit ransomware group experienced a substantial data breach on May 7 [1], when its infrastructure was compromised by an unidentified actor, possibly associated with another ransomware gang. The incident resulted in the leak of an internal database, offering a comprehensive view of the group's RaaS operations, with data spanning from December 19 until the breach date. The database contained nearly 60,000 Bitcoin addresses, 75 LockBit affiliate accounts, and over 4,400 chats with victim organizations [1], alongside 246 victim negotiation chat logs and nearly 600 potential targets [3].
The breach exposed sensitive information on more than 70 LockBit administrators and affiliates [1], including plaintext passwords [1], usernames [2], TOX messenger IDs [2], and build configurations of the LockBit ransomware [1]. It documented ransom payment statuses [3], indicating a payment rate of approximately 8.6% among victims [3], with only 18 chat logs mentioning ransom payments [3], made primarily in Bitcoin and Monero [3]. Discounts were offered for quick payment [3], and the leak suggests that LockBit releases decryption in phases to maximize the ransom collected [3].
On initial access, one LockBit affiliate confirmed entering a victim's network through a vulnerability in FortiVPN [3], while other weaknesses noted in the chats included weak passwords, exposed administrator accounts [3], open ports [3], and missing backups [3]. The database also showed interest in exploiting CVE-2024-55591 in FortiOS [3], indicating a technically capable actor focused on gaining and brokering access [3]. The database further contained metadata on ransomware builds linked to over 630 domains [2], some belonging to victims and others used for testing [2], and included invite links for ransom negotiations tied to specific Bitcoin or Monero addresses [2].
This breach follows an international law enforcement operation [1], Operation Cronos [1], which severely disrupted LockBit's activities [1], resulting in arrests [1], the closure of affiliate accounts [1], and the seizure of servers and infrastructure [1]. The attack on LockBit resembles an earlier compromise of the Everest ransomware group's dark web site [1], which was likewise defaced with the message, "Don't do crime CRIME is BAD xoxo from Prague."
One potential suspect behind the LockBit breach is the DragonForce ransomware cartel, a newer group that has been aggressively recruiting affiliates from other ransomware operations and offering its infrastructure to other groups under a white-label model [1]. DragonForce has also been linked to recent ransomware attacks on major UK retailers [1], indicating its growing influence in the criminal ransomware landscape [1]. Analysis of the leaked data has not revealed overlaps with previous ransomware leaks from groups like Conti and BlackBasta [2], and the investigation into the leak is ongoing [2].
Conclusion
The breach of the LockBit ransomware group shows that criminal networks are themselves exposed to the same failures they exploit, and that their internal data can be leaked. For defenders, the leaked negotiations point to the same recurring weaknesses: unpatched VPN appliances, weak or exposed administrator credentials, unnecessary open ports, and the absence of backups that leaves victims with no alternative to paying. As law enforcement agencies continue to target ransomware groups, the landscape of cybercrime may shift, with new actors emerging and existing groups adapting their strategies. The ongoing investigation into the LockBit breach will likely provide further insight into the operations of ransomware groups and inform future mitigation efforts.
References
[1] https://www.cybersecurityintelligence.com/blog/-lockbit-ransomware-group-hacked-and-exposed-8432.html
[2] https://www.cyberdaily.au/security/12095-leakbit-what-we-know-so-far-about-the-lockbit-data-breach
[3] https://thecyberexpress.com/lockbit-leak-ransomware-revelations/