LockBit Ransomware Site Breached: Database Dump Leaked Online
Discover the latest on the LockBit ransomware group breach, where hackers defaced their dark web site and leaked sensitive data. Learn about the implications and the exposed information.
TL;DR
The LockBit ransomware group’s dark web site was compromised, leading to the leak of their MySQL database. The breach exposed critical information, including BTC addresses, build configurations, and victim chat logs. This incident provides valuable insights into the group’s operations and highlights the ongoing risks in the cybersecurity landscape.
LockBit Ransomware Group Compromised: Sensitive Data Leaked
Hackers recently breached the dark web leak site of the LockBit ransomware gang, defacing it and posting a message along with a link to the dump of the MySQL database from its backend affiliate panel. The message read, “Don’t do crime CRIME IS BAD xoxo from Prague,” indicating a moral stance against cybercrime.
Source: @vxdb on Twitter
Confirmation and Initial Analysis
The LockBit operator, ‘LockBitSupp,’ confirmed the data breach in a private conversation but asserted that no private keys had been leaked and no data lost. However, an analysis by BleepingComputer revealed that the leaked database contains 20 tables, including BTC addresses, build configurations, and 4,442 victim chat logs with plaintext passwords.
Significant Findings
One of the most intriguing tables is the ‘chats’ table, which contains 4,442 negotiation messages between the ransomware operation and victims from December 19th to April 29th. Researchers also noted that only 44 user accounts are associated with actual encryptor builds for LockBit affiliates, with 30 being active at the time of the dump.
Expert Insights
Italian cybersecurity expert Emanuele De Lucia extracted over 60,000 addresses from the dump and suggested that the large number of private keys it contains could be crucial for developing decryption tools. The chat logs revealed a wide range of initial ransom demands, from $50,000 to $1,500,000, tailored to the victim’s perceived value.
Top Victim TLDs
The most affected top-level domains (TLDs) include:
- .et (Ethiopia)
- .co (Colombia)
- .jp (Japan)
- .br (Brazil)
- .tw (Taiwan)
- .ph (Philippines)
- .fr (France)
Operational Intelligence
De Lucia emphasized that the leaked data provides a rich source of operational and technical intelligence, offering deeper insights into the threat actor’s capabilities, methods, and infrastructures. The attacker behind the breach remains unknown, but the defacement message matches a recent Everest ransomware hack, suggesting a possible link.
Conclusion
The breach of the LockBit ransomware group’s site highlights the ongoing risks and complexities in the cybersecurity landscape. As more details emerge, it is crucial for organizations to stay vigilant and implement robust security measures to protect against such threats.
(SecurityAffairs – hacking, LockBit ransomware)