Found 97 bookmarks
Newest
Inside the LockBit's Admin Panel Leak: Affiliates, Victims and Millions in Crypto
Inside the LockBit's Admin Panel Leak: Affiliates, Victims and Millions in Crypto
On May 7, 2025, the LockBit admin panel was hacked by an anonymous actor who replaced their TOR website with the text ‘Don’t do crime CRIME IS BAD xoxo from Prague’ and shared a SQL dump of their admin panel database in an archived file ‘paneldb_dump.zip’: There is not much information available regarding the individual identified as 'xoxo from Prague' whose objective seems to be the apprehension of malicious ransomware threat actors. It is uncommon for a major ransomware organization's website to be defaced; more so for its administrative panel to be compromised. This leaked SQL database dump is significant as it offers insight into the operational methods of LockBit affiliates and the negotiation tactics they employ to secure ransom payments from their victims. Trellix Advanced Research Center’s investigations into the leaked SQL database confirmed with high confidence that the database originates from LockBit's affiliates admin panel. This panel allows the generation of ransomware builds for victims, utilizing LockBit Black 4.0 and LockBit Green 4.0, compatible with Linux, Windows and ESXi systems, and provides access to victim negotiation chats. The leaked SQL database dump encompasses data from December 18, 2024 to April 29, 2025, including details pertaining to LockBit adverts (aka ransomware affiliates), victim organizations, chat logs, cryptocurrency wallets and ransomware build configurations.
#trellix#EN#2025#LockBit#Leak#Affiliates#Crypto#research
·trellix.com·
Inside the LockBit's Admin Panel Leak: Affiliates, Victims and Millions in Crypto
On Lockbit's plaintext passwords
On Lockbit's plaintext passwords
Today it was discovered that an unknown actor had managed to exploit a vulnerability in Lockbit’s PHPMyAdmin instance (on their console onion site). Apparently they were running PHP 8.1.2 which is vulnerable to an RCE CVE-2024-4577. Which uhh… lol? It probably would have been prudent to do a post-paid penetration test on their own infrastructure at some point. Further compounding the unfortunate situation, the actor was able to dump their database. This contained, as stated by Bleeping Computer, a number of tables such as bitcoin addresses, data about their build system such as bespoke builds for affiliates, A ‘chats’ table containing negotiation messages, which we’ll go through in a later post. And finally, of interest today, the usernames and passwords of LockBit agents using the console. Of special importance, making our work markedly easier, these passwords were not hashed. Which sure is a choice, as an organization that performs ransomware attacks. The vast majority of the passwords in this table as reasonably secure; it’s not solely hilariously weak credentials, but there still are a number that display poor security hygiene. The weak passwords Before going into my standard analysis, I’ll list off all of the weak passwords in question, and then we’ll go through the statistics of the whole set. The fun to highlight passwords: Weekendlover69 CumGran0Salis Lockbit123 Lockbitproud321 * Lavidaloca18
#dak.lol#EN#2025#Lockbit#leak#passwords#complexity#PHPMyAdmin#analysis
·dak.lol·
On Lockbit's plaintext passwords
LockBit ransomware gang hacked, victim negotiations exposed
LockBit ransomware gang hacked, victim negotiations exposed
The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump. All of the ransomware gang's admin panels now state. "Don't do crime CRIME IS BAD xoxo from Prague," with a link to download a "paneldb_dump.zip." LockBit dark web site defaced with link to database As first spotted by the threat actor, Rey, this archive contains a SQL file dumped from the site affiliate panel's MySQL database. From analysis by BleepingComputer, this database contains twenty tables, with some more interesting than others, including: A 'btc_addresses' table that contains 59,975 unique bitcoin addresses. A 'builds' table contains the individual builds created by affiliates for attacks. Table rows contain the public keys, but no private keys, unfortunately. The targeted companies' names are also listed for some of the builds. A 'builds_configurations' table contains the different configurations used for each build, such as which ESXi servers to skip or files to encrypt. A 'chats' table is very interesting as it contains 4,442 negotiation messages between the ransomware operation and victims from December 19th to April 29th. Affiliate panel 'chats' table Affiliate panel 'chats' table A 'users' table lists 75 admins and affiliates who had access to the affiliate panel, with Michael Gillespie spotting that passwords were stored in plaintext. Examples of some of the plaintext passwords are 'Weekendlover69, 'MovingBricks69420', and 'Lockbitproud231'. In a Tox conversation with Rey, the LockBit operator known as 'LockBitSupp' confirmed the breach, stating that no private keys were leaked or data lost. Based on the MySQL dump generation time and the last date record in the negotiation chats table , the database appears to have been dumped at some point on April 29th, 2025. It's unclear who carried out the breach and how it was done, but the defacement message matches the one used in a recent breach of Everest ransomware's dark web site, suggesting a possible link.
#bleepingcomputer#EN#2025#Affiliates#Data-Breach#Defacement#LockBit#MySQL
·bleepingcomputer.com·
LockBit ransomware gang hacked, victim negotiations exposed
LockBit Ransomware v4.0
LockBit Ransomware v4.0
Malware Analysis Report - LockBit Ransomware v4.0 In this blog post, I’m going over my analysis for the latest variant of LockBit ransomware - version 4.0. Throughout this blog, I’ll walk through all the malicious functionalities discovered, complete with explanations and IDA screenshots to show my reverse engineering process step by step. This new version of LockBit 4.0 implements a hybrid-cryptography approach, combining Curve25519 with XChaCha20 for its file encryption scheme. This version shares similarities with the older LockBit Green variant that is derived from Conti ransomware. While the multi-threading architecture seems more streamlined than previous versions, it still delivers an encryption speed that outpaces most other ransomware families. As always, LockBit is still my most favorite malware to look at, and I certainly enjoyed doing a deep dive to understand how this version works.
#chuongdong#EN#2025#Malware#Analysis#Report#LockBit#LockBit4.0#ransomware
·chuongdong.com·
LockBit Ransomware v4.0
Inside the Open Directory of the “You Dun” Threat Group
Inside the Open Directory of the “You Dun” Threat Group
  • Analysis of an open directory found a Chinese speaking threat actor’s toolkit and history of activity. The threat actor displayed extensive scanning and exploitation using WebLogicScan, Vulmap, and Xray, targeting organizations in South Korea, China, Thailand, Taiwan, and Iran. The Viper C2 framework was present as well as a Cobalt Strike kit which included TaoWu and Ladon extensions. * The Leaked LockBit 3 builder was used to create a LockBit payload with a custom ransom note that included reference to a Telegram group which we investigated further in the report.
#thedfirreport#EN#2024#Analysis#open-directory#LockBit#operational#You-Dun#group#China#tools#scan
·thedfirreport.com·
Inside the Open Directory of the “You Dun” Threat Group
Further Evil Corp cyber criminals exposed, one unmasked as LockBit affiliate - National Crime Agency
Further Evil Corp cyber criminals exposed, one unmasked as LockBit affiliate - National Crime Agency
Sixteen individuals who were part of Evil Corp, once believed to be the most significant cybercrime threat in the world, have been sanctioned in the UK, with their links to the Russian state and other prolific ransomware groups, including LockBit, exposed. Sanctions have also been imposed by Australia and the US, who have unsealed an indictment against a key member of the group.
#nationalcrimeagency#EN#2024#organised-crime#Evil-Corp#UK#Russia#LockBit
·nationalcrimeagency.gov.uk·
Further Evil Corp cyber criminals exposed, one unmasked as LockBit affiliate - National Crime Agency
LockBit power cut: four new arrests and financial sanctions against affiliates | Europol
LockBit power cut: four new arrests and financial sanctions against affiliates | Europol
These are some of the results of the third phase of Operation Cronos, a long-running collective effort of law enforcement authorities from 12 countries, Europol and Eurojust, who joined forces to effectively disrupt at all levels the criminal operations of the LockBit ransomware group. These actions follow the massive disruption of LockBit infrastructure in February 2024, as well as the large series of sanctions and operational actions that took place against LockBit administrators in May and subsequent months. Between 2021 and 2023, LockBit was the most widely employed ransomware variant globally with a notable number of victims claimed on its data leak site. Lockbit operated on the ransom as a service model. The core group sold access to affiliates and received portions of the collected ransom payments. Entities deploying LockBit ransomware attacks had targeted organisations of various sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing and transportation. Reflecting the considerable number of independent affiliates involved, LockBit ransomware attacks display significant variation in observed tactics, techniques and procedures. #2024 #EN #Eurojust #LockBit #busted #disrupt #europol
#EN#europol#Eurojust#LockBit#2024#busted#disrupt
·europol.europa.eu·
LockBit power cut: four new arrests and financial sanctions against affiliates | Europol
Office of Public Affairs | Two Foreign Nationals Plead Guilty to Participating in LockBit Ransomware Group
Office of Public Affairs | Two Foreign Nationals Plead Guilty to Participating in LockBit Ransomware Group
Two foreign nationals pleaded guilty today to participating in the LockBit ransomware group—at various times the most prolific ransomware variant in the world—and to deploying LockBit attacks against victims in the United States and worldwide.
#justice.gov#EN#2024#LockBit#guilty#justice#US
·justice.gov·
Office of Public Affairs | Two Foreign Nationals Plead Guilty to Participating in LockBit Ransomware Group
 The LockBit’s Attempt to Stay Relevant, Its Imposters and New Opportunistic Ransomware Groups
 The LockBit’s Attempt to Stay Relevant, Its Imposters and New Opportunistic Ransomware Groups
The Trellix Advanced Research Center has recently observed an uptick of LockBit-related cyber activity surrounding vulnerabilities in ScreenConnect. This surge suggests that despite the Law Enforcement's (LE) "Operation Cronos" aimed at dismantling LockBit's infrastructure, the ransomware operators somehow managed to survive and stay a float. It appears that the cybercriminals group behind LockBit ransomware partially restored their infrastructure and created an impression that the LE actions did not affect their normal operation. Concurrently, alongside the resurgence of LockBit's exploitation of ScreenConnect vulnerabilities, we have seen other threat actors have either impersonated LockBit ransomware or incorporated LockBit into their own cyber attack campaigns.
#Trellix#EN#2024#LockBit-related#LockBit#campaigns#ransomware#LockBitSupp
·trellix.com·
 The LockBit’s Attempt to Stay Relevant, Its Imposters and New Opportunistic Ransomware Groups
Unveiling the Fallout: Operation Cronos' Impact on LockBit Following Landmark Disruption
Unveiling the Fallout: Operation Cronos' Impact on LockBit Following Landmark Disruption
  • On Feb. 19, 2024, Operation Cronos, a targeted law enforcement action, caused outages on LockBit-affiliated platforms, significantly disrupting the notorious ransomware group's operations. LockBit’s downtime was quickly followed by a takeover of its leak site by the UK’s National Crime Agency (NCA), spotlighting the concerted international effort against cybercrime. Authorities leveraged the compromised LockBit leak site to distribute information about the group and its operations, announce arrests, sanctions, cryptocurrency seizure, and more. This demonstrated support for affected businesses and cast doubt on LockBit's promises regarding data deletion post-ransom payment — emphasizing that paying ransoms is not the best course of action. Trend Micro analyzed LockBit-NG-Dev, an in-development version of the ransomware. Key findings indicated a shift to a .NET core, which allows it to be more platform-agnostic and emphasizes the need for new security detection techniques. The leak of LockBit's back-end information offered a glimpse into its internal workings and disclosed affiliate identities and victim data, potentially leading to a drop in trust and collaboration within the cybercriminal network. The sentiments of the cybercrime community to LockBit's disruption ranged from satisfaction to speculation about the group’s future, hinting at the significant impact of the incident on the ransomware-as-a-service (RaaS) industry. Businesses can expect shifts in RaaS tactics and should enhance preparedness against potential reformations of the disrupted group and its affiliates. Contrary to what the group themselves have stated, activities observed post-disruption would indicate that Operation Chronos has a significant impact on the group’s activities.
#trendmicro#EN#2024#research#LockBit#Operation-Cronos#impact
·trendmicro.com·
Unveiling the Fallout: Operation Cronos' Impact on LockBit Following Landmark Disruption
Exclusive: After LockBit’s takedown, its purported leader vows to hack on
Exclusive: After LockBit’s takedown, its purported leader vows to hack on
This week, the Click Here podcast landed a rare interview with the purported leader of the LockBit ransomware group – he goes by the name LockBitSupp. He’s under pressure because last month an international police operation infiltrated the group and seized not just their platform, but their hacking tools, cryptocurrency accounts and source code ending a four year ransomware rampage.
#therecord.media#EN#2024#LockBit#LockBitSupp#ransomware
·therecord.media·
Exclusive: After LockBit’s takedown, its purported leader vows to hack on
FBI’s LockBit Takedown Postponed a Ticking Time Bomb in Fulton County, Ga. – Krebs on Security
FBI’s LockBit Takedown Postponed a Ticking Time Bomb in Fulton County, Ga. – Krebs on Security
The FBI’s takedown of the LockBit ransomware group last week came as LockBit was preparing to release sensitive data stolen from government computer systems in Fulton County, Ga. But LockBit is now regrouping, and the gang says it will publish the stolen Fulton County data on March 2 unless paid a ransom. LockBit claims the cache includes documents tied to the county’s ongoing criminal prosecution of former President Trump, but court watchers say teaser documents published by the crime gang suggest a total leak of the Fulton County data could put lives at risk and jeopardize a number of other criminal trials
#krebsonsecurity#EN#2024#lockbit#Fulton-County#leak#Trump#FBI#claim
·krebsonsecurity.com·
FBI’s LockBit Takedown Postponed a Ticking Time Bomb in Fulton County, Ga. – Krebs on Security
U.S. and U.K. Disrupt LockBit Ransomware Variant | United States Department of Justice
U.S. and U.K. Disrupt LockBit Ransomware Variant | United States Department of Justice
The Department of Justice joined the United Kingdom and international law enforcement partners in London today to announce the disruption of the LockBit ransomware group, one of the most active ransomware groups in the world that has targeted over 2,000 victims, received more than $120 million in ransom payments, and made ransom demands totaling hundreds of millions of dollars.
#justice.gov#EN#2024#lockbit#Disrupt#press-release#US
·justice.gov·
U.S. and U.K. Disrupt LockBit Ransomware Variant | United States Department of Justice