Found 94 bookmarks
Custom sorting
Inside the LockBit's Admin Panel Leak: Affiliates, Victims and Millions in Crypto
Inside the LockBit's Admin Panel Leak: Affiliates, Victims and Millions in Crypto
On May 7, 2025, the LockBit admin panel was hacked by an anonymous actor who replaced their TOR website with the text ‘Don’t do crime CRIME IS BAD xoxo from Prague’ and shared a SQL dump of their admin panel database in an archived file ‘paneldb_dump.zip’: There is not much information available regarding the individual identified as 'xoxo from Prague' whose objective seems to be the apprehension of malicious ransomware threat actors. It is uncommon for a major ransomware organization's website to be defaced; more so for its administrative panel to be compromised. This leaked SQL database dump is significant as it offers insight into the operational methods of LockBit affiliates and the negotiation tactics they employ to secure ransom payments from their victims. Trellix Advanced Research Center’s investigations into the leaked SQL database confirmed with high confidence that the database originates from LockBit's affiliates admin panel. This panel allows the generation of ransomware builds for victims, utilizing LockBit Black 4.0 and LockBit Green 4.0, compatible with Linux, Windows and ESXi systems, and provides access to victim negotiation chats. The leaked SQL database dump encompasses data from December 18, 2024 to April 29, 2025, including details pertaining to LockBit adverts (aka ransomware affiliates), victim organizations, chat logs, cryptocurrency wallets and ransomware build configurations.
#trellix#EN#2025#LockBit#Leak#Affiliates#Crypto#research
·trellix.com·
Inside the LockBit's Admin Panel Leak: Affiliates, Victims and Millions in Crypto
On Lockbit's plaintext passwords
On Lockbit's plaintext passwords
Today it was discovered that an unknown actor had managed to exploit a vulnerability in Lockbit’s PHPMyAdmin instance (on their console onion site). Apparently they were running PHP 8.1.2 which is vulnerable to an RCE CVE-2024-4577. Which uhh… lol? It probably would have been prudent to do a post-paid penetration test on their own infrastructure at some point. Further compounding the unfortunate situation, the actor was able to dump their database. This contained, as stated by Bleeping Computer, a number of tables such as bitcoin addresses, data about their build system such as bespoke builds for affiliates, A ‘chats’ table containing negotiation messages, which we’ll go through in a later post. And finally, of interest today, the usernames and passwords of LockBit agents using the console. Of special importance, making our work markedly easier, these passwords were not hashed. Which sure is a choice, as an organization that performs ransomware attacks. The vast majority of the passwords in this table as reasonably secure; it’s not solely hilariously weak credentials, but there still are a number that display poor security hygiene. The weak passwords Before going into my standard analysis, I’ll list off all of the weak passwords in question, and then we’ll go through the statistics of the whole set. The fun to highlight passwords: Weekendlover69 CumGran0Salis Lockbit123 Lockbitproud321 * Lavidaloca18
#dak.lol#EN#2025#Lockbit#leak#passwords#complexity#PHPMyAdmin#analysis
·dak.lol·
On Lockbit's plaintext passwords
LockBit ransomware gang hacked, victim negotiations exposed
LockBit ransomware gang hacked, victim negotiations exposed
The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump. All of the ransomware gang's admin panels now state. "Don't do crime CRIME IS BAD xoxo from Prague," with a link to download a "paneldb_dump.zip." LockBit dark web site defaced with link to database As first spotted by the threat actor, Rey, this archive contains a SQL file dumped from the site affiliate panel's MySQL database. From analysis by BleepingComputer, this database contains twenty tables, with some more interesting than others, including: A 'btc_addresses' table that contains 59,975 unique bitcoin addresses. A 'builds' table contains the individual builds created by affiliates for attacks. Table rows contain the public keys, but no private keys, unfortunately. The targeted companies' names are also listed for some of the builds. A 'builds_configurations' table contains the different configurations used for each build, such as which ESXi servers to skip or files to encrypt. A 'chats' table is very interesting as it contains 4,442 negotiation messages between the ransomware operation and victims from December 19th to April 29th. Affiliate panel 'chats' table Affiliate panel 'chats' table A 'users' table lists 75 admins and affiliates who had access to the affiliate panel, with Michael Gillespie spotting that passwords were stored in plaintext. Examples of some of the plaintext passwords are 'Weekendlover69, 'MovingBricks69420', and 'Lockbitproud231'. In a Tox conversation with Rey, the LockBit operator known as 'LockBitSupp' confirmed the breach, stating that no private keys were leaked or data lost. Based on the MySQL dump generation time and the last date record in the negotiation chats table , the database appears to have been dumped at some point on April 29th, 2025. It's unclear who carried out the breach and how it was done, but the defacement message matches the one used in a recent breach of Everest ransomware's dark web site, suggesting a possible link.
#bleepingcomputer#EN#2025#Affiliates#Data-Breach#Defacement#LockBit#MySQL
·bleepingcomputer.com·
LockBit ransomware gang hacked, victim negotiations exposed
LockBit Ransomware v4.0
LockBit Ransomware v4.0
Malware Analysis Report - LockBit Ransomware v4.0 In this blog post, I’m going over my analysis for the latest variant of LockBit ransomware - version 4.0. Throughout this blog, I’ll walk through all the malicious functionalities discovered, complete with explanations and IDA screenshots to show my reverse engineering process step by step. This new version of LockBit 4.0 implements a hybrid-cryptography approach, combining Curve25519 with XChaCha20 for its file encryption scheme. This version shares similarities with the older LockBit Green variant that is derived from Conti ransomware. While the multi-threading architecture seems more streamlined than previous versions, it still delivers an encryption speed that outpaces most other ransomware families. As always, LockBit is still my most favorite malware to look at, and I certainly enjoyed doing a deep dive to understand how this version works.
#chuongdong#EN#2025#Malware#Analysis#Report#LockBit#LockBit4.0#ransomware
·chuongdong.com·
LockBit Ransomware v4.0
Inside the Open Directory of the “You Dun” Threat Group
Inside the Open Directory of the “You Dun” Threat Group
  • Analysis of an open directory found a Chinese speaking threat actor’s toolkit and history of activity. The threat actor displayed extensive scanning and exploitation using WebLogicScan, Vulmap, and Xray, targeting organizations in South Korea, China, Thailand, Taiwan, and Iran. The Viper C2 framework was present as well as a Cobalt Strike kit which included TaoWu and Ladon extensions. * The Leaked LockBit 3 builder was used to create a LockBit payload with a custom ransom note that included reference to a Telegram group which we investigated further in the report.
#thedfirreport#EN#2024#Analysis#open-directory#LockBit#operational#You-Dun#group#China#tools#scan
·thedfirreport.com·
Inside the Open Directory of the “You Dun” Threat Group
Further Evil Corp cyber criminals exposed, one unmasked as LockBit affiliate - National Crime Agency
Further Evil Corp cyber criminals exposed, one unmasked as LockBit affiliate - National Crime Agency
Sixteen individuals who were part of Evil Corp, once believed to be the most significant cybercrime threat in the world, have been sanctioned in the UK, with their links to the Russian state and other prolific ransomware groups, including LockBit, exposed. Sanctions have also been imposed by Australia and the US, who have unsealed an indictment against a key member of the group.
#nationalcrimeagency#EN#2024#organised-crime#Evil-Corp#UK#Russia#LockBit
·nationalcrimeagency.gov.uk·
Further Evil Corp cyber criminals exposed, one unmasked as LockBit affiliate - National Crime Agency
LockBit power cut: four new arrests and financial sanctions against affiliates | Europol
LockBit power cut: four new arrests and financial sanctions against affiliates | Europol
These are some of the results of the third phase of Operation Cronos, a long-running collective effort of law enforcement authorities from 12 countries, Europol and Eurojust, who joined forces to effectively disrupt at all levels the criminal operations of the LockBit ransomware group. These actions follow the massive disruption of LockBit infrastructure in February 2024, as well as the large series of sanctions and operational actions that took place against LockBit administrators in May and subsequent months. Between 2021 and 2023, LockBit was the most widely employed ransomware variant globally with a notable number of victims claimed on its data leak site. Lockbit operated on the ransom as a service model. The core group sold access to affiliates and received portions of the collected ransom payments. Entities deploying LockBit ransomware attacks had targeted organisations of various sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing and transportation. Reflecting the considerable number of independent affiliates involved, LockBit ransomware attacks display significant variation in observed tactics, techniques and procedures. #2024 #EN #Eurojust #LockBit #busted #disrupt #europol
#EN#europol#Eurojust#LockBit#2024#busted#disrupt
·europol.europa.eu·
LockBit power cut: four new arrests and financial sanctions against affiliates | Europol
Office of Public Affairs | Two Foreign Nationals Plead Guilty to Participating in LockBit Ransomware Group
Office of Public Affairs | Two Foreign Nationals Plead Guilty to Participating in LockBit Ransomware Group
Two foreign nationals pleaded guilty today to participating in the LockBit ransomware group—at various times the most prolific ransomware variant in the world—and to deploying LockBit attacks against victims in the United States and worldwide.
#justice.gov#EN#2024#LockBit#guilty#justice#US
·justice.gov·
Office of Public Affairs | Two Foreign Nationals Plead Guilty to Participating in LockBit Ransomware Group
Ransomware Diaries: Volume 1
Ransomware Diaries: Volume 1
The LockBit ransomware gang is one of the most notorious organized cybercrime syndicates that exists today. The gang is behind attacks targeting private-sector corporations and other high-profile industries worldwide. News and media outlets have documented many LockBit attacks, while security vendors offer technical assessments explaining how each occurred. Although these provide insight into the attacks, I wanted to know more about the human side of the operation to learn about the insights, motivations, and behaviors of the individuals on the other side of the keyboard. To prepare for this project, I spent months developing several online personas and established their credibility over time to gain access to the gang’s operation.
#analyst1#EN#2023#LockBit#ransomware#Insights
·analyst1.com·
Ransomware Diaries: Volume 1
LockBit ransomware suspect nabbed in Canada, faces charges in the US
LockBit ransomware suspect nabbed in Canada, faces charges in the US
Automation features make LockBit one of the more destructive pieces of ransomware. Federal prosecutors on Thursday charged a dual Russian and Canadian national for his alleged participation in a global campaign to spread ransomware known as LockBit. Mikhail Vasiliev, 33, of Bradford, Ontario, Canada, was taken into custody in late October by authorities in Ontario, officials at Interpol said. He is now in custody in Canada awaiting extradition to the US.
#arstechnica#EN#2022#LockBit#Canada#member#arrest
·arstechnica.com·
LockBit ransomware suspect nabbed in Canada, faces charges in the US
 The LockBit’s Attempt to Stay Relevant, Its Imposters and New Opportunistic Ransomware Groups
 The LockBit’s Attempt to Stay Relevant, Its Imposters and New Opportunistic Ransomware Groups
The Trellix Advanced Research Center has recently observed an uptick of LockBit-related cyber activity surrounding vulnerabilities in ScreenConnect. This surge suggests that despite the Law Enforcement's (LE) "Operation Cronos" aimed at dismantling LockBit's infrastructure, the ransomware operators somehow managed to survive and stay a float. It appears that the cybercriminals group behind LockBit ransomware partially restored their infrastructure and created an impression that the LE actions did not affect their normal operation. Concurrently, alongside the resurgence of LockBit's exploitation of ScreenConnect vulnerabilities, we have seen other threat actors have either impersonated LockBit ransomware or incorporated LockBit into their own cyber attack campaigns.
#Trellix#EN#2024#LockBit-related#LockBit#campaigns#ransomware#LockBitSupp
·trellix.com·
 The LockBit’s Attempt to Stay Relevant, Its Imposters and New Opportunistic Ransomware Groups
Ransomware Diaries: Volume 1
Ransomware Diaries: Volume 1
The LockBit ransomware gang is one of the most notorious organized cybercrime syndicates that exists today. The gang is behind attacks targeting private-sector corporations and other high-profile industries worldwide. News and media outlets have documented many LockBit attacks, while security vendors offer technical assessments explaining how each occurred. Although these provide insight into the attacks, I wanted to know more about the human side of the operation to learn about the insights, motivations, and behaviors of the individuals on the other side of the keyboard. To prepare for this project, I spent months developing several online personas and established their credibility over time to gain access to the gang’s operation.
#analyst1#EN#2023#LockBit#ransomware#Insights
·analyst1.com·
Ransomware Diaries: Volume 1
LockBit ransomware suspect nabbed in Canada, faces charges in the US
LockBit ransomware suspect nabbed in Canada, faces charges in the US
Automation features make LockBit one of the more destructive pieces of ransomware. Federal prosecutors on Thursday charged a dual Russian and Canadian national for his alleged participation in a global campaign to spread ransomware known as LockBit. Mikhail Vasiliev, 33, of Bradford, Ontario, Canada, was taken into custody in late October by authorities in Ontario, officials at Interpol said. He is now in custody in Canada awaiting extradition to the US.
#arstechnica#EN#2022#LockBit#Canada#member#arrest
·arstechnica.com·
LockBit ransomware suspect nabbed in Canada, faces charges in the US