Inside the Lockbit Leak

In another shakeup in the ransomware world, the Lockbit ransomware gang has suffered a major leak. Many of the group’s onion addresses currently redirect to an SQL database containing a trove of sensitive information, exposing not just victim data but also the inner workings of Lockbit’s negotiation tactics, technical support processes, and attack strategies.

The leaker’s identity is unknown; however, they did leave the message “Don’t do crime, CRIME IS BAD, xoxo from Prague”. The same message was seen on the Everest PR page in April 2025 before that page went offline, suggesting it could be the same individual or group. Kevin Beaumont has suggested that the DragonForce gang could be behind the attacks; however, no group has taken credit yet. Lockbit has an open ransom available for any information about who is behind the attack.

Key Takeaways from the Leak

Technical Support for Victims

Lockbit went beyond the typical role of a cybercriminal organization by providing “technical support” to victims. They guided them through the decryption process, even allowing uploads of up to 100MB and over 100 files to prove that their decryptors worked as promised.

Controlled File Sharing

In maintaining operational security, Lockbit refused to engage with external file-sharing links. They relied solely on their own internal upload service during negotiations and communications.

Varied Negotiation Tactics

The leaked chats reveal Lockbit’s flexible pricing strategy, which included ransom demands ranging from $3,800 to $4,500,000 in Bitcoin.

In one specific instance, they accepted a $5,000 deposit to grant the victim an extension on their payment deadline.

Limited Transparency on Exfiltrated Data

Victims were not given complete file trees of the stolen data. Instead, Lockbit provided high-level descriptions, listing the affected servers and shares (e.g., ESXi) without offering deeper detail.

Disturbing Interactions

In one instance, a victim even asked for career advice on getting started in ransomware, highlighting the normalization of cybercrime in certain circles:

“Bro, I want to ask for your advice. If I want to make some extra money on the side but do it safely like you guys, do you have any recommended directions?”

Tools and Techniques

Lockbit promoted the use of Eraser by heidi.ie for securely deleting files after operations. They were also transparent about their infiltration methods:

  • Following employee activity and exploiting weak points (e.g., Google Backup logins)
  • Leveraging manager accounts with user privileges to escalate access
  • Using AnyDesk installed across hosts for lateral movement
  • Offering to sell intrusion paths and defense recommendations for $10,000 USDT
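The AnyDesk point above is the one a defender can act on most directly: a legitimate remote-access tool appearing on many hosts in a short window is a strong lateral-movement signal. The following is an added detection example, not code from the leak or from any Lockbit tooling. It parses a hypothetical software-install audit feed (the log lines are constructed for illustration, and the approved-host list and remote-access tool list are assumptions) and raises two kinds of finding: remote-access tools installed on hosts not approved to run them, and the same tool landing on several distinct hosts within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the leak). The format is a
# hypothetical install-audit feed: timestamp, host, event type, product name.
SAMPLE_LOG = """\
2025-05-07T10:12:03Z host=WS-01 event=install product=AnyDesk
2025-05-07T10:14:51Z host=WS-02 event=install product=AnyDesk
2025-05-07T10:15:20Z host=FS-01 event=install product=AnyDesk
2025-05-07T10:16:44Z host=WS-03 event=install product=AnyDesk
2025-05-07T11:02:10Z host=WS-04 event=install product=7-Zip
2025-05-08T09:00:00Z host=HELPDESK-01 event=install product=AnyDesk
"""

# Assumed: remote-access products that should only exist on approved hosts,
# and the set of hosts where helpdesk staff legitimately use them.
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer", "rustdesk"}
APPROVED_REMOTE_HOSTS = {"HELPDESK-01"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) product=(?P<product>.+)$"
)


def parse_log(text):
    """Parse the constructed audit feed into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(
            {"ts": ts, "host": m["host"], "event": m["event"], "product": m["product"]}
        )
    return events


def unapproved_remote_installs(events, approved_hosts=APPROVED_REMOTE_HOSTS):
    """Return (host, product) for remote-access tools installed outside the approved hosts."""
    return [
        (e["host"], e["product"])
        for e in events
        if e["event"] == "install"
        and e["product"].lower() in REMOTE_ACCESS_TOOLS
        and e["host"] not in approved_hosts
    ]


def install_bursts(events, min_hosts=3, window=timedelta(minutes=30)):
    """Return (product, hosts) when one remote-access tool reaches >= min_hosts
    distinct hosts inside any sliding window; this is the lateral-movement pattern."""
    by_product = defaultdict(list)
    for e in events:
        if e["event"] == "install" and e["product"].lower() in REMOTE_ACCESS_TOOLS:
            by_product[e["product"]].append(e)

    alerts = []
    for product, evs in by_product.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append((product, sorted(hosts)))
                break  # one alert per product is enough for triage
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for host, product in unapproved_remote_installs(evs):
        print(f"unapproved remote-access tool: {product} on {host}")
    for product, hosts in install_bursts(evs):
        print(f"burst: {product} installed on {len(hosts)} hosts within 30 min: {hosts}")
```

The burst rule is the more useful of the two: an allowlist catches a single rogue install, but the sliding window is what distinguishes an operator pushing AnyDesk across a fleet from a helpdesk technician installing it on one machine. Thresholds (three hosts, thirty minutes) are starting values to tune against your own change-management baseline.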

Aggressive Threats to Victims

If victims resisted paying, Lockbit escalated to direct threats:

  • “If you choose to give up paying the ransom, we will follow up.”
  • “We will conduct subsequent attacks, incidents, and data disclosure.”

Multilingual Negotiations

Victims often requested that Lockbit operators communicate in languages other than English, highlighting the global nature of their attacks. In some leaked exchanges, victims expressed difficulty with English and asked if the gang could converse in their native language:

  • “Can you speak Chinese? Writing in English is so hard.”
  • “What is your mother language?”

Lockbit, however, generally maintained English as the default language for most negotiations.

Targeting Chinese Companies and Supply Chains

Multiple attacks appeared aimed at Chinese companies, with Lockbit acknowledging that these ransoms were seen as affordable by their standards. Additionally, the leaked data suggests they leveraged supply chain connections, attacking multiple victims via compromised networks of other organizations.

Conclusion

This leak offers another window into the inner machinery of ransomware operations. From their structured support model to aggressive extortion methods and detailed infiltration techniques, the revelations emphasize the professionalization of ransomware groups and the ever-evolving threat they pose.

Organizations must take this moment as a wake-up call: bolster network defenses, conduct thorough security audits, and ensure incident response plans are in place.