The notorious LockBit ransomware group appears to have gone from cybercrime perpetrator to victim, as one of its dark web sites has been defaced.
A new message on the site reads: “Don’t do crime CRIME IS BAD xoxo from Prague”, with a link to a MySQL database containing chats between the hackers and their victims.
Other leaked data includes Bitcoin wallet addresses, affiliate accounts, details about attacks, and information on the group’s malware and infrastructure, as well as detailed information about victims, such as company websites, estimated revenue, and custom versions of the ransomware.
The data covers the period since December last year.
“While we’re still waiting for official confirmation, the leaked information looks real and has also been shared on Telegram,” said Christiaan Beek, senior director of threat analytics at security firm Rapid7.
“Looking at the leaked chats, we can see how aggressive LockBit was during ransom negotiations. In some cases, victims were pressured to pay just a few thousand dollars. In others, the group demanded much more: $50,000, $60,000, or even $100,000.”
The leak was spotted by threat actor Rey, who has apparently been in contact with the group. In a chat shared on X, LockBit support claims that neither source code nor decryptors were stolen, but admits that the incident will affect the group’s reputation.
It’s not known who hacked the site but, according to Rey, the message that’s appeared is the same as one that appeared on the Everest Ransomware Group’s site last month.
LockBit has attacked more than 2,500 victims in at least 120 countries, with victims including multinational corporations, as well as hospitals, schools, non-profit organizations, critical infrastructure, and government and law-enforcement agencies. It’s believed to have taken at least $500 million in ransom payments over the years.
Last year, the UK’s National Crime Agency (NCA) led a law enforcement operation against LockBit that saw it take control of the group’s primary administration environment, which enabled affiliates to build and carry out attacks, along with its public-facing leak site on the dark web. However, it was soon up and running again.
“The leaked LockBit negotiations reveal just how professionalized ransomware operations have become. Victims were offered test decryption, given pricing based on company size, walked through ESXi recovery, and even received timezone-aware replies. It’s not just extortion — it’s structured customer service,” said Ferhat Dikbiyik, chief research and intelligence officer at Black Kite.
“LockBit ran its operation like a SaaS platform, right down to scripted responses and technical support. They didn’t just operate like a business. They believed they were one.”
Dikbiyik added that the hack appears to have had an effect on the group’s business, with affiliates already having begun to migrate to other ransomware groups or to launch their own RaaS operations.
“In a business built on reputation and anonymity, LockBit’s loss of control doesn’t just damage them, it reshapes the ecosystem,” he said.