Unfiltered look into LockBit’s operations

May 21, 2025, 8:42 p.m.

Description

A breach of LockBit's dark web affiliate panels exposed a rare glimpse into their operations. The leaked data included Bitcoin addresses, admin credentials, and a chat log revealing negotiation tactics and ransom demands. Ransom amounts varied widely, with some victims confused about the demands. The breach exposed LockBit's research into victims' finances and their willingness to provide additional services for a fee. The incident highlights the complexities of cybercrime negotiations and the human stories behind the headlines. Additionally, Cisco Talos observed a trend of attack kill chains being split into two stages, executed by separate threat actors, leading to refined definitions of initial access brokers.

External References

https://blog.talosintelligence.com/xoxo-to-prague/
https://otx.alienvault.com/pulse/682671c9405674c9b44141b2
Tags
ransomware
lockbit
data breach
initial access brokers
dark web
2025-05-15
affiliate panels
negotiation tactics

Date

  • Created: May 15, 2025, 10:59 p.m.
  • Published: May 15, 2025, 10:59 p.m.
  • Modified: May 21, 2025, 8:42 p.m.

Indicators

  • e00aa8146cf1202d8ba4fffbcf86da3c6d8148a80bb6503d89b0db2aa9cc0997
  • a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
  • 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507
Download all indicators here!

Attack Patterns

  • LockBit
  • LockBit