Luke Donovan

Early Analysis of the LockBit Data Leak

Searchlight’s threat intelligence team shares their early observations from the LockBit data leak

Initial observations, May 8 2025

On May 7 2025, it was reported that the dark web affiliate panel of the Ransomware-as-a-Service (RaaS) group LockBit had been hijacked. The panel was replaced with a message linking to a MySQL database dump containing data relating to the group’s operations.

Below are our initial observations based on early analysis of the data:

The first thing to highlight is that LockBit’s site has been defaced with the same message that was posted last month on the site of another ransomware group, Everest. While we cannot be certain at this stage, this suggests that the same actor or group was behind the hack of both sites and implies that this data leak is the result of infighting within the cybercriminal community.

Early analysis of the data itself reveals that it is partly composed of ‘user data’ for the LockBit site, almost certainly relating to affiliates or administrators of the group. We have identified 76 users in the data, whose usernames and passwords are contained in the leak.

This user data will prove valuable for cybersecurity researchers, as it allows us to learn more about the affiliates of LockBit and how they operate. For example, 22 of those 76 users have TOX IDs associated with them (identifiers for Tox, a messaging service popular in the hacking community).

These TOX IDs have allowed us to associate three of the leaked users with aliases on hacking forums that use the same TOX IDs. By analyzing their conversations on hacking forums we will be able to learn more about the group, for example the types of access they buy in order to hack organizations.
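As an added illustration of the pivot described above (not code or data from Searchlight or from the leak), the following Python joins a set of panel user records to forum posts on a shared TOX ID. All records, usernames, aliases and IDs are constructed placeholders. Before matching, each candidate ID is checked against the public Tox address layout (32-byte public key, 4-byte nospam, 2-byte XOR checksum, 76 hex characters), so that a string which merely looks like hex does not produce a false link; `make_tox_id` exists only to build well-formed sample IDs.

```python
"""
Pivot from leaked panel accounts to forum aliases that share a TOX ID.

Constructed example: the users, aliases and IDs below are placeholders,
not data from the LockBit leak.
"""
import re
from collections import defaultdict

TOX_ID_RE = re.compile(r"^[0-9A-F]{76}$")


def tox_checksum(body: bytes) -> bytes:
    """XOR checksum over the 36-byte key+nospam body, as used by Tox addresses."""
    cs = bytearray(2)
    for i, b in enumerate(body):
        cs[i % 2] ^= b
    return bytes(cs)


def is_valid_tox_id(candidate: str) -> bool:
    """Accept only 76 hex chars whose trailing checksum matches the body."""
    cand = candidate.strip().upper()
    if not TOX_ID_RE.match(cand):
        return False
    raw = bytes.fromhex(cand)
    return tox_checksum(raw[:36]) == raw[36:]


def make_tox_id(body_hex: str) -> str:
    """Build a well-formed TOX ID from a 72-hex-char body (sample construction only)."""
    body = bytes.fromhex(body_hex)
    return (body + tox_checksum(body)).hex().upper()


def pivot_on_tox(panel_users, forum_posts):
    """Map panel usernames to the forum aliases that advertise the same valid TOX ID."""
    by_tox = defaultdict(set)
    for post in forum_posts:
        if is_valid_tox_id(post["tox_id"]):
            by_tox[post["tox_id"].strip().upper()].add(post["alias"])
    links = {}
    for user in panel_users:
        tox = (user.get("tox_id") or "").strip().upper()
        if tox and is_valid_tox_id(tox) and tox in by_tox:
            links[user["username"]] = sorted(by_tox[tox])
    return links


# Constructed sample IDs: placeholder key bodies, not real Tox keys.
TOX_A = make_tox_id("AA" * 32 + "01020304")
TOX_B = make_tox_id("BB" * 32 + "00000000")

# Constructed panel user records (the leak's real field names are not assumed here).
PANEL_USERS = [
    {"username": "panel_user_1", "tox_id": TOX_A},
    {"username": "panel_user_2", "tox_id": TOX_B.lower()},  # case differs, still matches
    {"username": "panel_user_3", "tox_id": None},           # no TOX ID recorded
    {"username": "panel_user_4", "tox_id": "C" * 76},       # hex-looking but bad checksum
]

# Constructed forum posts carrying a TOX ID in the poster's signature.
FORUM_POSTS = [
    {"alias": "forum_alias_x", "tox_id": TOX_A},
    {"alias": "forum_alias_y", "tox_id": TOX_B},
    {"alias": "forum_alias_z", "tox_id": TOX_A},
    {"alias": "forum_alias_w", "tox_id": "C" * 76},
]


def sample_links():
    """Run the pivot over the constructed records."""
    return pivot_on_tox(PANEL_USERS, FORUM_POSTS)


if __name__ == "__main__":
    for username, aliases in sample_links().items():
        print(f"{username} -> {', '.join(aliases)}")
```

Normalising case and validating the checksum matters because leaked tables and forum signatures are free-text fields; a single mistyped or truncated ID would otherwise either miss a genuine link or, worse, tie an account to the wrong alias.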

The data leak also appears to contain conversations between LockBit affiliates and their victims. Based on session IDs, we have identified 208 conversations dated between 19 December 2024 and 29 April 2025. Again, this data could be valuable for learning more about how LockBit’s affiliates negotiate with their victims.

Update, May 13 2025

LockBit’s ransomware leak site is now back up and functioning after being hijacked last week. However, the data that was leaked offers rare intelligence into the operation of one of the most notorious ransomware groups. Following additional analysis, Searchlight Cyber has extracted the following insights from the LockBit data leak:

LockBit’s ransomware negotiations with victims

Out of the 208 conversations with victims, 103 mentioned ransom payment amounts. This is what we learnt:

  • Currency: Most ransom demands were stated in USD, but on some occasions BTC amounts were used. For consistency, we have converted the figures below into USD based on the exchange rate on 12 May 2025. Payments were requested in cryptocurrency, with both BTC and XMR observed.
  • Ransom demands: Ransom payment requests ranged from $2,000 USD to $4,500,000 USD. More than half (56) of the 103 ransom payment conversations started with an initial demand of over $50,000 USD. Three demands were over $1,000,000 USD.
  • Discounts: There were 33 conversations where a discount on the payment was discussed. Discounts ranged from 5% to 87%, and victims appeared to obtain some level of discount without significant effort.
  • Negotiating tactics: ZoomInfo was often used by the LockBit affiliates as a way of arguing that the victim had the revenue to pay. Where discounts were achieved, they were often tied to meeting some form of criteria, such as making a payment within 72 hours.
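To make the method behind the figures above concrete, here is an added Python example (not Searchlight’s tooling, and run over constructed records rather than the leaked chats) that aggregates negotiation records the way the bullets describe: filter conversations to a date window, normalise BTC demands to USD at a single assumed rate, count demands above thresholds, and compute the discount between the initial demand and the agreed payment. The record fields, the sample values and the `BTC_USD_RATE` constant are all assumptions of this example.

```python
"""
Aggregate ransom-negotiation figures from a set of chat records.

Constructed example: the records and the BTC/USD rate below are placeholders,
not values taken from the LockBit leak.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed exchange rate used to normalise BTC demands to USD (placeholder value).
BTC_USD_RATE = 100_000.0

# Assumed analysis window, matching the span of dates an analyst would restrict to.
WINDOW_START = date(2024, 12, 19)
WINDOW_END = date(2025, 4, 29)


@dataclass
class Negotiation:
    session_id: str
    started: date
    demand: Optional[float]   # initial demand as stated in the chat
    currency: Optional[str]   # "USD" or "BTC"; None when no amount was mentioned
    agreed: Optional[float]   # amount finally agreed, same currency as demand, if any


def to_usd(amount: float, currency: str, rate: float = BTC_USD_RATE) -> float:
    """Normalise an amount to USD so demands stated in different currencies compare."""
    if currency == "USD":
        return amount
    if currency == "BTC":
        return amount * rate
    raise ValueError(f"unsupported currency: {currency}")


def discount_pct(demand_usd: float, agreed_usd: float) -> float:
    """Percentage reduction from the initial demand to the agreed payment."""
    return round((demand_usd - agreed_usd) / demand_usd * 100, 1)


def summarise(records, start: date, end: date) -> dict:
    """Produce the counts an analyst would report for a negotiation dump."""
    in_range = [r for r in records if start <= r.started <= end]
    priced = [r for r in in_range if r.demand is not None and r.currency]
    demands = [to_usd(r.demand, r.currency) for r in priced]
    discounts = [
        discount_pct(to_usd(r.demand, r.currency), to_usd(r.agreed, r.currency))
        for r in priced
        if r.agreed is not None and r.agreed < r.demand
    ]
    return {
        "conversations": len(in_range),
        "with_amount": len(priced),
        "min_demand_usd": min(demands) if demands else None,
        "max_demand_usd": max(demands) if demands else None,
        "over_50k": sum(d > 50_000 for d in demands),
        "over_1m": sum(d > 1_000_000 for d in demands),
        "discounted": len(discounts),
        "min_discount_pct": min(discounts) if discounts else None,
        "max_discount_pct": max(discounts) if discounts else None,
    }


# Constructed sample records (not real leak data).
SAMPLE = [
    Negotiation("s1", date(2025, 1, 10), 20_000, "USD", 19_000),
    Negotiation("s2", date(2025, 2, 3), 2.0, "BTC", 1.0),          # stated in BTC
    Negotiation("s3", date(2025, 3, 15), 1_500_000, "USD", None),  # no agreement
    Negotiation("s4", date(2025, 4, 1), None, None, None),         # no amount mentioned
    Negotiation("s5", date(2024, 11, 1), 5_000, "USD", 5_000),     # outside the window
    Negotiation("s6", date(2025, 4, 20), 80_000, "USD", 10_400),   # large discount
]


def sample_summary() -> dict:
    """Summarise the constructed records over the assumed window."""
    return summarise(SAMPLE, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    for key, value in sample_summary().items():
        print(f"{key}: {value}")
```

Fixing one exchange rate for the whole dataset, as the post does, keeps the USD figures comparable across conversations; the trade-off is that demands stated in BTC months apart are not valued at the rate the victim actually faced at the time, which is worth stating alongside any published range.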

LockBit’s affiliates

The LockBit data leak confirmed a regular observation that ransomware affiliates often move from one ransomware group to another. For example, one affiliate mentioned in negotiation with a victim that they were previously a RansomHub affiliate but had moved over to LockBit. Registrations to LockBit’s affiliate panel were said to be open but to require a down payment of $777 USD.

The data also shows that, as well as collecting the ransom, LockBit affiliates would try to sell the victim information on how they breached the company as an additional form of revenue. We observed intrusion paths and protection suggestions being advertised by LockBit affiliates for $10,000 USD.

The leak also demonstrates the risk of repeated ransomware attacks and of affiliates working through the supply chain to attack other organizations. One affiliate claimed that, through one victim, they had been able to attack 24 additional companies via the victim’s network.