The Searchlight Cyber Threat Intelligence team shares further observations from its ongoing analysis of the LockBit leak data
What We’ve Learnt So Far
The treasure trove of data released in the LockBit data leak, published on its hijacked leak site on May 7 2025, continues to shed light on the operations of the group. Further analysis has allowed our threat intelligence team to make new observations on the setup of the group’s “Lite” RaaS program, its victimology, and its most prolific affiliates.
This blog builds on our initial observations as we continue to build out our picture of LockBit, based on analysis of the published data and – particularly in this blog – its affiliates’ conversations with victims. These chats give us a rare insight into the inner workings of LockBit, in the threat actors’ own words.
LockBit “Lite”
One of the interesting aspects of this leak is that it relates to affiliates that were on the LockBit Lite panel, which – as the name implies – is a “lower-tier” Ransomware-as-a-Service (RaaS) offering compared to its “official” affiliate scheme. Under LockBit Lite, threat actors were able to launch attacks using LockBit ransomware for a fee of $777 USD, significantly less than the 1 BTC deposit typically required.
It would also seem that LockBit Lite required far less rigorous “background checks” than LockBit’s standard affiliate program, which ordinarily takes into account “reputation on the forums, the team composition, evidence of work with other affiliate programs, your wallet balance, the amount of previous payments and much more”.
As a trade-off, these affiliates do not have access to the encryption keys, often saying in their conversations with victims that they have to wait for the “boss” or “tech support” to provide decryptors. This suggests a lack of trust placed by LockBit in newly recruited/novice affiliates. The conversation records show it can also lead to victims waiting for days after payment to be able to decrypt their files – sometimes unsuccessfully:
“Tech support will come, he is the boss, will send the decryptor here and write everything.”
LockBit’s leader stated in a March 2025 interview that “anyone can access a Ransomware panel and start working within five minutes after paying a symbolic fee of $777. Those who prove themselves as experienced pentesters will gain access to a more advanced and functional Ransomware panel.” It appears LockBit began offering this tier in December 2024, which lines up with the first registration dates of users of the panel.
The fact that the data leak is from the LockBit Lite panel and from a relatively small time window (19 Dec 24 to 29 Apr 25) means that it should be viewed as an isolated snapshot rather than a complete picture of LockBit’s current operations.
The Most Active Affiliates
The top five affiliates in the LockBit Lite program by number of negotiations conducted in the period covered by the data leak were:
- Christopher – 44 negotiations
- jhon0722 – 42 negotiations
- PiotrBond – 19 negotiations
- JamesCraig – 17 negotiations
- Swan – 17 negotiations
Another affiliate of interest is matrix777, who is likely to be the same user as the “admin” due to matching TOX IDs and registration dates (November 15 2020, far before the Dec 2024 registration dates of the first LockBit Lite affiliates). It’s unclear if this is the acting administrator of LockBit or a senior member who has been tasked with managing the LockBit Lite program.
Victimology: Chinese and Russian Victims
There is a relatively high incidence of Chinese targets. This could be for several reasons: ease of compromise, less law enforcement attention, or – as mentioned by affiliates in several negotiations – high likelihood of a ransom payment being made:
“We love working with China, they pay well.”
On more than one occasion, Russian organizations were targeted by operators using the LockBit Lite panel, something that is expressly forbidden by LockBit (and most RaaS programs). In one case, it appears to have been the result of the affiliate themselves being hacked. The admin/matrix777 intervened, expressing anger at the affiliate before sending free decryptors to the victim.
However, the decryptor did not work and it is unknown if the victim’s files were recovered. After discovering the affiliate had been hacked, admin/matrix777 hypothesized that the hack could be “a special FBI operation to destroy my reputation or a setup from competitors”. In another instance, where the targeted Russian organisation was the city administration of Chebarkul, affiliate amleto claimed the attack was “the work of our competitors” and offered a decryptor free of charge.
Defunct Decryptors
The Russian victim is not an outlier in having issues with LockBit’s decryptor. Multiple victims report problems with the decryptors provided to them after ransom payment, and many of the affiliates do not seem equipped to deal with this, instead relying on the “boss” or “tech support” to resolve any issues:
“Boss can help you, wait for him to answer, I don’t know for sure.”
Understandably, many of these victims express frustration at not being able to decrypt their data, even though they have paid the ransom:
“The files are encrypted by you, and you should know why they can’t be decrypted!”
Attempts to Recruit Victims as Ransomware Affiliates
Perhaps one of the strangest findings of our analysis so far is the observation of LockBit trying to recruit their victims to join the RaaS scheme themselves. On a number of occasions the offer of the $777 USD sign-up fee was advertised to victims via the following message:
“Want a lamborghini, a ferrari and lots of titty girls? Sign up and start your pentester billionaire journey in 5 minutes with us.”
This novel recruitment method may indicate the difficulty LockBit has encountered attracting more experienced operators since Operation Cronos, the law enforcement action against it in February 2024, dealt considerable damage to its reputation in cybercrime circles.
Several representatives of the targeted organizations did express interest in joining the program, mostly from Chinese companies, but it is unclear whether any of them followed through with applying. The existing affiliates did not appear interested in encouraging new members to join, sometimes even dismissing the victims’ enquiries, reflecting their status as independent contractors not particularly concerned with the broader success of the LockBit enterprise.
Advice Shared By Affiliates to Their Victims
Also somewhat unexpectedly, several affiliates offered victims recommendations on how to improve their security and prevent future attacks. Most of their advice is fairly basic, such as using more secure passwords, installing antivirus and “monitoring activity on the corporate network”. Further suggestions include removing admin rights from user accounts and closing certain ports. Christopher, the most prolific affiliate in this time period, advised multiple victims of the initial access technique used and subsequent attack chain:
“We got to you through phishing, captured the domain, and then the admin host”.
Another affiliate, BaleyBeach, gave a victim tips on how to avoid falling foul of sanctions when making a ransom payment, stating: “you just buy bitcoin for your own needs and send it to us. There is no need to mention “Lockbit” or any other related stuff” and “We can give you other btc wallet related to no group. Technically you don’t pay LockBit, you pay to independent researchers. It is the last chance how we can help you.”
Of course, as we have seen, even if the victim does pay the ransom that is not a guarantee of them recovering their data. Furthermore, this data leak shows that there is an additional risk for victims that their negotiations with ransomware operators may not remain private forever.