A Deep Dive Into The LockBit Data Leaks

The Searchlight Cyber threat intelligence team shares its analysis of the LockBit data leaks

In this episode of The Dark Dive we return to the notorious ransomware group LockBit.

On May 7th, 2025 the notorious ransomware group LockBit’s dark web leak site displayed an unusual message:

“Don’t do crime, crime is bad xoxo from Prague”.

Alongside this text was the link to an archive file, containing data that appeared to have been stolen from the LockBit ransomware group itself.

In this month’s episode of The Dark Dive, members of the Searchlight Cyber threat intelligence team share what they learned by downloading and analyzing the files. Juicy details include the range of payments that the hackers demand from their victims, unexpected conversations in the negotiation chats, and the deliberate targeting of Chinese enterprises.

Speakers

Aidan Murphy

Host, Searchlight Cyber

Luke Donovan

Head of Threat Intelligence, Searchlight Cyber

Vlad

Threat Intelligence Analyst, Searchlight Cyber

In this episode we cover what we learnt from the LockBit data leaks:

Insights into LockBit's Operations

The leaked data comes from the "Lite" version of LockBit's Ransomware-as-a-Service scheme, in which affiliates paid a lower fee to participate.

Information on LockBit's Affiliates

In total, 76 affiliates were caught up in this leak. Our threat intelligence team explains what we can learn about them from newly exposed identifiers such as TOX IDs.

Takeaways from victim negotiations

In addition, 208 victim negotiation chats were reviewed, revealing everything from negotiating tactics to ransom prices to victim trends.

Transcript

(TC: 00:00:00) 

Aidan Murphy: Hello and welcome to the Dark Dive, the podcast that delves into the depths of the Dark Web and cybersecurity. My name is Aidan Murphy and I’m your host. And in this month’s episode we’re returning to one of the most notorious ransomware groups: LockBit. On May 7th 2025 LockBit’s Dark Web leak site displayed an unusual message. It said, ‘Don’t do crime. Crime is bad. xoxo from Prague.’ Alongside this text was a link to an archive file containing data that appeared to have been stolen from the LockBit ransomware group itself. Quite ironic considering that LockBit usually uses its site to leak the data it’s stolen from companies. Of course, the response of our threat intelligence team, like many others, was to download the files and see what we could learn from what was inside. And I’m going to say from the outset that some of the insights are pretty juicy. Joining me to discuss this leaked data and what we learned from the files is Searchlight Cyber’s Head of Threat Intelligence, Luke Donovan. Welcome back, Luke. 

(TC: 00:01:04) 

Luke Donovan: Thanks for having me, Aidan. 

(TC: 00:01:05) 

Aidan Murphy: And Threat Intelligence Analyst at Searchlight Cyber, Vlad. Welcome back to the podcast, Vlad. 

(TC: 00:01:09) 

Vlad: Thanks, Aidan. Happy to be here. 

(TC: 00:01:12) 

Aidan Murphy: Great, so as I alluded to in my intro, LockBit is a famous ransomware group and if listeners are interested, they can find another episode on LockBit that we recorded in season 2 called the LockBit Takedown. But to quickly bring everybody up to speed here, maybe, Luke, you could give us a very, very short potted overview of LockBit. Why are they so infamous? 

(TC: 00:01:33) 

Luke Donovan: Yes, no problem at all, Aidan. So, LockBit, they started off under a different name originally, back in 2019, called ABCD, but they changed their name to LockBit in 2020 and since then they have gone through a few iterations, from LockBit 1, LockBit 2, 3, 4 and a few additional names there. They are what we call a Ransomware-as-a-Service operation. They have a number of affiliates. So, individuals who can go to them and utilize their infrastructure and their, sort of, resources in order to conduct ransomware operations. So, it’s been around. They’ve been prolific in terms of the number of ransomware victims they’ve hit. So, to give a bit of an indication, back in 2023 they were the most prolific ransomware group. They hit the most ransomware victims. In 2024, they were the second most prolific ransomware group and in 2025, we’ve seen a bit of a dip, but I’m sure we’ll cover that off a bit later on in the call. Back in 2024, 1,042 ransomware victims during that year. So, it just shows how big this group is, or this, sort of, organization. 

(TC: 00:02:40) 

Aidan Murphy: Yes, and I think the affiliate part of it, I guess I just wanted to go into a little bit more depth on, because I think it’s going to be relevant for this story too. So, effectively, just to make sure I’ve got this right, affiliates, kind of, sit outside of the group, but they are other hackers and they effectively, I mean in the most basic terms, rent the ransomware, let’s say, from LockBit and they use that technology in their attacks and then they, kind of, get a cut, right, of the takings. 

(TC: 00:03:11) 

Luke Donovan: That’s absolutely right, Aidan, absolutely. So, these individuals, they may not have the capability to create their own ransomware to then operate that against the victims which they’ve identified, but what they will do is they will utilize their own abilities, their own capabilities, to gain access to victims. So, this could be through phishing attempts, brute-force dictionary attempts, initial access brokers, buying access to organizations. But then using the infrastructure of that Ransomware-as-a-Service group, in this case LockBit, and their infrastructure to store any of the content which has been exploited and downloaded, to running the, sort of, communications between LockBit and the victim as well. 

(TC: 00:03:56) 

Aidan Murphy: Yes, and I think that explains for people how we get to, like, 1,000 victims. I do think it can sometimes be a bit confused in mainstream press, but to be clear LockBit the group is not one guy. They don’t get to 1,000 victims from one guy working very hard. The reason they can, kind of, reach that level and we’re talking more than 1,000 victims in one year is through the use of these affiliates and that’s how the system runs. Thanks for that, Luke. I think that’s a really good overview and now we’ve established who LockBit are, let’s get into the details of this story. So, as I mentioned this all kicked off on May 7th this year with that message on LockBit’s website. Is it fair to say, Vlad, that this was unusual? This wasn’t a normal day in the life of LockBit. 

(TC: 00:04:41) 

Vlad: That message on their blog was rather unusual, but it wasn’t the first time we saw that. So, as you mentioned, in May 2025, LockBit was the victim of an attack which saw their blog temporarily defaced and the message “Don’t do crime. Crime is bad. xoxo from Prague” displayed. But the same message was posted before in a similar defacement attack against a victim shaming blog operated by the Everest group. To those who don’t know, the Everest group was initially a data breach group, then they moved over to ransomware. They used ransomware for a while. Then they started selling initial access. So, they were, kind of, a jack of all trades. So, it was interesting to see the same message. But in this case, the internal database was also leaked, which didn’t happen in the case of Everest, or at least it didn’t surface anywhere. So, this database contained affiliate chat logs, including communication with victims, extortion attempts, negotiations and much more. Of course, affiliate details were visible alongside hints of the tactics, techniques and procedures used against those victims. 

(TC: 00:05:57) 

Aidan Murphy: So, this is a lot of data and, like I say, it’s very interesting that the same message appeared on another ransomware group’s leak site before. I think the golden question is who is behind it? But do we have any ideas or is that still a mystery? 

(TC: 00:06:14) 

Vlad: It’s unclear. Nobody knows who was behind this message. All we know is that even LockBit themselves don’t know who this perpetrator was. They were even offering a reward for anyone who could provide any kind of information about this guy. 

(TC: 00:06:29) 

Aidan Murphy: Wow, okay. 

(TC: 00:06:30) 

Vlad: To get back to your statement earlier, this is a huge data set. It is indeed. I have some figures here. So, there were about 63 crypto addresses being leaked; about 4,500 messages; 76 usernames; and about 21 TOX IDs. It became clear quite quickly that the impacted affiliates were actually part of the light version of the affiliate program. What that means is that almost anyone who was willing to pay the $777 fee could gain access to the portal, and you have to compare this to the usual 1 bitcoin deposit that was payable for joining the normal affiliate program. So, affiliates could keep 80% of the profits while the rest would be paid to LockBit. 

(TC: 00:07:22) 

Aidan Murphy: So, what we’re talking-, so, I guess this goes back to our conversation a second ago about Ransomware-as-a-Service schemes. So, what we’re now talking about is LockBit having tiered schemes, so they have a standard ransomware service which, I think you just said, Vlad, it was 1 bitcoin to participate in. Or you could join this lesser scheme for a cheaper price, and I think the picture that people will be getting from listening to this is just, kind of, how commoditized ransomware is, that you start to get into different levels of Ransomware-as-a-Service schemes, but it’s a very important point that this data comes specifically from the light version. Luke, you went on the record at the time in The Times, no less, as saying that this data was a potential goldmine for law enforcement and security professionals. What prompted you to say that? Why is this data that Vlad has outlined, you know, it contains a lot of information, but what exactly within it is so valuable? 

(TC: 00:08:22) 

Luke Donovan: Yes, so I think there’s two main areas here which we can discuss. The first one is the chats which Vlad just mentioned there. A significant number of chats between the ransomware affiliates and the ransomware victims. Within those chats, you can identify the ID number associated to each one of the affiliates. So, what that means is, over time, because you’ve got these logs, we can then start profiling some of the ransomware affiliates. We can start understanding how they operate, how they engage with the victims. Once we start profiling these individuals, it’s going to help us from an incident response point of view. Some of these ransomware affiliates will move across groups. They’ll go to a different ransomware group. They’ll be an affiliate there. So, when you start profiling these individuals, you can then, from an incident response perspective, understand how to deal with them, understand, sort of, what discounts you’re likely to get, understand how you can prolong that time period before your data’s leaked or raised onto the extortion site. The other thing which is very interesting-, so that’s looking at the chats. The other thing is looking at the records around these affiliates. So, they’ve all got screen names associated to them in the breached content. As Vlad’s mentioned, we’ve got TOX IDs as well associated to these individuals. Now, with that information, so with the screen names and the TOX IDs, what we can do is, from a security point of view or an intelligence point of view, we could then run additional searches across the Dark Web, across market sites, across forums, and try and profile these individuals again. Who have they engaged with in order to gain access to their victims? What other information can we obtain? From a security perspective, it’s all about building up these use cases and target packs of these individuals, understanding what makes them tick. How can we engage with them? 

(TC: 00:10:20) 

Aidan Murphy: So, if anyone is unaware, TOX is a messaging platform and we did a podcast on messaging platforms, which Vlad was in, which again I’ll link to in the show notes and you can go and listen to that if you want to find out a bit more about TOX. For this conversation, I think all you need to know is TOX is a messaging platform popular among the hacking community. And what you’re saying, Luke, is, well, obviously these individuals use pseudonyms because they don’t want to be identified, but through this leak we have more identifying information because we can start to combine usernames with TOX IDs with other information that might be out there on the Dark Web, or even the clear web, that could lead to further knowledge about these individuals. We build these profiles. Vlad, did you want to come in on that? 

(TC: 00:11:08) 

Vlad: Going back to Luke’s point about profiling victims, I wanted to emphasize how important this could be for analysts and researchers. So, let’s take a look at the actor using the Ken James Barr handle on LockBit’s infrastructure. Based on their TOX ID, we were able to pivot with the help of Cerberus and find out more about this individual. The handle itself doesn’t really reveal much, as this appears to be uniquely used on LockBit’s platform. However, the same TOX ID was used on the cybercrime forum XSS (‘Excesses’) by an actor using the atomic bot handle, and this actor was observed selling initial access, selling stolen data as well as documents, credit card information and so much more. Moreover, this actor previously sought training material created by the Conti ransomware group, which is rather interesting. It shows how inter-usable the knowledge from one ransomware affiliate program can be compared to how other ransomware groups operate. 

(TC: 00:12:18) 

Aidan Murphy: Yes, that’s a really good example as it’s illustrating what we can start to learn by, kind of, gathering this additional information. Cerberus, by the way, is Searchlight Cyber’s Dark Web investigation platform, for anyone who was wondering. So, I think, Vlad, you mentioned there were 76 affiliates that were identified in this data leak and so you’ve just given the example of one and what we could learn about them. Luke, do you have any other examples that stood out that maybe could illustrate some of what we can learn about these affiliates from the new information that was gathered from this specific data leak?

(TC: 00:12:49) 

Luke Donovan: There’s a fair bit we can identify. So, one of the first things is, again, looking at the database itself, it lists what the affiliates are, or the level of those affiliates. As you’ve already explained, we’re looking at the light panel here. Now that light panel, $777 to gain access to it. Associated to each one of those affiliates is a status. Now the majority of those affiliates were classed as being newbies. Okay, so, they’re brand new into this ransomware affiliate program. Okay, so they need to build up their capability. LockBit need to be trusting them that they’re going to get money out of the victims. When we start looking at those affiliates and we start looking at the Bitcoin addresses, we can start tying those together, working out whose Bitcoin addresses are associated with which affiliate, and then we can start working out where payments have been made. So, are these ransomware affiliates making money or are they not? What tactics are working? What ones are not? By looking at the affiliates and also the conversations as well, what we can then start doing is looking at the probability of discounts being applied. So, from a security perspective, or if you’ve been hit by ransomware, you could then start-, or when you start engaging with the ransomware groups, you can then start working out, okay, am I expected to pay the whole ransom? Or am I likely to get some discount? How am I going to get more discount? You know, what’s the probability of me getting a higher percentage of discount compared to a low percentage of discount? So, when we start looking at the chats, we can work out how do you engage with these affiliates to increase your probability of reducing that amount of money you’re going to pay. Obviously you should not pay a ransom, but it’s going to help you. 

(TC: 00:14:44) 

Aidan Murphy: Yes, I mean you’ve jumped to a point that I did want to talk about a little bit, which is that, and I want to come back to the affiliates, but you’ve brought up the, kind of, discounting and charging of ransomware victims. So, let’s stick with that for now. It did occur to me that one of the outcomes of this particular data leak might be an incentive for people not to pay ransomware on effectively two fronts: one of them is obviously that these victim negotiations have been leaked and I imagine if you are somebody who’s been affected by ransomware and have potentially been in conversations with hackers about paying or not paying, you wouldn’t necessarily want those details to be out there in the wild where you as the organization could potentially be identified. The other thing is that I think you flagged to me, Luke, that within these conversations there’s also quite a lot of evidence of the decryptors that are then provided to victims who pay not even working. So, it sheds, kind of, an interesting perspective in here on the argument of whether or not to pay ransom as well, right. It’s quite a complex one. 

(TC: 00:15:47) 

Luke Donovan: It is a complex one. You should not pay the ransom because that just fuels the whole ransomware environment. Although it means you’ll take some pain as an organization, it’s about looking at the bigger picture because they will just keep on coming back for more and more. In terms of the communication, you know, we’ve got to think here what we’ve got here is a complete list, or a list, of chats between December last year and April this year. So, there’s going to be more chats out there, sort of, prior to this. The group’s been around for a long time. But as Vlad’s mentioned, these ransomware affiliates will go off and utilize other ways of communicating with organizations. They’ll go off, they’ll utilize the likes of TOX to engage with the victims. And that’s really interesting information from a security point of view, or if you are engaging with these ransomware affiliates. So, if you’re able to get the communications off onto a different platform, you are likely to save your reputation slightly. It’s less likely that those conversations are going to be breached and made public. 

(TC: 00:17:01) 

Aidan Murphy: Yes, lots of interesting information that people can use. 

(TC: 00:17:04) 

Luke Donovan: Sorry, Vlad, do you want to come in on that? 

(TC: 00:17:08) 

Vlad: Sure. Luke mentioned the trust between LockBit representatives and affiliates, but from our experience analyzing this data it appeared that the affiliates carried out most interactions with their victims. However, they needed to receive the decryption keys from the admin in the case of a successful negotiation. So, they did not have full autonomy. It’s clear that there isn’t much trust. This meant that both affiliates and victims were at the mercy of the admins, who were often unavailable for longer periods of time. Hours, even days sometimes. Affiliates made all sorts of statements in this data set that we collected. So, those interesting statements include, for example, actor Bailey Beach, who claimed that they joined LockBit but they worked for another notorious ransomware group known as RansomHub. This actor also gave advice to a victim on how to make the cryptocurrency payment while avoiding sanctions. So, they are aware that some individuals have to obey the admin and so on. Actor Cody Allen told a victim that the network was encrypted by LockBit and HellCat, possibly indicating an example of an affiliate using multiple types of ransomware. There’s another actor using the Loft handle that stated that previously they used their own ransomware variant, but it wasn’t that good, so therefore they moved over to LockBit, which suggests that there’s some sort of trust from regular users who are looking to get into the higher echelon of ransomware. 

(TC: 00:18:45) 

Aidan Murphy: It’s incredible. I mean the amount of, yes, the amount of detail you can pull out of these chats and the picture it creates. One thing I just wanted to highlight as you were going there, Vlad, is this, kind of, crossover that you see between the groups. I think it’s a really, really important point. It’s something we’ve spoken about on this podcast before. Lots of researchers have, you know, pointed to potential crossover between ransomware groups, or often proof that that happens, but I think these chats really do illustrate the, kind of, fluid nature of the ransomware landscape and how these affiliates move between groups and, as you’ve been highlighting, might even be attacking with the two at the same time. It’s a really, really fascinating point. 

(TC: 00:19:34) 

Luke Donovan: I think it also highlights how financially motivated these groups are, that they’re going to move around, they’re going to try and obtain the best ransomware possible in order to hit their victims. Not only that, you know, but through the logs, or through the chats, what we can also see is additional strands of trying to get money out of victims. So, we see the ransomware affiliates advertising to their victims about the intrusion path which they took to gain access to their systems and how they would sell that on to the victim so the victim can then protect themselves moving forward. You’re looking at a fair bit of money. I think it’s $10,000 for them to tell you, and even then the information they provided was very minimal, very minimal. That just shows how financially motivated these groups are. You know, anything they can put their hands on and monetize, they will. 

(TC: 00:20:29) 

Aidan Murphy: Yes, that is a really interesting aspect of it. I guess while we’re talking about negotiating with victims, I think one thing I did just want to maybe focus on is, we do get a sense, I guess, from these chats, and Luke and Vlad have rightly pointed out that we are talking about the light Ransomware-as-a-Service scheme here and that we’re talking about a very specific period of time, but we also get a sense of the amount that people are asking for ransom. I don’t know, Luke or Vlad, if either of you want to come in. What’s the range we’re talking about in this time period for this set of victims? 

(TC: 00:21:02) 

Vlad: Victim size and revenue, they varied significantly. So, the smallest victim we were able to identify only had a yearly revenue of $24,000, which is not much. The highest single transaction was in the region of $400,000. However, most were much smaller than that. Some payments were as little as $5,000 and on some occasions even less than that. So, they went down to $2,000. 

(TC: 00:21:32) 

Luke Donovan: Just to back that up, Vlad, just to look at the demands which the affiliates are requesting, they range from $2,000 up to four and a half million US dollars. This is predominantly through Bitcoin, sometimes through Monero. Vlad, I think you saw some cases of additional payment methods? 

(TC: 00:21:52) 

Vlad: Yes, even Tether (USDT) was also used, and this was especially true in the case of Taiwanese victims, because the motivation behind that was that affiliates knew that in Taiwan it’s allegedly easier to get hold of Tether instead of Bitcoin. So, they were happy to accept that as payment. 

(TC: 00:22:14) 

Luke Donovan: And then out of that, that, sort of, price range, that $2,000 to four and a half million, you’re seeing discounts being applied to that of between 5% and 87%. But generally speaking you’re looking at around a 20% discount on those prices. 

(TC: 00:22:30) 

Aidan Murphy: And you mentioned this discounting earlier, Luke, what were the, kind of, negotiating tactics? So, is it just a plain ‘I’m not going to pay that’ or is it ‘If I pay within a certain time-frame, then can I have some money off?’ Or how did that seem to work in the chats? Obviously this is anecdotal, but did we get a sense of the different tactics that were used there? 

(TC: 00:22:48) 

Luke Donovan: Time frame was massive. If you pay fast, you’re going to get a bigger discount than if you try and prolong those conversations. It also comes down to the tone in which the victim deals with that ransomware affiliate. So, if you engage with the ransomware affiliate, if you’re responsive, if you seem like you’re trying to help them out, the probability is you’ll get a higher discount, rather than if you go in there in a negative mindset and post negative messages. They get fairly annoyed and the probability of getting a discount is reduced. So, it’s about that mindset. How do you deal with that affiliate? 

(TC: 00:23:28) 

Aidan Murphy: Yes, and I think this is why these chats are so fascinating, and similar, you know, data leaks around ransomware groups that there have been in the past. And it occurs to me this is a really good illustration of the fact that security is often seen as a, kind of, technical issue, right. It’s about vulnerabilities and it’s about applying security technology, but at the end of the day it’s one human attacking another and, as you say, Luke, when it comes down to the act of negotiation here, a lot of it is about the relationship between the victim and the attacker and the attacker’s ego or the attacker’s, you know, sense of fairness. You know, it’s a strange thing to think about, but they do. And it’s just a very interesting dynamic between these affiliates, LockBit itself, because, like you said, Vlad, there is also a trust relationship there between the affiliates and LockBit, and the victims. It’s a, kind of, strange three-way dynamic and how it plays out in these chats. 

(TC: 00:24:27) 

Luke Donovan: I think the other area you’ve got to think about here is that the ransomware groups, or the affiliates, they do their due diligence as well when it comes to thinking about the price which these organizations are going to pay. You know, we’ve got organizations which have been breached, service providers who have got multiple different customers associated to them. These ransomware affiliates are aware that they’re service providers, aware of all these different customers. So, when they’re engaging in the chats, they will mention, ‘You’ve got a lot of different customers. Get them to fork out to get to the ransomware demand required.’ They’ve done their due diligence on these organizations they pick. 

(TC: 00:25:07) 

Aidan Murphy: Yes. Yes, it’s really, really interesting. Both of you have highlighted a few trends to me that we’ve extracted from these chats. I don’t know if I’ve said to this point that there are 208 conversations with victims. So, there’s quite a lot going on here. There are a few that really, really stood out to me as being quite eye-opening and I wanted to just bring up and discuss. One that really stood out to me when it was highlighted by the threat intelligence team was the attempted recruitment of victims in these conversations, which I think needs some level of explanation. Maybe, Vlad, you can do the honors, because it wasn’t very obvious to me that this was something that would happen, but yes, it was highlighted as a trend that we observed in the conversations. 

(TC: 00:25:51) 

Vlad: Yes, of course. So, first of all I would say that this is not really a trend. Rather a one-off occasion. So this is yet another interesting discussion that we observed between LockBit, by LockBit I actually mean the LockBit affiliate Christopher, and the representative of one of their victims, which included talks about how to join LockBit as an affiliate. So, the victim simply claimed to be interested in joining LockBit to make some extra money, but they also claimed that they didn’t have any experience. To which Christopher replied that any particular skills are not actually needed. So, this is another indication that the light affiliate program was open to anyone happy to pay the joining fee. Christopher doesn’t appear to be particularly opsec savvy himself, so that emphasizes that anyone can join. And why I say that: this actor was seen transferring funds to cryptocurrency exchanges like WhiteBIT or KuCoin. This was done directly, without using any cryptocurrency mixers, so it’s fairly easy to trace him. So, yes, it’s open for anyone. They’re recruiting. They’re open to suggestions, to referrals. It’s basically a free-for-all. 

(TC: 00:27:07) 

Aidan Murphy: And I just find it incredible. So, you’ve hacked somebody, they’re trying to deal with the fallout of this and at the same time you’re saying, would you like to make some money and join, you know, and join the scheme. It is, kind of, hard to comprehend, but apparently it’s something that happens. 

(TC: 00:27:23) 

Vlad: I would say it’s hard to comprehend but it’s understandable at the same time, because more often than not those who are in charge of negotiating with ransomware groups are part of the IT department and more often than not they’re not managers, they are one of the lower-level members of the IT department. So, they may not earn enough money, especially in developing countries. So, it is to be expected for them to be looking to make additional income, and when they saw the amount of money LockBit required as payment, they were probably interested in how they could get part of that for themselves. 

(TC: 00:28:00) 

Aidan Murphy: Really, really interesting. You mentioned there developing countries and I think it is worth saying that this dataset also gives us an idea of LockBit attacking, kind of, across the spectrum of countries. Another trend, or again maybe just anecdotal, you guys highlighted to me was the mention of specifically targeting Chinese entities, and that was mentioned, I think, by a couple of actors. Is that right, Vlad? 

(TC: 00:28:27) 

Vlad: Yes, that is true. So, there is a relatively high incidence of Chinese targets. This could be for several reasons. One of them being ease of compromise, less law enforcement attention or, as some affiliates mentioned in several negotiations, there is a high likelihood of ransom payments being made. Some affiliates actually stated that ‘We love working with China. They pay well.’ The second most targeted country is the United States, followed closely by Taiwan, and on one occasion it appeared that the affiliate who encrypted a Taiwanese company could not really differentiate between China and Taiwan. There are others; for example, there was friendly fire at some point, on more than one occasion, actually. Russian organizations were targeted by operators using LockBit. 

(TC: 00:29:17) 

Aidan Murphy: Just to explain when you say friendly fire, this is on the assumption that LockBit is run by Russian actors. 

(TC: 00:29:25) 

Vlad: Yes, that was actually proved because some of the main representatives of LockBit were named in a previous law enforcement operation, the Cronos law enforcement operation. But yes, this is something that is expressly forbidden by LockBit and most Ransomware-as-a-Service programs. In one case it appears to have been the result of an affiliate being hacked. The admin going by the name of Metric 777 intervened, expressed anger at the affiliate before sending three decryptors to the victim. However, they did not work and it’s not known whether the victim’s files were ever recovered. And after discovering the affiliate had been hacked, Metric 777 hypothesized that the hack would be a special operation to destroy the reputation and set-up of competitors. There’s another instance where a Russian organization was targeted, a city administration, where an affiliate going by the name of Amletto claimed the attack was the work of their competitors and offered the decryptor free of charge after they realized who they had attacked. So, yes, granted, organizations all over the world are targeted, some of them should not be, but some of them potentially are allowed to be attacked. 

(TC: 00:30:43) 

Aidan Murphy: Yes and I think it gives well two things that I would call out there. One is the very complex geopolitical aspect of this and maybe some unexpected things. So, you may expect that China wouldn’t be a massive target, but apparently it was. The other thing being again this very complex hacking landscape where there are accusations of groups trying to discredit other groups and are the FBI involved and it’s very, very, very murky. Luke, did you want to come in on something Vlad had said? 

(TC: 00:31:11) 

Luke Donovan: Yes, yes, just very briefly. It goes slightly away from the LockBit situation here, but fairly recently what I’ve been doing is I’ve been looking at the ransomware victims and their country of origin. So, just to back up that point around the geopolitical side of things about Russia being hit compared to the West. Over the first half of this year, so the first six months, I’ve only seen ten ransomware victims associated with Russia whereas if we start looking at North America as a continent, it’s 1,779 ransomware victims. You know, so I think that just shows the difference between those geo-regions. 

(TC: 00:31:55) 

Aidan Murphy: Yes, yes, that really does put it into perspective when you look on the, kind of, grand level doesn’t it. I’m going to open this up now, were there any other interesting trends that either of you pulled out of this data that you think, you know, that stood out or you think shed some light on the ransomware ecosystem, either about the actors or their tactics or their victims? I’ll call on you first, Luke. 

(TC: 00:32:18) 

Luke Donovan: So, by going through the chats, looking at the conversations between the affiliates and also the ransomware victims, there was one particular chat which I found really fascinating. So, a victim had been hit by ransomware and throughout the chats or coming to the end of that chat, that ransomware victim engaged with the affiliate saying ‘Can you go off and hit this additional target in a different country because they pay really well.’ 

(TC: 00:32:48) 

Aidan Murphy: So, the organization’s been attacked by a ransomware group. They’re in negotiation with the affiliate and they’re now suggesting another target. 

(TC: 00:32:58) 

Luke Donovan: Absolutely, yes. Suggesting another target. The target’s supposed to be wealthy. There’s a high probability of it being a success so go and hit those. So, is this competition for that organization? They want them to be hit? Who knows. Who knows, but I found it fascinating that during that conversation you’re paying because you’ve been hit by ransomware. You’re asking that ransomware group to go and hit another organization as well. Love it. Absolutely love it. 

(TC: 00:33:24) 

Aidan Murphy: Yes, I mean the things that go on in these negotiations are really quite unexpected. That is definitely a strange occurrence. Vlad, was there anything else that stood out to you from the chats that you think might benefit the listeners to know about? Any kind of trends in the tactics or anything? 

(TC: 00:33:42) 

Vlad: Yes, so Luke mentioned earlier that some affiliates started making security recommendations and they were often vague, but these recommendations could supposedly help victims secure and prevent future attacks. And most of this advice that was mentioned was fairly basic, but it included information such as using more secure passwords, installing antivirus and monitoring activity on the corporate network. Further suggestions included removing domain admin rights from user accounts and closing certain ports. Again, affiliate Christopher advised multiple victims of the initial access technique used in subsequent attacker attaching and some remarks made by affiliates also include, for example, ‘We go to you through phishing, captured the domain and then the admin host.’ Or another one, ‘We go to you through phishing but I don’t remember the first host. You had very easy passwords. I followed the work of a certain employee and waited for him to log into the Google backup solution. We got into the network through a manager that had user privileges and dumped the NTLM local admin access on all the hosts in the domain.’ And other remarks like that. So, there’s plenty of information in this database showing how these affiliates operated. 

(TC: 00:35:06) 

Aidan Murphy: It’s interesting in itself that this is information that the attackers were offering to the victims. I guess like you said, Luke, some of them were charging for this information so it was additional revenue on top of the ransomware they’d already extorted. But I think, if I remember correctly, that Christopher actor volunteered some of this information and again I think it speaks to the slightly more nuanced relationship between victim and hacker than maybe sometimes we appreciate and also what we said at the beginning of this and your comment, Luke, that this was, kind of, goldmine information for security professionals. There are takeaways within this dataset that can be used to, you know, for people to learn from, I guess, others’ mistakes and go away and try and remove some of the easiest ways that an affiliate of a ransomware group might try to exploit them. I’m going to stick with you, Vlad, what does this mean, this data leak mean for LockBit going forward? Has anything happened since? Luke mentioned that the group seems to have, kind of, decreased in operation this year. It feels like there’s been a few, kind of, false demises of the LockBit group and they’re still going, but it does seem like they’re having a bit of a bad run. What do you think happens next? 

(TC: 00:36:23) 

Vlad: Yes, so the number of victims claimed by LockBit has definitely decreased. It’s unclear yet if they are completely out of the game. I would say they’re not because there were talks about refreshing the affiliate program, even developing a new strain going up to LockBit 5.0. We are not sure what’s going to happen, but we do notice some interesting factors that are not necessarily related to LockBit to the affiliate program but there are users of the LockBit ransomware. For example, a group they interact as the Dark Gaboon which is a Russian-speaking hacking group that has been using the LockBit 3.0 variant that leaked in 2022 to target Russia-based entities. So, this group is rather interesting because it uses homoglyphs in the name of their samples, meaning that similar looking characters from both Cyrillic and the Latin alphabet are used interchangeably to make detection more difficult. 

(TC: 00:37:24) 

Aidan Murphy: So, this sounds like another case of almost friendly fire again. It’s not the official LockBit group itself, but another hacking group using the LockBit code to attack Russian-based entities, which is something we’ve already talked about and it seems to be quite an interesting trend. I guess is there a potential that their objective is to discredit LockBit or is it just opportunistic using a LockBit ransomware strain that they’ve found out there in the wild? 

(TC: 00:37:51) 

Vlad: It could be both these reasons actually. So, if this is a campaign to discredit LockBit, it could be used to attract the attention of Russian law enforcement because we know that they have been particularly lenient as long as no Russian entities are being targeted. But in this case if there’s a noticeable increase in Russian entities being targeted, then the Russian authorities might start making some efforts into either putting the LockBit’s infrastructure down or chasing the developers and trying to arrest them and to basically shut off the operations. At this point in time, they are probably the only ones who can make a definitive impact and finally put an end to this affiliate program. 

(TC: 00:38:39) 

Aidan Murphy: Yes, well I guess it looks like there’s some more interesting developments from LockBit to come. If the past is anything to go by, this won’t be the last time we’re talking about LockBit. Luke, I might come to you for the final point which is what do you think the takeaway should be from this data leak for the cybersecurity professionals? So, obviously there’s a lot of really interesting findings in there. We’ve talked about, I guess some of the learnings that can be extracted from the data, but if there’s a piece of advice I guess you’d give security professionals off the back of this what would it be? 

(TC: 00:39:12) 

Luke Donovan: Yes, so my overall advice here would be the importance of threat intelligence. Threat intelligence is all about looking outside your environment, looking outside your perimeter, understanding the actors who are potentially going to target you in the future. And also building up that insight and foresights of these individuals so if you do get hit in the future you know how to engage with these individuals. Build up these profiles. So, by rolling out the threat intelligence solution, whether it’s in-house, whether it’s been outsourced, it doesn’t necessarily matter, but by monitoring these ransomware groups by trying to monitor any breached content associated with these groups will enable you to better understand how you can deal with these individuals moving forward. 

(TC: 00:40:00) 

Aidan Murphy: Brilliant, well that seems like a good note to draw a line under this episode of the Dark Dive. A big thank you to Luke and Vlad for joining me. If you’d like to find out more about ransomware groups, the Dark Web, software vulnerabilities, data leaks and more, please follow us for free on Apple Podcasts, YouTube, Spotify or whatever app you use to listen to podcasts. And if you’d like to get in touch, if you have a question for us, a topic you’d like us to cover or a suggestion for a guest, you can find our contact information in the show notes. Until next time, stay safe. 
