One of the world’s most notorious hacking groups appears to be receiving a taste of its own medicine. The LockBit ransomware group appears to have lost control of at least one of its dark web sites, which was used to leak internal chat logs that contain negotiations with its victims among other things. It is unknown who is behind the data breach, but a cheeky message left on the site provides a possible link to whoever hacked the Everest ransomware group last month.
After multiple law enforcement campaigns, LockBit ransomware gang faces attack from fellow hackers
The LockBit ransomware group has proven to be resilient, weathering multiple law enforcement raids, including the identification and arrests of key members in 2024. This time it appears to be fellow hackers that are after them. The only clue to the identity of the perpetrators is a message left on the website that is very similar to one left in the wake of the Everest data breach in April: “Don’t do crime CRIME IS BAD xoxo from Prague.”
Security analysts have yet to fully vet the leaked information, but early reports are that the data breach appears to be legit. It contains conversations between the LockBit ransomware operators and their victims about ransom payments, group Bitcoin payment addresses and what appear to be numerous plaintext passwords. However, the stash does not contain decryptors or keys that might help victims recover.
The data breach does provide some new concrete information on LockBit ransomware victims, however. The group seems to have switched from targeting North American firms, now comprising just over 10% of its targets, to those in the Asia Pacific region (35.5%). It is also going after smaller businesses than those it targeted in its heyday, and appears to be working very hard to secure payments from anyone it breaches (as well as settling for amounts as low as $4,000). It also seems to be operating with just a few ransomware affiliates at a time, with all of these signs pointing to the group facing serious struggles to hang on after being badly shaken up by the 2024 raids.
That law enforcement operation saw the seizure of a good deal of the LockBit ransomware infrastructure as well as the identification of group leader and ransomware designer “Lockbitsupp.” The group has continued to operate and tally new victims through all this, though it has shrunk from its once-lofty stature and has been supplanted by other ransomware-as-a-service operators.
“Vigilante” data breach perpetrators remain a mystery
The LockBit ransomware gang has remained fairly active during its post-raid downturn, with the leaked materials indicating that it chatted with victims over 4,000 times from December 2024 to April of this year. But it is also clearly going after smaller fish and settling for smaller dollar amounts, and it is possible that the leakers are a rising rival looking to put the brand name out of business for good. The affiliate panel SQL database was leaked along with assorted builds and configurations of the LockBit ransomware as well as information on both administrators and affiliates.
A rival looking to send a message that LockBit is in disarray and cannot be trusted seems a likely explanation given that the perpetrators may have also hacked the Everest ransomware gang about a month ago, yet no one has formally stepped forward to take credit. The Everest data breach was not tied to any complaints from affiliates or any known rivalries, and appeared to happen rather out of nowhere.
Whatever the case, the data breach provides valuable intelligence about internal ransomware group operations that will likely be very useful to security researchers. The LockBit ransomware gang has survived numerous heavy blows since it first emerged over five years ago, and should not be counted out (particularly by smaller businesses that are now likely its primary focus). But at minimum the group will likely suffer further reputational damage from this data breach that turns away potential affiliates.
No one group has emerged to take the throne that LockBit held for the last several years, but there are now at least several major players that are raking in more money and considered bigger threats: RansomHub, Akira and DragonForce among the biggest names. Ransomware gangs tend to rise and fall in cycles, with those that get too big eventually targeted with special attention by international law enforcement operations (which generally leads to seizure of their assets and eventual downfall). Ransomware remains a leading global cyber threat, however, with major operators showing a renewed taste for smaller targets as the bigger ones tend to improve their preparation and incident response.

