Recap: Who is LockBit?
LockBit is an active Ransomware-as-a-Service (RaaS) organization that first appeared in September 2019. Because its initial version appended the ".abcd" suffix to encrypted files, it was once referred to as "ABCD Ransomware." The group is known for its mature technology, high degree of automation, and efficiency in collecting ransoms; it has launched numerous attacks worldwide against enterprises, governments, educational institutions, and medical organizations, and has been classified as an advanced persistent threat (APT) organization by multiple national security agencies. We published a disclosure on this organization last year.
LockBit's technology continues to iterate, developing multiple versions:
LockBit 1.0 (2019): Characterized by the ".abcd" encryption suffix, supports Windows platform, uses RSA + AES algorithms for encryption, and executes quickly;
LockBit 2.0 (2021): Introduced automated propagation capabilities, improving ransom efficiency;
LockBit 3.0 / LockBit Black (2022): Modular design, strong resistance to analysis, and for the first time launched a bug bounty program to reward external security researchers for testing ransomware;
LockBit Green (Rumored 2023 Version): Suspected to integrate some code from the disbanded Conti ransomware group.
As a typical representative of the RaaS model, LockBit's core developers supply the ransomware toolkit and attract affiliates who carry out the actual attacks, intrusions, and deployments; cooperation is incentivized through ransom sharing, with ordinary affiliates receiving a 70% share. Its "double extortion" strategy is also highly coercive: it encrypts files and, at the same time, steals data and threatens to publish it; if the victim refuses to pay the ransom, the data is posted on its dedicated leak site.
Technically, LockBit supports Windows and Linux, uses multi-threaded encryption and the AES-NI instruction set for high-performance encryption, can move laterally within the internal network (for example via PsExec or RDP brute force), and, before encrypting, actively stops key services such as databases and deletes backups.
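The pre-encryption behaviour described above (stopping database services and deleting backups) is the part of the chain defenders can still catch before files are lost. The following detection logic is an added example, not code from the original post or from any LockBit sample: it runs a handful of rules over constructed process-creation log lines (the JSON shape and every host name, path and timestamp are assumptions) and rates each host, treating several distinct recovery-inhibition techniques in quick succession as high severity while a single service stop is left for analyst review.

```python
"""Detection logic for ransomware pre-encryption behaviour: database service
stops and backup deletion.  Added example; the log lines are constructed."""
import json
import re
from datetime import datetime, timezone

# Constructed process-creation events (assumption: one JSON object per line
# with ts/host/image/cmdline, roughly what a Sysmon-to-SIEM pipeline emits).
SAMPLE_LOG = r"""
{"ts": "2025-05-07T10:00:01Z", "host": "fs01", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir C:\\Users"}
{"ts": "2025-05-07T10:00:05Z", "host": "fs01", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2025-05-07T10:00:06Z", "host": "fs01", "image": "C:\\Windows\\System32\\wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"}
{"ts": "2025-05-07T10:00:08Z", "host": "db01", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net stop MSSQLSERVER /y"}
{"ts": "2025-05-07T10:00:09Z", "host": "db01", "image": "C:\\Windows\\System32\\sc.exe", "cmdline": "sc stop MySQL80"}
{"ts": "2025-05-07T10:00:10Z", "host": "fs01", "image": "C:\\Windows\\System32\\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"}
{"ts": "2025-05-07T10:01:00Z", "host": "ws07", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net stop Spooler"}
"""

# Rule names carry the MITRE ATT&CK technique they map to:
# T1490 Inhibit System Recovery, T1489 Service Stop.
RULES = [
    ("T1490 shadow copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490 backup catalog deletion",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)", re.I)),
    ("T1490 boot recovery disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
    ("T1489 database/backup service stop",
     re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+(?P<svc>\S+)", re.I)),
]

# Service-name fragments that indicate a database or backup service; a plain
# "net stop Spooler" is ordinary administration and should not page anyone.
DB_SERVICE_HINTS = ("sql", "mysql", "postgres", "oracle", "mongo", "exchange", "veeam", "backup")


def parse_events(log_text):
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def match_rules(event):
    """Return the names of every rule the event's command line trips."""
    hits = []
    cmd = event.get("cmdline", "")
    for name, pattern in RULES:
        m = pattern.search(cmd)
        if m is None:
            continue
        if name.startswith("T1489"):
            svc = m.group("svc").lower()
            if not any(h in svc for h in DB_SERVICE_HINTS):
                continue  # not a database/backup service; ignore
        hits.append(name)
    return hits


def scan(log_text):
    return [
        {"ts": ev["ts"], "host": ev["host"], "rule": rule, "cmdline": ev["cmdline"]}
        for ev in parse_events(log_text)
        for rule in match_rules(ev)
    ]


def escalate(findings, window_seconds=120):
    """Rate each host: two or more distinct techniques inside the window is
    "high" (an admin clearing old shadow copies trips one rule, not three in
    five seconds); a single technique is "medium" for analyst review."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], []).append(f)
    ratings = {}
    for host, items in by_host.items():
        stamps = sorted(
            datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            for f in items
        )
        span = (stamps[-1] - stamps[0]).total_seconds()
        techniques = {f["rule"] for f in items}
        ratings[host] = "high" if len(techniques) >= 2 and span <= window_seconds else "medium"
    return ratings


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["host"], h["rule"], "|", h["cmdline"])
    print(escalate(hits))
```

On the constructed input, fs01 trips three different T1490 rules within five seconds and is rated high, db01 stops two database services (one technique) and is rated medium, and the print-spooler stop on ws07 produces no finding at all. The hint list and window are tuning knobs; in a real estate they should be fed from your own service inventory rather than the constructed defaults here.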
LockBit's attacks are usually highly systematic, exhibiting typical APT characteristics. The entire attack chain is roughly as follows:
Initial access (phishing emails, exploit vulnerabilities, RDP weak passwords)
Lateral movement (Mimikatz, Cobalt Strike, etc.)
Privilege escalation
Data theft
File encryption
Pop up ransom message
Publish information to leak site (if payment is not made)
LockBit has sparked several sensational incidents during its active period:
In 2022, it attacked the Italian Revenue Agency, affecting the data of millions of taxpayers;
It once claimed to have hacked into Canada's SickKids hospital, then later apologized and provided a decryption tool;
Multiple manufacturers (such as defense and medical device companies) were encrypted by LockBit;
In the second quarter of 2022, it accounted for over 40% of global ransomware attacks;
It has affected over 1,000 companies cumulatively, far exceeding older groups like Conti and REvil;
Its ransom success rate is extremely high: over half of the $100 million in ransom demanded in 2022 was successfully obtained.
However, strong as LockBit is, it is not without flaws. On February 19, 2024, the LockBit website was seized in a joint law-enforcement operation by the UK National Crime Agency, the FBI, Europol, and Interpol, and several LockBit members were arrested or placed on wanted lists. The core development team, however, has not been completely dismantled, and some samples are still circulating on the dark web and being used by affiliated groups.
Breaking news: LockBit site hacked
Today, SlowMist received intelligence that LockBit's onion site had been hacked: the attackers not only took over its control panel but also released a packaged file containing the database. The leaked database includes Bitcoin addresses, private keys, chat records, and sensitive information about its affiliated companies.

More dramatically, the hackers left a pointed message on the defaced site: "Don't commit crimes, crime is bad, from Prague."
Not long after, the relevant data was uploaded to platforms like GitHub and quickly spread.
LockBit's official response came shortly after in Russian, roughly meaning:

Rey: LockBit has been hacked? Any updates?
LockBitSupp: Only the lightweight control panel with the authorization code was breached, no decryption tool was stolen, and no company data was compromised.
Rey: Yes, but this means that Bitcoin addresses, conversation contents, and keys have been leaked... This will also affect reputation, right?
Rey: Was the Locker Builder (ransomware builder) or source code stolen?
Rey: Will you be back online again? If so, how long will it take?
LockBitSupp: Only Bitcoin addresses and conversation contents were stolen, no decryption tool was stolen. Yes, this does affect reputation, but a repaired relaunch will also affect reputation. The source code was not stolen. We are already working on recovery.
Rey: Okay, good luck to you. Thank you for your response.
Leak analysis
SlowMist downloaded the leaked files immediately (some images are sourced from the 2024 leaked dashboard and source-code screenshots, used for internal research only; backups have since been deleted). We conducted a preliminary analysis of the directory structure, code files, and database contents to try to reconstruct the architecture and functional components of LockBit's internal operations platform.
Judging from the directory structure, this appears to be a LockBit victim-management platform written in a lightweight PHP framework.
Directory structure analysis:
api/, ajax/, services/, models/, workers/ show that the project has a certain modularity, but it does not follow the structural conventions of frameworks like Laravel (such as app/Http/Controllers);
DB.php, prodDB.php, autoload.php, functions.php indicate that database connections and function bootstrapping are managed by hand rather than by a framework;
vendor/ and composer.json show that Composer was used, so third-party libraries may have been pulled in, but the framework itself appears to be self-written;
Folder names such as victim/ and notifications-host/ are telling (especially from a security-research standpoint).
So we speculate that this hacker from "Prague" might have used a PHP 0-day or 1-day to compromise the website and console.
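The layout observations above are the kind of triage an analyst repeats for every leaked code base, so here they are written down as a reusable check. This is an added example, not code from the original post or from the leaked platform: it fingerprints a framework from marker files, lists hand-rolled bootstrap files, reads the Composer dependency list, flags top-level directories whose names reveal the platform's purpose, and lists the PHP files that would be web-reachable if the repository root were the document root (the first place to review for authorization checks). The file listing and composer.json are constructed; only the top-level names match those discussed above, and every file inside a directory, the "example/panel" name and the guzzle dependency are assumptions.

```python
"""Triage of a leaked PHP code base's layout.  Added example; the listing and
composer.json are constructed, not taken from the leak."""
import json
import posixpath

# Constructed listing: top-level names follow the analysis above, everything
# inside a directory is invented for illustration.
SAMPLE_TREE = [
    "composer.json", "composer.lock", "autoload.php", "DB.php", "prodDB.php",
    "functions.php", "index.php",
    "api/login.php", "api/register.php", "ajax/chat.php",
    "services/Mailer.php", "models/Victim.php", "workers/notify.php",
    "victim/index.php", "notifications-host/send.php",
    "vendor/autoload.php", "vendor/guzzlehttp/guzzle/src/Client.php",
]
# Constructed composer.json content (package name and dependency are assumptions).
SAMPLE_COMPOSER = '{"name": "example/panel", "require": {"php": ">=7.4", "guzzlehttp/guzzle": "^7.0"}}'

# Marker paths that a conventional framework installation ships with.
FRAMEWORK_MARKERS = {
    "laravel": ("artisan", "app/Http/Controllers", "bootstrap/app.php"),
    "symfony": ("bin/console", "src/Kernel.php", "config/bundles.php"),
    "codeigniter": ("system/CodeIgniter.php", "application/controllers"),
}
MANUAL_BOOTSTRAP = ("autoload.php", "functions.php", "DB.php", "prodDB.php")
PURPOSE_HINTS = ("victim", "notification", "payment", "leak", "chat", "builder")
WEB_FACING_DIRS = ("", "api", "ajax")   # "" is the repository root


def _has(paths, marker):
    """True if marker exists as a file or as a directory prefix."""
    return any(p == marker or p.startswith(marker + "/") for p in paths)


def detect_framework(paths):
    """Name a framework only when at least two of its markers are present;
    a lone coincidental path is not enough evidence."""
    best, best_hits = "custom/none", 1
    for name, markers in FRAMEWORK_MARKERS.items():
        hits = sum(1 for m in markers if _has(paths, m))
        if hits > best_hits:
            best, best_hits = name, hits
    return best


def top_level_dirs(paths):
    return sorted({p.split("/", 1)[0] for p in paths if "/" in p})


def triage(paths, composer_json_text=None):
    deps = {}
    if composer_json_text:
        deps = json.loads(composer_json_text).get("require", {})
    # PHP files outside vendor/ sitting in a web-facing directory; root-level
    # helpers such as DB.php show up here too, which is exactly why they need a
    # direct-access guard when the repo root doubles as the document root.
    entrypoints = [
        p for p in paths
        if p.endswith(".php") and not p.startswith("vendor/")
        and posixpath.dirname(p) in WEB_FACING_DIRS
    ]
    return {
        "framework": detect_framework(paths),
        "manual_bootstrap": sorted(f for f in MANUAL_BOOTSTRAP if f in paths),
        "uses_composer": "composer.json" in paths or _has(paths, "vendor"),
        "dependencies": deps,
        "notable_dirs": [d for d in top_level_dirs(paths)
                         if any(h in d.lower() for h in PURPOSE_HINTS)],
        "web_entrypoints": sorted(entrypoints),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TREE, SAMPLE_COMPOSER).items():
        print(f"{key}: {value}")
```

With a real leak, the listing would come from walking the extracted archive, and composer.lock (not just composer.json) is worth parsing as well, since it pins the exact dependency versions you would match against vulnerability data.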
The leaked management console (historical screenshot) is shown below:
Screenshots of some historical chat communications:
Let's take a look at the information circled in red: Did the victim's CEO pay the ransom to co ... coinbase?
Additionally, the leaked database contains about 60,000 BTC addresses:
The leaked database contains account passwords of 75 users:
An interesting negotiation chat:
A randomly selected, successfully paid order:
Order address:
Using MistTrack to trace the Bitcoin receiving address:
The flow of money laundering is relatively clear, ultimately flowing into trading platforms. Due to space limitations, MistTrack will conduct further analysis on cryptocurrency addresses, and those interested can follow X: @MistTrack_io.
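Before any of the roughly 60,000 addresses in the dump can be traced or screened, they have to be pulled out of unstructured text, checked against their own checksums (typos and truncated copies are common in chat logs) and deduplicated. The block below is an added example, not code from the original post or from MistTrack: it extracts legacy Base58Check addresses and bech32/bech32m addresses, validates each, counts occurrences, and screens the valid set against a watchlist such as an exchange's own deposit addresses, which is how a platform would act on a leak like this one. The dump and the watchlist are constructed; the addresses in them are public documentation examples (the Bitcoin wiki and BIP173 test vectors), not leak data.

```python
"""Extract, validate, deduplicate and screen Bitcoin addresses from a leaked
text dump.  Added example; the dump and watchlist are constructed."""
import hashlib
import re

# Constructed dump: public example addresses, one of them deliberately mistyped.
SAMPLE_DUMP = """
order_id=1042 status=paid wallet=1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 amount=0.5
order_id=1043 status=unpaid wallet=3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
chat: send to bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4 before friday
chat: typo address 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN3 ignore
order_id=1044 status=paid wallet=1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2
"""
# Constructed watchlist: address -> internal label (assumption: a platform's deposit addresses).
WATCHLIST = {"bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4": "deposit account #7 (constructed)"}

ADDR_RE = re.compile(r"\b(?:bc1[0-9a-zA-Z]{25,87}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def b58check_ok(addr):
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    n = 0
    for c in addr:
        i = B58.find(c)
        if i < 0:
            return False
        n = n * 58 + i
    pad = len(addr) - len(addr.lstrip("1"))            # each leading '1' is a 0x00 byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


def _polymod(values):
    gen = (0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1ffffff) << 5) ^ v
        for i in range(5):
            chk ^= gen[i] if (top >> i) & 1 else 0
    return chk


def bech32_ok(addr):
    """BIP173/BIP350 checksum check for mainnet ("bc") addresses."""
    if addr != addr.lower() and addr != addr.upper():   # mixed case is invalid
        return False
    addr = addr.lower()
    hrp, _, data = addr.rpartition("1")                  # '1' never occurs in the data part
    if hrp != "bc" or len(data) < 6 or any(c not in BECH32 for c in data):
        return False
    values = [BECH32.index(c) for c in data]
    expanded = [ord(x) >> 5 for x in hrp] + [0] + [ord(x) & 31 for x in hrp]
    const = _polymod(expanded + values)
    # witness version 0 (bc1q...) uses bech32; version 1+ (bc1p...) uses bech32m
    return const == (1 if values[0] == 0 else 0x2bc830a3)


def classify(addr):
    """Return (script type, checksum-valid) for one candidate string."""
    low = addr.lower()
    if low.startswith("bc1"):
        return ("P2WPKH/P2WSH" if low[3] == "q" else "P2TR"), bech32_ok(addr)
    return ("P2PKH" if addr[0] == "1" else "P2SH"), b58check_ok(addr)


def extract_addresses(text):
    found = {}
    for m in ADDR_RE.finditer(text):
        raw = m.group(0)
        key = raw.lower() if raw.lower().startswith("bc1") else raw   # bech32 is case-insensitive
        if key not in found:
            kind, ok = classify(raw)
            found[key] = {"type": kind, "valid": ok, "count": 0}
        found[key]["count"] += 1
    return found


def valid_addresses(text):
    return sorted(a for a, info in extract_addresses(text).items() if info["valid"])


def screen(text, watchlist):
    """Watchlisted addresses that appear (with a valid checksum) in the dump."""
    return {a: watchlist[a] for a in valid_addresses(text) if a in watchlist}


if __name__ == "__main__":
    for addr, info in extract_addresses(SAMPLE_DUMP).items():
        print(addr, info)
    print("watchlist hits:", screen(SAMPLE_DUMP, WATCHLIST))
```

Only checksum-valid addresses are forwarded to screening, so a mistyped address in a chat line is reported as invalid rather than silently becoming a false positive or a wasted on-chain lookup.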
Currently, LockBit has also issued the latest statement regarding this incident. The rough translation is as follows:

"On May 7, 2025, our lightweight control panel with automatic registration feature was compromised, allowing anyone to bypass authorization and directly access the panel. The database was stolen, but there was no involvement of the decryption tool or sensitive data of the victim companies. We are currently investigating the specific method of intrusion and initiating the reconstruction process. The main control panel and blog are still operating normally."
"The attacker is allegedly a person named 'xoxo' from Prague. If you can provide exact information about his identity — as long as the message is reliable, I am willing to pay for it."
LockBit's response is quite ironic. Previously, the U.S. State Department issued a bounty notice for information on the identity and location of core members or key collaborators of the LockBit group, with a maximum reward of $10 million; in addition, to encourage the exposure of its affiliates' attack activity, it offered another reward of up to $5 million.
Now, LockBit has been hacked, turning around to offer a bounty for leads on the attackers in its channel — as if the "bounty hunter mechanism" has backfired on itself, which is both amusing and further exposes the vulnerabilities and chaos of its internal security system.
Summary
LockBit has been active since 2019 and is one of the most dangerous ransomware groups in the world, with an estimated total ransom (including undisclosed data) of at least $150 million. Its RaaS (Ransomware-as-a-Service) model attracts a large number of affiliates to participate in attacks. Although the group encountered law enforcement strikes in early 2024 during "Operation Cronos," it remains active. This incident marks a significant challenge to LockBit's internal system security, potentially affecting its reputation, affiliate trust, and operational stability. It also demonstrates the trend of "counterattacks" against cybercriminal organizations in cyberspace.
The SlowMist security team suggests all parties:
Continuous intelligence monitoring: closely track LockBit's rebuilding efforts and potential variant versions;
Monitor dark web activity: monitor related forums, sites, and intelligence sources in real time to prevent secondary leaks and misuse of the data;
Strengthen RaaS threat defense: map your exposure and enhance recognition and blocking mechanisms for RaaS toolchains;
Improve organizational response mechanisms: if direct or indirect associations with the organization are found, report to the competent authority immediately and initiate emergency plans;
Link fund tracking with fraud prevention: if suspicious payment paths flow into a platform, that platform should strengthen its anti-money-laundering controls in conjunction with on-chain monitoring systems.
This incident once again reminds us that even hacker organizations with strong technical capabilities cannot be completely immune to cyberattacks. This is also one of the reasons security practitioners continue to fight.