Friday, June 20, 2025

Unlocking Insights: What the LockBit 3.0 Data Leak Exposes about Ransomware

On May 7, 2024, the UK National Crime Agency and its partners revealed the suspected operator of the LockBit 3.0 ransomware, Dmitry Yuryevich Khoroshev, during Operation Cronos. On the same date a year later, a hefty leak occurred: the entire SQL database of a web admin interface for LockBit affiliates was dumped online, sourced from hacked franchise sites.

This leak sheds more light on LockBit 3.0’s operations than ever before. The timestamps related to the malware show a significant delay, up to ten days, between data exfiltration and the start of the encryption process for some victims. This underscores the need for better detection of these data breaches.

The database contained 75 user accounts; only 44 were used to generate ransomware or execute attacks. Of these, 30 were active by April 29, but only seven were involved in attacks at that time. Many accounts were “paused” due to their use against victims in Russia, according to the operator.

Geographically, LockBit’s affiliates targeted the Asia-Pacific region the most, accounting for 35.5% of their efforts, while Europe fell behind at 22%. North America trailed at under 11%. Notably, certain affiliates like PiotrBond focused heavily on Asia-Pacific, with 76% of their victims from that region.

Data analysis reveals a scarcity of observable malicious activity in regions like South Korea and suggests that many affiliates are opting for easier targets rather than high-profile victims. Ransom negotiations often involved demands under $20,000. While there are only a few high-profile affiliates left, the crackdown from Operation Cronos has damaged the franchise’s reputation.

Interestingly, some victims might be avoiding claims on LockBit’s showcase site to protect its image. This latest data leak not only revealed affiliates’ Tox email IDs and passwords but also exposed victims’ encryption keys, adding to the ongoing chaos surrounding LockBit.