NOTE: This article discusses the leak itself, not the technical inner workings of the LockBit ransomware. Treat it as a breach analysis of LockBit's own infrastructure.
INTRODUCTION
UNVEILING PKEYS
CHAT ANALYSIS
CLIENTS
NEWS
MIGRATIONS
FILES
INVITES
INVALID REQUESTS
BUILD & CONFIGURATIONS
BITCOIN WALLETS
WHAT AFTER THE LEAK?
REFERENCE
INTRODUCTION
On 7 May 2025, LockBit's affiliate panel server was defaced and a file named paneldb_dump appeared on it, 7.12 MB compressed. It contains a 26.3 MB SQL dump of the panel's internal database.

The database is: paneldb_dump
In this article we go through each section uncovered in the LockBit breach.
The dump header shows what LockBit was running:
phpMyAdmin SQL Dump
version 5.1.1deb5ubuntu1
https://www.phpmyadmin.net/
Host: localhost:3306
Generation Time: Apr 29, 2025 at 05:26 PM
Server version: 8.0.41-0ubuntu0.22.04.1
PHP Version: 8.1.2-1ubuntu2.19
That is, MySQL 8.0.41 and PHP 8.1.2 from the Ubuntu 22.04 packages, with phpMyAdmin 5.1.1 installed on the panel host. Note the generation time: the dump was produced on 29 April 2025, eight days before the defacement on 7 May. InnoDB is the storage engine for every table.
16 tables are defined in the dump:
`api_history`
`btc_addresses`
`builds`
`builds_configurations`
`chats`
`clients`
`events`
`events_seen`
`faq`
`files`
`invites`
`jobs`
`migrations`
`news`
`pkeys`
`system_invalid_requests`
Of these, api_history, jobs, faq, events and events_seen contain no records. The rest hold a considerable amount of data, which we analyse table by table in the following sections.
UNVEILING PKEYS
Note that in LockBit's terminology the Decryption ID is not the decryption key: it is the identifier assigned to each victim for logging in to, and negotiating on, the group's negotiation portal.

Each row of pkeys stores the following fields (first record shown as stored):
ID: 1
TYPE: 25
Decryption ID: E26CE2BB152D23E4
Public Key: 0x636f6e7374657870722065787465726e2022432220756e7369676e65642063686172206d5f7075626c5b33325d203d207b307861312c20307835662c20307833662c20307864312c20307864642c20307835632c20307837352c20307838372c20307863322c20307862662c20307866622c20307830382c20307866322c20307832352c20307831632c20307863312c20307836302c20307832382c20307833312c20307832372c20307834632c20307834332c20307836622c20307834342c20307838392c20307835612c20307837352c20307866382c20307865382c20307838332c20307839322c20307834627d3b
Extra: 0x5b5d
Status: 1
Created at: 2024-12-18 21:11:16
Updated at: 2024-12-18 21:11:33
The Public Key column is not a raw key. The 0x... value is the hex encoding of an ASCII C declaration, constexpr extern "C" unsigned char m_publ[32] = {0xa1, 0x5f, ...};, i.e. a 32-byte public key pasted in source form. The Extra value 0x5b5d is the hex encoding of [], an empty JSON array.
This table holds 19,012 Decryption IDs, i.e. 19,012 victim entries.
Only three distinct public key values occur across them, so a single public key is shared by many victims:
PUBLIC KEY — 1: shared by about 10K victims
0x636f6e7374657870722065787465726e2022432220756e7369676e65642063686172206d5f7075626c5b33325d203d207b307831632c20307837662c20307837642c20307864612c20307861622c20307864632c20307835342c20307861302c20307864662c20307836652c20307863392c20307863622c20307862662c20307862342c20307863612c20307839352c20307835622c20307836642c20307839392c20307861342c20307831622c20307863322c20307864342c20307863642c20307831632c20307830372c20307863612c20307862612c20307839372c20307861302c20307865372c20307831357d3b
PUBLIC KEY — 2: shared by 9,011 victims
PUBLIC KEY — 3: shared by 62 victims
0x7b2274797065223a22636c69656e74222c22616374696f6e223a22616c6c72656164227d
The third value is not a key at all: it decodes to the JSON document {"type":"client","action":"allread"}, so those 62 rows carry a panel message in the key column rather than key material.
About 490 entries were created in one batch on 18 December 2024 at 21:11:16 UTC (the timestamp on the record above).
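The decoding described above, as an added example for this article (not code from the panel or the leak). The three 0x... strings are copied from the dump rows quoted in this section; the function names and the kind labels are this article's own. It pulls the 32 key bytes out of the C declaration and flags values that turn out to be JSON instead of a key:

```python
"""Decode the values stored in LockBit's pkeys table.

Added example for this article, not code from the panel or the leak.
The three 0x... strings below are copied from the dump rows quoted above;
the function names and the kind labels are this article's own.
"""
import binascii
import json
import re

# The hex decodes to a C declaration such as
#   constexpr extern "C" unsigned char m_publ[32] = {0xa1, 0x5f, ...};
# so we pull the array name, declared size and the byte initialisers out of it.
C_ARRAY_RE = re.compile(
    r"unsigned\s+char\s+(?P<name>\w+)\[(?P<size>\d+)\]\s*=\s*\{(?P<body>[^}]*)\}"
)


def hex_field(value: str) -> bytes:
    """Convert a phpMyAdmin-style 0x... column value to raw bytes."""
    value = value.strip()
    if value[:2].lower() == "0x":
        value = value[2:]
    return binascii.unhexlify(value)


def decode_pkey(value: str) -> dict:
    """Classify one public_key (or extra) value from the pkeys table.

    kind == "c_array": the column holds key bytes pasted as C source;
                       'key' is the byte array from the initialiser.
    kind == "json":    the column holds a JSON document, not a key.
    kind == "raw":     anything else, returned undecoded.
    """
    raw = hex_field(value)
    text = raw.decode("ascii", errors="replace")
    m = C_ARRAY_RE.search(text)
    if m:
        tokens = re.findall(r"0x[0-9A-Fa-f]{1,2}", m.group("body"))
        key = bytes(int(tok, 16) for tok in tokens)
        size = int(m.group("size"))
        return {"kind": "c_array", "name": m.group("name"), "declared_size": size,
                "key": key, "size_ok": len(key) == size}
    try:
        return {"kind": "json", "value": json.loads(text)}
    except json.JSONDecodeError:
        return {"kind": "raw", "value": raw}


# Values copied from the dump: the ID 1 row's Public Key and Extra columns,
# and the value the article labels PUBLIC KEY 3.
ROW1_PUBLIC_KEY = (
    "0x636f6e7374657870722065787465726e2022432220756e7369676e65642063686172206d5f7075626c5b33325d203d207b"
    "307861312c20307835662c20307833662c20307864312c20307864642c20307835632c20307837352c20307838372c20"
    "307863322c20307862662c20307866622c20307830382c20307866322c20307832352c20307831632c20307863312c20"
    "307836302c20307832382c20307833312c20307832372c20307834632c20307834332c20307836622c20307834342c20"
    "307838392c20307835612c20307837352c20307866382c20307865382c20307838332c20307839322c20307834627d3b"
)
ROW1_EXTRA = "0x5b5d"
PKEY3 = "0x7b2274797065223a22636c69656e74222c22616374696f6e223a22616c6c72656164227d"

if __name__ == "__main__":
    for label, value in [("row 1 public_key", ROW1_PUBLIC_KEY),
                         ("row 1 extra", ROW1_EXTRA),
                         ("PUBLIC KEY 3", PKEY3)]:
        result = decode_pkey(value)
        if result["kind"] == "c_array":
            print(f"{label}: {result['name']}[{result['declared_size']}] = {result['key'].hex()}")
        else:
            print(f"{label}: {result['kind']} {result['value']!r}")
```

Run against the row shown above it yields an m_publ[32] array whose 32 bytes start a1 5f and end 92 4b; against PUBLIC KEY 3 it returns a JSON object, which is how the non-key value stands out in bulk.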
CHAT ANALYSIS
The chat analysis surfaced the following:
>>Payment is accepted only in BTC and Monero
>>Inexperienced victims are pointed to Trust Wallet and Binance to buy BTC
>>10-20% discounts are offered for fast payment
>>A free decryptor is offered to Russian victims, e.g. LBG_decryptor_023A8A3EA0DC9498.zip
>>Weak passwords are exploited by the group for initial access
>>Phishing is the main initial-access vector
In one negotiation the group boasted of a successful $500K payment to impress on the victim how serious the situation was:
‘our last successful data deal that we had was for 500k clients pay well for their data not for encryption’
Former RansomHub affiliates joined LockBit soon after RansomHub went offline, as the following transcripts show:
'We were affiliates of RansomHub now RansomHub closed we moved here. So existing companies (including yours) which we had to deal with still have chance to prevent their data leak.'
'We are the only owners of your data we - previous affiliates of RansomHub now LockBit. In any case this does not concern you. All you need to know that we are the only owners of your data. And our negotiation interrupted payment stage. Final price is 900k as we said.'
It was also found that the group does not delete the chat after payment, contrary to what it promises:

One victim from Peru (inppares.org) even suggested another company for LockBit to attack:

Some negotiators expressed interest in joining LockBit once their company had released the funds.

Victim: 'This industry is great. How can I join you?'
LockBit: 'What are you asking about?'
Victim: 'I mean, is there any opportunity in your industry?'
Another chat showing interest in joining LockBit:

The group gives victims a step-by-step procedure for decrypting ESXi hosts (quoted from the chat):
log in to vCenter
enable ssh access to ESXi
upload decryptor to ESXi via WinSCP or FileZilla; navigate to /tmp folder
login to ssh with root privileges
set permissions to run the decryptor with the command chmod 777 decrypt
launch decryptor ./decrypt
follow the first method of decrypting by viewing the log file: tail -f /tmp/decrypt.llg
wait for the message at the end of the log: Your system is decrypted
the second way is to check the presence on the disk of the file decrypt.pid (command ls), which protects the decryptor from a restart
the third way: ps | grep decrypt; as soon as decrypt.pid is removed from the disk or decrypt disappears from the running processes, decryption is complete
check the decrypt.llg log file and see the message at the end that the system was successfully decrypted: "Your system is decrypted"
turn on virtual machines in ESXi
You cannot run multiple copies of a decryptor at the same time. After launching, the decryptor deletes the executable file and is demonetized so that you cannot run the decryptor again and damage the files. This is normal.
If you have more than one ESXi host then you should not run the decryptor on all hosts simultaneously; run the decryption alternately. In the case of simultaneous operation, two decryptors may corrupt files and not be able to decrypt.
If any files in another folder stay crypted, please use this command with the path.
Example:
./decrypt -i /tmp/files1/
Victims also raised other kinds of requests during negotiation, for example:
Victim: ‘Do you have the ability to anonymously send a recording file to a mobile phone in Taiwan?’
LockBit: ‘Pay $210,000’
The chats also show the initial demands against the prices eventually agreed:
Demanded $4,000, accepted $3,600
Demanded $80,000, then lowered to $60K
Demanded $40K, agreed on $1K
Demanded $70K, agreed on $15K
Demanded $4K
Demanded $50K, agreed on $35K
Demanded $110K (or $90K in XMR), agreed on $50K
Demanded $10K
Demanded $30K
Demanded $500K
Demanded $50K, agreed on $20K
Demanded 0.2 BTC, agreed on 0.17 BTC
Demanded $120K, agreed on $60K
Demanded $12K
Demanded 3 BTC, agreed on $40K
Received 0.24 BTC
Demanded $5K
Demanded $50K, agreed on $13K
Demanded $500K
Demanded $90K
Demanded 0.33 BTC, agreed on 0.25 BTC
Demanded 2 BTC, agreed on $80K
Demanded 0.1 BTC
Demanded $21K, agreed on $3,500
Demanded $13K, agreed on $12K
Demanded 4 BTC
Demanded $7K
Demanded 0.75 BTC, agreed on $2K
Demanded $100K, agreed on $20K
Demanded $2M
Demanded 1.5 BTC, agreed on $60K
Demanded 21 BTC
CLIENTS
This table tracks each client's (victim's) payment and decryption status. It has 26 fields:
id
important
advid
master_pubkey
session_key
paid_commission
trial_done
decrypt_done
decrypt_2_done
decrypt_3_done
decrypt_done_at
decrypt_2_done_at
decrypt_3_done_at
chat_status
can_chat
banned
views
date_first
date_last
toxid
toxdata
session_pub
session_priv
last_download
created_at
build_id
245 client entries were found, dated from 19 December 2024 to 29 April 2025.
NEWS
This table holds the group's latest announcements, including their newer onion domains, along with messages to affiliates.
MIGRATIONS
This is the log of database migrations applied to the LockBit panel since 2022. The entries recorded are:
20220407: 2022-04-07 21:16:43
20220424: 2022-04-24 16:33:37
20220429: 2022-05-08 16:50:35
add_column_save_decryptor: 2022-05-09 10:03:45
create_table_incorrect_requests: 2022-05-09 10:03:45
add_owner_to_chat: 2022-06-01 21:03:11
add_defaults_alter_chats: 2022-07-14 18:03:38
alter_system_invalid_requests: 2022-08-01 09:38:12
socket_messages: 2022-08-03 18:49:25
fix_socket_messages: 2022-08-08 21:04:29
add_session_id_to_users: 2022-08-19 18:17:08
index_add_user_session_is: 2022-08-19 18:17:08
testfiles_alter: 2022-10-16 19:50:03
add_seen_column_invalidrequests: 2022-12-19 21:25:39
add_important_to_clients: 2023-01-21 14:32:07
fix_chats_datetime: 2023-04-05 12:06:41
add_column_chat_status: 2023-04-05 12:07:38
add_column_default_settings: 2023-04-07 07:18:40
events_table: 2023-04-13 10:55:42
events_seen_table: 2023-04-13 10:55:42
add_tag_to_users: 2023-06-05 17:16:56
alter_table_invalid_requests: 2023-06-05 17:20:12
files_table: 2023-06-13 10:06:46
create_api_history_table: 2024-12-18 19:42:13
create_user: 2024-12-18 19:42:13
create_table_invites: 2024-12-18 19:42:13
add_monero_wallet_to_invites: 2024-12-18 19:42:13
pkeys: 2024-12-18 19:42:13
add_key_id_to_builds: 2024-12-18 19:42:13
remove_builders_no_need_columns: 2024-12-18 19:42:13
add_crypted_site_to_builds: 2024-12-18 19:42:13
add_invite_id_to_users: 2024-12-18 19:42:13
Of the entries listed, 14 date from 2022, 9 from 2023 and 9 from 2024. All nine 2024 migrations share the timestamp 2024-12-18 19:42:13, so they were applied in a single batch that created the api_history, invites and pkeys tables, the same day the first pkeys records were created (21:11:16).
No migration is dated 2025, so the panel's schema was not changed this year before the dump was taken on 29 April 2025.
FILES
This table holds the decryptor packages the group prepares for delivery to victims once payment has been made.
The filenames mask the victim name (the client prefix is starred out), so the victim firm is not revealed. Some examples:
LBG_241************_8FCED3A3A04F1E01_19.12.24_241218.zip
LBB_241************_419E60AB37B1C740_19.12.24_241218.zip
LBB_glo************_CD8B8A4071503B96_19.12.24_us.zip
ESXi_glo************_11C874A2E276A015_19.12.24_us.zip
LBG_glo************_8F192E5A218935DB_19.12.24_us.zip
LBB_zwa************_FF3251D3C3704BD9_19.12.24_indian_tech_company.zip
LBB_zwa************_5150CB33290ED8C9_19.12.24_indian_tech_company.zip
Here LBB stands for LockBit Black, LBG for LockBit Green, and ESXi marks the package for VMware ESXi hosts. The 16-hex-character segment has the same shape as the Decryption IDs seen in pkeys (e.g. E26CE2BB152D23E4), and the trailing label is a yymmdd stamp, a region, or a free-text note about the victim.
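A parser for that naming pattern, added for this article (not code from the panel). The sample names are the ones listed above, with the client prefixes already masked in the dump; the LBB/LBG/ESXi meanings come from the text, while the reading of the remaining fields as client prefix, Decryption ID, date and tag is this article's interpretation of the pattern:

```python
"""Parse the package names found in LockBit's files table.

Added example for this article, not code from the panel. The sample
names are the ones quoted above (client prefixes already masked with '*'
in the dump). The LBB/LBG/ESXi meanings come from the text; the reading
of the remaining fields is this article's interpretation of the pattern.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

VARIANTS = {
    "LBB": "LockBit Black",
    "LBG": "LockBit Green",
    "ESXi": "VMware ESXi package",
}

# <variant>_<masked client prefix>_<16 hex chars>_<dd.mm.yy>_<tag>.zip
# The 16 hex characters have the same shape as a Decryption ID (e.g. E26CE2BB152D23E4).
PACKAGE_RE = re.compile(
    r"^(?P<variant>[A-Za-z]+)_"
    r"(?P<client>[^_]+)_"
    r"(?P<decryption_id>[0-9A-F]{16})_"
    r"(?P<date>\d{2}\.\d{2}\.\d{2})_"
    r"(?P<tag>.+)\.zip$"
)


@dataclass(frozen=True)
class DecryptorPackage:
    variant: str
    variant_name: str
    client_prefix: str
    decryption_id: str
    date: str  # dd.mm.yy exactly as written in the name
    tag: str   # trailing label: a yymmdd stamp, a region, or a free-text note


def parse_package_name(name: str) -> Optional[DecryptorPackage]:
    """Return the parsed fields, or None if the name does not follow the pattern."""
    m = PACKAGE_RE.match(name)
    if m is None:
        return None
    variant = m.group("variant")
    return DecryptorPackage(
        variant=variant,
        variant_name=VARIANTS.get(variant, "unknown variant"),
        client_prefix=m.group("client"),
        decryption_id=m.group("decryption_id"),
        date=m.group("date"),
        tag=m.group("tag"),
    )


def group_by_tag(names: List[str]) -> Dict[str, List[str]]:
    """Bucket Decryption IDs by trailing tag, e.g. to list every package built for one note."""
    buckets: Dict[str, List[str]] = {}
    for name in names:
        pkg = parse_package_name(name)
        if pkg is not None:
            buckets.setdefault(pkg.tag, []).append(pkg.decryption_id)
    return buckets


# Names quoted from the files table above.
SAMPLE_NAMES = [
    "LBG_241************_8FCED3A3A04F1E01_19.12.24_241218.zip",
    "LBB_241************_419E60AB37B1C740_19.12.24_241218.zip",
    "LBB_glo************_CD8B8A4071503B96_19.12.24_us.zip",
    "ESXi_glo************_11C874A2E276A015_19.12.24_us.zip",
    "LBG_glo************_8F192E5A218935DB_19.12.24_us.zip",
    "LBB_zwa************_FF3251D3C3704BD9_19.12.24_indian_tech_company.zip",
    "LBB_zwa************_5150CB33290ED8C9_19.12.24_indian_tech_company.zip",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        pkg = parse_package_name(name)
        print(f"{pkg.variant_name:20} id={pkg.decryption_id} date={pkg.date} tag={pkg.tag}")
    print(group_by_tag(SAMPLE_NAMES))
```

The free decryptor name mentioned in the chat section, LBG_decryptor_023A8A3EA0DC9498.zip, deliberately does not match: it carries a variant and an ID but no client prefix, date or tag, so the parser returns None for it rather than mis-assigning fields.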
INVITES
This table covers affiliates invited to LockBit via its onion domains. It contains the invite ID, a Bitcoin wallet address, an amount and timestamps.
It holds roughly 3,700 entries; the full export is in the GitHub repository linked at the end of this article.
INVALID REQUESTS
As the name suggests, this table logs invalid requests received by the panel. About 2,760 invalid CSRF requests and 68 non-JSON responses were captured.
The message "Password isn't secure enough" appears 57 times, "Invite code not found" 71 times, "Tox ID must be 76 symbols long" 13 times (a Tox ID is 38 bytes, i.e. 76 hex characters) and "Special symbols are not allowed" 11 times.
Among these requests we found users registering with LockBit: their login, password and qTox ID were submitted to the site. The passwords themselves were deleted by the group, whether for security reasons or because of inactivity.

It was also found that the Ajax backend setting password had been changed, with the new password set to "Lockbit123$". Whether this is the master password for the backend is unclear.

BUILD & CONFIGURATIONS
These tables belong to the affiliates' build workflow for producing a locker for each victim. A build carries various options, such as language checks, revenue, network shares and event log deletion.

Each build record contains fields such as User ID, Stealer ID, Master PubKey, Master Private Key, Key ID, Crypted Website, etc.
In these records one string appears 504 times in the Master PubKey field:
AQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Decoded from base64, this is the bytes 01 00 01 (the usual RSA public exponent, 65537) followed by nothing but zero bytes, so those 504 builds carry a placeholder rather than a real key.
This indicates there are 500+ build entries for victims.
BITCOIN WALLETS
In total, 59,975 Bitcoin addresses were extracted from the leaked data. Most of them show no balance: they were generated once for a negotiation and never received any funds.
These can therefore be read as failed negotiations, i.e. victims who did not pay LockBit.
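Before running 59,975 addresses through any balance lookup it is worth weeding out rows that are not syntactically valid addresses at all (truncated exports, stray text in the column). The following check is an added example for this article, not code from the leak, and the leaked addresses are not reproduced: the inputs are constructed from the well-known genesis-block address, a copy with its last character altered, a copy containing a non-base58 character, and a bech32 prefix. It verifies Base58Check addresses (P2PKH '1...', P2SH '3...'); bech32 ('bc1...') addresses use a different checksum and are only flagged as unchecked:

```python
"""Syntactic triage of Bitcoin addresses before any balance lookup.

Added example for this article; it is not code from the leak and the
59,975 leaked addresses are not reproduced here. The inputs below are
constructed. Only Base58Check addresses (P2PKH '1...', P2SH '3...') are
verified; bech32 ('bc1...') uses a different checksum and is flagged
as unchecked.
"""
import hashlib
from typing import Dict, List, Tuple

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
VERSION_BYTES = {
    0x00: "P2PKH mainnet",
    0x05: "P2SH mainnet",
    0x6F: "P2PKH testnet",
    0xC4: "P2SH testnet",
}


def b58decode(s: str) -> bytes:
    """Base58 to bytes; each leading '1' stands for one leading 0x00 byte."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    leading_zeros = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * leading_zeros + body


def classify_address(addr: str) -> dict:
    """Check Base58Check layout: 1 version byte + 20-byte hash160 + 4-byte double-SHA256 checksum."""
    if addr.lower().startswith(("bc1", "tb1")):
        return {"valid": None, "reason": "bech32 not verified by this example"}
    try:
        raw = b58decode(addr)
    except ValueError as exc:
        return {"valid": False, "reason": str(exc)}
    if len(raw) != 25:
        return {"valid": False, "reason": f"decoded to {len(raw)} bytes, expected 25"}
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        return {"valid": False, "reason": "checksum mismatch"}
    return {
        "valid": True,
        "version": payload[0],
        "kind": VERSION_BYTES.get(payload[0], "unknown version byte"),
        "hash160": payload[1:].hex(),
    }


def triage(addresses: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Sort addresses into buckets a lookup script can act on."""
    out: Dict[str, List[Tuple[str, str]]] = {"valid": [], "invalid": [], "unchecked": []}
    for addr in addresses:
        result = classify_address(addr)
        if result["valid"] is True:
            out["valid"].append((addr, result["kind"]))
        elif result["valid"] is False:
            out["invalid"].append((addr, result["reason"]))
        else:
            out["unchecked"].append((addr, result["reason"]))
    return out


# Constructed inputs (not from the dump).
SAMPLE_ADDRESSES = [
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",  # genesis block coinbase address, valid
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb",  # last character changed: checksum must fail
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfN0",  # '0' is not a base58 character
    "bc1qexampleonlynotarealaddress",      # bech32, out of scope here
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_ADDRESSES).items():
        for addr, note in items:
            print(f"{bucket:9} {addr} ({note})")
```

Only the addresses in the valid (and, after a separate bech32 check, unchecked) buckets are worth spending lookups on; everything in the invalid bucket is export noise, not an unused wallet.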
WHAT AFTER THE LEAK?
LockBit stated that the hacked data belongs to a lightweight panel with an auth code and that nothing of note was affected.

To back this up, the following message was posted under the domain vzlom7may.omg:

TRANSLATED TEXT
On May 7 they hacked the light panel with auto-registration for everyone and took the database; not a single decryptor and not a single piece of stolen company data was affected. I am figuring out how they hacked it and I am doing a rebuild. The full panel and blog are functioning.
It was allegedly hacked by some hacker "hoho" from Prague; give me info on him, who he is, I'll pay money if the info is real.
Analysing the Russian text, we estimate that the person or group used a translator rather than writing as a native Russian speaker:
The phrasing is unnatural in places, for example “ни один декриптор и ни одна украденная дата компаний не пострадали” (“not a single decryptor and not a single stolen company data were affected”), where “дата” (Russian for “date”) is the English word data transliterated; a native speaker would write “данные” and use a smoother construction.
The mix of slang and borrowed technical terms, like “ребилд” (from the English rebuild), suggests the writer is more comfortable in another language or used a translator.
Certain sentence structures feel slightly off for fluent Russian.
The group regained control, reworked their website and began restoring service.

This indicates the group is back in business, even if the leak leaves a black mark on its reputation as a long-running operation in the ransomware ecosystem.
REFERENCE
To investigate further, you may check out my GitHub Repo where I have uploaded the complete leak, compartmentalized for your better understanding.
https://github.com/TheRavenFile/LEAKS/tree/main/LockBit%20Leak
NOTE: The article is purely an Individual Research that belongs to THE RAVEN FILE and is not subject to be used/published anywhere without the Author’s consent.
Follow me on X/Twitter for interesting DarkWeb/InfoSec Short findings! 😉