Black Eating Black: Analysis of the Cyber Attack on the World's Number One Ransomware Gang LockBit

Background: Who is LockBit?

LockBit is an active ransomware-as-a-service (RaaS) group that first appeared in September 2019. It was initially known as the "ABCD ransomware" because early versions appended the ".abcd" extension to encrypted files. Known for its technical maturity, high degree of automation, and extortion efficiency, the group has carried out a large number of attacks against businesses, governments, and educational and medical institutions worldwide, and several national security agencies have classified it as an advanced persistent threat (APT). We published an analysis of this group last year.

LockBit's tooling has been iterated continuously, producing several versions:

  • LockBit 1.0 (2019): identified by the ".abcd" extension; Windows only; RSA + AES hybrid encryption; fast execution;
  • LockBit 2.0 (2021): added automated propagation inside the victim network to speed up deployment;
  • LockBit 3.0 / LockBit Black (2022): modular design with strong anti-analysis capabilities; the first ransomware operation to run a bug bounty program, paying external researchers to find flaws in the ransomware and its infrastructure;
  • LockBit Green (reported in 2023): believed to reuse code from the disbanded Conti ransomware group.

As a typical RaaS operation, LockBit's core developers supply the ransomware toolkit and recruit "affiliates", who carry out the actual intrusion, lateral movement, and deployment in exchange for a share of the ransom (affiliates generally keep around 70%). Its "double extortion" strategy adds further pressure: files are encrypted, and data is also exfiltrated under the threat of publication. If the victim refuses to pay, the data is posted on the group's dedicated leak site.

Technically, LockBit supports Windows and Linux, using multi-threaded encryption and the AES-NI instruction set for high-throughput encryption. It can move laterally inside the network (for example via PsExec or RDP brute forcing), and before encrypting it stops critical services such as databases and deletes backups.

LockBit attacks are usually highly systematic and show typical APT characteristics. The overall attack chain is roughly:

  • Initial access (phishing emails, vulnerability exploitation, weak RDP passwords)
  • Lateral movement (Mimikatz, Cobalt Strike, etc.)
  • Privilege escalation
  • Data exfiltration
  • File encryption
  • Ransom note displayed
  • Publication on the leak site (if no payment is made)

During its active period, LockBit has been behind several high-profile incidents:

  • In 2022, it claimed an attack on the Italian Revenue Agency, allegedly affecting the data of millions of taxpayers;
  • It claimed to have hacked the SickKids children's hospital in Canada, then apologized and provided a free decryptor;
  • Multiple manufacturers, including defense and medical device companies, have had systems encrypted by LockBit;
  • In the second quarter of 2022 it accounted for over 40% of global ransomware attacks;
  • Cumulatively more than 1,000 organizations have been affected, far more than established groups such as Conti and REvil;
  • Its payment rate is very high: of roughly $100 million in ransoms demanded in 2022, more than half was reportedly paid.

Yet even LockBit is not without weaknesses. On February 19, 2024, its leak site and infrastructure were seized in a joint law enforcement operation (Operation Cronos) involving the UK's National Crime Agency, the FBI, Europol, and Interpol, and several LockBit members were arrested or placed on wanted lists. The core development team was not completely dismantled, however; samples continue to circulate on the dark web and are still used by affiliates.

Breaking News: LockBit's Site Has Been Hacked

Today, SlowMist received intelligence that LockBit's onion site had been hacked. The attackers not only took over its control panel but also released a packaged dump of its database. The leak exposes Bitcoin addresses, private keys, negotiation chat logs, and sensitive information about the group's associates.

More dramatically, the hackers left a pointed message on the defaced site: "Don't commit crimes, crime is bad, from Prague."

Not long afterwards, the data was uploaded to platforms such as GitHub and spread quickly.

LockBit subsequently responded in Russian on its channel; a rough translation follows:

Rey: Has LockBit been hacked? Any progress?

LockBitSupp: Only the lightweight control panel with the authorization code was breached, no decryptor was stolen, and no company data was compromised.

Rey: Yes, but this means that Bitcoin addresses, conversation content, and keys have been leaked... This would also affect reputation, right?

Rey: Has the locker builder or the source code been stolen?

Rey: Will you be back online for work? If so, how long will it take?

LockBitSupp: Only the Bitcoin address and conversation content were stolen, no decryption tool was stolen. Yes, this does affect reputation, but the relaunch after fixing will also affect reputation. The source code was not stolen. We are already working on recovery.

Rey: Alright, good luck to you all. Thank you for your answer.

Leak Analysis

SlowMist downloaded the leaked files at the first opportunity (for internal research only; the backups were deleted promptly afterwards). We carried out a preliminary analysis of the directory structure, code files, and database contents in an attempt to reconstruct the architecture and functional components of LockBit's internal operating platform.

Judging from the directory structure, this looks like a LockBit victim management platform written on a lightweight, home-grown PHP framework.

Directory structure analysis:

  • api/, ajax/, services/, models/, workers/ show some modularity, but do not follow the structural conventions of frameworks such as Laravel (e.g. app/Http/Controllers);
  • DB.php, prodDB.php, autoload.php, and functions.php indicate that database connections and function bootstrapping are managed by hand rather than by a framework;
  • vendor/ plus composer.json show that Composer is used, so third-party libraries may be pulled in, but the framework itself appears to be self-written;
  • Folder names such as victim/ and notifications-host/ are telling in themselves.

We therefore speculate that the hacker "from Prague" may have used a PHP 0-day or 1-day vulnerability to compromise the site and its control panel.

The management console:

Part of the chat logs:

Note the information highlighted in the red box: the victim's CEO is from "co..." Coinbase? And the ransom was paid?

The leaked database also contains roughly 60,000 BTC addresses:
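A dump of this size is mostly noise unless the address strings are first validated and classified; a practitioner working through the leaked tables would start by pulling out every address-looking token and checking its checksum, so that typos, truncated values and test data are separated from real receiving addresses. The following is an added example written for this article, not code from the leak or from SlowMist's tooling: it implements Base58Check (legacy P2PKH/P2SH) and bech32/bech32m (native segwit) validation from scratch and runs them over a few constructed SQL dump lines. The table names, affiliate IDs and chat text are invented; the four addresses are public test values (the genesis-block address, the Bitcoin wiki P2SH example, the BIP173 P2WPKH example, and a deliberately corrupted copy of the first).

```python
import hashlib
import re

# Base58 alphabet used by legacy "1..." (P2PKH) and "3..." (P2SH) addresses.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Bech32 alphabet used by native segwit "bc1q..." (bech32) and "bc1p..." (bech32m).
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3

# Candidate extraction only; every hit is checksum-verified afterwards.
ADDR_RE = re.compile(
    r"\b(?:bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}"
    r"|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"
)

# Constructed sample of what dump lines might look like (hypothetical table/column names).
SAMPLE_DUMP = """
INSERT INTO `btc_addresses` VALUES (1, 'aff_17', '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa', 0);
INSERT INTO `btc_addresses` VALUES (2, 'aff_17', '3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy', 0);
INSERT INTO `btc_addresses` VALUES (3, 'aff_42', 'bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4', 1);
INSERT INTO `btc_addresses` VALUES (4, 'aff_42', '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb', 0);
INSERT INTO `chats` VALUES (9, 'victim', 'we can send 0.4 btc to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa tomorrow');
"""


def base58check_type(addr):
    """Return 'p2pkh', 'p2sh', or None when the Base58Check checksum or version is wrong."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading = len(addr) - len(addr.lstrip("1"))  # each leading '1' is one zero byte
    payload = b"\x00" * leading + body
    if len(payload) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return None
    checksum = hashlib.sha256(hashlib.sha256(payload[:-4]).digest()).digest()[:4]
    if checksum != payload[-4:]:
        return None
    return {0x00: "p2pkh", 0x05: "p2sh"}.get(payload[0])


def bech32_polymod(values):
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_type(addr):
    """Return 'p2wpkh', 'p2wsh', 'p2tr', or None; verifies the bech32/bech32m checksum."""
    if addr != addr.lower() and addr != addr.upper():
        return None  # mixed case is invalid under BIP173
    addr = addr.lower()
    hrp, sep, data = addr.rpartition("1")
    if hrp != "bc" or not sep or any(c not in BECH32_CHARSET for c in data):
        return None
    values = [BECH32_CHARSET.index(c) for c in data]
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    chk = bech32_polymod(hrp_expanded + values)
    version, program_len = values[0], len(values) - 7  # drop version char + 6 checksum chars
    if version == 0 and chk == BECH32_CONST:
        return {32: "p2wpkh", 52: "p2wsh"}.get(program_len)
    if version == 1 and chk == BECH32M_CONST and program_len == 52:
        return "p2tr"
    return None


def classify(addr):
    return bech32_type(addr) if addr.lower().startswith("bc1") else base58check_type(addr)


def extract_addresses(dump_text):
    """Map each unique address-like token in the dump to its type (None = fails checksum)."""
    return {m.group(0): classify(m.group(0)) for m in ADDR_RE.finditer(dump_text)}


if __name__ == "__main__":
    for address, kind in extract_addresses(SAMPLE_DUMP).items():
        print(f"{address:45} {kind or 'INVALID'}")
```

The corrupted address is rejected by the checksum rather than by shape, which is the point: a regex alone would count it among the "60,000 addresses". Addresses that validate can then be deduplicated and fed to a tracing tool.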

The leaked database also contains the account passwords of 75 users:

An interesting negotiation chat:

A randomly selected order that was successfully paid:

Order address:

Tracking the Bitcoin receiving address with MistTrack:

The laundering path is relatively clear: the funds ultimately flow into trading platforms. For reasons of space, MistTrack will publish further analysis of the cryptocurrency addresses separately; if you are interested, follow X: @MistTrack_io.
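What "tracking a receiving address until it reaches a trading platform" means in practice is a forward walk over spends, stopping when an output lands on an address attributed to an exchange, combined with ownership heuristics such as co-spending. The following is an added example for this article, not MistTrack's code or data: it runs a breadth-first trace and the multi-input (common-ownership) clustering heuristic over a constructed five-transaction ledger with invented address names and an invented exchange label set, standing in for real chain data and an attribution database.

```python
from collections import deque

# Constructed ledger (not real chain data): each entry is one transaction,
# the addresses it spends from, and the (address, BTC) outputs it creates.
TXS = [
    {"txid": "t1", "inputs": ["victim_wallet"], "outputs": [("ransom_addr", 2.50)]},
    {"txid": "t2", "inputs": ["ransom_addr"], "outputs": [("split_a", 1.70), ("split_b", 0.80)]},
    {"txid": "t3", "inputs": ["split_a"], "outputs": [("hop_1", 1.69)]},
    {"txid": "t4", "inputs": ["hop_1", "split_b"], "outputs": [("exch_deposit_x", 2.45)]},
    {"txid": "t5", "inputs": ["unrelated"], "outputs": [("exch_deposit_y", 1.00)]},
]
# Constructed attribution labels, standing in for an exchange/entity tag set.
LABELS = {"exch_deposit_x": "Exchange X deposit", "exch_deposit_y": "Exchange Y deposit"}


def spend_index(txs):
    """address -> transactions that spend from it (the forward edges of the graph)."""
    index = {}
    for tx in txs:
        for addr in tx["inputs"]:
            index.setdefault(addr, []).append(tx)
    return index


def trace_forward(start, txs, labels, max_hops=8):
    """Breadth-first walk from `start` along spends until a labelled address is reached.
    Returns [(address, label, hops, path)] for every attributed endpoint found; the
    shortest path to each endpoint is reported because BFS reaches it first."""
    index = spend_index(txs)
    seen = {start}
    queue = deque([(start, 0, [start])])
    hits = []
    while queue:
        addr, hops, path = queue.popleft()
        if addr in labels and addr != start:
            hits.append((addr, labels[addr], hops, path))
            continue  # stop at an attributed endpoint
        if hops >= max_hops:
            continue  # bound the walk; peel chains can be long
        for tx in index.get(addr, []):
            for out_addr, _amount in tx["outputs"]:
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, hops + 1, path + [out_addr]))
    return hits


def common_input_clusters(txs):
    """Multi-input heuristic: addresses spent together in one transaction are assumed
    to share an owner. Union-find over all input addresses; returns clusters of size 2+."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        first = tx["inputs"][0]
        for other in tx["inputs"][1:]:
            parent[find(other)] = find(first)
    groups = {}
    for addr in list(parent):
        groups.setdefault(find(addr), set()).add(addr)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    for addr, label, hops, path in trace_forward("ransom_addr", TXS, LABELS):
        print(f"{label} reached in {hops} hops: {' -> '.join(path)}")
    print("co-spend clusters:", common_input_clusters(TXS))
```

The clustering step is what turns "one receiving address" into an entity: here hop_1 and split_b are co-spent in t4, so both halves of the split are attributed to the same wallet even though only one of them lies on the shortest path to the exchange. The heuristic breaks on CoinJoin-style transactions, which is why production tools combine it with mixer detection before drawing conclusions.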

LockBit has since released a further statement on the incident; a rough translation follows:

"On May 7, 2025, our lightweight control panel with an automatic registration feature was breached, allowing anyone to bypass authorization and access the panel directly. The database was stolen, but no decryptors or sensitive data of affected companies were involved. We are investigating the specific method of the breach and have begun rebuilding. The main control panel and blog are still working normally."

"It is said that the attacker is someone called 'xoxo' from Prague. If you can provide accurate information about his identity, as long as the information is reliable, I am willing to pay for it."

LockBit's response is rather ironic. The U.S. Department of State had earlier offered a reward of up to $10 million for information on the identities and locations of LockBit's key members or their associates, and, to encourage reporting of attacks carried out by its affiliates, a further reward of up to $5 million.

Now LockBit itself has been hacked and is posting a bounty in its channel for clues about the attacker, as if the bounty mechanism had turned back on it. This is both laughable and a further exposure of the weaknesses and disorder of its internal security.

Summary

LockBit has been active since 2019 and is one of the most dangerous ransomware gangs in the world, with an estimated total ransom haul (including undisclosed cases) of at least $150 million. Its RaaS model draws a large number of affiliates into its attacks. Although the gang was hit by law enforcement in "Operation Cronos" in early 2024, it remains active. This incident is a serious blow to the security of LockBit's internal systems and may affect its reputation, affiliate trust, and operational stability. It also highlights a trend of "counterattacks" against cybercriminal organizations in cyberspace.

The SlowMist security team advises all parties:

  • Continuous intelligence monitoring: closely track LockBit's rebuilding efforts and any variant versions;
  • Dark web monitoring: watch relevant forums, sites, and intelligence sources in real time to catch secondary leaks and misuse of the data;
  • Stronger RaaS defenses: reduce your exposure and improve identification and blocking of RaaS toolchains;
  • Better organizational response: if a direct or indirect link to your own organization is found, report it to the competent authority immediately and activate the incident response plan;
  • Fund tracing and anti-fraud linkage: if suspicious payment flows are found entering your platform, tighten anti-money-laundering measures together with on-chain monitoring.

This incident is another reminder that even highly skilled hacker groups cannot fully avoid being attacked themselves. That is one of the reasons security professionals keep fighting.
