Inside a Ransomware Gang's Operations
- danielweis
- May 8
- 3 min read
Yesterday I came across a post regarding the LockBit ransomware gang, who had been hacked big time (they clearly pissed off someone), with their entire database (and ecosystem) made available for download on the dark web. The file really is a fascinating read!
The LockBit Ransomware Gang
The LockBit ransomware gang is a significant, long-running threat actor that operates under the typical Ransomware-as-a-Service (RaaS) model. LockBit first appeared in September 2019, initially known as "ABCD" ransomware. The "LockBit" name was first seen on Russian-language cybercrime forums in January 2020. It has since evolved through several versions, including LockBit 2.0 (released in June 2021) and LockBit 3.0 (also known as LockBit Black, released in March 2022), each with enhanced capabilities. Newer versions like LockBit Green have also emerged, incorporating features from other ransomware families such as Conti.
LockBit affiliates use various methods to gain initial access to victim networks, including:
- Phishing emails
- Exploiting software vulnerabilities, such as the Citrix Bleed vulnerability (CVE-2023-4966)
- Using stolen credentials obtained through VPNs, Remote Desktop Protocol (RDP), or from initial access brokers
- Brute-force attacks against user credentials
- Drive-by compromise (website visits)
- Compromised Group Policy Objects
Once inside a network, LockBit uses tools like Windows PowerShell, PsExec, and Server Message Block (SMB) to move laterally and spread to other systems.
The group has typically targeted critical infrastructure sectors globally, including financial services, healthcare, education, government and emergency services, manufacturing, transportation, energy, and food and agriculture.
What's inside their data
The SQL database from their C2 infrastructure was made available within the last few days; it consists of a single SQL file containing all of the data:

It contains all of their Bitcoin wallet IDs, which will be super useful for law enforcement:

But more interestingly, the data contained chat logs of their discussions with their victims, from December 28 of last year to April 26, 2025.

Analysing the chats, there are a number of common themes:
Negotiation of the ransom amount: A central theme across the chats is victims attempting to negotiate the ransom amount. Victims describe their financial constraints, sometimes pleading for lower figures, but the average ransom amount requested was $22,526.26, with demands as low as $210 and as high as $80,000.
Proof of decryption: Victims often requested proof that decryption is possible before paying. The perpetrators typically instructed them to upload test files for decryption, subject to size limits, and provided links to file-sharing services for larger files.
Technical assistance: There is a lot of technical-assistance chatter with the threat actor(s), with the perpetrators offering some level of technical help to victims, such as instructions for ESXi decryption.
Victim distress: Some victims convey a sense of desperation, mentioning potential job loss and the pressure they are under to recover the data.
For example: "My time is running out... My bosses want to fire me... We can recover my environment for $4000... please help me, I will be fired."
Another victim explains their financial limitations, stating: "2K represents 10% of what we currently have. We are trying to cooperate in a reasonable way, but we simply cannot pay what we don't have."
Victims also frequently expressed their need for quick resolution and assistance, with messages like "When will our data be recovered?" and "Please spend more time online. My boss has been scolding me."
In one instance, when a victim offers $2000, the response is: "2k? I will not reply further to such ridiculousness. I'm sure you will come around with a much better offer in the following days."
No love from the gang, it seems, with responses like: "Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you."
As expected, the victims also expressed concern about the potential loss of data and the need to keep the incident confidential.
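The kind of first-pass triage described above (wallet IDs, the chat date range, and the ransom figures victims quote) as a script an analyst could run over such a dump. This is an added example, not code from the post or from the leaked file: the `btc_addresses` and `chats` tables, their columns, and every row in the sample are constructed for the example, and a real dump's schema will differ.

```python
"""Triage helper for a mysqldump-style SQL file leaked from a ransomware C2.
Added example; table names, columns and sample rows are constructed."""
import hashlib
import re
import statistics
from dataclasses import dataclass

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def encode_base58check(payload: bytes) -> str:
    """Base58Check-encode a payload (version byte + 20-byte hash160)."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    raw = payload + checksum
    num = int.from_bytes(raw, "big")
    digits = []
    while num:
        num, rem = divmod(num, 58)
        digits.append(_B58[rem])
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + "".join(reversed(digits))


def is_valid_base58check(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 are the double-SHA256
    checksum of the first 21 (legacy P2PKH/P2SH form). Flags typos and
    truncated addresses before anyone spends time on them."""
    if not addr or any(ch not in _B58 for ch in addr):
        return False
    num = 0
    for ch in addr:
        num = num * 58 + _B58.index(ch)
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) != 25:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]


# Constructed sample dump: one address built with the encoder, one broken
# address, and chat rows modelled on the kind of messages quoted in the post.
GOOD_ADDR = encode_base58check(b"\x00" + bytes(range(1, 21)))
BAD_ADDR = "1BadAddressWithBrokenChecksumXXXXX"
SAMPLE_DUMP = rf"""
INSERT INTO `btc_addresses` VALUES (1,'{GOOD_ADDR}'),(2,'{BAD_ADDR}');
INSERT INTO `chats` VALUES (1,'2024-12-28 10:02:11','victim','We can recover my environment for $4000... please help me I will be fired.'),(2,'2024-12-28 10:05:40','actor','2k? I will not reply further to such ridiculousness.'),(3,'2025-01-03 08:15:00','victim','2K represents 10% of what we currently have. We can\'t pay more.'),(4,'2025-02-11 14:00:00','victim','Our best offer is $25,000 for the decryptor.'),(5,'2025-04-26 09:00:00','victim','Can you decrypt a test file first? We can pay $210.');
"""


def _split_tuples(values: str) -> list[list[str]]:
    """Tokenise `(a,'b'),(c,'d')` into rows, honouring mysqldump's \\' escapes."""
    rows, row, buf = [], [], []
    in_str = in_tuple = False
    i = 0
    while i < len(values):
        c = values[i]
        if in_str:
            if c == "\\" and i + 1 < len(values):
                buf.append(values[i + 1])
                i += 2
                continue
            if c == "'":
                in_str = False
            else:
                buf.append(c)
        elif c == "'":
            in_str = True
        elif c == "(":
            in_tuple, row, buf = True, [], []
        elif c == ")":
            row.append("".join(buf))
            rows.append(row)
            in_tuple = False
        elif c == "," and in_tuple:
            row.append("".join(buf))
            buf = []
        elif in_tuple:
            buf.append(c)
        i += 1
    return rows


def parse_insert_rows(dump: str) -> dict[str, list[list[str]]]:
    """Map table name -> rows for each INSERT INTO `t` VALUES (...),(...); line."""
    tables: dict[str, list[list[str]]] = {}
    for m in re.finditer(r"INSERT INTO `([^`]+)` VALUES (.+);\s*$", dump, re.M):
        tables.setdefault(m.group(1), []).extend(_split_tuples(m.group(2)))
    return tables


# Dollar figures ($4000, $25,000) and the "2K" shorthand seen in negotiations.
AMOUNT_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d+)|\b(\d+(?:\.\d+)?)\s?[kK]\b")


def extract_amounts(text: str) -> list[float]:
    found = []
    for m in AMOUNT_RE.finditer(text):
        if m.group(1):
            found.append(float(m.group(1).replace(",", "")))
        else:
            found.append(float(m.group(2)) * 1000)
    return found


@dataclass
class RansomStats:
    count: int
    minimum: float
    maximum: float
    mean: float


def ransom_stats(chat_rows: list[list[str]]) -> RansomStats:
    """Stats over figures quoted by victims (column 2 = role, column 3 = text)."""
    amounts = [a for r in chat_rows if r[2] == "victim" for a in extract_amounts(r[3])]
    return RansomStats(len(amounts), min(amounts), max(amounts), statistics.mean(amounts))


def triage(dump: str) -> dict:
    tables = parse_insert_rows(dump)
    stamps = sorted(r[1] for r in tables["chats"])
    return {
        "wallets": [(r[1], is_valid_base58check(r[1])) for r in tables["btc_addresses"]],
        "chat_window": (stamps[0], stamps[-1]),
        "ransom": ransom_stats(tables["chats"]),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

The Base58Check test only covers legacy addresses; bech32 (`bc1...`) addresses would need a separate decoder, and the amount regex is a heuristic, so figures it pulls out should be eyeballed against the message before they go into a report.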
Check it out, researchers
A really good resource for threat-intelligence folk and researchers alike; you can download it here:
Also inside the file (besides chats and BTC addresses) is victim profile information, including domains, estimated revenue and custom ransomware builds, as well as references to encryption configurations, decryption keys and technologies used by the threat actor.