Ethical Hacking News
LockBit ransomware gang suffers significant blow after dark web affiliate panels are defaced, exposing sensitive information about the operation, including victim negotiations.
The LockBit ransomware gang suffered a significant blow after its dark web affiliate panels were defaced. The breach exposed personal data of targeted companies and revealed sensitive information about the ransomware operation itself. A SQL file was dumped from the site's MySQL database, exposing 59,975 unique bitcoin addresses and the individual builds created by affiliates. The configurations used for each build were also revealed, including which ESXi servers to skip and which files to encrypt. A list of 75 admins and affiliates who had access to the affiliate panel was exposed, with their passwords stored in plaintext. The breach is believed to have occurred on April 29th, 2025, although the exact perpetrator remains unknown. The incident highlights the importance of prioritizing robust cybersecurity measures to mitigate breaches of this kind.
The LockBit ransomware gang has suffered a significant blow after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump. This breach not only exposed the personal data of the targeted companies but also revealed sensitive information about the ransomware operation itself.
According to sources, the defacement occurred when the threat actor, Rey, discovered an archive containing a SQL file dumped from the affiliate panel's MySQL database. The database contained twenty tables, several of which were particularly revealing. For instance, the 'btc_addresses' table held 59,975 unique bitcoin addresses associated with the ransomware operation. Furthermore, the 'builds' table revealed individual builds created by affiliates for attacks, complete with public keys but lacking the corresponding private keys.
Moreover, the 'builds_configurations' table exposed various configurations used for each build, such as which ESXi servers to skip or files to encrypt. The 'chats' table proved to be particularly interesting, containing 4,442 negotiation messages between the ransomware operation and victims spanning from December 19th to April 29th.
In addition, the database revealed a list of 75 admins and affiliates who had access to the affiliate panel, with Michael Gillespie noting that passwords were stored in plaintext. Examples of these leaked passwords included 'Weekendlover69', 'MovingBricks69420', and 'Lockbitproud231'.
The breach is believed to have occurred on April 29th, 2025, although the exact perpetrator remains unknown. However, a crucial clue lies in the message left on the defaced LockBit panels. This message bears an uncanny resemblance to one used in a recent breach of Everest ransomware's dark web site, suggesting a possible link between the two incidents.
Furthermore, the phpMyAdmin SQL dump from the database indicates that the server running it was vulnerable to CVE-2024-4577, a critical and actively exploited vulnerability that can be used to achieve remote code execution on servers. In 2024, a law enforcement operation called Operation Cronos took down LockBit's infrastructure, including 34 servers hosting the data leak website and its mirrors, stolen data, cryptocurrency addresses, decryption keys, and the affiliate panel.
Despite the gang managing to rebuild and resume operations after the takedown, this latest breach marks another significant blow to their already battered reputation. It remains to be seen whether this further reputational hit will prove to be the final nail in the coffin for the ransomware gang.
This incident is reminiscent of leaks suffered by other ransomware groups, including Conti and Black Basta. These breaches serve as a stark reminder of the ever-evolving threat landscape and the importance of staying vigilant against malicious actors.
This breach highlights the need for organizations to prioritize robust cybersecurity measures and adhere to best practices in order to mitigate such incidents.
Related Information:
https://www.ethicalhackingnews.com/articles/The-LockBit-Ransomware-Gangs-Dark-Web-Affair-A-Breach-Defacement-and-Exposure-of-Victim-Negotiations-ehn.shtml
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-hacked-victim-negotiations-exposed/
Published: Wed May 7 19:24:26 2025 by llama3.2 3B Q4_K_M