Lockbit Ransomware Hacked - Leaked Database Exposes Internal Chats
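The LockBit ransomware gang suffered a major intrusion: its dark web infrastructure was compromised and 60,000 Bitcoin addresses, 4,442 negotiation records and 75 plaintext passwords were leaked. The incident may help law enforcement trace payments and attribute attacks. LockBit has tried to downplay the impact and has offered a bounty to track down the hacker. 2025-5-8 06:59:9 Author: cybersecuritynews.com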

The notorious LockBit ransomware operation has suffered a significant breach. On May 7, attackers defaced its dark web infrastructure and leaked a comprehensive database containing sensitive operational details.

The hack represents a major blow to one of the world’s most prolific ransomware groups.

Visitors to LockBit’s dark web sites are now greeted with a defiant message: “Don’t do crime CRIME IS BAD xoxo from Prague,” alongside a link to download a file named “paneldb_dump.zip” containing a MySQL database dump.

Security researchers have confirmed the authenticity of the leaked data, which contains a treasure trove of information about the ransomware operation.

The database includes approximately 60,000 unique Bitcoin wallet addresses used for ransom payments, 4,442 negotiation messages between LockBit operators and their victims spanning from December to late April, and details of custom ransomware builds created for specific attacks.

Perhaps most embarrassingly, the leak exposed a user table containing plaintext passwords for 75 administrators and affiliates.

Alon Gal, Co-Founder and CTO at Hudson Rock, called the breach “a goldmine for law enforcement” that could significantly aid in tracing cryptocurrency payments and attributing attacks to specific threat actors.

LockBit has attempted to downplay the incident. In a message posted on their leak site in Cyrillic text, the group claimed: “On May 7, they hacked the light panel with autoregistration for everyone, took the database, not a single decryptor and not a single stolen company data was affected”. The group has offered payment for information about the Prague-based hacker responsible for the breach.

This hack comes just months after Operation Cronos, a coordinated law enforcement action that temporarily disrupted LockBit’s infrastructure in February 2024.

While the group managed to rebuild and resume operations after that takedown, its reputation had already suffered significant damage. Researchers noted that many of its recent victim claims were recycled from earlier attacks or from other ransomware groups.

The breach resembles a recent attack against the Everest ransomware operation, which used an identical defacement message. Cybersecurity researchers speculate that both attacks might be related to a critical vulnerability in PHP 8.1.2 (CVE-2024-4577) that allows for remote code execution.

For LockBit, which was responsible for approximately 44% of all ransomware incidents globally in early 2023, this breach represents a potentially devastating setback that could undermine affiliate trust and further hinder their operations.



Source: https://cybersecuritynews.com/lockbit-ransomware-hacked/