Data Leak Reveals Leading Affiliates and How They Operate


A massive data leak from the LockBit ransomware group, published on its hijacked leak site, has provided an unprecedented glimpse into the inner workings of one of the most notorious Ransomware-as-a-Service (RaaS) operations.

The leaked data, spanning from December 19, 2024, to April 29, 2025, primarily pertains to the group’s “LockBit Lite” panel, a lower-tier affiliate program designed for novice threat actors.

Unlike the standard LockBit affiliate scheme, which demands a 1 BTC deposit and rigorous vetting based on reputation, team composition, and prior cybercrime experience, LockBit Lite offers access to ransomware for a mere $777 USD fee.

This accessible entry point, introduced in December 2024, allows affiliates to launch attacks within minutes of payment, though with significant trade-offs such as lack of direct access to encryption keys.

Affiliates often rely on a “boss” or “tech support” for decryptors, leading to delays and, in several cases, failed decryption even after ransom payments.

Prolific Affiliates

Analysis of the leaked data highlights the most active affiliates on the LockBit Lite panel, with “Christopher” leading at 44 negotiations, followed by “jhon0722” with 42, and others like “PiotrBond,” “JamesCraig,” and “Swan” trailing behind.

An intriguing figure, “matrix777,” appears to be a senior member or administrator due to matching TOX IDs and a registration date of November 15, 2020, far predating the Lite panel’s inception.

Victimology reveals a notable focus on Chinese organizations, potentially due to perceived ease of compromise and higher likelihood of ransom payment, as one affiliate noted, “We love working with China, they pay well.”

Surprisingly, Russian targets were also hit, despite LockBit’s explicit ban on such attacks.

In one instance, admin “matrix777” intervened after discovering an affiliate was hacked, suspecting an FBI operation or competitor sabotage, and provided free decryptors, though they failed to work.

According to the SearchLight Cyber report, this incident, alongside repeated decryptor failures reported by victims, underscores the operational inefficiencies within the Lite program, often leaving victims stranded even after complying with demands.

Unusual Tactics

Perhaps the most bizarre revelation is LockBit’s attempt to recruit victims into its RaaS scheme, advertising the $777 entry fee with messages promising a lavish lifestyle.

While some Chinese victims expressed interest, existing affiliates showed little enthusiasm for onboarding new members, reflecting their independent contractor mindset.

In another unexpected twist, affiliates like “Christopher” offered victims basic security advice post-attack, detailing initial access methods such as phishing and suggesting measures like stronger passwords and network monitoring.

Some even provided tips to evade sanctions during ransom payments by framing transactions as payments to “independent researchers.”

However, the leak also exposes the inherent risks for victims, as negotiation records are now public, and successful decryption is never guaranteed.

This snapshot of LockBit Lite, while limited in scope, paints a picture of a group adapting to reputational damage from Operation Cronos in February 2024 by lowering barriers for new affiliates, even as it grapples with trust issues and operational hiccups within its ranks.
