
The LockBit ransomware-as-a-service (RaaS) operation netted around $2.3 million USD within 5 months, data leaked in the May 2025 hack of a LockBit affiliate panel has revealed.
From that sum, the operators took their 20% cut (approximately $456,000 USD), and they additionally “earned” some $10,000-$11,000 USD from affiliates that registered through the panel.
“What this leak truly shows is the complex and ultimately less glamorous reality of their illicit ransomware activities. While profitable, it’s far from the perfectly orchestrated, massively lucrative operation they’d like the world to believe it is,” Trellix researchers noted.
(The US DoJ previously estimated that LockBitSupp – the leader of the LockBit outfit – “earned” around $100 million USD between 2019 and 2024).
LockBit on the ropes?
At one time, LockBit was among the most active and well-known RaaS operations out there, but the May 2025 compromise of the group’s “Lite” affiliate panel was just the latest in a series of blows to the outfit.
In early 2024, law enforcement disrupted the group’s infrastructure and its leak site, recovered decryption keys, froze cryptocurrency accounts, and arrested some of its suspected affiliates. In May, UK, US and Australian law enforcement agencies revealed the alleged identity of LockBitSupp, and the three nations imposed sanctions on him.
In October, more LockBit affiliates were arrested and identified, and in December, the US Department of Justice unsealed charges against a dual Russian and Israeli national who is suspected of being a developer for the LockBit ransomware group.
Insights from the LockBit data leak
The data leak, which Trellix researchers believe comes from the database behind LockBit’s “Lite” affiliates admin panel, encompasses data from December 18, 2024 to April 29, 2025, and contains details on LockBit ransomware affiliates, victim organizations, chat logs, cryptocurrency wallets and ransomware build configurations.
Their analysis of the data revealed that:
- The LockBit outfit is apparently working on a new version of its ransomware (LockBit 5.0), but it’s yet to be released
- The leaked negotiation chats point to most of the affiliates not being very successful at convincing target organizations to pay the ransom. Also, the ransom amounts are not very big – mostly between $2,000 and $40,000 USD, with one glaring exception: a single affiliate got $2 million from a Swiss software/IT firm
- Affiliates prefer to target organizations in the manufacturing, consumer services, finance, software/IT and government sectors
- Some affiliates seemingly specialize in hitting organizations in specific countries and/or specific sectors
“Our analysis of LockBit’s geographic targeting from December 2024 to April 2025 reveals China as the most heavily targeted country,” the researchers noted.
“The concentration of attacks in China suggests a significant focus on this market, possibly due to its large industrial base and manufacturing sector. Unlike BlackBasta and Conti RaaS groups that occasionally probe Chinese targets without encrypting them, LockBit appears willing to operate within Chinese borders and disregard potential political consequences, marking an interesting divergence in their approach.”
LockBit adverts’ (i.e., affiliates’) victims by country (Source: Trellix)
Organizations in the US and Taiwan are also popular targets. The latter are a particular favorite of one affiliate (who goes by “Christopher”), who might have “specialized knowledge of the region’s networks or specific vulnerabilities being exploited.”
LockBit’s Russian targets
Interestingly, two of the affiliates encrypted two Russian government entities: the Department of Bridge Constructions of Moscow and the Municipality of Chebarcul, the researchers found.
Organizations in Russia and CIS countries are generally considered off-limits by Russian-based cybercriminals, but affiliates may not be careful about toeing that line.
In both cases, LockBitSupp apologized, blamed affiliates/competitors/the FBI for the attack, and provided the decryptors for free, but they apparently did not work.
“This is not the first time LockBit ransomware has been used to attack Russian entities. In January 2024 when LockBit imposters attacked a Russian security company, AN-Security, LockBit stated that their competitors use a leaked builder to impersonate LockBit and inflict reputational damage to their ransomware program,” Trellix researchers noted.
More recently, Positive Technologies reported on the DarkGaboon APT group leveraging the LockBit 3.0 ransomware against Russian companies. That version was leaked in 2022 and is used by a number of cybercrime outfits, which are seemingly not connected to the LockBit RaaS.