
Reports are emerging that the LockBit ransomware group has experienced a data breach. This breach has exposed information on the group’s inner workings, including:
- Ransomware build records
- Conversation transcripts between affiliates and victims
- Configuration data
This leak offers unprecedented intelligence into the operations of one of the most prolific ransomware groups. Although the leaked files were created in 2024, they were not leaked until May 2025.
Ontinue discussed findings from the leak in a blog. Here, we break down some of the key findings.
Who Is LockBit?
Mr. Saeed Abbasi, Manager, Vulnerability Research at Qualys Threat Research Unit, states, “LockBit is a prominent ransomware gang that has operated its ransomware-as-a-service (RaaS) family since 2019. The group has continuously developed its malicious software, releasing several iterations, including LockBit 2.0 in June of 2021 and LockBit 3.0 (also known as LockBit Black) in June of 2022. Each new version brought enhanced capabilities, targeting a wider range of operating systems, such as Windows, Linux, VMware ESXi, and macOS. LockBit operates on an affiliate model, where the core group develops and maintains the ransomware, and affiliates carry out the attacks, sharing a percentage of the ransom payments.”
Diving Into The LockBit Leak
The leak reportedly originated from an onion URL tied to LockBit. This suggests that the attacker breached LockBit’s infrastructure before hosting the leaked data on their own Tor hidden service website.
Mr. Abbasi states, “The recent LockBit leak reminds us of the persistent and evolving threat ransomware groups pose. By understanding their exploited vulnerabilities and targeted systems, as revealed in this data, vulnerability management professionals and practitioners can take immediate, actionable steps to harden their environments.”
Below are key findings from the exposed data.
Strategic Thinking in Affiliate Ransom Estimates
The report found that LockBit affiliates manually entered projected ransom amounts during the payload creation process. Although the figures have not been financially verified, they offer insight into affiliates’ approaches, operational mindsets, and pricing models, shedding light on the economic drivers of the group’s affiliate structure.
Leveraging Tor Infrastructure
LockBit uses the Tor network to preserve anonymity and obscure its digital infrastructure. By relying on .onion domains, the group is more resilient to takedown efforts.
Operating With Business Mindsets
The leaked data revealed examples of LockBit operating with a business-like attitude, replicating practices and processes used in legitimate technology organizations.
Using Emotional and Psychological Tactics
Transcripts show affiliates using emotional and psychological techniques to pressure targets into paying ransoms.
Mitigating Threats from LockBit
In order to mitigate the threats posed by LockBit, Mr. Abbasi shares, “The following key tactics are essential to disrupt LockBit’s common attack vectors and enhance your organization’s resilience against ransomware threats: 1) Prioritizing patches for known exploited CVEs, 2) Securing often-overlooked systems like backup infrastructure and NAS devices, and 3) Reinforcing fundamental security hygiene like strong credentials and access controls.”