The LockBit ransomware group, long considered one of the world’s most prolific cybercrime syndicates, has suffered a devastating breach.
On May 7, attackers defaced LockBit’s dark web infrastructure and released a comprehensive MySQL database dump, exposing sensitive operational details and internal communications.
Defacement and Data Dump
Visitors to LockBit’s dark web panels were greeted with the taunting message:
Security researchers have verified the authenticity of the leak, which includes:
- Nearly 60,000 unique Bitcoin wallet addresses used for ransom payments (btc_addresses table).
- 4,442 negotiation messages between LockBit operators and victims, spanning December 2024 to late April 2025 (chats table).
- Details of custom ransomware builds, including targeted company names and build configurations (builds and builds_configurations tables).
- A user table listing 75 administrators and affiliates, with passwords stored in plaintext; examples include "Weekendlover69" and "Lockbitproud231".

Technical Analysis: The Breach Vector
Initial analysis suggests the attackers exploited a critical PHP vulnerability tracked as CVE-2024-4577.
This OS command injection flaw allows unauthenticated remote code execution on servers running PHP in CGI mode on Windows, when the system is configured with certain code pages (notably Chinese and Japanese locales).
By injecting php-cgi command-line arguments through specially crafted requests, attackers bypass the check that was added after the earlier CVE-2012-1823 argument injection and execute arbitrary commands.
The compromised server was reported to be running PHP 8.1.2, which predates the fixed release in that branch (8.1.29) and is therefore susceptible.
Notably, the same defacement message was used in a recent breach of the Everest ransomware group, which points to the same actor and, by extension, plausibly the same CVE-2024-4577 entry vector.
Example Exploit (CVE-2024-4577):
```http
GET /php-cgi.exe?%AD%AD-c+whoami HTTP/1.1
Host: vulnerable-site.com
```
This request can trigger command execution because of improper character handling in PHP CGI mode: the byte 0xAD (a soft hyphen) passes the guard against query strings that start with "-", but Windows' "Best Fit" code-page conversion then maps it to "-", so php-cgi parses what follows as a command-line option.
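Two checks a responder would want after reading the above, as an added example that is not code from the original article or from any party named in it: a version test against the fixed releases named in the PHP advisory for CVE-2024-4577 (8.1.29, 8.2.20, 8.3.8), and a scan of web-server access-log lines for query strings in which a token begins with the soft-hyphen byte 0xAD, the byte that Windows' Best Fit code-page mapping turns into "-" and so into a php-cgi option. The log lines, IP addresses and paths are constructed for illustration.

```python
"""Added example: triage helpers for CVE-2024-4577 (PHP-CGI argument injection).

Not code from the original article. The sample log lines below are constructed
for illustration; the clients, hosts and paths in them are made up.
"""
import re
from urllib.parse import unquote_to_bytes

# Fixed releases from the PHP advisory for CVE-2024-4577, keyed by branch.
FIXED_VERSIONS = {(8, 1): (8, 1, 29), (8, 2): (8, 2, 20), (8, 3): (8, 3, 8)}


def is_vulnerable_php_version(version: str) -> bool:
    """Return True if `version` names a PHP release affected by CVE-2024-4577.

    Branches before 8.1 were end-of-life at disclosure and never received an
    upstream fix, so they count as vulnerable. Branches newer than 8.3 were
    released after the fix.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))  # tolerate "8.1" as well as "8.1.2"
    major, minor, patch = parts
    if (major, minor) < (8, 1):
        return True
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return False
    return (major, minor, patch) < fixed


# Combined-format access log: client, then the quoted request line.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# A query-string token that begins with 0xAD (soft hyphen). After the Windows
# Best Fit mapping php-cgi sees it as '-', i.e. the start of an option.
# Anchoring to the start of a token (start of string or after whitespace)
# avoids flagging a 0xAD that merely appears inside a value.
INJECTED_OPTION_RE = re.compile(rb"(?:^|\s)\xad")


def query_bytes(target: str) -> bytes:
    """Decode the query part of a request target the way a CGI server would."""
    _, _, query = target.partition("?")
    return unquote_to_bytes(query.replace("+", " "))


def scan_access_log(lines):
    """Flag requests that look like CVE-2024-4577 argument injection attempts."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        if INJECTED_OPTION_RE.search(query_bytes(m.group("target"))):
            hits.append({"line": lineno, "client": m.group("client"),
                         "target": m.group("target")})
    return hits


# Constructed sample log lines (not real traffic). Line 1 reuses the request
# shape from the article; line 2 injects a harmless "-d display_errors=1";
# lines 3 and 4 are benign, the last one with a soft hyphen inside a value.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/May/2025:02:14:11 +0000] "GET /php-cgi.exe?%AD%AD-c+whoami HTTP/1.1" 200 512',
    '203.0.113.5 - - [07/May/2025:02:14:12 +0000] "GET /index.php?%ADd+display_errors%3d1 HTTP/1.1" 200 1024',
    '198.51.100.7 - - [07/May/2025:02:15:00 +0000] "GET /index.php?q=caf%C3%A9 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [07/May/2025:02:15:01 +0000] "GET /index.php?name=x%ADy HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print("PHP 8.1.2 vulnerable:", is_vulnerable_php_version("8.1.2"))
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The token-start anchoring mirrors the interim mitigation in the PHP advisory, a rewrite rule that rejects query strings beginning with %ad; matching 0xAD anywhere would also flag ordinary soft hyphens inside values, which the fourth sample line shows being left alone.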
Impact and Fallout
The leak is a goldmine for law enforcement and cybersecurity professionals. The exposed Bitcoin wallet addresses and negotiation logs provide unprecedented insight into LockBit’s financial flows and extortion tactics.
The plaintext passwords and affiliate details could enable authorities to trace and identify key members and collaborators.
LockBit, which pioneered the ransomware-as-a-service (RaaS) model, has been responsible for up to 44% of global ransomware incidents in early 2023, amassing over $91 million in ransom payments from more than 1,700 attacks in the US alone.
The group’s tactics typically involve exploiting vulnerabilities such as CVE-2018-13379 in Fortinet VPNs, brute-forcing RDP credentials, and deploying payloads via PowerShell and PsExec.
LockBit’s Response and Industry Repercussions
In a statement posted in Russian, LockBit attempted to downplay the breach, claiming only the "light panel" was compromised and that no decryptors or stolen victim data were affected.
The group is reportedly offering a bounty for information on the Prague-based hacker behind the attack.
This breach follows February 2024’s Operation Cronos, an international law enforcement campaign that temporarily seized LockBit’s infrastructure.
While LockBit managed to resume operations, its reputation has been severely damaged, with affiliates reportedly recycling victim claims and losing trust in the platform.
Broader Implications
The LockBit breach underscores the risk posed by unpatched software vulnerabilities: CVE-2024-4577 was disclosed and patched in June 2024, almost a year before this incident, yet the group's panel was still running an affected PHP release.
As ransomware groups face mounting pressure from both law enforcement and rival hackers, operational security lapses can have catastrophic consequences.
For LockBit, this incident may mark the beginning of the end, as trust among affiliates erodes and law enforcement agencies gain critical intelligence to dismantle the group’s global network.