
Ransomware: What the LockBit 3.0 data leak shows

On May 7, 2024, the British National Crime Agency and its partners in Operation Cronos announced the suspected identity of the operator of the LockBit 3.0 franchise, also known as LockBitSupp: Dmitry Yuryevich Khoroshev.

A year later, the entire contents of the SQL database behind a web administration interface for the franchise's partners were published. And not just anywhere: on the ransomware franchise's own websites. The irony is that they were hacked. The data was extracted on April 29. It concerns a system that was set up on December 18 last year.

A rare light

This data offers unprecedented visibility into the activities of the LockBit 3.0 ransomware. The compilation dates of the encryption malware make it possible to refine earlier estimates of attack dates. For certain known victims, they already show a gap of up to 10 days between the end of the exfiltration of the victim's data and the start of encryption. This underlines the importance of efforts to detect such exfiltration.

This data can also be used to attribute various victims to their attackers. This grouping will be useful for analyzing negotiation methods and tracking ransom payments.

Activity of LockBit partners between December 18, 2024 and April 29, 2025 – Lemagit

This administrative interface for partners contained 75 user accounts, two of which were most likely used by LockBitSupp himself. No fewer than 35 accounts were suspended, two of which were used against victims in Russia. The franchise's operator has stated that this is the reason for their suspension.

However, only 44 accounts were used to generate ransomware and possibly launch cyberattacks. Thirty of them were active on April 29, but only seven appear to have been carrying out attacks at that time.

Cumulative activity by month, segmented by world region – Lemagit

A geographical spread

Analysis of the geographical origins of the victims shows an unusual trend: in all likelihood, the Asia-Pacific region accounted for 35.5% of the companies attacked by partners during the period in question, compared with 22% for Europe and less than 11% for North America, behind Latin America at 12%.

Global geographical distribution of the activities of LockBit 3.0 partners from late 2024 to the end of April 2025 – Lemagit

However, there are very clear differences between partners. For example, Piotrbond focused on the Asia-Pacific region, with 76% of its victims there. The same applies to Umarbischof47 (81%). Darraghberg targeted this region and Africa-Middle East equally (33.3%). Jamescraig also gave priority to the Asia-Pacific region (42%).

This geographical review also underlines the lack of observability of the threat in this region, especially in China, which accounts for 51 victims in the sample examined. Indonesia is a close second with 49 victims, followed by India (35).

Geographical breakdown of the activities of the various LockBit partners between December 18, 2024 and April 29, 2025 – Lemagit

The data also indicates that South Korea is underrepresented in observable malicious activities worldwide.

This unusual geographical distribution may reflect changes in the profiles recruited by LockBit 3.0. The most active partners do not seem to be those who pursue the most attractive victims.

The reflection of a tarnished image

Instead, the available data indicate that those who accumulate victims go after potentially less mature targets than others, even if that means settling for modest amounts in countries with lower per capita income worldwide.

The negotiations observed support this analysis: the ransom demanded was very often less than 20,000 US dollars.

Overall, the LockBit 3.0 banner currently seems to have only two or three active high-flying partners. This is only half a surprise: the international judicial operation Cronos damaged the image of the mafia-like franchise. If it still attracts anyone, its appeal is, unsurprisingly, limited.

One may even wonder whether some victims who refuse to pay the ransom are deliberately not claimed on LockBit's showcase site so as not to tarnish its image further.

And it is unlikely that this new leak will improve matters: it contains the encrypted email IDs of certain partners, their passwords (stored in clear text) and pseudonyms that certain open source intelligence specialists can work with, and it undoubtedly exposes the victims' private encryption keys.
