
LockBit Internal Data Leak Reveals Payload Creation Patterns and Ransom Demands

In May 2025, the cybersecurity community received unprecedented insight into the operations of one of the most notorious ransomware groups in the world, as LockBit itself fell victim to a data breach.

The leaked information, which was made available through an apparent hidden service network, unveiled a trove of sensitive data, including ransomware build records, affiliate communications, victim negotiations and detailed configuration parameters that were used in attacks.

LockBit has established itself as a dominant force in the cybercrime ecosystem through its ransomware-as-a-service (RaaS) model, which lets individual cybercriminals or small collectives use sophisticated malware tools in exchange for a percentage of successful ransom payments.



This business model has proven extremely effective, enabling the group to scale its operations across a huge network of affiliates while maintaining operational security.

LockBit “Bug Bounty Program” page (Source – Ontinue)

Ontinue researchers found that the exposed files were created in 2024 but only surfaced in May 2025, providing a retrospective view of about six months.

Analysis of the data yielded almost 60,000 Bitcoin wallet addresses, over 4,400 negotiation transcripts with victims and extensive customization records showing how different affiliates configured their payloads for particular targets.

The leak provides concrete evidence linking usernames to specific attacks, which corresponds with earlier law enforcement operations, including Operation Cronos, in which the UK's National Crime Agency had previously infiltrated the group's infrastructure and published a list of affiliate identifiers.

Operation Cronos (Source – Ontinue)

Inside the payload creation process

The most technically revealing aspect of the leak is the detailed “builds” table, which logs every ransomware payload generated via the LockBit affiliate panel.

LockBit onion URL (Source – Ontinue)

Each build is saved in a JSON format that reveals the group's sophisticated configuration options. Affiliates can customize their attacks with modular components that can be enabled or disabled based on target requirements.

{
    "userid": 3,
    "comment": "Hello",
    "company_website": "example.com",
    "crypted_website": "[encrypted string]",
    "revenue": "10kk",
    "delete_decryptor": true,
    "type": 25,
    "created_at": "2024-12-18 20:05:23"
}

The configuration options show sophisticated functionality, including fields that control encryption behavior, stealth mechanisms and post-infection cleanup.

Parameters such as “Quiet_Mode” suppress execution output to avoid detection, while “delete_decryptor” determines whether the malware removes the decryption functionality after infection.

The “revenue” field is particularly notable: it indicates the intended ransom demand for the company rather than the actual payment.

Analysis of these configurations shows affiliates targeting specific sectors with tailored approaches.

The most prolific LockBit affiliate (ID 42, username “Ashlin”) generated the highest number of payloads, while another affiliate (ID 14) targeted fewer victims, but with significantly higher average ransom demands of $42 million per target.
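The per-affiliate comparison described above can be reproduced by grouping build records by `userid`. The following is an added example, not code from Ontinue or from the leak: the sample rows are constructed, only field names from the record shown above are used, and reading each trailing “k” in `revenue` as a factor of 1,000 (so “10kk” means 10,000,000) is an assumption.

```python
import json
import re
from collections import defaultdict

# Constructed sample rows in the shape of the build record shown above.
# These are NOT values from the leak.
SAMPLE_BUILDS = json.loads("""
[
 {"userid": 3, "company_website": "example.com", "revenue": "10kk", "delete_decryptor": true},
 {"userid": 3, "company_website": "example.org", "revenue": "500k", "delete_decryptor": false},
 {"userid": 3, "company_website": "example.net", "revenue": "", "delete_decryptor": true},
 {"userid": 7, "company_website": "example.edu", "revenue": "40kk", "delete_decryptor": true}
]
""")

# A number followed by zero or more 'k' suffixes, e.g. "500k", "10kk", "1.5kk".
_REVENUE_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(k*)\s*$", re.IGNORECASE)

def parse_revenue(raw):
    """Return the amount as a float, or None for empty or free-text values.
    Assumption: each trailing 'k' multiplies by 1,000."""
    m = _REVENUE_RE.match(str(raw or ""))
    if not m:
        return None
    return float(m.group(1)) * 1000 ** len(m.group(2))

def summarize_by_affiliate(builds):
    """Per userid: build count, distinct targets, mean demand, cleanup usage."""
    grouped = defaultdict(list)
    for build in builds:
        grouped[build["userid"]].append(build)
    summary = {}
    for uid, rows in grouped.items():
        parsed = (parse_revenue(r.get("revenue")) for r in rows)
        amounts = [a for a in parsed if a is not None]
        summary[uid] = {
            "builds": len(rows),
            "targets": len({r.get("company_website") for r in rows}),
            "avg_demand": sum(amounts) / len(amounts) if amounts else None,
            "delete_decryptor_builds": sum(1 for r in rows if r.get("delete_decryptor")),
        }
    return summary

if __name__ == "__main__":
    for uid, stats in sorted(summarize_by_affiliate(SAMPLE_BUILDS).items()):
        print(uid, stats)
```

Rows whose `revenue` value cannot be parsed still count toward the build total but are left out of the average, so one free-text entry does not distort an affiliate's mean demand.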

The leak also reveals LockBit's recruitment tactics, with affiliates courted through invitations to “start in 5 minutes”, showing how these criminal organizations continue to attract new technical talent despite increasing law enforcement pressure.
