Data leak reveals leading affiliates and how they operate

A massive data leak from the LockBit ransomware group, published on its hijacked leak site, has given unprecedented insight into the inner workings of one of the most prominent ransomware-as-a-service (RaaS) operations.

The leaked data, which spans December 19, 2024 to April 29, 2025, mainly concerns the group's “LockBit Lite” panel, a lower-tier affiliate program for beginners.

In contrast to the standard LockBit affiliate program, which requires a 1 BTC deposit and stricter vetting based on reputation, team composition and prior cybercriminal experience, LockBit Lite offers access to the ransomware for a fee of only 777 USD.

This accessible entry point, introduced in December 2024, enables affiliates to start attacks shortly after payment, but with considerable trade-offs such as the lack of direct access to encryption keys.

Affiliates often rely on a “boss” or “technical support” for decryptors, which leads to delays and, in several cases, to failed decryption even after the ransom was paid.

Prolific affiliates

Analysis of the leaked data shows the most active affiliates in the LockBit Lite panel, with “Christopher” leading at 44 negotiations, followed by “Jhon0722” with 42 and others such as “Piotrbond”, “Jamescraig” and “Swan”.

One notable figure, “Matrix777”, appears to be a high-ranking member or administrator, given matching Tox IDs and a registration date of November 15, 2020, long before the Lite panel was set up.

The victimology shows a notable focus on Chinese organizations, possibly due to the perceived ease of compromise and the greater likelihood of a ransom payment. As one affiliate stated: “We love to work with China, you pay well.”

Surprisingly, Russian targets were also hit, despite LockBit's explicit ban on such attacks.

In one case, admin “Matrix777” intervened after finding that an affiliate had been hacked, suspecting an FBI operation or sabotage by a competitor, and provided free decryptors, although they did not work.

According to the Searchlight Cyber report, this incident, together with the repeated decryption failures reported by victims, underlines the operational inefficiencies within the Lite program, which often leave victims stranded after they have complied with the demands.

Unusual tactics

Perhaps the most bizarre revelation is LockBit's attempt to recruit victims into its RaaS program, promoting the 777 US dollar entry fee with messages that promise a lavish lifestyle.

While some Chinese victims expressed interest, existing affiliates showed little enthusiasm for onboarding new members, reflecting their independent, contractor-like mindset.

In another unexpected twist, affiliates such as “Christopher” offered victims advice after the attack, describing initial access methods such as phishing and suggesting measures such as stronger passwords and network monitoring.

Some even gave tips on avoiding sanctions when paying the ransom by presenting the transactions as payments to “independent researchers”.

However, the leak also exposes the inherent risks for victims, since the negotiation records are now public and successful decryption is never guaranteed.

This snapshot of LockBit Lite paints a picture of a group adapting to the reputational damage from Operation Cronos in February 2024 by lowering the barriers for new affiliates, even as it grapples with trust problems and operational hiccups within its ranks.