
LockBit ransomware gang hacked, victim negotiations exposed

The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump.

All of the ransomware gang's admin panels now state: "Don't do crime CRIME IS BAD xoxo from Prague," with a link to download a "paneldb_dump.zip."

As first spotted by the threat actor Rey, this archive contains a SQL file dumped from the affiliate panel's MySQL database. From analysis by BleepingComputer, this database contains twenty tables, with some more interesting than others, including:

Based on the last date record in the negotiation chats table, the database appears to have been dumped at some point on April 29th, 2025.

It's unclear who carried out the breach and how it was done, but the defacement message matches the one used in a recent breach of Everest ransomware's dark web site, suggesting a possible link.

Furthermore, the phpMyAdmin SQL dump shows that the server was running PHP 8.1.2, which is vulnerable to a critical and actively exploited vulnerability tracked as CVE-2024-4577 that can be used to achieve remote code execution on servers.

In 2024, a law enforcement operation called Operation Cronos took down LockBit's infrastructure, including 34 servers hosting the data leak website and its mirrors, data stolen from the victims, cryptocurrency addresses, 1,000 decryption keys, and the affiliate panel.

Although LockBit managed to rebuild and resume operations after the takedown, this latest breach strikes a further blow to its already damaged reputation. It's too early to tell if this additional reputation hit will be the final nail in the coffin for the ransomware gang.

Other ransomware groups that have experienced similar leaks include Conti, Black Basta, and Everest.

Daily Brief Summary

DATA BREACH // LockBit Ransomware Group Compromised, Internal Communications Leaked

The LockBit ransomware gang's dark web affiliate control panels were compromised and defaced.

The defaced panels displayed a message and linked to a downloadable dump of the affiliate panel's MySQL database.

Analysis of the database shows details from 20 tables, including negotiation chats with last entries dated April 29th, 2025.

The cause and perpetrator of the data breach remain unclear, though signs suggest similarities to another recent ransomware group breach.

The server was found to be running a version of PHP vulnerable to a critical, actively exploited remote code execution flaw.

Despite a significant law enforcement operation in 2024 that weakened LockBit, the gang managed to continue operations until this latest breach.

It is uncertain whether this breach will permanently cripple LockBit's operational capabilities and reputation.