LockBit in Its Own Words: Further Analysis of the LockBit Data Leak

Summary:
The recent LockBit data leak, published on its hijacked leak site in May 2025, has offered unprecedented insight into the inner workings of the group, particularly its lower-tier "LockBit Lite" Ransomware-as-a-Service (RaaS) program. Unlike the main affiliate scheme, which typically required a deposit of 1 BTC and a background check evaluating forum reputation and prior cybercriminal experience, LockBit Lite lowered the entry barrier to just $777. Paying this fee granted immediate access to the ransomware panel, attracting a larger pool of less experienced affiliates. However, these Lite affiliates operated under tighter control: they did not have access to decryption keys and instead had to wait for the core team, or "tech support," to deliver them post-payment. This dependency often resulted in long delays for victims and sometimes in failed data recovery altogether. Victim conversations reveal mounting frustration over undelivered decryptors, with affiliates frequently deferring blame to their handlers. These interactions not only exposed operational inefficiencies but also suggested a lack of trust between LockBit leadership and its lower-tier affiliates. Despite being a scaled-down version of the original operation, LockBit Lite enabled affiliates to conduct dozens of successful extortion campaigns, with “Christopher” and “jhon0722” emerging as the most prolific attackers.

Security Officer Comments:
The leak has exposed troubling operational inconsistencies and unexpected behavioral trends among LockBit affiliates. For instance, while LockBit’s rules traditionally prohibit targeting Russian organizations, several incidents involving Russian victims were uncovered, prompting the admin (possibly “matrix777”) to issue apologies and free decryptors, although not always successfully. In some cases, these missteps were attributed to affiliates being hacked themselves, further eroding LockBit’s internal stability. The victimology also revealed a notable focus on Chinese organizations, which affiliates said were more likely to pay ransoms. Surprisingly, the data also showed LockBit affiliates attempting to recruit their victims into the ransomware ecosystem, often using crude marketing lines that promised wealth and luxury. This unconventional recruitment strategy may reflect the group’s struggle to attract competent affiliates following the reputational damage caused by Operation Cronos in early 2024. Additionally, some affiliates offered post-attack cybersecurity advice to victims, ranging from basic hygiene practices like better password policies to technical guidance on avoiding sanction violations during payments. These interactions reveal a chaotic and somewhat amateurish undercurrent to the group’s operations, where affiliates act with a high degree of autonomy and the overall enterprise appears fractured, desperate, and increasingly misaligned.

Link(s):
https://slcyber.io/blog/lockbit-in-its-own-words/