Gang Ransomware Lockbit suffered a violation of information after its dark web -associated panels were defined and replaced by a message connecting with the screenshot of the MySQL database.
All ransomware administrative panels at the moment are consistent. “Don’t do crime The crime is bad XOXO from Prague, “with a link to download” paneludb_dump.zip “.
How First noticed By the actor, REY, the archive is included within the SQL file dropped from the MySQL database of the partner panel.
From BleepingComputer evaluation, this database incorporates twenty tables, with some more interesting than others, including:
- A ‘Btc_addresses“Table containing 59,975 unique bitcoin addresses.
- A ‘compilation“The table incorporates individual compilations created by associated entities for attacks. Table rows contain public keys, but unfortunately there aren’t any private keys. The names of the goal firms are also listed for some compilations.
- A ‘configuration compilations“The table incorporates various configurations used for every compilation, akin to ESXI servers for skipping or encryption files.
- A ‘conversations“The table could be very interesting since it incorporates 4442 negotiating messages between Ransomware and victims from December 19 to April 29.
Table of “Chats” of the Associated Panel - A ‘users“The table lists 75 administrators and associated entities who had access to the partner panel, from Michael Gillespie Noticing that the slogans were stored in a simple text. Examples of some ordinary text slogans are “Weekendlover69,” Movingbricks69420 “and” LockbitProud231 “.
IN Conversation with toxThe Lockbit Operator referred to as “LockbitSUPP” confirmed the violation, stating that no private keys were leaked or lost.
Based on the time to generate MySQL and the last date of the date within the negotiating chats table, the database seems in some unspecified time in the future dropped on April 29, 2025.
It will not be clear who carried out the violation and the way it was done, however the Defacement message matches the Everest Ransomware within the recent violation of the dark website, which is recommended by a possible link.
In addition, the SQL PHPMYADmin screenshot shows that the server has worked PHP 8.1.2, which is at risk of critical and actively used tracked susceptibility as CVE-2024-4577, which may be used to realize distant code on servers.
In 2024, the operation of law enforcement agencies called Cronos Operation removed the Lockbit infrastructure, including 34 servers hosting the information leakage website and its mirrors, data stolen from victims, cryptocurrency addresses, 1000 keys of decryption and affiliate panel.
Although Lockbit was in a position to rebuild and resume surgery after removal, this latest violation is an extra blow to the already damaged fame.
It is simply too early to find out whether this extra hit of fame shall be the last nail within the Ransomware gang.
Other ransomware groups which have experienced similar leaks are Conti, Black Basta and Everest.
Based on the evaluation of 14 -meter malicious activities, discover the ten best Att & CK techniques for 93% attacks and the way to defend against them.
