<div id="post_message_790291">
The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump.<br/> <br/> All of the ransomware gang's admin panels now state, "Don't do crime <b><font size="3">CRIME IS BAD</font></b> xoxo from Prague," with a link to download a "paneldb_dump.zip."<br/> <br/> <img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/ransomware/l/lockbit/admin-panel-data-breach/lockbit-panel-breached.png"/><br/> <div style="margin:20px; margin-top:5px; "> <table border="0" cellpadding="6" cellspacing="0" width="100%"> <tr> <td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;"> LockBit dark web site defaced with link to database </td> </tr> </table> </div>As <a href="https://x.com/ReyXBF/status/1920220381681418713" target="_blank">first spotted</a> by the threat actor Rey, this archive contains a SQL file dumped from the site affiliate panel's MySQL database.<br/> <br/> From analysis by BleepingComputer, this database contains twenty tables, with some more interesting than others, including:<ul><li>A '<b>btc_addresses</b>' table that contains 59,975 unique bitcoin addresses.</li> <li>A '<b>builds</b>' table contains the individual builds created by affiliates for attacks. Table rows contain the public keys, but no private keys, unfortunately. The targeted companies' names are also listed for some of the builds.</li> <li>A '<b>builds_configurations</b>' table contains the different configurations used for each build, such as which ESXi servers to skip or files to encrypt.</li> <li>A '<b>chats</b>' table is very interesting as it contains 4,442 negotiation messages between the ransomware operation and victims from December 19th to April 29th.</li> </ul><img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/ransomware/l/lockbit/admin-panel-data-breach/chats-table.png"/><br/> <div style="margin:20px; margin-top:5px; "> <table border="0" cellpadding="6" cellspacing="0" width="100%"> <tr> <td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;"> Affiliate panel 'chats' table </td> </tr> </table> </div><ul><li>A '<b>users</b>' table lists 75 admins and affiliates who had access to the affiliate panel, with <a href="https://x.com/demonslay335" target="_blank">Michael Gillespie</a> spotting that passwords were stored in plaintext. Examples of some of the plaintext passwords are 'Weekendlover69', 'MovingBricks69420', and 'Lockbitproud231'.</li> </ul>In a <a href="https://x.com/ReyXBF/status/1920245719434231900" target="_blank">Tox conversation with Rey</a>, the LockBit operator known as 'LockBitSupp' confirmed the breach, stating that no private keys were leaked or data lost.<br/> <br/> Based on the MySQL dump generation time and the last date record in the negotiation chats table, the database appears to have been dumped at some point on April 29th, 2025.<br/> <br/> It's unclear who carried out the breach and how it was done, but the defacement message matches the one used in a recent <a href="https://www.bleepingcomputer.com/news/security/everest-ransomwares-dark-web-leak-site-defaced-now-offline/" target="_blank">breach of Everest ransomware's dark web site</a>, suggesting a possible link.<br/> <br/> Furthermore, the phpMyAdmin SQL dump shows that the server was running PHP 8.1.2, which is vulnerable to a critical and actively exploited vulnerability tracked as <a href="https://www.bleepingcomputer.com/news/security/critical-php-rce-vulnerability-mass-exploited-in-new-attacks/" target="_blank">CVE-2024-4577</a> that can be used to achieve remote code execution on servers.<br/> <br/> In 2024, a law enforcement operation called Operation Cronos <a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-disrupted-by-global-police-operation/" target="_blank">took down LockBit's infrastructure</a>, including 34 servers hosting the data leak website and its mirrors, data stolen from the victims, cryptocurrency addresses, 1,000 decryption keys, and the affiliate panel.<br/> <br/> Although LockBit managed to rebuild and resume operations after the takedown, this latest breach strikes a further blow to its already damaged reputation.<br/> <br/> It's too early to tell if this additional reputation hit will be the final nail in the coffin for the ransomware gang.<br/> <br/> Other ransomware groups that have experienced similar leaks include <a href="https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/" target="_blank">Conti</a>, <a href="https://www.bleepingcomputer.com/news/security/black-basta-ransomware-gang-s-internal-chat-logs-leak-online/" target="_blank">Black Basta</a>, and <a href="https://www.bleepingcomputer.com/news/security/everest-ransomwares-dark-web-leak-site-defaced-now-offline/" target="_blank">Everest</a>.<br/> <br/> <a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-hacked-victim-negotiations-exposed/" target="_blank">@ BleepingComputer </a> </div>
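The article's most actionable finding for anyone who runs a web application is that the leaked 'users' table stored passwords in plaintext. The Python below is an added example (it is not from the BleepingComputer article or the forum post, and nothing in it comes from the leaked dump): it audits a set of constructed credential rows for how each stored value is encoded, flagging plaintext and unsalted fast hashes, and shows the salted scrypt storage and constant-time verification a panel should have used instead. The names classify, audit, hash_password, verify_password and SAMPLE_ROWS are this example's own.

```python
"""Audit how a users table stores credentials, and hash them properly.

Added example: the rows in SAMPLE_ROWS are constructed for illustration.
"""
import hashlib
import hmac
import os
import re

# Encodings a password column should contain.  A PHC-style string
# ($argon2id$..., $scrypt$...) or bcrypt ($2y$...) is acceptable; bare
# 32/40-char hex is almost always an unsalted MD5/SHA-1 and is flagged weak.
HASH_PATTERNS = {
    "argon2": re.compile(r"^\$argon2(id|i|d)\$"),
    "bcrypt": re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
    "scrypt": re.compile(r"^\$scrypt\$"),
    "pbkdf2": re.compile(r"^pbkdf2_sha256\$\d+\$"),
    "sha1-hex": re.compile(r"^[0-9a-f]{40}$"),
    "md5-hex": re.compile(r"^[0-9a-f]{32}$"),
}
WEAK = {"sha1-hex", "md5-hex"}


def classify(stored: str) -> str:
    """Return 'plaintext', 'weak:<kind>' or 'ok:<kind>' for one stored value."""
    for kind, pattern in HASH_PATTERNS.items():
        if pattern.match(stored):
            return f"weak:{kind}" if kind in WEAK else f"ok:{kind}"
    return "plaintext"


def audit(rows):
    """Count storage classes over (username, stored_value) rows."""
    counts = {}
    for _, stored in rows:
        label = classify(stored)
        counts[label] = counts.get(label, 0) + 1
    return counts


# scrypt parameters: N=2^14, r=8, p=1 needs 16 MiB, within hashlib's default maxmem.
SCRYPT_LOG_N, SCRYPT_R, SCRYPT_P, DKLEN = 14, 8, 1, 32


def hash_password(password: str, salt: bytes = b"") -> str:
    """Derive a salted scrypt hash and encode it as a self-describing string."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=1 << SCRYPT_LOG_N,
                        r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return (f"$scrypt$ln={SCRYPT_LOG_N},r={SCRYPT_R},p={SCRYPT_P}"
            f"${salt.hex()}${dk.hex()}")


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the parameters in `stored` and compare in constant time."""
    try:
        _, scheme, params, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    kv = dict(item.split("=") for item in params.split(","))
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=1 << int(kv["ln"]), r=int(kv["r"]), p=int(kv["p"]),
                        dklen=DKLEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed rows mimicking a users table: three plaintext values, one
# bcrypt-shaped value, one unsalted MD5 (md5 of "password").
SAMPLE_ROWS = [
    ("affiliate01", "Summerbreeze42"),
    ("affiliate02", "BrickHouse2024"),
    ("admin", "panelproud77"),
    ("affiliate03", "$2y$10$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"),
    ("affiliate04", "5f4dcc3b5aa765d61d8327deb882cf99"),
]

if __name__ == "__main__":
    print("storage audit:", audit(SAMPLE_ROWS))
    h = hash_password("Summerbreeze42")
    print("stored as:", classify(h), "| verify:", verify_password("Summerbreeze42", h))
```

On a real dump, feed `audit` the password column rather than SAMPLE_ROWS; any non-zero 'plaintext' or 'weak:' count means every user in the table must be forced through a reset, since the exposed values are directly reusable by whoever holds the dump.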