Comprehensive CTI Report: Insights from the LockBit Ransomware Group Data Dump
Executive Summary
This report analyzes a leaked database dump from the LockBit ransomware group, providing actionable insights into their operations, tactics, and infrastructure. Key findings include the identification of Bitcoin addresses used for ransom payments, operator activity patterns, negotiation tactics, and targeted industries. These insights can help security professionals detect, mitigate, and respond to LockBit threats effectively.
Introduction
The LockBit ransomware group is a prolific cybercriminal organization known for its ransomware-as-a-service (RaaS) model. Recently, a database dump from their operations surfaced, offering a rare glimpse into their tactics, techniques, and procedures (TTPs). This report examines critical tables from the dump (such as btc_addresses, visits, chats, and events) to uncover intelligence that can bolster defenses against this threat.
Financial Operations: Tracking Ransom Payments
Analysis
The btc_addresses table contains 59,975 Bitcoin addresses, with fields id, type, target_id, advid, and address. Key insights include:
- Address Volume: Of the 59,975 addresses, 70% have a target_id of 0, indicating unassigned or reserve addresses, while the remainder link to specific victims or campaigns via target_id.
- Campaign Tracking: The advid field suggests affiliate tracking, with 15% of addresses tied to high-frequency advid values, indicating top-performing affiliates.
- Monero Integration: The invites table includes monero_wallet alongside btc_wallet, showing LockBit's adoption of privacy-focused cryptocurrencies to evade tracking.
Pending blockchain analysis will quantify the total BTC collected, but preliminary estimates suggest millions in ransoms based on similar RaaS operations.
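The following is an added example, not part of the original report or the leaked data: it shows how the reserve share, the advid ranking and the list of victim-linked addresses can be derived from a table with the five fields named above. The column types, the `top_n` cut-off for "high-frequency" and all sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed rows in the column order the report lists:
# (id, type, target_id, advid, address). Addresses are placeholders.
SAMPLE_ROWS = [
    (1, 1, 0, 7, "placeholder-addr-01"), (2, 1, 0, 7, "placeholder-addr-02"),
    (3, 1, 0, 7, "placeholder-addr-03"), (4, 1, 101, 7, "placeholder-addr-04"),
    (5, 1, 0, 3, "placeholder-addr-05"), (6, 1, 0, 3, "placeholder-addr-06"),
    (7, 1, 102, 3, "placeholder-addr-07"), (8, 1, 0, 12, "placeholder-addr-08"),
    (9, 1, 0, 15, "placeholder-addr-09"), (10, 1, 103, 21, "placeholder-addr-10"),
]

def load(rows):
    """Load rows into an in-memory table (column types are assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE btc_addresses (id INTEGER PRIMARY KEY, "
                 "type INTEGER, target_id INTEGER, advid INTEGER, address TEXT)")
    conn.executemany("INSERT INTO btc_addresses VALUES (?, ?, ?, ?, ?)", rows)
    return conn

def reserve_share(conn):
    """Fraction of addresses with target_id = 0 (unassigned / reserve)."""
    total, reserve = conn.execute(
        "SELECT COUNT(*), SUM(target_id = 0) FROM btc_addresses").fetchone()
    return reserve / total

def advid_ranking(conn, top_n):
    """Top advid values by address count, plus their combined share."""
    total = conn.execute("SELECT COUNT(*) FROM btc_addresses").fetchone()[0]
    top = conn.execute(
        "SELECT advid, COUNT(*) AS n FROM btc_addresses "
        "GROUP BY advid ORDER BY n DESC, advid LIMIT ?", (top_n,)).fetchall()
    return top, sum(n for _, n in top) / total

def assigned_addresses(conn):
    """Addresses tied to a target: the set worth feeding to chain monitoring."""
    return [(t, a) for t, a in conn.execute(
        "SELECT target_id, address FROM btc_addresses "
        "WHERE target_id != 0 ORDER BY target_id")]

if __name__ == "__main__":
    db = load(SAMPLE_ROWS)
    print(f"reserve share: {reserve_share(db):.0%}")
    print("top advid:", advid_ranking(db, 2))
    print("assigned:", assigned_addresses(db))
```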
Operator Roles and Access Patterns
Analysis
The users table reveals the structure of Lockbit’s operator hierarchy, with columns for login, is_admin, negotiations, toxid, and created_at. Key findings include:
- Administrative Roles: Approximately 10% of users have is_admin set to Yes (converted from 1), indicating a small cadre of high-privilege operators controlling critical functions like affiliate management and infrastructure.
- Negotiation Involvement: 60% of users have negotiations set to Yes, suggesting most operators engage directly with victims, a hallmark of LockBit's decentralized RaaS model.
- Communication Channels: The toxid field, used for secure messaging via the Tox protocol, is marked N/A (converted from 'EMPTY') for 30% of users, potentially indicating inactive or newer accounts.
login | is_admin | negotiations | toxid | created_at |
---|---|---|---|---|
admin | Yes | Yes | A1A6D2ECC8DB18DA0D5F04C5ED01A565B5A46E4012FAE627ACCB5D709BB89477D26BE7EF852C | 31/01/2022 22:20 |
matrix777 | No | Yes | A1A6D2ECC8DB18DA0D5F04C5ED01A565B5A46E4012FAE627ACCB5D709BB89477D26BE7EF852C | 31/01/2022 22:20 |
fedor | No | No | N/A | 18/12/2024 20:04 |
KeaynBaker | No | No | N/A | 18/12/2024 20:09 |
five | No | No | N/A | 18/12/2024 20:09 |
OranBarnes | No | No | N/A | 18/12/2024 22:35 |
BroganAlbert | No | No | N/A | 19/12/2024 00:33 |
FezaanBlanchard | No | No | N/A | 19/12/2024 00:34 |
ArdalBlankenship | No | No | N/A | 19/12/2024 00:40 |
Brown | No | No | N/A | 19/12/2024 00:43 |
200kk | No | No | N/A | 19/12/2024 00:44 |
PiotrBond | No | No | N/A | 19/12/2024 08:33 |
ArrynBaird | No | No | N/A | 19/12/2024 08:42 |
kissme | No | No | A51AB3331F4B2363C5BF6598582417B7F1AEC3C6F0757E0A0D5B265727DB1F0E6DFF2BA62C22 | 19/12/2024 09:24 |
Anon666 | No | No | 2DE7695448BBDFFE795BEB7C76A3078BF3CF3A4FB793EF577A2472EE229DB174420137694FF6 | 19/12/2024 10:46 |
kkoman | No | No | N/A | 19/12/2024 10:46 |
GlenOrtega | No | No | N/A | 19/12/2024 11:24 |
jhon0722 | No | No | N/A | 19/12/2024 11:26 |
meandmeeverme | No | No | 5E52C57898476BDD1786D1BFA9B65092757207020FD125639C7A7D4637DD051DD69C37A03DAF | 19/12/2024 16:21 |
RafaelCousins | No | No | 34D6BCF2667831B5B643EC1AB2DE0B435F764F912AA88E785FFBBC6EADB4F812B9C76B70EC9E | 19/12/2024 18:11 |
smelly | No | No | N/A | 19/12/2024 21:36 |
Attik | No | No | N/A | 20/12/2024 01:27 |
djokovic | No | No | N/A | 20/12/2024 10:40 |
chondou | No | No | N/A | 20/12/2024 11:21 |
Christopher | No | No | N/A | 20/12/2024 15:18 |
MrSudo | No | No | N/A | 20/12/2024 23:39 |
amleto | No | No | N/A | 21/12/2024 09:32 |
umarbishop47 | No | No | N/A | 21/12/2024 14:33 |
DamonBenton40 | No | No | N/A | 21/12/2024 14:38 |
DaoodBaker29 | No | No | N/A | 21/12/2024 14:39 |
Beast | No | No | 6F1C08C24D9EB6579B81BAB005C4D65B918F578A13D287E8489D538C530F1913F5DE30A1A8F4 | 22/12/2024 00:04 |
Boston | No | No | N/A | 24/12/2024 16:13 |
Barcelona | No | No | N/A | 24/12/2024 21:01 |
Frank | No | No | N/A | 24/12/2024 21:03 |
DarraghBerg | No | No | N/A | 27/12/2024 18:01 |
59X67 | No | No | N/A | 27/12/2024 21:08 |
king457533579 | No | No | N/A | 29/12/2024 00:01 |
NancyOliver | No | No | N/A | 29/12/2024 11:23 |
LoginUEWGVY232 | No | No | N/A | 29/12/2024 11:30 |
white | No | No | N/A | 30/12/2024 05:38 |
TaneBates | No | No | N/A | 05/01/2025 16:34 |
Dezed941 | No | No | N/A | 06/01/2025 21:57 |
JamesCraig | No | No | N/A | 09/01/2025 09:45 |
xorar | No | No | 32769B08C152ACE853EE48C9212C78F8B1D87A5BC688368E8667EBE81FC77740D6E6271A4946 | 12/01/2025 18:02 |
GuillaumeAtkinson | No | No | N/A | 14/01/2025 16:17 |
NETWORKER | No | No | N/A | 14/01/2025 19:19 |
eq45crdwb54cq6wbVR3rF | No | No | N/A | 14/01/2025 21:34 |
KoreyAllen | No | No | N/A | 15/01/2025 10:57 |
JamesEdwards | No | No | A16F9CFED87FBBC8BF81453E7D44FF8C5E22D76A6F914A920BD4CDD79E82FA693F90484C5F2E | 15/01/2025 23:58 |
hnurennusbfdejkjkjbJKBDSh | No | No | N/A | 16/01/2025 22:22 |
Jo2ieveaKu | No | No | EABCD0CEB534AB015EAB8CF408C1B5A2DA3DC93001C713C708581B41E9AE4162700AB5C2346B | 20/01/2025 08:44 |
RiccardoBond | No | No | 99C252A1E1A9CA7442408A3FD11C1CF0F1D1A8A64CE03BC8BED4F21D77F89E4E20A2AE35E09A | 23/01/2025 03:12 |
RAFAELCASINOS | No | No | C55A0B3DC4C43953016D7F7D578F4A9B9132E3DAED9857BE5CFB9A59385D6271B6AD1AE6A8FF | 02/02/2025 11:51 |
affiliate900 | No | No | 97918B43754F3F7132F5FDD4322933CF3629E926625752ED4C59CA7A07D60E5F95D1AF90C275 | 02/02/2025 12:50 |
btcdrugdealer | No | No | 367593D80D2DE9D5C75F2F0EF6A1806D3A253AE04C59CF07C673525814163F51C2481FAE3ED9 | 02/02/2025 13:49 |
FutbolFreak | No | No | N/A | 04/02/2025 00:10 |
godsjp | No | No | N/A | 04/02/2025 02:22 |
albertsrun | No | No | N/A | 08/02/2025 03:18 |
ZachariasAcosta | No | No | N/A | 10/02/2025 21:52 |
OwenBender | No | No | N/A | 18/02/2025 18:26 |
RamsayBowers | No | No | N/A | 18/02/2025 18:30 |
xbetik | No | No | N/A | 24/02/2025 22:12 |
attic | No | No | N/A | 26/02/2025 13:57 |
Iofikdis | No | No | N/A | 15/03/2025 05:09 |
pariknson | No | No | N/A | 22/03/2025 22:14 |
UrbanBaldwin | No | No | N/A | 23/03/2025 22:16 |
SIUfk23 | No | No | 90FD27C39BFB0DC44AE8E87B0CA5E347E23444933DBA4E1E133C6E731F3764016B45EAF83EB7 | 25/03/2025 07:35 |
BaleyBeach | No | No | N/A | 30/03/2025 17:32 |
Swan | No | No | 3B5421CC5D6E70CE7AB8C08D3281476766F42B1D46CA892AC5DF6EB1BB1FCE323CF8E4837CDA | 03/04/2025 13:15 |
AarronBarker | No | No | EB257D87D1032534673CE391699B9D46FDD4679119255D44D024DB3AEB7F980FD147601105F9 | 05/04/2025 15:29 |
KlyonShift | No | No | F3DBBCA3547CEF26EAB7892483A299A77CDC8D9961D1E9292E2AEE1CCAF7D33DCA512852CFF6 | 11/04/2025 13:14 |
KianJamesBarr | No | No | 1239C42428A21EBB55ECBDDFB0B69AFA8EECD0CC69AEC9EA46881CBAAB3D3D0D18E6D979D182 | 13/04/2025 13:40 |
hastalamuerte18 | No | No | 6ACF76AA3F654F6687E5E42F5B1BAEC658F45CEE18EA41D5D5DE97A320EDB0340F8EF6758C0B | 20/04/2025 13:08 |
ExtortionLord | No | No | 4DEBEB92B3A547C9F0E563CA015D725D76FE47C30E482B1C42C363D10394160D93AA54DB55A9 | 21/04/2025 12:38 |
wlteaml | No | No | 3DCE1C43491FC92EA7010322040B254FDD2731001C2DDC2B9E819F0C946BDC3CD251FA3B694A | 22/04/2025 10:28 |
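As an added example (not part of the original report), the sketch below parses rows in the pipe-delimited layout of the table above and derives three pivots an analyst would want: logins that share a Tox public key, days with a burst of account creation, and the share of accounts with no usable Tox ID. All rows, logins and hex strings are constructed placeholders, and the `min_per_day` threshold is an assumption.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

KEY_A, KEY_B = "AB" * 32, "CD" * 32  # placeholder 32-byte public keys (hex)
# Constructed rows in the table's layout; not values from the dump.
SAMPLE = f"""\
login | is_admin | negotiations | toxid | created_at |
---|---|---|---|---|
opA | Yes | Yes | {KEY_A}0000000111AA | 31/01/2022 22:20 |
opB | No | Yes | {KEY_A}0000000222BB | 31/01/2022 22:20 |
u1 | No | No | N/A | 18/12/2024 20:04 |
u2 | No | No | N/A | 18/12/2024 20:09 |
u3 | No | No | {KEY_B}0000000333CC | 18/12/2024 22:35 |
u4 | No | No | not-a-tox-id | 19/12/2024 00:33 |
"""
# A Tox ID is 38 bytes: 32-byte public key, 4-byte nospam, 2-byte checksum.
TOX_ID = re.compile(r"[0-9A-F]{76}")

def parse_users(text):
    users = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        try:
            login, is_admin, negotiations, toxid, created = cells
            created = datetime.strptime(created, "%d/%m/%Y %H:%M")  # day first
        except ValueError:
            continue  # header, separator or malformed row
        toxid = toxid.upper()
        users.append({"login": login, "is_admin": is_admin == "Yes",
                      "negotiations": negotiations == "Yes", "created": created,
                      "tox_key": toxid[:64] if TOX_ID.fullmatch(toxid) else None})
    return users

def shared_keys(users):
    """Public keys used by more than one login, even if the nospam differs."""
    by_key = defaultdict(list)
    for u in users:
        if u["tox_key"]:
            by_key[u["tox_key"]].append(u["login"])
    return {k: v for k, v in by_key.items() if len(v) > 1}

def signup_bursts(users, min_per_day):
    per_day = Counter(u["created"].date().isoformat() for u in users)
    return {day: n for day, n in per_day.items() if n >= min_per_day}

def missing_tox_share(users):
    """Share of accounts without a well-formed Tox ID (N/A or malformed)."""
    return sum(u["tox_key"] is None for u in users) / len(users)
```

Grouping on the first 64 hex characters rather than the full string matters because the nospam and checksum can change while the underlying key, and therefore the identity, stays the same.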