Lockbit, laid bare: what a SQL dump tells us about the world’s most notorious ransomware-as-a-service
Analysis of leaked builds, chat logs and wallet tables uncovers how new affiliates fuel global ransomware attacks.


On 7 May 2025 someone hijacked several “light” login panels that LockBit had spun up to recruit new affiliates. The defacement banner was simple, “don’t do crime. crime is bad. xoxo from prague”, but the real payload sat underneath: paneldb_dump.zip, a 26 MB MySQL export stripped straight out of the gang’s back-end.
Yarix CTI downloaded the file, sifted its 114,055 rows and published the first deep dive into what the logs, builds and chat transcripts reveal about LockBit’s day-to-day business. (YLabs)
Below is a long-form guided tour of the dump: who the affiliates are, how many real victims they hit, where the ransom money flows and why a handful of power users still drive most of the carnage.
why this leak matters
Law-enforcement takedowns often grab “dark-web leak sites,” but the gold is usually missing: the admin panel where affiliates upload builds, track payouts and negotiate payment.
This dump is that panel, captured between 18 December 2024 and 29 April 2025, the exact window in which LockBit tried to relaunch as LockBit 4.0 after Operation Cronos shattered its old infrastructure. Instead of marketing hype we get raw SQL tables that map affiliate behavior in nearly real time.
inside the database: tables that matter
users – 75 accounts, each with rank, Tox/Session handles and timestamps.
builds / builds_configurations – every ransomware sample generated, plus victim domain, affiliate ID and encryption parameters.
chats – 4,000+ negotiation messages (208 separate victims).
btc_addresses – 3,449 Bitcoin/Monero wallets tied to invitation IDs.
invites – shows who paid the symbolic $777 buy-in fee to become an affiliate.
visits and events_seen – rough telemetry on which affiliates actually load the panel and test samples.
Together they provide a line-item ledger of LockBit’s “light” program, a cut-down SaaS meant to lure fresh talent after seasoned crews fled in 2024.
affiliate structure: a tiny elite and a crowd of rookies
Ranks break down like so:
Rank | Users | % of total | Notes |
---|---|---|---|
newbie | 62 | 82 % | Self-service sign-ups via the defaced panel |
verified | 5 | 7 % | Hand-vetted by LockBit core; pay lower revenue share |
pentester | 4 | 5 % | Likely builders/testers, few real attacks |
ru target | 1 | 1 % | Special exemption to hit Russian-speaking orgs |
scammer | 1 | 1 % | Flagged for stealing ransoms |
admin | 2 | 3 % | Same creation stamp as Operation Cronos “admin” account |
The five verified affiliates accounted for 55% of all real-world attacks (305 of 555 unique victim domains). The 36 newbies who actually launched malware collectively managed 42%.
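The rank-share figure above comes from joining the users and builds tables and counting distinct victim domains, with test builds thrown out. The following is an added example of that query, not Yarix's tooling: the schema (table and column names) is an assumption about how a panel like this stores its data, and every row is constructed for illustration.

```python
"""Share of real victims by affiliate rank in a LockBit-style panel dump.
Added example, not the researchers' code. Schema and rows are assumed /
constructed; the real dump's column names are not known here."""
import sqlite3

# Assumed minimal schema. is_test marks samples an affiliate built against
# their own box to learn the UI rather than against a victim.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, rank TEXT);
CREATE TABLE builds (
    id INTEGER PRIMARY KEY,
    user_id INTEGER REFERENCES users(id),
    victim_domain TEXT,
    is_test INTEGER DEFAULT 0
);
"""

# Constructed rows (not from the leak): two verified actors, four newbies, one pentester.
USERS = [
    (1, "vet1", "verified"), (2, "vet2", "verified"),
    (3, "n1", "newbie"), (4, "n2", "newbie"), (5, "n3", "newbie"), (6, "n4", "newbie"),
    (7, "pt1", "pentester"),
]
BUILDS = [
    (1, 1, "alpha.example", 0), (2, 1, "beta.example", 0),
    (3, 1, "beta.example", 0),                      # rebuilt sample, same victim: count once
    (4, 2, "gamma.example", 0), (5, 2, "delta.example", 0), (6, 2, "epsilon.example", 0),
    (7, 3, "zeta.example", 0), (8, 4, "eta.example", 0),
    (9, 5, "10.0.0.5", 1), (10, 6, "test.local", 1),  # newbies who only ever tested
    (11, 7, "theta.example", 0),
]


def load(rows_users=USERS, rows_builds=BUILDS):
    """In-memory SQLite standing in for the exported MySQL tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?)", rows_users)
    conn.executemany("INSERT INTO builds VALUES (?,?,?,?)", rows_builds)
    return conn


def victims_by_rank(conn):
    """Unique real victim domains per rank and each rank's share of all real victims.
    Test builds are excluded. A domain hit by two ranks would count in both rows,
    so the shares can sum to slightly over 100% on real data."""
    total = conn.execute(
        "SELECT COUNT(DISTINCT victim_domain) FROM builds WHERE is_test = 0"
    ).fetchone()[0]
    rows = conn.execute("""
        SELECT u.rank, COUNT(DISTINCT b.victim_domain) AS victims
        FROM builds b JOIN users u ON u.id = b.user_id
        WHERE b.is_test = 0
        GROUP BY u.rank
        ORDER BY victims DESC
    """).fetchall()
    return {rank: (n, round(100.0 * n / total, 1)) for rank, n in rows}, total


def active_users(conn):
    """Accounts that ever produced a non-test build vs. accounts that exist."""
    active = conn.execute(
        "SELECT COUNT(DISTINCT user_id) FROM builds WHERE is_test = 0"
    ).fetchone()[0]
    everyone = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return active, everyone


if __name__ == "__main__":
    db = load()
    shares, total = victims_by_rank(db)
    print(f"{total} unique real victims")
    for rank, (n, pct) in shares.items():
        print(f"  {rank:10s} {n:3d}  {pct:5.1f}%")
    print("active/total users:", active_users(db))
```

Two checks worth keeping when you run this against a real export: strip test builds before counting (otherwise the newbie share balloons with samples aimed at the affiliate's own VPS), and count distinct domains rather than builds, since a single victim is often rebuilt several times during a negotiation.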
(Figure: Users identified in the leak)
scale of operations: 555 unique domains, asia takes the hit
Yarix validated 555 victim indicators across 64 countries:
China tops the chart, followed by the United States and South Korea.
Asia, including the Middle East, dominates regional tallies.
A full 92% drop in LockBit leak-site “name-and-shame” posts between Jan–Feb 2024 and the same period in 2025 confirms the gang’s slump after Cronos.
Why so many Chinese targets when LockBit rarely publishes Chinese data? Possibilities:
High payment rate keeps cases off the leak site.
Language barriers stall negotiations: attacks happen but never progress to public extortion.
The dump’s timeframe ends 29 April; unpaid Chinese victims might surface later.
money trail: the $777 entry fee and thousands of wallets
The btc_addresses table shows one wallet per invitation. Converting deposits at the Bitcoin rate on their timestamp puts most of them between $750 and $800, matching an interview in which LockBitSupp bragged the access pass cost “seven-seven-seven.” Researchers already see some wallets active and others empty, the classic one-address-per-use churn designed to frustrate tracing.
The dump does not expose the main revenue split, but chat logs hint at the usual 80/20 or 70/30 affiliate-to-core ratio, with verified actors getting the sweeter end.
negotiation chats: how attackers talk, how often victims pay
208 separate victim threads
Only 18 confirmed ransom payments → 8.7% conversion rate
7.3 days average from first contact to payment
TTPs revealed directly by affiliates: weak domain admin passwords, phishing entry points, AnyDesk left installed for persistence, single-NAS “backups” that were easy to nuke.
Victims often begged for security advice post-payment; affiliates obliged with laundry lists (long passphrases, antivirus, network monitoring) that ironically echo SOC best practice.
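Conversion rate and time-to-payment are timeline metrics over the chats table: the earliest message per thread is first contact, and a payment record closes the clock. Here is an added example of that computation, not from the article or the dump; the message rows and the separate payments list are constructed, and treating payments as their own table is an assumption about how the panel recorded settled cases.

```python
"""Negotiation-thread metrics (conversion rate, time to payment, unanswered
threads) over a chat export. Added example with constructed rows; not the
researchers' tooling and not text from the real dump."""
from datetime import datetime
from statistics import mean, median

# Constructed chat rows: (thread_id, ISO timestamp, sender, text).
MESSAGES = [
    ("t1", "2025-02-01T09:00:00", "affiliate", "Hello. Your files are encrypted. Price is 300k."),
    ("t1", "2025-02-01T11:30:00", "victim", "We need proof of decryption first."),
    ("t1", "2025-02-06T09:00:00", "victim", "Payment sent."),
    ("t2", "2025-02-03T14:00:00", "affiliate", "Hello, you have 72 hours."),
    ("t2", "2025-02-04T08:00:00", "victim", "Who are you?"),
    ("t3", "2025-02-10T10:00:00", "affiliate", "Hello. Lets discuss."),
    ("t3", "2025-02-20T10:00:00", "victim", "Confirmed, transferred."),
    ("t4", "2025-03-01T12:00:00", "affiliate", "Hello."),
]
# Constructed payment records (assumed table): (thread_id, confirmed-payment timestamp).
PAYMENTS = [("t1", "2025-02-06T09:05:00"), ("t3", "2025-02-20T12:00:00")]


def first_contact(messages):
    """Earliest timestamp per thread, whichever side sent it."""
    first = {}
    for tid, ts, _sender, _text in messages:
        t = datetime.fromisoformat(ts)
        if tid not in first or t < first[tid]:
            first[tid] = t
    return first


def payment_metrics(messages=MESSAGES, payments=PAYMENTS):
    """Conversion rate and mean/median days from first contact to confirmed payment."""
    first = first_contact(messages)
    threads = len(first)
    days = []
    for tid, ts in payments:
        if tid not in first:
            continue  # payment with no chat thread: skip rather than guess a start date
        delta = datetime.fromisoformat(ts) - first[tid]
        days.append(delta.total_seconds() / 86400)
    paid = len(days)
    return {
        "threads": threads,
        "paid": paid,
        "conversion_pct": round(100.0 * paid / threads, 1) if threads else 0.0,
        "mean_days": round(mean(days), 1) if days else None,
        "median_days": round(median(days), 1) if days else None,
    }


def unanswered(messages=MESSAGES):
    """Threads in which the victim never replied at all."""
    seen = {}
    for tid, _ts, sender, _text in messages:
        seen.setdefault(tid, set()).add(sender)
    return sorted(tid for tid, senders in seen.items() if "victim" not in senders)


if __name__ == "__main__":
    print(payment_metrics())
    print("never answered:", unanswered())
```

Report the median alongside the mean: a handful of drawn-out negotiations drag the average up, and it is the median that tells you where to put the monitoring window suggested later in this piece.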
the human element: most affiliates are dabblers
Only 47 of the 75 users ever fired a real build. Many generated “test” samples against their own VPS to learn the UI. Yarix concludes most newbies lacked the time or skill for serious campaigns; the light panel was effectively an experiment to onboard hobbyists in hopes a few might turn pro.
That choice speaks volumes about LockBit’s post-Cronos predicament: the group needs fresh blood, but lowering the bar fills the roster with low-return amateurs who inflate infrastructure costs without guaranteeing ransom revenue.
defensive insights for blue teams
Theme | Action item |
---|---|
Affiliate overlap | Hashes, Tox IDs and Session IDs in the dump can enrich threat-intel graphs that already track BlackBasta, Everest and others; re-used handles are pivot points. |
Victim geos | China rising as a target signals attackers follow new money, not just US/EU critical infra. Multinational enterprises should localize ransom playbooks for Asia-Pac offices. |
Low barrier to entry | Expect more “spray-and-pray” LockBit clones. Tools like StealBit and the leaked 3.0 builder still circulate; light panels show how easily they can be repackaged. |
Negotiation artifacts | The chats are a treasure for building behavioral YARA/ML models: spellings, timing, even polite sign-offs can fingerprint a specific affiliate across future incidents. |
Mean time to payment | A one-week clock is realistic; monitoring outbound crypto after incident day 5 can flag hush-money transfers before IR teams finish triage. |
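The “negotiation artifacts” row is the one that rewards tooling. The following is an added example, not something from the article or the dump, of the simplest useful version: a character n-gram profile per known affiliate and cosine similarity to attribute an unseen transcript. The affiliate IDs and every message are constructed.

```python
"""Stylometric fingerprinting of negotiation chats: character n-gram profiles
per known affiliate, cosine similarity to attribute an unseen transcript.
Added example; affiliate IDs and messages are constructed, not quotes from the dump."""
from collections import Counter
from math import sqrt

# Constructed training messages keyed by assumed affiliate ID. Spelling
# ("decrypter" vs "decryptor"), address form and sign-off differ between them.
KNOWN = {
    "aff_17": [
        "Hello dear. Your network is encrypted, the decrypter costs 400k. Regards",
        "Dear, we do not lower price. Send test file for free decrypt. Regards",
        "Hello dear, time is running. Regards",
    ],
    "aff_42": [
        "hi. we got ur data. pay 120k btc and u get decryptor + data deleted. cheers",
        "no discount. 72h then we publish. cheers",
        "ok send 2 files, we decrypt them free. cheers",
    ],
}


def ngrams(text, n=3):
    """Character n-grams after case folding and whitespace normalisation;
    punctuation is kept because it is part of the habit being fingerprinted."""
    t = " ".join(text.lower().split())
    return Counter(t[i:i + n] for i in range(len(t) - n + 1))


def profile(messages, n=3):
    total = Counter()
    for m in messages:
        total.update(ngrams(m, n))
    return total


def cosine(a, b):
    dot = sum(v * b[k] for k, v in a.items())
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def attribute(transcript, known=KNOWN, n=3):
    """Return (best_affiliate, best_score, runner_up_score).
    A small gap between the two scores means the call is weak; treat it as a
    lead to corroborate with Tox/Session IDs or wallet reuse, not a conclusion."""
    unknown = profile(transcript, n)
    scored = sorted(
        ((cosine(unknown, profile(msgs, n)), aff) for aff, msgs in known.items()),
        reverse=True,
    )
    best_score, best = scored[0]
    second_score = scored[1][0] if len(scored) > 1 else 0.0
    return best, round(best_score, 3), round(second_score, 3)


if __name__ == "__main__":
    # Constructed incoming transcript from a new incident.
    print(attribute(["Hello dear. The decrypter is ready after payment. Regards"]))
    print(attribute(["u pay or we publish. cheers"]))
```

Two caveats from practice: affiliates paste templates, so a high score may identify a shared playbook rather than a person, and the panel's own canned openers should be stripped from both sides before profiling or every thread will look alike. Timing features (reply latency, active hours in UTC) are a second, independent signal worth adding once the text side is in place.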
bigger picture: LockBit’s aura takes another hit
Operation Cronos proved law enforcement can seize infrastructure; this leak proves any competent pentester can too. Two takeaways:
Trust in the brand erodes. Affiliates hate uncertainty. If a rival or vigilante can walk off with every chat log, newcomers will think twice before paying $777 for panel access.
Law enforcement receives a roadmap. Every internal ID, every BTC address, every timestamp is a lead for subpoenas and blockchain tracing.
If the Conti leaks created a graduate-level syllabus on RaaS logistics, the LockBit panel dump is the updated edition, lighter on grandstanding, richer in operational minutiae.
conclusion
LockBit long sold itself as “the most professional ransomware project,” complete with bug-bounty program and slick affiliate dashboard. The May 2025 dump shatters that image. We now know:
Fewer than 100 humans, most unskilled, populate the latest affiliate roster.
Five veterans launch over half the confirmed attacks.
Even top-tier victims sometimes pay within eight days if the narrative feels credible.
The gang is gambling on self-service growth just as its brand credibility tanks.
For defenders, the leak hands us artifacts to hunt and block; on the other hand, it shows that LockBit’s bench is still deep enough to matter, especially with novice affiliates embracing global targets.
The safest bet is to treat every leaked build, wallet, and chat handle as live intel, plug it into detection pipelines immediately, and brace for the inevitable next version of a ransomware empire that refuses to stay down.