
The LockBit ransomware site was breached, database dump was leaked online


[Image: Lockbit ransomware. Source: X @vxdb]

The LockBit ransomware group has been compromised: attackers stole and leaked data from the backend infrastructure of its dark web leak site.

Hackers compromised the dark web leak site of the LockBit ransomware gang and defaced it, posting a message and a link to the dump of the MySQL database of its backend affiliate panel.

“Don’t do crime CRIME IS BAD xoxo from Prague,” reads the message published on the group’s dark web leak site.


The LockBit operator ‘LockBitSupp’ confirmed the data breach in a private conversation with the threat actor Rey; however, he claimed that no private keys were leaked and no data was lost.

BleepingComputer analyzed the leaked database and reported that it contains 20 tables, including Bitcoin addresses, encryptor builds with target names, build configurations, 4,442 victim negotiation messages, and user records with plaintext passwords.

“A ‘chats’ table is very interesting as it contains 4,442 negotiation messages between the ransomware operation and victims from December 19th to April 29th,” BleepingComputer states.

Researchers noticed that only 44 user accounts are associated with actual encryptor builds for LockBit affiliates, 30 of which were active at the time of the dump.

The Italian cybersecurity expert Emanuele De Lucia extracted the 60,000+ addresses from the dump and argued that the presence of a large number of private keys linked to specific build configurations or victims (via build_id) suggests these are genuine key data, which would contradict LockBitSupp’s claim that no private keys were exposed. If so, the data could be critical for developing universal or victim-specific decryption tools.

De Lucia added that the chat logs show a wide range of initial ransom demands, from $50,000 to at least $1,500,000; the gang tailors its demands to the perceived value of the victim.

The most frequent victim top-level domains (TLDs) in the dump are:

• .et (Ethiopia)
• .co (Colombia)
• .jp (Japan)
• .br (Brazil)
• .tw (Taiwan)
• .ph (Philippines)
• .fr (France)

“Finally, this is a rich source of operational and technical intelligence. Its contents enable a deeper understanding of the threat actor’s capabilities and methods (i.e. FortiVPN is reported as an initial access point) and infrastructures,” De Lucia said.
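The kind of triage De Lucia describes (counting negotiation messages and their date range, pulling ransom figures out of the chat text, tallying victim TLDs, isolating rows that tie key material to a build_id, and counting which accounts actually produced builds) can be scripted directly against a mysqldump-style SQL file. The Python below is an added example written for this article, not code from the researchers, from BleepingComputer or from the leak itself; the table names, column order and every row in SAMPLE_DUMP are constructed for illustration and are assumptions, not the real affiliate-panel schema.

```python
"""Triage a leaked affiliate-panel SQL dump for threat intelligence.

Constructed example: the table names, column order and every row below are
made up for illustration and are NOT the real LockBit schema or data.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed single-row INSERT statements in mysqldump style.
# Assumed layouts: builds(id, target, user_id, created_at),
# chats(id, build_id, sender, message, sent_at),
# btc_addresses(id, build_id, address, private_key).
SAMPLE_DUMP = r"""
INSERT INTO `builds` VALUES (1,'acme-corp.co',7,'2025-01-10 11:00:00');
INSERT INTO `builds` VALUES (2,'hospital.jp',7,'2025-02-02 09:30:00');
INSERT INTO `builds` VALUES (3,'ministry.gov.et',12,'2025-02-20 17:45:00');
INSERT INTO `builds` VALUES (4,'retailer.com.br',12,'2025-03-05 08:15:00');
INSERT INTO `builds` VALUES (5,'university.et',31,'2025-03-09 10:00:00');
INSERT INTO `chats` VALUES (1,1,'operator','Hello. Price for the decryptor is $1,500,000.','2024-12-19 14:02:11');
INSERT INTO `chats` VALUES (2,1,'victim','That is impossible for us.','2024-12-20 09:00:00');
INSERT INTO `chats` VALUES (3,2,'operator','Your price is $50,000. Don\'t waste time.','2025-02-03 12:00:00');
INSERT INTO `chats` VALUES (4,3,'operator','We want $300,000 in BTC.','2025-04-29 23:59:59');
INSERT INTO `btc_addresses` VALUES (1,1,'bc1qconstructedaddress0000000000000000001','KxConstructedPrivateKey000000000000000000000000001');
INSERT INTO `btc_addresses` VALUES (2,2,'1ConstructedLegacyAddress000000000',NULL);
"""

INSERT_RE = re.compile(r"INSERT INTO `?(\w+)`? VALUES\s*\((.*)\);$")
# One SQL literal: a single-quoted string with backslash escapes, NULL, or a number.
VALUE_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|(NULL)|(-?\d+(?:\.\d+)?)")
# Dollar figures as written in negotiation text, e.g. "$50,000" or "$1500000".
RANSOM_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d+)")


def parse_dump(text):
    """Return {table: [row tuples]} from single-row INSERT statements."""
    tables = {}
    for line in text.splitlines():
        m = INSERT_RE.match(line.strip())
        if not m:
            continue  # CREATE TABLE, comments and multi-row INSERTs are ignored here
        table, body = m.groups()
        row = []
        for s, null, num in VALUE_RE.findall(body):
            if null:
                row.append(None)
            elif num:
                row.append(float(num) if "." in num else int(num))
            else:
                row.append(re.sub(r"\\(.)", r"\1", s))  # undo mysqldump escaping
        tables.setdefault(table, []).append(tuple(row))
    return tables


def chat_window(chats):
    """First and last negotiation message dates (ISO) across all victims."""
    stamps = sorted(datetime.strptime(r[4], "%Y-%m-%d %H:%M:%S") for r in chats)
    return stamps[0].date().isoformat(), stamps[-1].date().isoformat()


def ransom_range(chats):
    """Lowest and highest dollar figure quoted by the operator side."""
    amounts = [int(a.replace(",", "")) for r in chats if r[2] == "operator"
               for a in RANSOM_RE.findall(r[3])]
    return (min(amounts), max(amounts)) if amounts else None


def top_tlds(builds, n=5):
    """Victim TLD frequency taken from the target hostnames in the builds table."""
    return Counter(r[1].rsplit(".", 1)[-1].lower() for r in builds).most_common(n)


def building_affiliates(builds):
    """User ids that actually generated encryptor builds."""
    return sorted({r[2] for r in builds})


def keyed_addresses(addresses):
    """build_id -> address for every wallet row that also carries key material.

    Rows linking a key to a build_id are the ones worth isolating first when
    assessing whether a dump could support decryptor development.
    """
    return {r[1]: r[2] for r in addresses if r[3] is not None}


def summarize(dump_text):
    t = parse_dump(dump_text)
    return {
        "tables": sorted(t),
        "messages": len(t.get("chats", [])),
        "chat_window": chat_window(t["chats"]),
        "ransom_range_usd": ransom_range(t["chats"]),
        "top_tlds": top_tlds(t["builds"]),
        "building_affiliates": building_affiliates(t["builds"]),
        "keyed_addresses": keyed_addresses(t["btc_addresses"]),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

The parser deliberately handles only one-row-per-statement INSERTs with backslash-escaped strings, which is how mysqldump emits rows unless `--extended-insert` is on; a real dump of 20 tables would also need the CREATE TABLE statements read to recover column names instead of relying on positional indexes as this example does.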

The attacker behind the breach is still unknown, but the defacement message is identical to the one left in a recent defacement of the Everest ransomware gang’s leak site, hinting at a possible link between the two incidents.


Pierluigi Paganini

(SecurityAffairs – hacking, Lockbit ransomware)