The once-dominant ransomware gang has become the victim of a data leak that could be a boon for researchers and law enforcement.
Ransomware gang LockBit appears to be having a very bad, no-good time of things since it began suffering serious disruption at the hands of a global law enforcement partnership last year.
It’s had its darknet leak site seized multiple times, and one of its key members has been outed and sanctioned for his cyber crime activities. Since then, its criminal activity has dropped off a cliff, and the outfit is a shadow of its former self.
Now, it appears that LockBit has become a target for its fellow hackers after its leak site was taken offline and a considerable amount of technical data belonging to the group leaked at some time early this morning, Australian time.
As of the time of writing, a new entry on LockBit’s leak site outlines the current situation in Cyrillic text.
“On May 7, they hacked the light panel with autoregistration for everyone, took the database, not a single decryptor and not a single stolen company data was affected, I figure out how they hacked and am doing a rebuild,” the post, translated from the original Russian, said.
“The full panel and blog are functioning.
“It was allegedly hacked by some hacker **** from Prague, give me info for him who he is, I will pay money if the info is real.”
Prior to this update, LockBit’s leak site had shown a simple takeover message: “Don’t do crime CRIME IS BAD xoxo from Prague.”
At the time, the leak site also hosted a link to a .ZIP archive called paneldb_dump. According to Alon Gal, chief technology officer at cyber security firm Hudson Rock, the archive contained chat logs of LockBit and its victims, bitcoin wallet addresses, victim profiles and custom ransomware builds, and – despite LockBit’s denials – possible decryption keys and configurations.
As Gal noted, if real – and it certainly looks to be – such a leak would be a boon for law enforcement and could allow possible tracking of ransom payments, while also proving a goldmine for security researchers and LockBit’s victims.
While the hacker did not identify themselves, beyond the reference to the Czech Republic’s capital city, Prague, security researcher Kevin Beaumont had some thoughts.
“Somebody has hacked LockBit. I’m going to guess DragonForce,” Beaumont said in a post on Mastodon.
“They’ve dumped their victim payment chats and backend SQL.”
Assuming Beaumont is correct, DragonForce has been very busy of late. According to reports from the BBC, the gang is behind several attacks on UK retailers over the past week and a half. Marks & Spencer, Co-op, and Harrods have all had their operations disrupted, and there is allegedly evidence of DragonForce code on the victims’ networks.
DragonForce’s darknet leak site is currently down for maintenance, and according to several threat trackers, the gang has not posted to its leak site since 23 April.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.