A major data leak has exposed the inner workings of the notorious ransomware group LockBit. The leak contains thousands of chat conversations between the hackers and their victims, revealing for the first time how structured and businesslike this criminal organization's operations are.
Security company Defenced analyzed the data dump and gained insight into the group’s modus operandi. The leaked SQL database includes chat conversations between victims and LockBit operators, which Defenced reconstructed to expose the group’s negotiation tactics.
Businesslike ransom negotiations
What stands out in the chats is the professional and customer-friendly tone with which LockBit negotiates. The ransomware group appears willing to offer substantial discounts on the initial ransom demand. In one case, the amount demanded was reduced from $120,000 (€108,000) to $40,000. In another case, a reduction from $80,000 to $50,000 was accepted, after which the decryption software was delivered immediately.
Analysis of 208 chat conversations shows that payments were made in 18 cases. The ransoms ranged from a few thousand dollars to approximately $60,000. In total, Defenced verified payments of over $348,000, although the total is likely much higher.
Criminal business operations with structure
LockBit operates according to a Ransomware-as-a-Service (RaaS) model. The organization develops the malware but leaves the attacks to “partners” who receive a percentage of the ransom. This structure is confirmed in the chats, which often refer to “the boss” who makes the final decisions and has access to the decryption tools.
Strikingly, LockBit regards cyber insurance as loot. In one case, the ransom was increased to $4.5 million after it was discovered that the victim had $5 million in coverage. In addition, the conversations reveal that Russian targets are spared and even receive free decryption software, which reinforces suspicions about the group’s Russian origin.
Lessons from the data breach
Defenced has drawn five practical lessons from the leaked conversations. The most important one: backups are only valuable if they actually work and are stored offline. Many victims did have backups, but still chose to pay because restoring them proved too complex or costly.
Other lessons concern the importance of quick decision-making during an attack and the need for good basic security. The chats show that LockBit often exploits simple vulnerabilities, such as weak passwords or poorly patched servers. Sometimes, the ransomware group even asked for extra money to reveal how they had gained access.