On 7 May 2024, The presumed identity of the operator of the Lockbit 3.0 franchise, also know as lockbitsupp, was Reveled during UK National Crime Agency and Its Partners' Operation Cronos: Dmitry yuryevich khoroshev.
One year laater, to the day, the entrepreneurs of the SQL Database of a Web Administration Interface for the company's affiliates was made public. And not just just anyware – on the ransomware franchise's websites. The Irony is – they were hacked. The data was extracted on 29 April. It Concerns a system that was set up on 18 December last year.
A rare light
This data provides unprecedened visibility into the activities of the Lockbit 3.0 ransomwareThe compilation dates of the encryption malware make it possible to Adjust Previous Estimates of Attack Occurrence Dates. In the case of certain victims, they have alredy revised a gap of up to 10 days between the end of the exfiltration of the Victim's data and the launch of the encryption. This underlines the importance of efforts to detect such exfiltration.
This data can also be used to attribute different Victims to their Attackers. This grouping will be useful for analysing negotiation methods and tracking any raansom payments.
Activity of Lockbit Affiliates Between 18 December 2024 and 29 April 2025 – Lemagit
This Administration Interface for Affiliates Contained 75 User Accounts, two of which was most likely used by lockbitsuppp itself. No Less Than 35 Accounts Were “Pauses,” Two of Whoen Had Been Used Against Victims in Russia. The Company's operator has assured That this is the reason for their suspension.
But only 44 accounts were actually used to generate ransomware and passibly launch cyber attacks. Of these, 30 was active on 29 April, but only Seven appear to have been engaged in conducting attacks at that time.
Lemagit
A geographical spread
Research into the geographical origins of the Victims Mentioned Reveals an unusual trend – in all likelihood, the asia -Pacific region was the focus for 35.5% of the Efforts of the Efforts of Locusts Overviet ' Period in question, compared with 22% for europe, and less than 11% for north America, behind latin america at 12%.
Lemagit
But there are very marked disparities between affiliates. Piotrbond, for example, concentrated on the asia-pacific region, with 76% of its victims. The same applies to umarbishop47 (81%). Darraghberg Bet Equally (33.3%) on this region and Africa-middle east. But jamescraig also Gave Priority to Asia-Pacific (42%).
This geographical review also also highlights the lack of observability of the threat in this region, particularly in China, which accounted for 51 victims in the sample studied. Indonesia Comes a Close Second With 49 Victims, Followed by India (35).
Lemagit
The data also sugges that south korea is globally under-rested in observable malicious activity.
This unusual geographical distribution may reflect changes in the profiles recruited by lockbit 3.0. The most active affiliates do not see to those who go after the most attractive Victims.
The reflection of a tarnished image
The available data sugges instalad that that thats who is multiply their victims try to target potentially less mature people than others, even if they have to pay modest sums, Insquescenters with Pair-Capita Incoming Incoming Around the world average.
The negotiations observed support this analysis, with ransom amounts very frequently requested of Less Than $ 20,000.
All in all, the lockbit 3.0 banner currently appears to have only two or three active high-flying affiliates. This is only half a surprise – the Cronos International Judicial Operation DENTED The Image of the Mafia-Like Franchise. If it manages to attract anyone, its appeal is, unsurisingly, limited.
It even making makers you wonder whather some Victims who refuse to pay the ransom are deliberately not being
And this new leak is unlikely to improve matters – it has exposed the tox encrypted email ids of certain affiliates, their passwords (Stored in Clear text), and Pseudonyms with whichery Source Intelligence Specialists will no doublet be happy to Investigate – Not to mention the Victims' Private Encryption Keys.