On May 7, attackers defaced LockBit’s dark web infrastructure and released a comprehensive MySQL database dump, exposing sensitive operational details and internal communications.
Visitors to LockBit’s dark web panels were greeted with the taunting message:
Security researchers have verified the authenticity of the leak, which includes:
- Bitcoin wallet addresses (btc_addresses table).
- Victim negotiation logs (chats table).
- Ransomware builds and their configurations (builds, builds_configurations tables).
Initial analysis suggests the attackers exploited a critical vulnerability in PHP 8.1.2, tracked as CVE-2024-4577.
This OS Command Injection vulnerability allows remote code execution on servers running PHP in CGI mode, particularly on Windows systems with certain language locales.
By leveraging argument injection through specially crafted requests, attackers can bypass previous protections and gain unauthenticated access to execute arbitrary commands.
The compromised server was confirmed to be running PHP 8.1.2, making it susceptible to this exploit.
Notably, the same defacement message was used in a recent breach of the Everest ransomware group, further suggesting the exploitation of CVE-2024-4577 as the attack vector.
```http
GET /php-cgi.exe?%AD%AD-c+whoami HTTP/1.1
Host: vulnerable-site.com
```
This request can trigger command execution due to improper character encoding handling in PHP CGI mode.
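From the defender's side, the request above has a recognisable shape: a php-cgi target whose query string contains no unencoded "=" (so the CGI server hands it to PHP as command-line arguments, per RFC 3875) and carries a soft-hyphen byte (0xAD) or a leading "-" that becomes a PHP option. The following Python scanner is an added example, not code from the article or from any vendor; the access-log format, the client addresses and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache/IIS-style access-log sample (not real traffic). Line 2 carries
# the request shown in the article; the others are benign or out of scope.
SAMPLE_LOG = """\
10.0.0.5 - - [07/May/2025:10:01:02 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512
10.0.0.9 - - [07/May/2025:10:01:07 +0000] "GET /php-cgi.exe?%AD%AD-c+whoami HTTP/1.1" 500 0
10.0.0.7 - - [07/May/2025:10:02:00 +0000] "GET /info.php?debug HTTP/1.1" 200 88
10.0.0.8 - - [07/May/2025:10:02:09 +0000] "GET /cgi-bin/tool.sh?%AD-c HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SOFT_HYPHEN = 0xAD  # U+00AD; Windows "best-fit" mapping turns it into '-' in some locales


def is_cgi_arg_injection(target: str) -> bool:
    """True if the request target looks like a php-cgi argument-injection attempt."""
    path, _, query = target.partition("?")
    # Tuning choice: only look at targets that are served by php-cgi in this deployment.
    if not query or not path.lower().endswith(("php-cgi.exe", ".php")):
        return False
    # RFC 3875 4.4: the query string becomes argv only when it has no unencoded '='.
    if "=" in query:
        return False
    for raw_arg in re.split(r"[+ ]", query):
        arg = unquote_to_bytes(raw_arg)
        if arg[:1] == b"-" or SOFT_HYPHEN in arg:
            return True
    return False


def scan_log(text: str) -> list[dict]:
    """Return one record per suspicious request found in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cgi_arg_injection(m["target"]):
            hits.append({"src": m["src"], "target": m["target"], "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"suspicious php-cgi request from {hit['src']}: {hit['target']} ({hit['status']})")
```

A 500 or 200 on such a request, rather than a 403 from the web server, is the signal worth alerting on; the path filter should be widened to whatever extensions the server maps to php-cgi.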
The leak is a goldmine for law enforcement and cybersecurity professionals. The exposed Bitcoin wallet addresses and negotiation logs provide unprecedented insight into LockBit’s financial flows and extortion tactics.
The plaintext passwords and affiliate details could enable authorities to trace and identify key members and collaborators.
LockBit, which pioneered the ransomware-as-a-service (RaaS) model, has been responsible for up to 44% of global ransomware incidents in early 2023, amassing over $91 million in ransom payments from more than 1,700 attacks in the US alone.
The group’s tactics typically involve exploiting vulnerabilities such as CVE-2018-13379 in Fortinet VPNs, brute-forcing RDP credentials, and deploying payloads via PowerShell and PsExec.
In a statement posted in Cyrillic, LockBit attempted to downplay the breach, claiming only the “light panel” was compromised and no decryptors or stolen victim data were affected.
The group is reportedly offering a bounty for information on the Prague-based hacker behind the attack.
This breach follows February 2024’s Operation Cronos, an international law enforcement campaign that temporarily seized LockBit’s infrastructure.
While LockBit managed to resume operations, its reputation has been severely damaged, with affiliates reportedly recycling victim claims and losing trust in the platform.
The LockBit breach underscores the growing risk posed by unpatched software vulnerabilities and highlights the rapid weaponization of newly disclosed exploits like CVE-2024-4577.
As ransomware groups face mounting pressure from both law enforcement and rival hackers, operational security lapses can have catastrophic consequences.
For LockBit, this incident may mark the beginning of the end, as trust among affiliates erodes and law enforcement agencies gain critical intelligence to dismantle the group’s global network.
The post Lockbit Ransomware Breach: Internal Chats and Sensitive Data Leaked appeared first on Cyber Security News.