Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations
The LockBit ransomware gang recently suffered a significant data breach. Their dark web affiliate panels were defaced with the message “Don’t do crime CRIME IS BAD xoxo from Prague,” linking to a MySQL database dump. This archive contains a SQL file from LockBit’s affiliate panel database that includes twenty tables, notably including a ‘btc_addresses’ table with 59,975 unique bitcoin addresses and a ‘chats’ table containing over 4,400 victim negotiation messages from December 2024 to the end of April 2025.
This blog post will leverage insights from this recent breach and the Qualys Threat Research Unit’s existing knowledge of LockBit to detail the group’s methods and lessons we can learn from the additional information gained from the exposed data. We aim to equip security teams with practical knowledge to enhance their defenses.
Who is LockBit? How it Evolved and Operates
LockBit is a prominent ransomware gang that has operated its ransomware-as-a-service (RaaS) family since 2019. The group has continuously developed its malicious software, releasing several iterations, including LockBit 2.0 in June 2021 and LockBit 3.0 (also known as LockBit Black) in June 2022. Each new version brought enhanced capabilities, targeting a wider range of operating systems like Windows, Linux, VMware ESXi, and macOS. LockBit operates on an affiliate model, where the core group develops and maintains the ransomware, and affiliates carry out the attacks, sharing a percentage of the ransom payments.
Their attacks typically follow a systematic pattern involving:
- Initial access (phishing, exploits, weak RDP)
- Lateral movement (tools like Mimikatz, Cobalt Strike)
- Privilege escalation
- Data exfiltration for double extortion
- File encryption
- Ransom note delivery
- Eventual data publication if demands are unmet
LockBit 3.0 notably incorporated techniques from other ransomware and improved its ability to evade detection and hinder recovery efforts.
Monero: The Coin of the Realm
Based on leaked chats from ransomware negotiations, the ransom amounts demanded by attackers vary widely, ranging from $4,000 in Bitcoin (BTC) for smaller incidents to a staggering $150,000 in Bitcoin for major attacks involving large-scale encryption and threats of data leaks. What makes this data particularly striking, however, is the payment options offered by the attackers: Bitcoin (BTC) remains a staple, but Monero (XMR) is gaining traction. In fact, the leaked chats reveal a fascinating twist—attackers offer up to 20% discounts to victims who choose to pay in Monero instead of Bitcoin. This isn’t just a random perk; it signals a deliberate preference for Monero, likely due to its privacy-centric design.
Patch or Mitigate Now: Critical CVEs Exploited by LockBit
Analysis of leaked information and historical data points to a consistent playbook of weaponized vulnerabilities. For security teams, the following list represents critical exposures that demand immediate patching or mitigation to remove known entry points for LockBit:
| CVE ID | Product Name | Vendor | QDS (QVS) | QID |
| CVE-2023-4966 | NetScaler ADC/Gateway | Citrix | 95 | 378935 |
| CVE-2023-27351 | PaperCut MF/NG | PaperCut | 95 | 730790, 378441 |
| CVE-2023-27350 | PaperCut MF/NG | PaperCut | 100 | 730790, 378441 |
| CVE-2023-0669 | GoAnywhere MFT | Fortra | 95 | 730720 |
| CVE-2022-36537 | ZK Framework | Potix | 95 | 378,061 |
| CVE-2022-22965 | Spring Framework | VMware | 100 | Multiple QIDs |
| CVE-2022-21999 | Windows Print Spooler | Microsoft | 95 | 91857 |
| CVE-2021-44228 | Apache Log4j2 | Apache | 100 | Multiple QIDs |
| CVE-2021-36942 | Windows LSA | Microsoft | 95 | 91813, 91803 |
| CVE-2021-34523 | Exchange Server | Microsoft | 100 | 50114, 50112 |
| CVE-2021-34473 | Exchange Server | Microsoft | 100 | 50114, 50107 |
| CVE-2021-31207 | Exchange Server | Microsoft | 95 | 50114, 50111 |
| CVE-2021-22986 | BIG-IP | F5 Networks | 100 | 38833, 375344 |
| CVE-2021-20028 | SMA Firmware | SonicWall | 94 | 731853 |
| CVE-2020-1472 | Netlogon | Microsoft | 100 | Multiple QIDs |
| CVE-2019-7481 | SMA100 | SonicWall | 95 | 730221 |
| CVE-2019-19781 | Citrix ADC/Gateway | Citrix | 100 | 372685, 372305 |
| CVE-2019-11510 | Pulse Connect Secure | Ivanti | 100 | 38771 |
| CVE-2019-0708 | Remote Desktop Services | Microsoft | 100 | 91893, 91541, 91534 |
| CVE-2018-13379 | FortiOS SSL VPN | Fortinet | 100 | 43702 |
This is not an exhaustive list of all vulnerabilities ever exploited by LockBit, but these CVEs have been frequently observed in their attack chains. Prioritizing patches for these vulnerabilities is a crucial, immediate step to reduce your attack surface. When patching is not immediately feasible, organizations should temporarily deploy proactive remediation techniques to mitigate the associated risks.
Beyond Traditional Endpoints: Other Compromised Systems
The leaked negotiation chats also reveal a broader scope of targeted systems and tools beyond standard Windows and Linux servers, highlighting the need for a holistic defense strategy:
Veeam Backup Software: Discussions around difficulties restoring from Veeam backups indicate attackers are targeting backup infrastructure. While a specific CVE wasn’t explicitly named in the chat, known exploited vulnerabilities in Veeam (e.g., CVE-2023-27532, CVE-2024-40711, CVE-2022-26500, and CVE-2022-26501) are actively exploited to gain access to backup metadata and credentials. The above-mentioned CVEs are also part of the CISA KEV catalog.
Ensure your Veeam installations are fully patched, especially when addressing known critical CVEs, which is essential. Isolating backup networks and repositories from the production environment and enforcing strong authentication for access are also of vital importance to secure against the targeting of backup software.
vCenter Server and ESXi: LockBit 2.0 introduced a Linux-based variant specifically designed to encrypt VMware ESXi virtual machines, multiplying the blast radius by hitting entire hypervisor hosts at once, and in the conversations, often they instruct victims to log into vCenter for decryption.
Treat your VMware and vCenter instance as a critical asset. Ensure it is fully patched against known exploited vulnerabilities (e.g., CVE-2021-44228, CVE-2024-38813, CVE-2024-38812, CVE-2022-22948, CVE-2023-34048, CVE-2021-22017, CVE-2021-22005, CVE-2020-3952, CVE-2021-21972, CVE-2021-21985, CVE-2021-21973, CVE-2019-5544, CVE-2025-22225, CVE-2024-37085, CVE-2020-3992, CVE-2025-22224, CVE-2025-22226), all part of CISA KEV catalog. Also, enforcing multi-factor authentication (MFA) and the principle of least privilege for all vCenter access would be most helpful.
NAS Devices: Encryption of NAS systems alongside other network assets points to their vulnerability, likely through exposed SMB/NFS shares or weak network segmentation. It is essential to update NAS firmware regularly. Implement strict access controls (ACLs) and segment your network to limit access to NAS devices only to necessary systems and users, ideally via secure protocols or VPNs.
File Transfer Tools (FileZilla, WinSCP): The mention of using these tools to transfer decryptors to ESXi suggests attacker familiarity with standard IT tools and the potential for their abuse. While not directly exploited for initial access in this context, their presence highlights potential avenues for malicious file transfer post-compromise. FileZilla and WinSCP have been associated with vulnerabilities exploited by malware for credential harvesting in the past.
These examples highlight the need for comprehensive detection capabilities across network, host, and container environments. At Qualys, we proudly offer almost 100% coverage of CISA’s Known Exploited Vulnerabilities (KEVS), and the Qualys Threat Research Unit team is actively working to stay ahead of such threats.
Initial Access and Deployment
The leak also offered glimpses into initial access methods, with one notable hint pointing towards using weak or default credentials (“you know your pass P@ssw0rd”). Additionally, mentions of removing administrators from the domain-controlling infrastructure suggest the exploitation of misconfigured or overly privileged domain controllers. While specific deployment scripts weren’t detailed, the customization of payloads for different architectures (x32 and x64) and platforms (Windows .exe, ESXi via file transfer) underscores the need for defense across heterogeneous environments.
Conclusion
The LockBit leak reminds us of the persistent and evolving threat ransomware groups pose. By understanding their exploited vulnerabilities and targeted systems, as revealed in this data, vulnerability management professionals and practitioners can take immediate, actionable steps to harden their environments.
The following key tactics are essential to disrupt LockBit’s common attack vectors and enhancing your organization’s resilience against ransomware threats:
- Prioritizing patches for known exploited CVEs
- Securing often-overlooked systems like backup infrastructure and NAS devices
- Reinforcing fundamental security hygiene like strong credentials and access controls
Talk to a Qualys Expert to see how you can implement this guidance today.