One of the most prolific ransomware groups in the world just suffered a rare setback: a major internal leak revealing how it truly operates.
The breach offers an unprecedented look into LockBit's ransomware-as-a-service (RaaS) ecosystem, providing cybersecurity defenders with valuable intelligence on affiliate operations, payload generation, and negotiation tactics. The leaked data includes ransomware build records, chat logs, configuration files, and internal documentation, providing one of the most detailed pictures to date of how the group operates its criminal enterprise.
The findings come from new research published by cybersecurity firm Ontinue, which analyzed the contents of a compromised LockBit onion URL believed to be tied to its backend infrastructure.
"This data leak offers a rare opportunity to understand not just LockBit's tooling but also its business model, communication style, and attack lifecycle," wrote Rhys Downing, a SOC Analyst for Ontinue.
LockBit's evolution: from stealth to scale
Since emerging in 2019, LockBit has continuously evolved its ransomware family to target an increasingly broad range of systems.
As Saeed Abbasi, Manager of Vulnerability Research at Qualys Threat Research Unit, explains: "LockBit is a prominent ransomware gang that has operated its ransomware-as-a-service family since 2019. The group has continuously developed its malicious software, releasing several iterations, including LockBit 2.0 in June of 2021 and LockBit 3.0 (also known as LockBit Black) in June of 2022. Each new version brought enhanced capabilities, targeting a wider range of operating systems, such as Windows, Linux, VMware ESXi, and macOS."
This technical evolution, paired with a business-first affiliate model, has transformed LockBit from a malware developer into a ransomware franchise.
A franchise model, exposed
The affiliate-based RaaS model allowed LockBit to scale rapidly. According to the leaked records, affiliates could build and customize ransomware payloads for specific victims using a centralized toolset. Once deployed, ransom negotiations would take place via LockBit's platform, often following aggressive scripts and escalation playbooks.
Transcripts from the leak reveal how affiliates pressured victims, sometimes offering discounts or threatening to disclose sensitive data. The group's operation mirrors a professionalized criminal enterprise, where attackers act more like account managers than rogue hackers.
Tactics, techniques, and playbooks
The payload data analyzed by Ontinue reveals how LockBit affiliates configure encryption options, customize ransom notes, and select communication channels, all from a centralized portal. This modularity enabled attackers to tailor campaigns to specific victim profiles, system architectures, or regions.
"LockBit's ability to provide 'white-glove' ransomware services has blurred the line between state-sponsored sophistication and profit-driven crime," Ontinue noted.
For defenders, these insights offer concrete steps for hardening their infrastructure.
As Abbasi from Qualys emphasized: "The recent LockBit leak reminds us of the persistent and evolving threat ransomware groups pose. By understanding their exploited vulnerabilities and targeted systems, as revealed in this data, vulnerability management professionals and practitioners can take immediate, actionable steps to harden their environments."
His recommended priorities:
• Patch known exploited CVEs
• Secure backup infrastructure and NAS devices
• Enforce strong credential and access control hygiene
Turning exposure into advantage
This leak gives defenders an edge, revealing not only how LockBit operates but also how it can be disrupted. With this intelligence now public, incident response teams can better prepare tabletop exercises, red teams can simulate real affiliate behavior, and security operations can update detection rules based on actual payload configurations.
More importantly, this leak proves ransomware gangs aren't invincible. The same kinds of vulnerabilities they exploit can exist in their own infrastructure, and exposing them can shift the balance of power.
Follow SecureWorld News for more stories related to cybersecurity.