{
	"id": "43f21d13-4e71-4f48-afe4-51c79589b836",
	"created_at": "2026-04-06T00:10:11.736132Z",
	"updated_at": "2026-04-10T13:12:21.08763Z",
	"deleted_at": null,
	"sha1_hash": "08cba7f7b97a877099487a9667e1b5c2262e980f",
	"title": "LOCKDATA Auction – Another leak marketplace showing the recent shift of ransomware operators",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56082,
	"plain_text": "LOCKDATA Auction – Another leak marketplace showing the recent shift of ransomware operators\r\nBy Deutsche Telekom AG\r\nPublished: 2021-07-14 · Archived: 2026-04-05 18:51:03 UTC\r\nBy now policy makers all over the world recognize ransomware as a significant threat to our digital society. In the aftermath of the Colonial Pipeline Attack in May 2021, which caused widespread gasoline shortages in several US states, ransomware was discussed more than ever. President Biden recently asked Russian President Putin to crack down on ransomware operations, and the U.S. Department of Justice is elevating investigations of ransomware attacks to a priority similar to terrorism. This caused panic in the ransomware underground, with some underground forums banning advertisements for ransomware operations.\r\nLOCKDATA Auction shows the recent shift of ransomware operators. (Image by Gerd Altmann on Pixabay) © Gerd Altmann on Pixabay\r\nThe ransomware underground is constantly innovating and finding new ways to operate. One of these recent innovations is the rise of stolen data marketplaces. Instead of using the double extortion approach, i.e. encrypting the infrastructure and threatening to release stolen data, former ransomware gangs shift to data-theft extortion operations only. One reason for this might be to evade the measures that authorities are now putting in place in response to events like the Colonial Pipeline Attack. Two examples of such marketplaces are Marketo and File Leaks.\r\nIn this blog post, Thomas Barabosch and I will talk about another leak site that Deutsche Telekom Security recently encountered: LOCKDATA Auction. We will describe what LOCKDATA Auction is and give insights into a CryLock ransomware case where the CryLock affiliate worked with this portal. And, of course, we provide analysis resources for CryLock ransomware, including YARA rules, at our GitHub repository. 
\r\nThe Incident Response Team at Deutsche Telekom Security GmbH can quickly investigate and help you remediate ongoing ransomware intrusions. For more information, please contact: DFIR@telekom.de.\r\nWhat is LOCKDATA Auction?\r\nLOCKDATA Auction is a darknet portal that Deutsche Telekom Security has been aware of since May 2021. Figure 1 depicts the main page of LOCKDATA Auction. It appears to offer various auctions of stolen data from victims worldwide. The country of origin of the victim is always annotated, e.g. Saudi Arabia or USA. Auctions appear to remain open for more than one month in some cases.\r\nFigure 1: LOCKDATA Auction victim listing.\r\nRegistration for auctions is described as invite-only (see Figure 2). Underground marketplace operators frequently use reputation-based or referral systems to better protect their identities from investigators and shield their communication methods from outsiders.\r\nhttps://www.telekom.com/en/blog/group/article/lockdata-auction-631300\r\nPage 1 of 4\n\nFigure 2: Registration for auctions is invite-only.\r\nBut, to our surprise, when we looked through the page code to learn how invites worked under the hood, we discovered that the “Sign up” and “Sign in” functions were completely non-functional.\r\nUsually, when a user tries to log into a web page, the browser has to check in with the server, which verifies that the credentials are correct. This page does not do that at all: it always displays a message like “Error: Login or password entered incorrectly” or “Error: Wrong invite code!” immediately when “Sign in” or “Sign up” is clicked, without sending any request to the server.\r\nFigure 3: The code responsible for the “Sign up” and “Sign in” forms.\r\nSo, what does this mean? Most likely, since the portal is fairly new, the functionality is still in development. Another hypothesis is that the site merely serves as a menacing mockup of an online auction site, to coerce victims into paying the ransom. 
During our investigation, we observed a ransomware operator change victim information on the auction site on the fly, which proves they have direct access to LOCKDATA Auction.\r\nAuctions have a start price (ranging from $50 000 to $500 000), a minimum deposit (ranging from $0 to $50 000), and a blitz price (up to $1 500 000). The website also shows the top bid for active auctions. In some cases, the top bid is less than the starting price. There is a link to preview data, which however was broken in most cases (as of the time of writing). The descriptions of the victims and data sets are comprehensive. Data set sizes range from 50 GB to 2 TB. Figure 4 shows an example of an active auction.\r\nFigure 4: An active auction on LOCKDATA Auction.\r\nSuccessfully concluded auctions are still listed on the website. Their download link is “locked”, but there is still a button to contact the seller. Figure 5 depicts an example of a finished auction. In this case, supposedly $40 000 was paid for 2 terabytes of personal data of a North American public entity.\r\nFigure 5: A completed auction on LOCKDATA Auction.\r\nWho offers leaks on LOCKDATA Auction?\r\nDeutsche Telekom Security was involved in a LOCKDATA Auction case. On this occasion, the threat actor utilized the CryLock ransomware to encrypt the victim’s environment.\r\nCryLock is a ransomware from the Russian cybercrime underground. It follows a Ransomware-as-a-Service (RaaS) model, where “partners” (or “affiliates”) acquire the ransomware to deploy it in victim environments. The first reference to this ransomware was in 2014. Back then, it was publicly known as Cryakl. A take-down of its infrastructure took place in 2018, resulting in a decryptor being published. In 2020, Cryakl was rebranded under the name CryLock.\r\nCryLock is written in Delphi, so obfuscations are nearly non-existent. 
There is a check whether or not the victim is located in a CIS (Commonwealth of Independent States) country, which is a common check for malware families from Russia and other CIS states. The ransomware encrypts files using a combination of RSA and a custom symmetric algorithm. After encryption, it drops a file called “how_to_decrypt.hta”, as seen in Figure 6. The key takeaway is that the victim must contact the ransomware affiliate using the provided email address and a unique victim ID. This is the general course of action that CryLock affiliates follow.\r\nFigure 6: how_to_decrypt.hta shows information to the victim.\r\nHowever, in this particular case the modus operandi was slightly different. We observed how the threat actor utilized a batch file to also add a legal notice that is shown on startup of the encrypted systems. This legal notice stated the following:\r\n“Your system has been tested for security by the CryLOCK Ramsoware team and has failed. We specialize in file encryption and are also involved in industrial (also economic or corporate) espionage. We don't care about your files and what you do, nothing personal - it's just business. We recommend contacting us, as your confidential files have been stolen and will be sold to interested people if you do not pay for their removal or decryption of the files. One of the email for communication: [REDACTED]@[REDACTED].com Do not use corporate email for communication, in most cases your letters will not reach us. Our auction of information and confidential files, hosted in Tor [REDACTED].onion or http://[REDACTED].”\r\nIn their notice, the threat actor refers to the “CryLOCK Ramsoware [sic] team”. 
In addition to the aforementioned email address for communication purposes, they also provide the link to LOCKDATA Auction.\r\n“Search Keys” Utility\r\nThe notice also contained an additional (shortened) Internet link. This link resolved to a cloud hosting provider (see Figure 7), where the “Search_keys_CryLOCK_3.0.exe” tool could be downloaded.\r\nThe page also contained a wallpaper showing part of the legal notice quoted above. Again, the same typo can be seen here. At this point, we are not sure whether this is an unintended typo or a stylization of the word “ransomware”.\r\nSeveral communication channels were mentioned: two email addresses and the Tor link to LOCKDATA Auction. One email address refers to CryLock and one to the auctioneer who was responsible for the auction on LOCKDATA Auction.\r\nFigure 7: CryLock tool hosted at a cloud hosting provider.\r\nThe tool “Search_keys_CryLOCK_3.0.exe” itself (see Figure 8) is rather interesting. This Delphi 7 utility can scan local disks as well as network storage for files that CryLock encrypted. It supposedly also identifies which generation of encryption mode was used on the files. Furthermore, it can kill CryLock-related processes (e.g. mshta.exe, which shows the ransom note).\r\nFigure 8: CryLock Delphi tool Search_keys_CryLOCK_3.0.exe.\r\nAccess Brokering\r\nNowadays, ransomware is teamwork. Administrator access to systems is gained and sold by specialized hackers, sometimes for as little as $10. When an access path changes hands, we typically observe a change in the way the attack is carried out.\r\nIn this case, we discovered that the initial compromise of the victim’s environment had been supported by a very distinct set of attacker infrastructure, tools, and mannerisms. 
The exact same behavior was observed in an entirely different case that occurred around the same time, but where another RaaS was used. This indicates that the actor using those tools may breach different victims and then either trade the access to one or more other group(s) or deploy different last-stage payloads themselves.\r\nConclusion\r\nLOCKDATA Auction is a new player in the field of darknet marketplaces. At this time, the site lacks basic functionality one would expect from an online auction site, but it is likely to grow over time.\r\nAt this point, it is not 100% clear whether LOCKDATA Auction is exclusive to CryLock affiliates or open to other ransomware operations as well, even though the similarity in branding between CryLock and LOCKDATA is striking. The attackers state (with typos) that the CryLock ransomware team attacked the victim’s environment, which may suggest a group of people working together more closely than in a typical RaaS affiliate model. On the other hand, the link to LOCKDATA Auction was not provided directly in the ransom note. It was shown to the victim only through a pre-login “legal notice” in Windows. Also, separate email addresses are listed for communication: one CryLock-related and one for the auctioneer at LOCKDATA Auction.\r\nThe ransomware landscape is innovating at a fast pace. Reactions of nation-states to recent events like the Colonial Pipeline Attack in May 2021 are only increasing the velocity. One recent trend is stolen data (or leak) marketplaces like LOCKDATA Auction. These marketplaces offer threat actors a way to publish and monetize stolen data as leverage for their data-theft extortions. 
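The following Python script is an added example and is not part of the original blog post or of Deutsche Telekom Security's tooling. It turns two of the artifacts described above into a small offline triage check: it parses the text of a reg export of the Windows policy key and flags a pre-login legal notice whose caption or text contains phrases lifted from the quoted CryLock notice, and it walks a directory tree for how_to_decrypt.hta notes and for files whose MD5 matches the IOCs in Appendix A. The post does not say how the batch file set the notice; the example assumes the standard LegalNoticeCaption and LegalNoticeText values under HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System. The .reg text and the files written by build_demo_tree() are constructed for the demonstration and do not reproduce the real samples.

```python
import hashlib
import os
import tempfile

# MD5 IOCs from Appendix A of the blog post.
CRYLOCK_MD5_IOCS = {
    'e89135d80017e9da16b187ebe0a9de64',  # Search_keys_CryLOCK_3.0.exe
    '58a65f8e2075fd8ea32cd2a0384de10c',  # sample how_to_decrypt.hta
    '3139ca1821331314c95816b92fe24c29',  # sample CryLock 2.3.0.0
}
RANSOM_NOTE_NAME = 'how_to_decrypt.hta'

# Assumption: the pre-login notice was set through the standard Windows
# legal-notice values; the post only says a batch file added the notice.
POLICY_KEY = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
NOTICE_VALUES = ('LegalNoticeCaption', 'LegalNoticeText')
# Phrases taken from the notice quoted in the post; the misspelling is the
# attacker's own and is a useful indicator in itself.
NOTICE_INDICATORS = ('crylock', 'ramsoware', 'tested for security',
                     '.onion', 'auction', 'decrypt')

# Constructed sample of a reg export of the policy key. A real export is
# UTF-16LE with a BOM; decode it with 'utf-16' before passing it in.
SAMPLE_REG_EXPORT = '''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
\"EnableLUA\"=dword:00000001
\"LegalNoticeCaption\"=\"CryLOCK\"
\"LegalNoticeText\"=\"Your system has been tested for security by the CryLOCK Ramsoware team and has failed. Our auction of information and confidential files, hosted in Tor [REDACTED].onion\"
'''


def parse_reg_export(text):
    '''Parse .reg text into {key path: {value name: raw value}}.
    REG_SZ values lose their outer quotes but keep the .reg escape sequences
    as written; dword:/hex: values are returned verbatim. Multi-line hex
    continuations are not handled.'''
    result = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None and line.startswith('\"'):
            name, sep, raw = line[1:].partition('\"=')
            if not sep:
                continue
            if len(raw) >= 2 and raw.startswith('\"') and raw.endswith('\"'):
                raw = raw[1:-1]
            result[current][name] = raw
    return result


def legal_notice_findings(reg_values):
    '''Return (value name, indicator) pairs found in the pre-login notice.'''
    findings = []
    for key, values in reg_values.items():
        if key.lower() != POLICY_KEY.lower():  # registry paths are case-insensitive
            continue
        for name in NOTICE_VALUES:
            text = values.get(name, '').lower()
            for indicator in NOTICE_INDICATORS:
                if indicator in text:
                    findings.append((name, indicator))
    return findings


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def file_md5(path):
    h = hashlib.md5()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 20), b''):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, ioc_md5s=CRYLOCK_MD5_IOCS):
    '''Walk root; flag ransom notes by name and files whose MD5 is an IOC.'''
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            if filename.lower() == RANSOM_NOTE_NAME:
                findings.append(('ransom_note', path))
            try:
                digest = file_md5(path)
            except OSError:
                continue
            if digest in ioc_md5s:
                findings.append(('ioc_md5', path))
    return sorted(findings)


def build_demo_tree():
    '''Write constructed files into a throwaway directory for a dry run.
    Returns (root, MD5 of the constructed binary) so the caller can pass that
    digest as an IOC; the real IOC files are not reproduced here.'''
    root = tempfile.mkdtemp(prefix='crylock_triage_')
    os.makedirs(os.path.join(root, 'sub'))
    with open(os.path.join(root, RANSOM_NOTE_NAME), 'w') as f:
        f.write('<html><body>constructed ransom note placeholder</body></html>')
    sample = b'constructed sample bytes, not real malware'
    with open(os.path.join(root, 'sub', 'invoice.exe'), 'wb') as f:
        f.write(sample)
    return root, md5_hex(sample)


if __name__ == '__main__':
    for name, indicator in legal_notice_findings(parse_reg_export(SAMPLE_REG_EXPORT)):
        print('legal notice', name, 'matches', indicator)
    demo_root, demo_md5 = build_demo_tree()
    for kind, path in scan_tree(demo_root, CRYLOCK_MD5_IOCS | {demo_md5}):
        print(kind, path)
```

On a live system the .reg text comes from reg export of the policy key (or from the SOFTWARE hive of a triage image), and scan_tree() is pointed at the mounted volume; MD5 matches are exact-sample hits only, so a recompiled CryLock build will not match and the filename check on the ransom note is the more durable of the two.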
\r\nAppendix A: IOCs\r\nIOC (MD5) | Description\r\ne89135d80017e9da16b187ebe0a9de64 | Search_keys_CryLOCK_3.0.exe\r\n58a65f8e2075fd8ea32cd2a0384de10c | Sample “how_to_decrypt.hta”\r\n3139ca1821331314c95816b92fe24c29 | Sample CryLock 2.3.0.0\r\nOn topic\r\nBleepingComputer: Data leak marketplaces aim to take over the extortion economy\r\nReuters: Exclusive: U.S. to give ransomware hacks similar priority as terrorism\r\nSource: https://www.telekom.com/en/blog/group/article/lockdata-auction-631300",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.telekom.com/en/blog/group/article/lockdata-auction-631300"
	],
	"report_names": [
		"lockdata-auction-631300"
	],
	"threat_actors": [],
	"ts_created_at": 1775434211,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08cba7f7b97a877099487a9667e1b5c2262e980f.pdf",
		"text": "https://archive.orkl.eu/08cba7f7b97a877099487a9667e1b5c2262e980f.txt",
		"img": "https://archive.orkl.eu/08cba7f7b97a877099487a9667e1b5c2262e980f.jpg"
	}
}