{
	"id": "8cf34910-d451-42a1-a2b7-048ad0530fdc",
	"created_at": "2026-04-06T00:13:23.882202Z",
	"updated_at": "2026-04-10T03:36:13.845892Z",
	"deleted_at": null,
	"sha1_hash": "29703452885c6350f5f54a298a6661da430cc44b",
	"title": "Inside LockBit: The Inner Workings of a Ransomware Giant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 824844,
	"plain_text": "Inside LockBit: The Inner Workings of a Ransomware Giant\r\nArchived: 2026-04-05 16:18:59 UTC\r\nBlog\r\nExecutive Summary\r\nIn May 2025, reports emerged indicating that the LockBit ransomware group had themselves suffered a data\r\nbreach. This incident revealed a trove of sensitive information, including ransomware build records, chat\r\ntranscripts between affiliates and victims, and configuration data. The leak offers an unprecedented glimpse into\r\nthe daily operations of one of the most notorious ransomware-as-a-service (RaaS) ecosystems to date. The\r\nexposed data was made available via the Tor network hidden service, appearing on what seemed to be a LockBit\r\n‘onion URL’.\r\nThe leaked files, although created in 2024, only came to light this month. They provide valuable insights into\r\nLockBit’s operations, including its communication strategies with victims as well as its affiliate programme.\r\nThis blog presents our key findings, including:\r\nPatterns in payload creation and projected ransom demands by user ID\r\nInsights into the structure and tactics of ransom negotiations\r\nOperational insights into LockBit’s internal processes\r\nWho are LockBit?\r\nLockBit are a notable and highly active ransomware group that employs the Ransomware-as-a-Service (RaaS)\r\nmodel, enabling affiliates to utilise their services. The group develops ransomware capable of encrypting and\r\ndecrypting victims’ data. Affiliates, typically individual cybercriminals or small collectives, leverage this malware\r\nto target organisations. In exchange for their services, LockBit earns a percentage of the ransom when attacks are\r\nsuccessful, or they may charge an upfront cost, or even a subscription fee.\r\nSource of the Leak\r\nThe source of the leak originated from an onion URL which is tied to LockBit, indicating the attacker had\r\nbreached their infrastructure and then hosted the leaked information on their own Tor Service website. 
This was\r\nquickly taken down, and is no longer available through the Tor network.\r\nhttps://www.ontinue.com/resource/inside-lockbit-inner-workings-of-ransomware-giant/\r\nPage 1 of 17\n\nFigure 1 – Lockbit onion URL\r\nWhat was Leaked?\r\nThe leaked database offers a rare, comprehensive look inside LockBit’s ransomware-as-a-service (RaaS)\r\noperations. Key components include:\r\nBTC Addresses – 59,975 Bitcoin Wallets\r\nA massive table mapping unique Bitcoin addresses to:\r\nadvid (affiliate ID)\r\ntarget_id (likely victim or campaign ID)\r\nEnables direct correlation between affiliates and ransom payments.\r\nIdeal for blockchain analysis and tracking criminal infrastruct\r\nBuilds – Payload Creation Records\r\nContains records of individual ransomware builds generated by affiliates.\r\nFields include:\r\nAffiliate identifiers (implicit in linkage)\r\nBuild configurations – Ransomware Customisation\r\nStores configuration flags per build:\r\nWhich files to encrypt\r\nWhich ESXi servers to avoid (for stealth or targeting)\r\nOptional persistence, file types, kill-switches\r\nHighlights LockBit’s modular payload architecture.\r\nChats – 4,442 Negotiation Messages\r\nA trove of ransom negotiation transcripts between victims and affiliates.\r\nSpanning from December 19th, 2024 to April 29th\r\nReveals behavioural patterns, negotiation strategies, and sometimes emotional manipulation by operators.\r\nInside LockBit’s Affiliate Infrastructure\r\nIn our analysis, we uncovered the Affiliate infrastructure utilised by LockBit within the data leak. This “builds”\r\ntable serves as a log of every ransomware payload generated through the LockBit affiliate panel.\r\nFigure 2 – Payload flowchart\r\nEach example generated by the builder is saved in JSON format, allowing affiliates to customise their entries\r\ndirectly within the builder panel. 
Once the modifications are confirmed, as described in the previous steps, the\r\ninformation is securely stored in the backend to create the payload. This payload comprises essential details,\r\nincluding the ID, target, and revenue, which may either be declared or represent the intended ransom demand – it\r\nis not a recorded payment.\r\nFigure 3 – JSON data format\r\nOperational Features in Build Configs\r\nThe fields provided offer detailed configuration options for LockBit’s affiliates, enabling precise control over the\r\nexecution of ransomware on target systems. Our analysis indicates that this activity is documented in a table titled\r\n“build_configurations”. The system reveals its design for modularity and operational flexibility, with features\r\nranging from stealth options like “quiet_mode” to post-infection cleanup processes such as “delete_decrypter”.\r\nThis structure suggests a strong focus on affiliate-driven targeting.\r\nField | Example Value | Purpose / Behaviour\r\ncomment | “company_target“ | Internal label used by the affiliate, typically a victim name or campaign reference.\r\ncompany_website | example.com | Victim’s domain, sometimes real, but often test.\r\nrevenue | “15kk“ | Declared ransom demand – not a validated or confirmed payment.\r\nuserid | 25 | Internal affiliate ID which is used across builds.\r\ncreated_at | “2024-12-18 20:05:23” | Timestamp of payload generation.\r\nmaster_pubkey | (long base64 string) | Public key for file encryption, unique to each build.\r\nmaster_privkey | (long base64 string) | Private key for decryptor, likely only released after payment.\r\ncrypted_website | (encrypted blob) | Possibly contains C2, leak site, or internal config data.\r\ndelete_decrypter | true / false | If true, removes decryptor after infection.\r\nquiet_mode | “0” / “1” | Likely suppresses execution output or error logging.\r\nnot_randomize_keys | “0” / “1” | Controls whether encryption keys are randomized per file, or static per payload.\r\nrunning_one | “1” / “0” | Possibly indicates “run once” mode or single execution instance.\r\ntype | 25, 18 etc. | Variant or profile type – affects payload structure and/or encryption logic.\r\nkey_id | 0 / Integer | Could reference internal key management system.\r\nstealerid | NULL / Integer | May link to credential stealer module inclusion.\r\nmax_file_size | NULL / e.g. 52428800 | Limits encryption to files below a certain size e.g. skip files over 50MB in size.\r\nUse of Tor for Operational Security\r\nLockBit’s use of Tor is a deliberate OPSEC (operational security) decision. By leveraging the Tor network,\r\nLockBit operators benefit from strong anonymity and routing obfuscation, allowing them to hide their\r\ninfrastructure and communications from law enforcement. Unlike websites on the traditional World Wide Web,\r\nwhich can be quickly seized or taken down with proper legal proceedings, Tor-based (.onion) sites are far more\r\nresilient. This enables LockBit to host extortion portals, leak sites, and communication hubs that persist even\r\nunder global scrutiny, making Tor a crucial part of their cybercriminal infrastructure.\r\nSome of the interesting domains observed from LockBit show the side of the group where they operate like a\r\nfunctional business. Looking through some of the onion sites discovered from the dump, we found a page where\r\nLockBit offers a bug bounty reward to security researchers or anyone who can discover flaws in their\r\ninfrastructure. 
Refer to the Indicators of Compromise for a comprehensive list of onion domains.\r\nDeclared Ransom Demands by Affiliates\r\nAffiliates of LockBit manually input their estimated ransom demands during the payload generation process.\r\nThese entries provide a glimpse into each affiliate’s targeting ambitions, pricing strategies, and even their internal\r\npractices. Although this data has not been financially verified, it offers valuable insights into the economic\r\nmindset of ransomware operators operating within LockBit’s affiliate model.\r\nFigure 5 – Top 10 Lockbit Affiliates by Declared Ransom Demands\r\nWe have filtered the original data because during our analysis we discovered some exaggerated ransom demands\r\nunder “revenue“ similar to the following:\r\n“999kk” – $99.9 million\r\n“303kkk” – $303 million\r\n“100kkk” – $100 million\r\nThese felt like more of a placeholder or potential test entries that didn’t seem credible. 
Even if these are real\r\nentries there is no evidence in the leaked panel that these demands were ever issued to real victims, let alone\r\npaid.\r\nTop Affiliates by Likely Realistic Demands\r\nNOTE: These are still affiliate-entered estimates, not confirmed ransom notes or payments.\r\nAffiliate ID Total Revenue Average Ransom Number of Valid Builds\r\n14 $168.8M $42.2M 4 builds\r\n2 $161.9M $4.9M 33 builds\r\n70 $153.7M $1.45M 106 builds\r\n16 $105M $35M 3 builds\r\n18 $103.2M $8.6M 12 builds\r\nFinancial Scope of LockBit – based on this data\r\nRansom Payment Insights\r\nMetric Count\r\nTotal victims (clients) 246\r\nVictims who paid ransom 7\r\nVictims with decryption (decrypt_done) 0\r\n~2.8% of victims show a “paid_commission greater than 0” likely indicating successful ransom payment.\r\nNone show “decrypt_done greater than 0”, which could mean:\r\nDecryption flag wasn’t updated in the dump.\r\nOr actual decryption didn’t occur via system logic.\r\nIn conclusion, none of the victims in the dataset were recorded as having received a decryption tool. However,\r\nthis information may not be entirely accurate, as LockBit claims to offer a decryption tool which they provide.\r\nWhat we can confirm\r\nThe field “paid_commission” is an integer.\r\nIt defaults to “0”, per schema:\r\n`paid_commission` int(11) NOT NULL DEFAULT 0\r\nIn 7 out of 246 rows, this value was changed to be greater than 0.\r\nNOTE: This is still not proof of payment from this data alone!\r\nWhat we cannot confirm\r\nWe cannot claim that “paid_commission \u003e 0“ means the victim paid the ransom. 
Here’s why:\r\nThis value only confirms LockBit marked a commission as paid to an affiliate.\r\nHowever the victim-side payment may have:\r\nBeen paid without being logged in this table.\r\nBeen paid but never resulted in affiliate compensation.\r\nBeen simulated for testing, if this dataset is a development/testing snapshot.\r\nNegotiating With Affiliates: The Human Side\r\nHuman Tones in Hostile Chats\r\nDuring our analysis of the specific “chat” conversations that were listed in the dump, we observed multiple\r\ndifferent types of tones from affiliates. You can tell there were significant differences in conversations where some\r\naffiliates were aggressive and would not take any considerations into account when demanding to be paid in BTC\r\nor XMR.\r\nShifts from formal messaging to being aggressive when a victim attempts to get a discount or makes things\r\ndifficult.\r\nStraight to the point and no room for discussion.\r\nVictim: \"We are a small firm; we cannot pay that much.\"\r\nLockBit: \"Your size is irrelevant. Your data is valuable.\"\r\nHere are more samples from the conversations:\r\n“I Don’t Care” Aggression\r\nDeadline Ultimatum\r\nTimestamp: 2024-12-23 17:20:25\r\nI don't care whether you pay me or not, there will be no more talk about discounts\r\nIf you don't make a decision, the price will be 2x tomorrow.\r\nPlea for Lower Price – Timestamp: 2024-12-20 10:55:51\r\nYes, I checked the number of test files. Please lower the price a little.\r\nOne of the more interesting messages that we discovered was what looked to be a predefined footnote message to\r\nthe victims, which contains some interesting context that we have only observed from one message to a victim\r\nthat was discovered from our analysis. 
From threat to recruitment.\r\nThe footnote message indicates the specific version of LockBit in use: “ (Version: LockBitBlack4.0-rc-001) ”.\r\nSee the full footnote message in “Appendix A”\r\nAlso within the same chat log, we can also observe the affiliate being questioned, raising concerns about the\r\nguarantee of decryption of data.\r\nAffiliate:\r\n- You must pay us.\r\nAffiliate:\r\n- What is the guarantee that we won't scam you? We are the oldest extortion gang on the planet\r\n- Treat this situation simply as a paid training session for your system administrators.\r\n- Don't go to the police or the FBI. Don't tell anyone.\r\nPart of that message included the following intriguing information within the complete footnote. The messaging\r\nacts as a way to introduce people to the world of penetration testing and to come join the programme.\r\nDelivered Message (Extracted from LockBit Chat ID 433)\r\nYou have been attacked by LockBit 4.0 – the fastest, most stable and immortal ransomware since 2019.\r\n- \"Want a lamborghini, a ferrari and lots of ti**y girls? Sign up and start your pentester billionai\r\nThe message indicates the specific version of LockBit in use: “ (Version: LockBitBlack4.0-rc-001) ”. 
See the\r\nfull footnote message in “Appendix A”\r\nTactics Used By Affiliates\r\nBased on message patterns, we have observed different tactics used by affiliates to push and secure payment:\r\nStandard tactics:\r\nTime threats (“24 hours left”)\r\nBitcoin-only payments\r\n“Test file” to prove decryption\r\nPsychological tactics:\r\nGuilt: “Your clients will suffer”\r\nShame: “You are irresponsible”\r\nUrgency: “Tick-tock, the timer runs”\r\nOperation Cronos\r\nIn 2024, multiple law enforcement agencies worked together to take down LockBit, and during a period of last\r\nyear, the UK’s National Crime Agency infiltrated the group’s infrastructure and took control of its services, and\r\nposted a list of usernames and user IDs. However LockBit prevailed, and we are now in a situation where they\r\ncontinue to operate. We have compared the UK NCA data to the user IDs and usernames observed in this dump\r\nand found the following.\r\nFigure 6 – Operation Cronos\r\nComparing the usernames observed in the Cronos Operation, we have discovered multiple usernames within the\r\nleaked data that confirm the operation of the same actors. 
As you can see below, we have put together a visual\r\nrepresentation of the top 10 LockBit users by total builds.\r\nWhat we can take from this:\r\nAshlin generated the most payloads by a wide margin.\r\nRich, Melville, and Merrick followed as high-volume affiliates.\r\nOverall, here is a comprehensive list of all linked usernames derived from the NCA list, and then matched against\r\nthe leaked dataset to show these usernames match.\r\nUserID Username\r\n1 admin\r\n2 Harold\r\n5 William Guzman\r\n6 David Ramsey\r\n9 Howard Collins\r\n10 Russell Price\r\n12 Vern\r\n13 Mayer\r\n14 Devyn\r\n15 Burton\r\n16 Ardell\r\n17 Harley\r\n18 Chad\r\n19 Truman\r\n21 Harper\r\n24 Kennan\r\n25 Melville\r\n26 Bubet\r\n27 Bailey\r\n28 Rich\r\n31 Charly\r\n32 Oscar\r\n33 Lyndsey\r\n34 Oliver\r\n35 Sherwin\r\n36 JohnRembo\r\n37 Darrel\r\n40 Larry\r\n42 Rufus\r\n43 Ashlin\r\n45 Sage\r\n46 BillieOLDDDDD\r\n48 Davidson\r\n51 Malin\r\n52 Stanton\r\n53 Carlo\r\n54 Alston\r\n55 Merrick\r\n57 Huntley\r\n58 Jeffly\r\n59 Everlie\r\n63 Libby\r\n64 Hazel\r\n65 Dorian\r\n66 Rigby\r\n67 Payden\r\n69 Robert Martinez\r\nConclusion\r\nThe LockBit leak has provided an exceptional insight into how one of the world’s most successful and active\r\nransomware groups operates. From chat logs and ransomware build records, to affiliate configurations and ransom\r\ndemands, the data shows LockBit are both well organised and methodical. Affiliates play a major role in\r\ncustomising attacks, demanding payment, and negotiating with victims. While some payments appear to have\r\nbeen made, it remains unclear how often victims actually received working decryption tools. 
Overall, the leak\r\nconfirms that LockBit functions like a traditional business, except with criminal intentions at its core.\r\nReferences\r\nhttps://www.nationalcrimeagency.gov.uk/news/lockbit-leader-unmasked-and-sanctioned\r\nhttps://www.nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group\r\nIndicators of Compromise\r\nAppendix A\r\n(433, 36, 36, 112, 0, 1737142597, 'yes i got this instructions from you\\n~~~ You have been attacked b\r\nSource: https://www.ontinue.com/resource/inside-lockbit-inner-workings-of-ransomware-giant/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.ontinue.com/resource/inside-lockbit-inner-workings-of-ransomware-giant/"
	],
	"report_names": [
		"inside-lockbit-inner-workings-of-ransomware-giant"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434403,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29703452885c6350f5f54a298a6661da430cc44b.pdf",
		"text": "https://archive.orkl.eu/29703452885c6350f5f54a298a6661da430cc44b.txt",
		"img": "https://archive.orkl.eu/29703452885c6350f5f54a298a6661da430cc44b.jpg"
	}
}