Ransomware: Unknown attackers leak LockBit database – thanks to PHP exploit?
Bitcoin addresses, chat messages and other explosive details of the ransomware provider are circulating on the web. LockBit support puts things into perspective.
"Don't be a criminal, crime is bad, hugs and kisses from Prague": this is the message with which several darknet pages of the LockBit ransomware greeted visitors on May 7, 2025. Apparently, unknown persons had gained access to the servers and extracted a copy of the database. That copy is now online, while LockBit's customer service is trying to limit the damage.
An almost 26 MB file called paneldb_dump.sql contains all kinds of details of the cybercrime operation, including almost 60,000 Bitcoin addresses, thousands of chat messages with victims of the ransomware and configurations for the "Locker", i.e. the ransomware itself.
Based on the timestamps, the date of the leak can be narrowed down: all messages bear date stamps between December 19, 2024 and April 29, 2025. The attack may have been carried out by the same people who carried out a very similar defacement of another ransomware group called Everest a month ago.
LockBit operators confirm attack
In a short statement on the LockBit blog, the operators of the "Ransomware-as-a-Service" program confirm the attack. In a qTox conversation circulating on X, "LockBitSupp" also admits the leak. According to the operators, however, the source code of the ransomware and the stolen data of the victims were not affected; only chats and Bitcoin addresses were captured by the attackers. They say they are working on reconstruction.
It is unclear how the attackers got into the system. However, the server that was taken over was running an outdated PHP version (PHP 8.1.2-1ubuntu2.19) at the end of April 2025, which had several security vulnerabilities. A vulnerability in the scripting language had already been the gateway for the criminals in "Operation Cronos", an international law enforcement operation against LockBit.
(cku)