LockBit 4.0 Leak Exposes Disorganization in Ransomware-as-a-Service (RaaS) Operations
Summary
In May 2025, LockBit's 4.0 affiliate panel was compromised, revealing extensive disorganization and chaos within the ransomware-as-a-service (RaaS) ecosystem. The leak exposed thousands of chat messages, ransomware builds, and internal data, showing that affiliates often operate without oversight, ignore platform rules, and exhibit inconsistent professionalism. This disorganization complicates incident response and makes the ransomware threat more unpredictable and harder to defend against. The leak underscores the need for robust cybersecurity measures, including network segmentation, multifactor authentication, and regular incident response drills. The future of RaaS is expected to become even more chaotic, with fewer brand-name groups and more heterogeneous actors operating in short bursts.
Timeline
- 13.08.2025 17:00, 1 article
LockBit 4.0 Affiliate Panel Compromised, Exposing Disorganization
On May 7, 2025, LockBit's 4.0 affiliate panel was compromised, revealing extensive disorganization within the RaaS ecosystem. The leak exposed thousands of chat messages, ransomware builds, and internal data, showing that affiliates often operate without oversight, ignore platform rules, and exhibit inconsistent professionalism. This disorganization complicates incident response and makes the ransomware threat more unpredictable.
Source: What the LockBit 4.0 Leak Reveals About RaaS Groups, www.darkreading.com, 13.08.2025 17:00
Information Snippets
- LockBit's 4.0 affiliate panel was compromised on May 7, 2025, revealing over 4,000 chat messages, thousands of ransomware builds, and internal data.
  First reported: 13.08.2025 17:00 (1 source, 1 article). Source: What the LockBit 4.0 Leak Reveals About RaaS Groups, www.darkreading.com, 13.08.2025 17:00
- The leak exposed significant disorganization within the LockBit RaaS ecosystem, with affiliates often ignoring platform rules and operating without oversight.
  First reported: 13.08.2025 17:00 (1 source, 1 article). Source: What the LockBit 4.0 Leak Reveals About RaaS Groups, www.darkreading.com, 13.08.2025 17:00
- Affiliates exhibited inconsistent professionalism, with some negotiating payments carefully while others vanished after receiving ransom payments.
  First reported: 13.08.2025 17:00 (1 source, 1 article). Source: What the LockBit 4.0 Leak Reveals About RaaS Groups, www.darkreading.com, 13.08.2025 17:00
- The leak revealed that affiliates sometimes targeted prohibited entities, including Russian state organizations, leading to internal conflicts and suspensions.
  First reported: 13.08.2025 17:00 (1 source, 1 article). Source: What the LockBit 4.0 Leak Reveals About RaaS Groups, www.darkreading.com, 13.08.2025 17:00
- Only 19 out of 159 Bitcoin wallets tied to extortion attempts received funds, indicating that many affiliates negotiated outside the LockBit platform to avoid fees.
  First reported: 13.08.2025 17:00 (1 source, 1 article). Source: What the LockBit 4.0 Leak Reveals About RaaS Groups, www.darkreading.com, 13.08.2025 17:00
- The disorganization within RaaS groups makes them harder to defend against, as their behavior is unpredictable and inconsistent.
  First reported: 13.08.2025 17:00 (1 source, 1 article). Source: What the LockBit 4.0 Leak Reveals About RaaS Groups, www.darkreading.com, 13.08.2025 17:00
- The future of RaaS is expected to become more chaotic, with fewer brand-name groups and more heterogeneous actors operating in short bursts.
  First reported: 13.08.2025 17:00 (1 source, 1 article). Source: What the LockBit 4.0 Leak Reveals About RaaS Groups, www.darkreading.com, 13.08.2025 17:00
Similar Happenings
AI-Driven Ransomware Strain PromptLock Discovered
A new ransomware strain named PromptLock has been identified by ESET researchers. This strain leverages AI to generate malicious scripts in real time, making it more difficult to detect and defend against. PromptLock is currently in development and has not been observed in active attacks. It can exfiltrate files and encrypt data, and it is being upgraded to destroy files. The ransomware uses the gpt-oss:20b model from OpenAI via the Ollama API and is written in Go, targeting Windows, Linux, and macOS systems. The Bitcoin address associated with PromptLock appears to belong to Satoshi Nakamoto. PromptLock uses Lua scripts generated from hard-coded prompts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption. The ransomware can generate custom ransom notes based on the type of infected machine and uses the SPECK 128-bit encryption algorithm to lock files. PromptLock is assessed to be a proof-of-concept (PoC) rather than a fully operational malware deployed in the wild.
PipeMagic RansomExx Malware Exploits Windows Vulnerability
A security flaw in Microsoft Windows, CVE-2025-29824, has been exploited by threat actors to deploy the PipeMagic malware as part of Play ransomware attacks. The vulnerability, a privilege escalation flaw in the Windows Common Log File System (CLFS), was patched in April 2025. PipeMagic, first documented in 2022, acts as a backdoor providing remote access and executing commands on compromised hosts. The malware has been observed in attacks targeting industrial companies in Southeast Asia, Saudi Arabia, and Brazil. It uses various techniques, including fake OpenAI ChatGPT apps and DLL hijacking, to deliver the malware. PipeMagic is a modular malware that uses a domain hosted on Microsoft Azure to stage additional components. The threat actor behind these attacks, tracked as Storm-2460, has been active across multiple sectors and geographies, including IT, financial, and real estate in the U.S., Europe, South America, and the Middle East. The PipeMagic backdoor has been updated to improve persistence and lateral movement within targeted networks. It uses a modified version of the GitHub ChatGPT Desktop Application project to disguise its malicious code and communicates with its C2 server over TCP. The backdoor has been observed targeting the Brazilian manufacturing sector and was the only one among the 121 vulnerabilities patched by Microsoft in April 2025 that was actively exploited in the wild.
ERMAC V3.0 Banking Trojan Source Code Leak Exposes Malware Infrastructure
The source code for ERMAC V3.0, an Android banking trojan, has been leaked, revealing the full infrastructure behind the malware. ERMAC V3.0 targets over 700 banking, shopping, and cryptocurrency applications, expanding its data theft capabilities. The leak includes the backend, frontend, exfiltration server, and Android builder panel, providing insights into the malware's operations and vulnerabilities. The leak exposes critical weaknesses, such as hardcoded secrets, default credentials, and open account registration, which can be used to track, detect, and disrupt active operations. ERMAC V3.0 is attributed to the threat actor DukeEugene and is an evolution of Cerberus and BlackRock. The source code was discovered in an open directory by Hunt.io researchers in March 2024. The leak weakens the malware operation by eroding customer trust and improving threat detection solutions, but may lead to modified variants of ERMAC that are more difficult to detect.