The Lockbit Leak

A rare glimpse into the ransomware underworld

By Renee van der Post & Sam Cantineau

On May 7, 2025, something extraordinary surfaced on the dark web. A message appeared on the site of LockBit, one of the world’s most infamous ransomware groups:

Don’t do crime. CRIME IS BAD. xoxo from Prague.

Soon after, a massive data dump followed: an SQL database filled with internal records, including chat logs between LockBit and its victims, and sensitive details about the group’s operations.

For cybersecurity professionals, this leak provides a rare glimpse into the inner workings of a highly organized criminal enterprise. At Defenced, we dove into this data and extracted practical insights that businesses can learn from. In this blog, we’ll guide you through the key findings—and the lessons they offer.

WHO IS LOCKBIT?

LockBit is a notorious ransomware-as-a-service (RaaS) group, meaning it develops the technology but makes it available to ‘partners’: subcontractors who execute the actual attacks in exchange for a percentage of the ransom. Since emerging in 2019, it has claimed thousands of victims and caused billions in damages. The result is a highly organized cyber gang with a clear structure, internal hierarchy, and even a customer service-like chat function where victims can negotiate ransom payments. Until now, LockBit was seen as a well-oiled machine, but this data leak shows that even the most sophisticated threat actors are not untouchable.

MAKING SENSE OF THE CHAOS: STRUCTURING THE CHATS

The leaked dataset contained thousands of individual messages from chat conversations between victims and LockBit. Raw database fields like clientid, flag, content, and created_at offer little insight on their own, let alone any overview.

To truly understand LockBit’s approach, we cleaned, structured, and translated the data into recognizable chat formats similar to WhatsApp or Signal.

By chronologically grouping messages per conversation, correctly labeling files, and visually distinguishing senders, we were able to reconstruct the negotiation process from start to finish. This yielded not just readable conversations but also valuable insights. It exposed how LockBit approaches victims, negotiates, sets prices, and provides technical instructions.
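The grouping step described above can be sketched as follows. This is an added example, not Defenced's own tooling: the rows are constructed, and the table name `chats` and the meaning of `flag` (0 = victim, 1 = operator) are assumptions. It also goes one step further and derives the negotiated discount from the operator's first and last quoted amounts.

```python
import re
import sqlite3
from collections import defaultdict

# Constructed sample rows (not from the leak). Columns follow the field names
# quoted in the article; the table name `chats` and the meaning of `flag`
# (0 = victim, 1 = operator) are assumptions made for this example.
ROWS = [
    (7, 1, "Price is $120,000. Deadline is Friday.", "2025-01-03 09:15:00"),
    (7, 0, "Hello, we need our files back.", "2025-01-03 09:02:00"),
    (9, 0, "Is anyone there?", "2025-01-04 11:00:00"),
    (7, 0, "We can only pay $30,000.", "2025-01-03 10:40:00"),
    (7, 1, "Final offer: $40,000.", "2025-01-04 08:05:00"),
]
SENDER = {0: "victim", 1: "operator"}
AMOUNT = re.compile(r"\$(\d{1,3}(?:,\d{3})+|\d+)")

def load(rows):
    """Load the rows into an in-memory table shaped like the dumped one."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE chats (clientid INTEGER, flag INTEGER, "
               "content TEXT, created_at TEXT)")
    db.executemany("INSERT INTO chats VALUES (?, ?, ?, ?)", rows)
    return db

def reconstruct(db):
    """Group messages per conversation, oldest first, with a sender label."""
    chats = defaultdict(list)
    # ISO-style timestamps sort correctly as plain text.
    query = ("SELECT clientid, flag, content, created_at FROM chats "
             "ORDER BY clientid, created_at")
    for clientid, flag, content, ts in db.execute(query):
        chats[clientid].append((ts, SENDER.get(flag, "unknown"), content))
    return dict(chats)

def operator_quotes(messages):
    """Dollar amounts quoted by the operator, in chronological order."""
    return [int(m.replace(",", "")) for _, who, text in messages
            if who == "operator" for m in AMOUNT.findall(text)]

def discount(messages):
    """Fraction knocked off between first and last operator quote, or None."""
    q = operator_quotes(messages)
    return None if len(q) < 2 else round(1 - q[-1] / q[0], 3)

def render(clientid, messages):
    """Format one conversation as a readable transcript."""
    lines = [f"--- chat {clientid} ---"]
    lines += [f"[{ts}] {who:>8}: {text}" for ts, who, text in messages]
    return "\n".join(lines)

if __name__ == "__main__":
    for cid, msgs in reconstruct(load(ROWS)).items():
        print(render(cid, msgs), "| discount:", discount(msgs))
```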

To make this more tangible for the reader, we included screenshots of these reconstructions. This gives you a literal picture of what it’s like to negotiate with a hacker group. Many conversations were surprisingly polite, even “customer-friendly”.

BEHIND THE SCENES: WHAT THE CHATS REVEAL ABOUT LOCKBIT

They negotiate and offer discounts

In most cases, the victim initiates a counteroffer. Sometimes, the ransom can be significantly lowered. In chat 154, for example, the demand dropped from $120,000 to $40,000. The tone remains strikingly polite.

Think: “Dear customer, what is your budget?”

In chat 36, we see LockBit collaborating with the victim on a test decryption and eventually agreeing to a steep discount.

[Screenshots: Chat 36]

Since all payments to LockBit are made via Bitcoin, the ransom amounts can be verified on the public blockchain. In this particular case, we see a $10 test payment first. Shortly after, the full $50,000 is transferred to LockBit’s wallet. Immediately afterward, the decryptor (decryption software) is delivered via chat, including instructions.

Tip: Never store sensitive insurance documents on easily accessible shared drives.

In chat 241, LockBit demands an unprecedented $4.5 million. Why? They found, in stolen documents, that the victim had cyber insurance with a maximum coverage of $5 million.

[Screenshots: Chat 241]

Russian victims are spared

In three chats (130, 168, and 274), victims from Russia received the decryptor for free. Internal frustration became evident: “damn subcontractor hit a RU target.”

This strongly suggests the group’s ties to Russia and an unspoken policy not to attack domestic targets.

LockBit has a clear internal structure

In several chats, such as 158 and 168, it becomes clear there is a hierarchy within LockBit. References to “the boss”, the one with access to the actual decryption tools, are common. LockBit operatives appear to follow instructions and seem limited in their ability to grant discounts. LockBit operates like a real business, albeit a criminal one.

[Screenshots: Chat 168 and Chat 158]

HOW MUCH DO VICTIMS ACTUALLY PAY?

Although ransomware groups often demand millions, the final amounts are often much lower. We analyzed 208 chats, of which 18 included confirmed payments.

Using a mix of dollar and bitcoin demands and the ability to verify some payments on the blockchain, we gained a clear picture of LockBit’s negotiation strategy.

We verified over $348,000 in payments. The true total is undoubtedly much higher as LockBit is believed to have extorted hundreds of millions globally.

Here's an overview of paid ransoms, including original demands and realized discounts:


Key lessons from the leak

These leaked conversations are not just fascinating, they're also full of valuable insights. At Defenced, we analyzed a large number of chats and distilled five key lessons:

Backups are only useful if they actually work

Time and again, we saw that victims had backups—but still paid the ransom. In some cases, the backups were encrypted too, because they were connected to the infected network. In others, restoring the data would have taken too long or was technically too complex, especially under the pressure of operational downtime. Test your backups, keep them offline, and ensure you have an up-to-date recovery plan.

Fast decision-making is crucial

Several chats show victims losing the opportunity for a discount due to internal delays. Ransomware operators often give payment deadlines, and when victims miss them, prices go up. In some cases, simply waiting for board approval or legal advice cost victims tens of thousands. Have a plan in place before an incident occurs. Discuss your strategy in advance. Will you negotiate or not? Who decides? How fast?

Trusting criminals isn’t a strategy

LockBit generally delivered on promises: providing decryptors, deleting stolen data, and offering support. But the leak itself proves they don’t always do what they say. Chats that were supposedly deleted reappeared in the dump. Any “reliability” is strategic, not moral.
Don’t mistake professionalism for integrity.

The message is clear:

Basic security must be in place. It’s often the simplest mistakes that are exploited.

Cyber insurance is not a hidden get-out-of-jail card

Some organizations viewed insurance as a fallback, something to quietly rely on if all else failed. But LockBit reads stolen documents carefully. In one case, they found a cyber insurance policy and used it to justify a higher ransom demand. Don’t leave sensitive documents lying around in shared drives or open shares, especially those accessible to third parties or unsecured endpoints.

Simple mistakes are what get you

In many chats, LockBit subcontractors casually mentioned how they got in: default passwords, outdated software, or exposed RDP ports. These aren’t sophisticated zero-day exploits; they’re basic lapses in IT hygiene. In one case (Chat 213), the victim had to pay extra just to learn what vulnerability had been exploited.

FINAL THOUGHTS: A UNIQUE LOOK WITH A CLEAR MESSAGE

The LockBit leak is extraordinary. Not just because it’s rare for a hacker group to fall victim to data theft themselves, but because it gives an unprecedented look at how professionally organized and profit-driven these groups really are.

LockBit operates like a business, with support, negotiation tactics, and internal guidelines, but completely outside the law.

For us, this leak reinforces one key message: incidents like these are not a matter of if, but when. Only organizations that invest in prevention, awareness, and a well-prepared incident response plan can face these threats with confidence.

Get in touch

Curious about what else we uncovered in the dataset? Or want to know how your organization can better defend against ransomware? Get in contact with Defenced for a personal consultation. Are you a cybersecurity professional looking to use the leaked data for your own research or analysis? Feel free to contact us! We’re happy to share our cleaned and structured dataset with peers who contribute to a safer digital world.
