Dissent@DataBreaches.Net
//
The LockBit ransomware group, a major player in the Ransomware-as-a-Service (RaaS) sector, has suffered a significant data breach. On May 7, 2025, the group's dark web affiliate panels were defaced, revealing a link to a MySQL database dump containing sensitive operational information. This exposed data includes Bitcoin addresses, private communications with victim organizations, user credentials, and other details related to LockBit's illicit activities. The defacement message, "Don't do crime CRIME IS BAD xoxo from Prague," accompanied the data leak, suggesting a possible motive of disrupting or discrediting the ransomware operation.
The exposed data from LockBit's affiliate panel is extensive, including nearly 60,000 unique Bitcoin wallet addresses and over 4,400 victim negotiation messages spanning from December 2024 through April 2025. Security researchers have confirmed the authenticity of the leaked data, highlighting the severity of the breach. The LockBit operator, known as "LockBitSupp," acknowledged the breach but claimed that no private keys were compromised. Despite previous setbacks, such as the "Operation Cronos" law enforcement action in February 2024, LockBit had managed to rebuild its operations, making this recent breach a significant blow to their infrastructure.
Analysis of the leaked information has uncovered a list of 20 critical Common Vulnerabilities and Exposures (CVEs) frequently exploited by LockBit in their attacks. These vulnerabilities span multiple vendors and technologies, including Citrix, PaperCut, Microsoft, VMware, Apache, F5 Networks, SonicWall, Fortinet, Ivanti, Fortra, and Potix. Additionally, the leaked negotiations revealed LockBit’s preference for Monero (XMR) cryptocurrency, offering discounts to victims who paid ransoms using this privacy-focused digital currency. Ransom demands typically ranged from $4,000 to $150,000, depending on the scale of the attack.
References:
- DataBreaches.Net: CoinPedia reports: “Don’t do crime. CRIME IS BAD. xoxo from Prague.” That’s the message left behind after hackers gave LockBit – a ransomware gang known for extorting millions. Yes, they just got a brutal taste of their own medicine.
- Metacurity: All of the ransomware gang's admin panels now state: "Don't do crime CRIME IS BAD xoxo from Prague," with a link to download a "paneldb_dump.zip." LockBit ransomware gang hacked, victim negotiations exposed
- Searchlight Cyber: Searchlight’s threat intelligence team shares their early observations from the LockBit data leak. On May 7 2025 it was reported that the dark web affiliate panel of the Ransomware-as-a-Service (RaaS) group LockBit has been hijacked.
- www.bitdegree.org: LockBit Hacked: 60,000 Bitcoin Addresses and 4,400 Ransom Chats Go Public
- BleepingComputer: The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump.
- hackread.com: LockBit’s dark web domains were hacked, exposing internal data, affiliate tools, and over 60,000 Bitcoin wallets in a…
- Davey Winder: 60,000 Bitcoin Wallets Leaked As LockBit Ransomware Hackers Get Hacked
- www.it-daily.net: LockBit hacker group was hacked
- socradar.io: LockBit Hacked: 60,000 Bitcoin Addresses Leaked
- securityaffairs.com: The LockBit ransomware site was breached, database dump was leaked online
- slcyber.io: Early Analysis of the LockBit Data Leak
- hackread.com: LockBit’s Dark Web Domains Hacked, Internal Data and Wallets Leaked
- The DefendOps Diaries: LockBit Ransomware Gang Hacked: Internal Operations Exposed
- www.scworld.com: Data breach exposes LockBit ransomware gang
- www.itpro.com: LockBit ransomware group falls victim to hackers itself
- Help Net Security: LockBit Hacked: What does the leaked data show?
- Talkback Resources: Valuable information leaked from LockBit ransomware operation's administration panel, revealing details on affiliates, ransom negotiations, and potential infighting within the cybercriminal community.
- ComputerWeekly.com: reports analysis of the LockBit 3.0 data leak
- Tech Monitor: Ransomware group LockBit faces breach, affiliate data exposed
- Graham Cluley: LockBit ransomware gang breached, secrets exposed
- cybersecuritynews.com: The affiliate panel of the infamous LockBit Ransomware-as-a-Service (RaaS) group has been hacked and defaced, showing a link to a MySQL database dump ostensibly containing leaked data relating to the group’s operations.
- bsky.app: LockBit Ransomware Gang Breached, Secrets Exposed
- OODAloop: LockBit ransomware group was hacked, exposing internal operations data, potentially affecting future operations.
@cyble.com
//
The ransomware landscape continues to experience significant turbulence as groups target each other's infrastructure and tactics shift. Notably, a group known as DragonForce has been actively hacking its rivals, with RansomHub, a major Ransomware-as-a-Service (RaaS) platform and one of the most active groups, being their latest target. DragonForce has previously targeted Mamona and BlackLock. This takeover of RansomHub could lead to a significant shift in the RaaS model, potentially leading to affiliates developing their own brands and further fragmenting the threat landscape.
Researchers infiltrated the online infrastructure associated with BlackLock ransomware and uncovered configuration files, credentials, and a history of executed commands. The intrusion also revealed clear web IP addresses that had been hidden behind Tor infrastructure. BlackLock, which emerged in January 2025 and was previously known as El_Dorado, had listed 46 victims prior to the incident. Coincidentally (or perhaps via the same exploit), BlackLock’s leak site was also defaced.
Hunters International, a RaaS group that some believe evolved from Hive, appears to be rebranding and shifting operations, moving away from an unprofitable and risky ransomware business and focusing solely on exfiltrating data and extorting victims. The decision appears to come in the wake of international law enforcement operations. By dropping the encryption part of the equation and focusing purely on data exfiltration and extortion, the group is relaunching under the name “World Leaks”.
References:
- bsky.app: There's a ransomware group named DragonForce going around hacking its rivals. After Mamona and BlackLock, the group has now hacked RansomHub—a major RaaS platform and one of the most active groups today.
- cyble.com: Ransomware Attack Levels Remain High as Major Change Looms
- Searchlight Cyber: BlackLock Ransomware Exposed and DragonForce Makes Moves
- BlackFog: BlackFog Report Reveals Record Number of Ransomware Attacks from January to March
- www.tripwire.com: Ransomware reaches a record high, but payouts are dwindling
@zdnet.com
//
Federal cybersecurity agencies, including the FBI and CISA, have issued an urgent advisory regarding the escalating threat of Medusa ransomware. Since its emergence in 2021, Medusa has targeted over 300 victims across various critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing. The group's activities have accelerated in recent months, prompting immediate action recommendations for organizations. Medusa operates as a Ransomware-as-a-Service (RaaS) model, now recruiting affiliates from criminal forums to launch attacks, encrypt data, and extort victims worldwide.
Medusa actors leverage common ransomware tactics, including phishing campaigns and exploiting unpatched software vulnerabilities. They employ a double extortion strategy by encrypting victim data and threatening to publicly release it if the ransom is not paid. To mitigate the risk, CISA and the FBI recommend organizations update systems regularly to close known vulnerabilities, implement network segmentation to restrict lateral movement, and enable multi-factor authentication for all services. They also urge organizations to report incidents promptly to aid in tracking and combating the growing threat.
References:
- bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
- www.bleepingcomputer.com: CISA: Medusa ransomware hit over 300 critical infrastructure orgs
- securityonline.info: FBI, CISA, and MS-ISAC Warn Organizations About Medusa Ransomware Attacks
- DataBreaches.Net: #StopRansomware: Medusa Ransomware
- Industrial Cyber: US exposes Medusa ransomware threat, as over 300 organizations targeted across critical infrastructure sector
- securityaffairs.com: Medusa ransomware hit over 300 critical infrastructure organizations until February 2025
- www.cybersecuritydive.com: Medusa ransomware slams critical infrastructure organizations
- www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
- www.tripwire.com: The Medusa ransomware gang continues to present a major threat to the critical infrastructure sector, according to a newly-released joint advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
- : FBI and CISA Warn of Medusa Ransomware Impacting Critical Infrastructure
- The DefendOps Diaries: Explore the impact of Medusa ransomware on critical infrastructure and learn strategies to enhance cybersecurity defenses.
- www.scworld.com: Medusa ransomware, a ransomware-as-a-service group, has increased attacks targeting critical infrastructure, potentially preparing for geopolitical conflicts. Recent attacks indicate a 150% increase in this activity.
- Tenable Blog: Cybersecurity Snapshot: Medusa Ransomware Impacting Critical Infrastructure, CISA Warns, While NIST Selects New Quantum-Resistant Algorithm
- SOC Prime Blog: Medusa Ransomware Attacks Covered in AA25-071A Detection
- be4sec: Medusa Ransomware is Targeting Critical Infrastructure
- be4sec: This advisory summarizes the key activities of prominent ransomware groups in January 2025, highlighting a significant increase in Medusa attacks.
- aboutdfir.com: Medusa ransomware group has been actively targeting critical infrastructure organizations, employing a double extortion tactic.
- www.techradar.com: US government warns Medusa ransomware has hit hundreds of critical infrastructure targets
- cyble.com: The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a well-timed advisory on the Medusa ransomware group last week, as Cyble has detected an acceleration in the group’s activities in recent months.
- Email Security - Blog: Medusa Ransomware: Multi-Industry Threat on the Rise
- techxplore.com: Cybersecurity officials warn against potentially costly Medusa ransomware attacks
- Security | TechRepublic: Medusa Ransomware Strikes 300+ Targets: FBI & CISA Urge Immediate Action to #StopRansomware
- eSecurity Planet: Medusa Ransomware Warning: CISA and FBI Issue Urgent Advisory
- Blue Team Con: CISA and the FBI warn about Medusa ransomware, urging organizations to update security, enable MFA, and report incidents to mitigate the growing threat.
- thecyberexpress.com: Medusa Ransomware Surge: 60 Victims in 3 Months—Are You Next?
- www.zdnet.com: How to guard against a vicious Medusa ransomware attack - before it's too late
- www.cysecurity.news: The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a #StopRansomware advisory, warning organizations about the increasing threat of Medusa ransomware.
- Sam Bent: Cybercriminal Group Medusa Targets Critical Infrastructure Sectors A sophisticated cybercriminal group known as Medusa has been targeting many critical infrastructure sectors in the United States.
- The Hacker News: Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates
- www.cybersecuritydive.com: Medusa ransomware using malicious driver as EDR killer
do son@Daily CyberSecurity
//
The Medusa ransomware operation has significantly impacted critical infrastructure sectors, affecting over 300 organizations in the United States by February 2025. According to CISA, these attacks have targeted essential services across various industries, including medical, education, legal, insurance, technology, and manufacturing. This widespread impact highlights the vulnerability of critical infrastructure and the potential for severe disruptions. The healthcare sector has been a primary target, with ransom demands ranging from $100,000 to $15 million, potentially disrupting patient care and compromising sensitive data.
Educational institutions have also been significantly affected, with 21 attacks reported in February 2025 alone. These attacks disrupt academic activities and compromise personal information of students and staff. In response, CISA, in partnership with the FBI and MS-ISAC, released a joint Cybersecurity Advisory providing tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and detection methods associated with known Medusa ransomware activity. The advisory encourages organizations to ensure operating systems and software are up to date, segment networks to restrict lateral movement, and filter network traffic to prevent unauthorized access.
References:
- Industrial Cyber: Recent findings from Symantec indicate a significant rise in Medusa ransomware activity, which is reportedly being operated as...
- securityaffairs.com: Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024.
- : Symantec found that Medusa has listed almost 400 victims on its data leaks site since early 2023, demanding ransom payments as high as $15m
- Broadcom Software Blogs: Attacks using this ransomware have displayed consistent TTPs and grown steadily since 2023.
- bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
- The DefendOps Diaries: Medusa Ransomware: A Growing Threat to Critical Infrastructure
- RedPacket Security: CISA: CISA and Partners Release Cybersecurity Advisory on Medusa Ransomware
- gbhackers.com: Medusa Ransomware Hits 300+ Critical Infrastructure Organizations Worldwide
- securityonline.info: FBI, CISA, and MS-ISAC Warn Organizations About Medusa Ransomware Attacks
- www.bleepingcomputer.com: CISA: Medusa ransomware hit over 300 critical infrastructure orgs
- securityaffairs.com: Medusa ransomware hit over 300 critical infrastructure organizations until February 2025
- Industrial Cyber: US exposes Medusa ransomware threat, as over 300 organizations targeted across critical infrastructure sector
- www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
- CyberInsider: FBI: Medusa Ransomware Has Breached 300 Critical Infrastructure Organizations
- www.tripwire.com: The Medusa ransomware gang continues to present a major threat to the critical infrastructure sector, according to a newly-released - with at least one organisation hit with a "triple-extortion" threat. Read more in my article on the Tripwire State of Security blog.
- Resources-2: On March 12, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Medusa ransomware [1]. Medusa ransomware emerged as Ransomware-as-a-Service in June 2021 and gained infamy by compromising over 300 victims from critical infrastructure sectors, including healthcare, insurance, technology, manufacturing, and legal.
- : CISA, FBI Warn of Medusa Ransomware Impacting Critical Infrastructure
- www.cybersecuritydive.com: The ransomware-as-a-service gang tallied more than 300 victims in industries such as healthcare, manufacturing and technology.
- The Register - Security: Medusa ransomware affiliate tried triple extortion scam – up from the usual double demand
- DataBreaches.Net: #StopRansomware: Medusa Ransomware
- hackread.com: FBI and CISA Urge Enabling 2FA to Counter Medusa Ransomware
- Talkback Resources: #StopRansomware: Medusa Ransomware | CISA
- Tenable Blog: Cybersecurity Snapshot: Medusa Ransomware Impacting Critical Infrastructure, CISA Warns, While NIST Selects New Quantum-Resistant Algorithm
- SOC Prime Blog: Medusa Ransomware Detection: The FBI, CISA & Partners Warn of Increasing Attacks by Ransomware Developers and Affiliates Against Critical Infrastructure
- www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
@www.reliaquest.com
//
ReliaQuest researchers are warning that the BlackLock ransomware group is poised to become the most prolific ransomware-as-a-service (RaaS) operation in 2025. BlackLock, also known as El Dorado, first emerged in early 2024 and quickly ascended the ranks of ransomware groups. By the fourth quarter of 2024, it was already the seventh most prolific group based on data leaks, experiencing a massive 1,425% increase in activity compared to the previous quarter.
BlackLock's success is attributed to its active presence and strong reputation within the RAMP forum, a Russian-language platform for ransomware activities. The group is also known for its aggressive recruitment of traffers, initial access brokers, and affiliates. They employ double extortion tactics, encrypting data and exfiltrating sensitive information, then threatening to publish it if a ransom is not paid. Their custom-built ransomware targets Windows, VMware ESXi, and Linux environments.
References:
- AAKL: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock More: Infosecurity-Magazine: BlackLock On Track to Be 2025’s Most Prolific Ransomware Group
- Christoffer S.: ReliaQuest Inside the World’s Fastest Rising Ransomware Operator - BlackLock Somewhat of a deep dive into a relatively new RaaS (BlackLock), a very active group both on RAMP and with adding new victims to their leaksite.
- www.helpnetsecurity.com: BlackLock ransomware onslaught: What to expect and how to fight it
- www.reliaquest.com: ReliaQuest: Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock
- Help Net Security: In-depth analysis of the BlackLock ransomware group and their operational methods.
- cyberpress.org: BlackLock Ransomware Evolves: Threatens Windows, VMware ESXi, and Linux Systems
- gbhackers.com: BlackLock Ransomware Targets Windows, VMware ESXi, & Linux Environments
- Cyber Security News: BlackLock Ransomware Evolves: Threatens Windows, VMware ESXi, and Linux Systems