{
  "name": "Unfiltered look into LockBit\u2019s operations",
  "slug": "unfiltered-look-into-lockbits-operations",
  "description": "A breach of LockBit's dark web affiliate panels offered a rare glimpse into the group's operations. The leaked data included Bitcoin addresses, admin credentials, and a chat log revealing negotiation tactics and ransom demands. Ransom amounts varied widely, and some victims were confused about the demands. The breach also exposed LockBit's research into victims' finances and the group's willingness to provide additional services for a fee. The incident highlights the complexities of cybercrime negotiations and the human stories behind the headlines. Additionally, Cisco Talos observed a trend of attack kill chains being split into two stages executed by separate threat actors, which has led to refined definitions of initial access brokers.",
  "published": "2025-05-15T20:59:21+00:00",
  "created_at": "2025-05-15T20:59:21+00:00",
  "modified_at": "2025-05-21T18:42:48+00:00",
  "created_at_opencti": "2025-05-15T20:59:21+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-05-15",
    "affiliate panels",
    "dark web",
    "data breach",
    "initial access brokers",
    "lockbit",
    "negotiation tactics",
    "ransomware"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "e00aa8146cf1202d8ba4fffbcf86da3c6d8148a80bb6503d89b0db2aa9cc0997"
      },
      {
        "id": "",
        "name": "a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91"
      },
      {
        "id": "",
        "name": "9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:c41ccc9bf868641a",
        "name": "LockBit",
        "slug": "lockbit"
      }
    ],
    "intrusion_sets": [
      {
        "id": "c090a8e5-3b6b-4f4c-b382-414d2658c36b",
        "name": "LockBit",
        "slug": "lockbit"
      }
    ],
    "attack_patterns": [
      {
        "id": "b8028086-a7c6-4d5e-a851-162cb2c77094",
        "name": "T1594"
      },
      {
        "id": "2969e5a7-1049-4df8-b1ba-8a0675de6b94",
        "name": "T1589"
      },
      {
        "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2",
        "name": "T1567"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "5dee2969-7083-430e-9083-73bab54c3a18",
        "name": "T1590"
      },
      {
        "id": "fc699aef-8931-4a79-8f79-9651be9abd50",
        "name": "T1021"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "6d618903-d9f6-4747-aec2-7630f43c1908",
        "name": "T1496"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      }
    ]
  },
  "external_refs": [
    "https://blog.talosintelligence.com/xoxo-to-prague/",
    "https://otx.alienvault.com/pulse/682671c9405674c9b44141b2"
  ]
}