Will the LockBit Ransomware Group’s Data Breach Finally Finish It Off?
May 15, 2025
The LockBit ransomware gang was riding high into 2024, but a raid by international law enforcement battered it and dethroned it from the top of the ransomware-as-a-service mountain. The group has hung in as a threat actor in spite of arrests of key figures, but is operating at a much lower ebb. A new data breach of its internal information at least has the potential to put an end to the group, though its decryptors remain beyond reach.
It is not clear who was behind the data breach, but it may have been the same (also unknown) party that hacked the Everest ransomware group last month. In both cases the hackers took over one of the group’s dark web sites and left a very similar message: “Don’t do crime CRIME IS BAD xoxo from Prague.”
Data breach could be work of hacktivists, or rival ransomware operators
LockBit ransomware has certainly not gone away as a threat; the data breach shows that the group communicated with victims over 4,000 times just between December 2024 and April 2025, and that it still has around 75 affiliates. But it is definitely not pulling in the numbers it used to, when its escapades could bring in millions of dollars from a single incident. These days it averages more like $20,000 per caper, and the messages show it has been willing to go as low as $4,000 for a ransom payment.
At minimum, the LockBit ransomware gang is on the ropes and clearly shifting focus to smaller and more poorly-defended targets for smaller dollar amounts. The data breach perpetrator thus might be a rival looking to finish them off by destroying any remaining trust among affiliates, or some sort of hacktivist exploiting the group’s weakened state. Either way, they have not shown interest in taking public credit as of yet.
The reason the group may well survive is that the data breach did not contain its decryptors or information that might help victims recover. It did contain a lot of intelligence pointing to identities of participants and affiliates, and information about its tactics, such as the affiliate panel SQL database and internal conversations about how to target victim backup systems.
LockBit ransomware gang now heavily focusing on Asia Pacific
The data breach also includes many Bitcoin payment addresses used by the group, along with a collection of passwords in plaintext. The internal data points to some other tidbits of intelligence about the LockBit ransomware gang’s activity, such as the fact that it is now most interested in Asia Pacific region targets and is going after them at about three times the rate it targets North American companies.
LockBit ransomware is definitely down, but not quite out, and it would likely take the release of its decryptors and the arrest of leader “Lockbitsupp” (thought to be in Russia) to put a final end to it. The group has managed to survive since early 2020, and the best information this data breach provides is that a sophisticated bunch of threat actors is now going after smaller fish.



