LockBit data dump reveals a treasure trove of intel on the notorious hacker group
An analysis of May's SQL database dump shows how much LockBit was really making


China and the US were hardest-hit by the LockBit ransomware group between December 2024 and April this year, research shows, with affiliates targeting 156 organizations in all.
Trellix Advanced Research Center has released its analysis of the LockBit SQL database dump it observed in May, noting that China was probably the greatest focus because of its large industrial base and manufacturing sector.
"Unlike BlackBasta and Conti RaaS groups that occasionally probe Chinese targets without encrypting them, LockBit appears willing to operate within Chinese borders and disregard potential political consequences, marking an interesting divergence in their approach," the researchers said.
Meanwhile, affiliates such as BaleyBeach, umarbishop47, and btcdrugdealer were active in the US, where attacks appeared to be more spread out among affiliates, suggesting a more opportunistic approach rather than specialized targeting.
Taiwan was the third most-targeted country, followed by Brazil and Turkey. One group, Swan, had a broad geographic reach, targeting multiple European countries including Austria, Czech Republic, and Switzerland.
This, researchers pointed out, indicates sophistication in the group's ability to navigate different regulatory environments.
"The victimology data reveals some unexpected targeting patterns. It's particularly surprising to see such a concentrated effort on Chinese and Taiwanese organizations," the researchers said.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
"Unlike other ransomware groups that might shy away from such politically sensitive targets, LockBit appears to have operated with a different calculus."
LockBit affiliates are diversifying targets
Manufacturing was the most frequently targeted sector, followed by consumer services, the finance sector, and government services.
After analyzing LockBit negotiation chats, Trellix researchers discovered 18 confirmed payments to cryptocurrency wallets believed to be under the control of LockBit affiliates, netting them around $2,337,000.
"The data paints a picture of varying strategies, with initial ransom demands ranging from modest to exorbitant. What’s clear is that substantial discounts were the norm, often between 10% and 80%, highlighting the haggling that goes on behind the scenes of these cyber extortion attempts," researchers said.
"Affiliate success within LockBit varied significantly, indicating differences in skill and potentially specialization in specific familiar industries and/or countries."
The LockBit owner appears to have been charging affiliates 20% of ransom payments, adding up to around $456,000 over the period.
It made a lot less from auto-registration invitations, though - around $10,000 to $11,000.
"The assertion made by LockBit on the RAMP underground forum, which claimed monthly earnings of $100,000 from auto-registration, is thus considered to be significantly exaggerated," the researchers said.
LockBit is still causing havoc
LockBit was once one of the most prolific and successful ransomware-as-a-service groups, but was disrupted early last year by international law enforcement bodies.
Since then, a number of group members and affiliates have been arrested.
The group's exaggerated claims of earnings, researchers said, shows how cyber criminals are inclined to hype up their successes and downplay their failures.
"What this leak truly shows is the complex and ultimately less glamorous reality of their illicit ransomware activities," they said.
"While profitable, it’s far from the perfectly orchestrated, massively lucrative operation they’d like the world to believe it is."
MORE FROM ITPRO
- Building ransomware resilience to avoid paying out
- CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
- UK government officials consider banning ransomware payments

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.
-
An executive suggested laid off staff use AI for counseling – I think that's ludicrous
Opinion In the immediate aftermath of Microsoft layoffs, promoting AI careers advice feels supremely cold
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operators
News A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attack
News A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?
News The Scattered Spider group has been highly active in recent years