LockBit Data Leak Reveals Top Targets: Chinese Orgs Hit Hard

Summary
– LockBit ransomware earned $2.3 million in 5 months, with operators taking a 20% cut and additional fees from affiliates, revealing a less lucrative operation than portrayed.
– Law enforcement actions in 2024-2025, including infrastructure disruption, arrests, and sanctions, have significantly weakened the LockBit ransomware group.
– A leaked LockBit affiliate panel database shows affiliates targeting sectors like manufacturing and finance, with ransom demands typically between $2,000 and $40,000, except for one $2 million payout.
– China was the most heavily targeted country by LockBit from December 2024 to April 2025, followed by the US and Taiwan, with some affiliates specializing in specific regions.
– LockBit affiliates breached Russian government entities, violating the usual off-limits rule for Russian cybercriminals, prompting apologies and free decryptors from LockBitSupp.

The recent LockBit ransomware data breach has exposed startling details about the group’s operations, revealing a pattern of targeted attacks and financial gains far below initial estimates. Security researchers analyzing the leaked information found that while the notorious ransomware-as-a-service (RaaS) operation generated approximately $2.3 million over five months, the actual profits were modest compared to earlier projections.
Contrary to widespread assumptions about LockBit’s dominance in cybercrime, the leaked data paints a picture of a fragmented and less lucrative operation. The group’s administrators took a 20% cut, around $456,000, while affiliates earned between $2,000 and $40,000 per attack, with only one notable exception where a Swiss IT firm paid $2 million.
The leak also highlights LockBit’s shifting fortunes. Once considered a leading ransomware threat, the group has faced multiple setbacks, including infrastructure takedowns, arrests of key affiliates, and sanctions against its alleged leader. Despite these challenges, LockBit continues developing new ransomware variants, including an unreleased LockBit 5.0.
China emerged as the most heavily targeted country, with researchers noting a deliberate focus on its industrial and manufacturing sectors. Unlike other ransomware groups that avoid Chinese targets, LockBit affiliates showed no hesitation in encrypting systems within China, suggesting a strategic shift in their operations. The U.S. and Taiwan were also frequent victims, with one affiliate specializing in Taiwanese networks.
A surprising revelation was the targeting of Russian entities, typically considered off-limits by Russian-speaking cybercriminals. Two government organizations, Moscow’s Department of Bridge Constructions and the Chebarcul Municipality, were encrypted, prompting LockBit’s leadership to publicly deny responsibility and offer free decryption tools, which reportedly failed.
The leaked data also exposed negotiation tactics, showing that most affiliates struggled to convince victims to pay. The majority of ransom demands remained relatively low, reinforcing the notion that LockBit’s profitability has been exaggerated.
As law enforcement pressure mounts and internal leaks expose vulnerabilities, LockBit’s future remains uncertain. However, the group’s persistence in refining its ransomware and expanding its target list indicates that it remains a significant threat in the cybercrime landscape.
(Source: HelpNet Security)