LockBit Leak Shows Affiliates Use Pressure Tactics, Rarely Get Paid

LockBit, one of the most prolific ransomware gangs operating today, was breached last week, and the leak lays out its inner operations in unusual detail. The leaked files, made briefly accessible through an onion site on the Tor network, gave researchers and security professionals a rare look into how LockBit runs its ransomware-as-a-service (RaaS) operation.

The breach, believed to originate from someone with access to LockBit’s infrastructure, exposed chat logs, ransomware build records, configuration files, Bitcoin wallet addresses, and affiliate identifiers. Ransomware groups usually control the spotlight; this time they have become the subject of analysis themselves.
Rhys Downing, a Security Operations Center analyst at Ontinue, led the in-depth review of the leaked data. His work details the operational methods of LockBit’s affiliate program, including how attackers build payloads, estimate ransom demands, and conduct negotiations.
Downing’s analysis also lays out the structured nature of LockBit’s ecosystem and breaks down the group’s infrastructure, showing just how organized this criminal network has become.
One of the most important pieces of the leaked data is a table known internally as “builds,” which logs every ransomware payload created by LockBit affiliates. Each record includes details like affiliate ID, public and private encryption keys, targeted company references, and declared ransom demands.
These estimates were entered manually by the attackers themselves before launching the payloads, which gives insight into their pricing strategies and target selection. Some entries were clearly exaggerated: values like “303kkk” ($303 million, each trailing “k” standing for a factor of 1,000) appear to be test data. Others showed a more calculated approach; one affiliate, for example, logged four builds with a combined declared value of over $168 million.
Despite hundreds of ransomware builds and aggressive ransom demands, only 7 out of 246 victims were recorded as having made a payment. Notably, none of those records showed confirmation that a decryption tool was delivered. Whether this reflects incomplete data or a deliberate omission remains unclear.
The numbers make one thing clear: most victims don’t pay, and even fewer see anything in return. This echoes the recent PowerSchool data breach, in which the education technology company paid an undisclosed ransom to prevent further fallout, only for the attackers to return with more demands, this time aimed at teachers and students.
As for LockBit, the leaked database showed that the field recording commissions paid to affiliates was greater than zero in just 2.8% of cases (consistent with 7 of 246). But even a nonzero commission isn’t definitive proof that a ransom was paid.
According to the Ontinue Threat Report, more than 4,000 chat transcripts between LockBit affiliates and victims were also leaked. These messages show a mix of calculated pressure, emotional manipulation, and outright threats. In several cases, affiliates dismissed pleas for mercy and doubled ransom prices without warning.
One affiliate responded to a company claiming it was a small firm: “Your size is irrelevant. Your data is valuable.”
Another conversation contained a message promoting LockBit’s affiliate program in a bizarre recruitment pitch: “Want a Lamborghini, a Ferrari and lots of ti**y girls? Sign up and start your pentester billionaire journey in 5 minutes with us.”
These conversations show that LockBit’s affiliates behave more like pushy sales reps than the stereotypical hacker. Their tactics range from psychological pressure to warnings against involving law enforcement or insurance providers.
What is notable in the data is the level of organization. LockBit uses modular payload builders, affiliate dashboards, and a strong backend infrastructure. Affiliates can tweak build configurations to control everything from which files to encrypt to whether the decryptor deletes itself after use.
They even ran a bug bounty program on one of their onion sites, offering rewards for vulnerabilities found in their infrastructure.
The leak also ties back to a past law enforcement action. Operation Cronos, a campaign led by the UK’s National Crime Agency with international partners, had previously exposed usernames linked to LockBit’s operations. Many of those usernames reappear in this new leak, matching the affiliate IDs found in the payload data.
Notable users included:
- Ashlin with the highest number of generated payloads
- Rich, Melville, and Merrick as other high-volume operators
This connection further confirms that the gang’s main team and high-level affiliates have remained consistent even after past takedown efforts.
Simply put, Ontinue’s analysis of the breached data clarifies a few things, chief among them that LockBit runs like a franchise: the core team provides the malware, affiliates carry out the attacks, and everyone takes a cut of the ransom.
The leak shows that many affiliates treat their attacks like sales calls, logging expected returns, managing negotiations, and following structured steps to pressure victims. But like most sales calls, the majority of these attempts appear to fall flat.
According to Saeed Abbasi, Manager of Vulnerability Research at Qualys, the breach is a valuable source of intelligence for defenders. “By understanding which systems LockBit targeted and how affiliates customized payloads, security teams can better prioritize patching, harden overlooked systems, and improve basic access controls,” he said.
LockBit’s use of Tor remains a key defence on their end, making their sites difficult to take down. However, the leak suggests that no system, even one run by cybercriminals, is truly secure.
The LockBit breach has pulled back the curtain on a ransomware operation that has affected businesses worldwide. It confirms what security experts have suspected for years: ransomware groups function like businesses, complete with affiliate onboarding, infrastructure management, and financial planning.
HackRead