Data Leak Reveals LockBit Ransomware Group Expanding Targeting Strategies

Recent analysis of data leaked from the LockBit ransomware group’s administrator panel indicates a troubling trend: the group’s affiliates have increasingly targeted organizations in China. This development suggests a shift in strategy for LockBit, which had previously focused on different demographics.
In an unusual twist, a hacker defaced LockBit’s leak site in May, leaving a stark message against crime, and subsequently leaked a significant database documenting admin activities from December 2024 to April 2025. According to cybersecurity firm Trellix, this data appears authentic, although incomplete, and reflects the group’s ongoing efforts to adapt following substantial law enforcement crackdowns.
The leaked information reveals that LockBit affiliates attacked 156 organizations during the specified timeframe, with the majority of the targets situated in China. This dataset, approximately 7.5 megabytes in size, includes valuable communications among affiliates and Bitcoin wallet addresses, highlighting the group’s operational methods.
Trellix’s analysis points to LockBit’s apparent willingness to operate within Chinese borders despite potential political ramifications, a strategic deviation that may indicate the group’s desperation to remain influential amidst mounting pressure from global law enforcement.
John Fokker, Trellix’s head of threat intelligence, noted that deciphering the motivations behind these attacks remains challenging. However, he indicated that LockBit’s aggressive pivot towards Chinese targets could be an attempt to regain relevance in the competitive ransomware landscape.
The events of 2024 were particularly harsh for LockBit, marked by significant disruptions from law enforcement, including the seizure of 35 servers linked to the group. These operations have led to a fragmentation of their affiliate networks, stirring distrust among criminals and challenging their business model.
The rise in attacks against Chinese entities may be attributed to an influx of less experienced affiliates, emboldened by the narratives that come with lower-risk operations. This trend emphasizes the risks associated with engaging inexperienced actors, who may breach traditional operational norms, such as avoiding certain geographic targets.
Moreover, the leaked data indicates a willingness among LockBit affiliates to launch attacks even against Russian government agencies, a behavior strongly frowned upon within the cybercrime community. In these instances, LockBit attempted to mitigate backlash by issuing decryptors, though their effectiveness was reportedly lacking.
As the cybersecurity landscape evolves, Russian authorities have begun enhancing their legislative stance on cybercrime in response to increasing threats. Discussions are ongoing about the implications of these legislative changes for ransomware operations like LockBit. With various adversary tactics prevalent in ransomware attacks—such as initial access, persistence, and privilege escalation—the ongoing transformation of LockBit represents not just a challenge for its affiliates, but also signals a broader shift in the global ransomware threat landscape.