Analyzing the LockBit Ransomware Negotiation Web Viewer

Dominic White, Ethical Hacking Director at Orange Cyberdefense, developed a web viewer for the LockBit ransomware negotiations, enabling analysis of victim-criminal interactions, Bitcoin transactions, and victim website associations. The tool highlights why organizations should not pay ransoms, but ethical concerns remain about exposing victim identities.

You Should Know: How the Web Viewer Was Built

Technical Steps & Commands

1. Data Extraction & Conversion

  • Acquired the leaked LockBit database (SQL format).
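  • Converted the MySQL dump to SQLite for lightweight processing. The command below strips only the ENGINE=InnoDB table option; other MySQL-specific syntax in a dump needs the same treatment before SQLite accepts it: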
    sed 's/ENGINE=InnoDB//g' lockbit_dump.sql | sqlite3 lockbit.db 
    

2. SQLite Database Setup

  • Used sql.js (WebAssembly SQLite) for browser-based queries:
    const SQL = await initSqlJs(); 
    const db = new SQL.Database(); 
    db.run("CREATE TABLE chats (id INT, message TEXT, victim_id INT)"); 
    

3. Bitcoin Transaction Lookup

  • Integrated blockchain APIs (e.g., Blockchair) to track ransom payments:
    curl "https://api.blockchair.com/bitcoin/dashboards/address/CRIMINAL_BTC_ADDRESS" 
    

4. Victim Website Correlation

  • Extracted URLs from crypter configs using SQLite JSON functions:
    SELECT victim_id, json_extract(config, '$.url') FROM victims; 
    

5. Frontend Implementation

  • Deployed a React-based viewer with search functionality:
    const results = db.exec("SELECT * FROM chats WHERE message LIKE '%ransom%'");
    

Ethical Considerations

  • Redaction Script (Python):
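    import re
    text = "Victim: ExampleCorp"  # constructed sample input
    # Mask the identifier that follows "Victim: "
    text = re.sub(r'(Victim:\s)([A-Za-z0-9]+)', r'\1[REDACTED]', text)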
    
  • Access Control (NGINX):
    location /viewer {
        allow 192.168.1.0/24;  # Internal defenders only
        deny all;
    }
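
An added example (not code from the viewer or from the project described here) that extends the redaction rule above to a whole database: each victim's hostname and name are replaced by a stable pseudonym, so chats stay correlatable without naming anyone. Table and column names follow the queries on this page; the `victims.config` JSON layout, the salt and all sample rows are constructed assumptions.

```python
import hashlib
import json
import re
import sqlite3
from urllib.parse import urlparse

SALT = b"constructed-demo-salt"  # assumption: a secret kept off the viewer host

def pseudonym(victim_id):
    # Same victim -> same token, so analysts can still group chats.
    digest = hashlib.sha256(SALT + str(victim_id).encode()).hexdigest()
    return f"[VICTIM-{digest[:8]}]"

def victim_host(url):
    if "//" not in url:
        url = "//" + url  # make urlparse treat a bare hostname as the netloc
    return (urlparse(url).hostname or "").removeprefix("www.")

def redact_message(message, host, label):
    if host:
        # Hostname with optional scheme, "www." and path, in any letter case.
        pattern = r"(?:https?://)?(?:www\.)?" + re.escape(host) + r"(?:/\S*)?"
        message = re.sub(pattern, label, message, flags=re.IGNORECASE)
    # The page's rule: mask the name that follows "Victim: ".
    return re.sub(r"(Victim:\s)([A-Za-z0-9]+)", r"\1" + label, message)

def redact_db(db):
    for victim_id, config in db.execute("SELECT victim_id, config FROM victims").fetchall():
        cfg, label = json.loads(config), pseudonym(victim_id)
        host = victim_host(cfg.get("url", ""))
        rows = db.execute("SELECT id, message FROM chats WHERE victim_id = ?", (victim_id,)).fetchall()
        for chat_id, message in rows:
            db.execute("UPDATE chats SET message = ? WHERE id = ?",
                       (redact_message(message, host, label), chat_id))
        cfg["url"] = label  # keep other config keys, drop the identifying URL
        db.execute("UPDATE victims SET config = ? WHERE victim_id = ?", (json.dumps(cfg), victim_id))
    db.commit()

def build_sample_db():
    # Constructed rows; the victims.config JSON layout is an assumption.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE chats (id INT, message TEXT, victim_id INT)")
    db.execute("CREATE TABLE victims (victim_id INT, config TEXT)")
    db.execute("INSERT INTO victims VALUES (1, ?)",
               (json.dumps({"url": "https://www.examplecorp.example/"}),))
    db.executemany("INSERT INTO chats VALUES (?, ?, ?)", [
        (1, "We saw your post about WWW.ExampleCorp.example/portal today", 1),
        (2, "Victim: ExampleCorp asks for a discount", 1)])
    return db
```

Run `redact_db(build_sample_db())` to see both sample messages rewritten. Because victim ids are small integers, the pseudonyms are only as private as the salt.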
    

What Undercode Say

This tool is a double-edged sword:

✅ Helps defenders analyze ransomware tactics.

❌ Risks exposing victims to further attacks.

Linux & Windows Commands for Ransomware Analysis

  • Analyze Bitcoin Transactions (Linux):
    chainalysis-cli --address 1AbCd... --output json 
    
  • Extract SQL Data (Windows):
    Get-Content lockbit.sql | Select-String -Pattern "ransom" 
    
  • Monitor Dark Web Leaks (Linux):
    curl -s "https://darkfeed.io/api/lockbit" | jq '.entries[] | .title' 
    

Prediction

Ransomware gangs will increase encryption speeds and automate negotiations using AI, making tools like this essential for defense.

Expected Output:

A secure, redacted version of the viewer shared only with vetted cybersecurity professionals.


Reported By: Dominicwhite Im – Hackers Feeds