LockBit Ransomware Group Exposed: Storing Passwords in Plaintext

By /

Listen to this Post

Featured Image
One of the most notorious and sophisticated Ransomware-as-a-Service (RaaS) groups, LockBit, has had its internal database leaked. This dump is a goldmine for cybersecurity researchers, revealing:
– BTC addresses
– Victim chat logs
– Ransomware build information
– Plaintext passwords

Despite priding themselves on encryption, the group failed to follow basic security practices—storing passwords in plaintext.

You Should Know: How to Securely Store Passwords

1. Hashing vs. Encryption

  • Encryption is reversible (with a key).
  • Hashing is one-way—ideal for password storage.

Linux Command to Hash a Password (SHA-512):

echo "password123" | openssl passwd -6 -stdin

2. Using bcrypt (Stronger Hashing)

import bcrypt

Hashing a password 
password = b"super_secret_password" 
hashed = bcrypt.hashpw(password, bcrypt.gensalt()) 
print(hashed.decode())

Verifying a password 
if bcrypt.checkpw(password, hashed): 
print("Password matches!")

3. Secure Password Storage in Databases

  • Never store plaintext passwords.
  • Use salted hashes to prevent rainbow table attacks.

Example (MySQL):

CREATE TABLE users ( 
id INT AUTO_INCREMENT PRIMARY KEY, 
username VARCHAR(50) NOT NULL, 
password_hash CHAR(60) NOT NULL, -- bcrypt hash 
salt VARCHAR(29) NOT NULL 
);

4. Windows Security Best Practices

  • Enable LSA Protection (Prevents credential theft): 
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
  • Disable WDigest (Prevents plaintext password caching): 
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 0 /f

5. Detecting Plaintext Passwords in Logs

grep -r "password=" /var/log/

What Undercode Say

LockBit’s failure highlights a common flaw in cybercriminal operations—overconfidence in their own security. Even advanced threat actors make basic mistakes.

Key Takeaways:

✅ Always hash passwords (bcrypt, Argon2, PBKDF2).

✅ Use multi-factor authentication (MFA) to reduce breach impact.

✅ Audit logs for accidental plaintext exposures.

✅ Monitor database access to detect leaks early.

Linux Command to Audit Passwords in Files:

find / -type f -exec grep -l "password=" {} \; 2>/dev/null

Windows Command to Check Stored Credentials:

cmdkey /list

Prediction

As ransomware groups evolve, more internal leaks will expose their operational weaknesses. Expect increased law enforcement takedowns due to poor operational security (OpSec).

Expected Output:

  • Hashed passwords (bcrypt, SHA-512).
  • Secured databases (salted hashes).
  • Disabled plaintext credential caching (Windows).
  • Detection of plaintext passwords in logs.

Stay secure. 🔒

References:

Reported By: James O – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram

Related Posts: