Xoxo to Prague


Welcome to this week’s edition of the Threat Source newsletter. 

I haven’t been to Prague in a while, which is a pity. It’s a wonderful city — great people, amazing food. I’ve visited customers there, held team meetings at the local office (shoutout to Petr!) and spent some memorable summer days off. But none of those are why I’m sending my greetings this time. 

Last week, anyone trying to access LockBit’s dark web affiliate panels was greeted by a defaced page with the message: 

“Don’t do crime CRIME IS BAD xoxo from Prague” 

Alongside the message was a download link for a compressed archive called “paneldb_dump.zip” — a 7.5MB file that extracts to a 26MB clear-text SQL dump containing 20 tables. The breach exposed a rare, unfiltered look into LockBit’s operations.

While most articles focused on the nearly 60,000 Bitcoin addresses or the credentials for 75 admins and affiliates (all with plaintext passwords), I have to admit that I was mesmerized by the “chats” table. With 4,423 messages distributed across 208 victims, spanning from Dec. 2024 to April 2025, these chats reveal the raw tactics, ransom demands and negotiation strategies of both affiliates and victims. Sometimes there was just a single unanswered message; in other cases, over 300 messages included “technical support” for unrecoverable files, and even requests for refunds.

Ransom demands varied widely, from just a few thousand dollars to as much as $2 million in one notable case. There were also several instances of confusion — some mistakenly thought the demand was “100,000 bitcoins” when it was actually “100,000 dollars in bitcoin.” Additionally, there was a case involving a hosting company breach, where it was the company’s customers who ultimately suffered the consequences. The chat exposed that LockBit had encrypted all the data with the same key; even though not all of the hoster’s customers were willing or able to pay, LockBit insisted the hoster pay the full amount, which made it difficult to collect the demanded ransom.

Negotiations were often pressured by tight deadlines, but European bank holidays on Good Friday, Easter Monday and May 1st further complicated the situation. Multiple times there were situations where the ransom demand increased after a specific deadline. I even found messages from victims asking for more time so they could gather funds in smaller amounts to avoid detection under local anti-money laundering laws. 

In another chat, a victim tried to negotiate by pleading inability to pay a $100k ransom, only to be told, “Seven directors at 14k can’t chime in?” This clearly shows that the “Analytics Department” of LockBit did their homework. 

The level of “trust” placed in affiliates was also striking. Messages included:


Interestingly, that last service was offered for an extra fee. Let me share some of their $10,000 “tips” for free:


With these $10,000 tips, I personally think it would be better to get advice before an incident from Talos Incident Response. They can also provide guidance and proactive support as part of the Talos IR Retainer.

The LockBit leak is a rare window into the mechanics of cybercrime and the human stories behind the headlines. And, for now, xoxo to Prague.

The one big thing 

Cisco Talos has observed a growing trend of attack kill chains being split into two stages — initial compromise and subsequent exploitation — executed by separate threat actors. In response to these evolving threats, we have refined the definitions of initial access brokers (IABs) to include subcategories such as financially-motivated initial access (FIA), state-sponsored initial access (SIA), and opportunistic initial access (OIA).   

Why do I care? 

This trend complicates traditional threat modeling and actor profiling, as it requires understanding the intricate relationships and interactions between various groups. For example, hunting and containment strategies that may defend against one type of IAB may not be suitable for another. 

So now what? 

We have identified several methods for analyzing compartmentalized attacks and propose an extended Diamond Model, which adds a “Relationship Layer” to enrich the context of the relationships between the four features. Familiarize yourself with the new taxonomy we propose, and incorporate this new methodology for modeling and tracking compartmentalized threats into your toolkit. 

Top security headlines of the week 

Operation Moonlander  
A criminal proxy network that has been around for more than 20 years and was built on thousands of infected IoT and end-of-life (EoL) devices was dismantled in an international operation. (U.S. Attorney’s Office)

Supply Chain Compromise  
A deprecated Node.js package with more than 40k downloads per week, “rand-user-agent”, has been compromised with a malicious payload dubbed “RATatouille”. This is a clear case of a supply chain attack. (Aikido)

Ascension Health Data Breach Impacts Over 430,000 
Healthcare provider Ascension has disclosed a data breach affecting over 430,000 patients. (Bleeping Computer)

Germany Shuts Down eXch Over $1.9B Laundering 
German authorities have shut down the cryptocurrency mixer eXch due to its alleged involvement in laundering approximately $1.9 billion in illicit funds, seizing a large amount of cryptocurrency and data. (BKA, German language)

Can’t get enough Talos? 

Talos Takes
Follow the motive: Rethinking defense against Initial Access Groups. Listen here.

Talos in the news
Initial Access Brokers Target Brazil Execs via NF-e Spam and Legit RMM Trials (The Hacker News)

Why MFA is getting easier to bypass and what to do about it (Ars Technica)

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: e00aa8146cf1202d8ba4fffbcf86da3c6d8148a80bb6503d89b0db2aa9cc0997 
MD5: eae884415e5fd403e4f1bf46f90df0be 
VirusTotal: https://www.virustotal.com/gui/file/e00aa8146cf1202d8ba4fffbcf86da3c6d8148a80bb6503d89b0db2aa9cc0997  
Typical Filename: paneldb_dump.zip 

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Typical Filename: VID001.exe 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 
MD5: 7bdbd180c081fa63ca94f9c22c457376 
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Typical Filename: c0dwjdi6a.dll 
Claimed Product: N/A 
Detection Name: Trojan.GenericKD.33515991 

Cisco Talos Blog – Read More