
By CyberThreat Research Lab
In May 2025, the LockBit ransomware group was itself breached, and its internal SQL database along with thousands of affiliate chat logs were published by a purported hacktivist who claims to be from Prague. The leak offers a firsthand view of how a large ransomware-as-a-service (RaaS) operation infiltrates victims and negotiates extortion. Files show that automotive organizations of all sizes — OEM dealerships, Tier 1 suppliers, parts distributors, and transport operators — have been actively targeted by LockBit. Attackers exploited familiar weaknesses: unpatched VPN appliances, weak credentials, and flat Active Directory networks. The chats even list the exact controls that would have stopped them, giving automotive CISOs a practical blueprint for defense. In this article, we extract the lessons from this incident and turn them into concrete actions for ensuring cybersecurity in the automotive industry.
Inside the LockBit franchise
The leak adds a few hard facts to what was previously guesswork about LockBit’s hierarchy. At the apex sits an operator who signs messages as matrix777. Affiliates pay US$777 for portal access, and then keep 80% of any ransom while forwarding 20% to matrix777 in return for the working decryptor. Chat traffic shows a separate open-source intelligence (OSINT) and data analysis group that values stolen files and drafts pressure tactics. When affiliates need new builds or decryptors, they open tickets on the internal platform — often addressing the infrastructure team in Russian — confirming a dedicated support layer beneath the frontline negotiators.
Figure 1. LockBit ransomware group architecture
LockBit’s victims in the automotive industry
The leaked LockBit database confirms that more than 10 automotive-related companies have been in the group’s crosshairs. Targets span the full supply chain: vehicle importers with large dealership networks in Mexico; an electric two-wheeler manufacturer serving the South Asian market; tire and aftermarket parts distributors operating in Europe, the Middle East, and East Asia; and a passenger transport company running regional buses in Brazil. This variety demonstrates that no corner of the industry is immune; attackers will pursue any operation whose disruption could ripple through production, logistics, or retail sales.
LockBit’s focus on automotive firms is rooted in the automotive industry’s deep dependence on IT. Dealership management platforms, supplier enterprise resource planning (ERP) systems, and fleet-tracking servers all connect to one another, so a single ransomware incident can halt vehicle deliveries or parts shipments across multiple regions. The chat logs show affiliates casually discussing these victims and the data already in their possession, confirming that compromises and extortion attempts are not hypothetical. For cybersecurity teams inside automotive manufacturers (OEMs), Tier 1 suppliers, and dealer groups, the message is unambiguous: Sophisticated ransomware gangs have the automotive landscape firmly in their sights.
How LockBit breaks in and takes control of automotive networks
Chat transcripts and build configuration flags outline a repeatable playbook that affiliates follow once they set their sights on an automotive target.
It starts at the edge. One victim was told, “We got into your network through a vulnerability in your FortiVPN,” confirming that an unpatched gateway can be a single point of failure. Weak passwords provide another path: In one breach, the intruder logged in as al[REDACTED]/B[REDACTED]123456 and jeered, “nice pwd.” When neither door is open, a crafted email finishes the job. An affiliate summed up a successful lure: “We got to you through phishing, captured the domain, and then the admin host Vincent… no insiders, just random phishing through the manager.”
After that first step, the attack accelerates. A telling chat reads, “We got into the network through a manager with user priv, and [dumped] NTLM local admin access on all the hosts in the domain.” With the NTLM hashes in hand, the attackers reuse them to reach Domain Administrator in short order, giving them authority to roam the forest. The leaked build script shows what they do next. Flags such as local_disks and network_shares switch on automated scanning of every accessible drive and share, while kill_processes and kill_defender stop antimalware engines and backup agents that might block encryption.
Backups themselves are a priority target. One affiliate notes that “backups do not show in the domain and NAS,” a check on whether repositories are reachable from the compromised domain; when they are, they can be encrypted together with production data. Hypervisors follow, as evidenced by separate decryptors offered for Windows and ESXi systems inside the same chats. Throughout the run, the malware logs progress to files such as /tmp/lockbit.log or decrypt.llg, artifacts later used as proof that the attackers can indeed unlock what they have just frozen.
Every weakness called out by the intruders — old VPN patches, simple passwords, a flat domain, backups left online — comes straight from their own words or code. That makes the leak more than a curiosity; it is a checklist of gaps that automotive defenders can close before the next affiliate tries the same script.
Figure 2. Typical attack chain for LockBit ransomware affiliates
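The progress files named above are cheap to look for. The script below is an added example written for this article, not tooling from the Lab or from the leak: it sweeps temp directories for files whose name starts with “lockbit” or ends in .llg (the same rule the practical steps at the end of this article recommend), records where each hit lives and how large it is, and pulls the first lines so an analyst can confirm what the file is. The directory it scans in the demo is a constructed fixture built at run time; the choice of temp locations, the hit format, and the three-line preview are this example’s own assumptions.

```python
"""Hunt temp directories for LockBit progress artifacts (added example)."""
import os
import re
import shutil
import tempfile
from pathlib import Path

# Name patterns drawn from the artifacts quoted in the leak (lockbit.log, decrypt.llg).
# Affiliates can rename them, so treat a hit as a trigger to investigate, not the only check.
ARTIFACT_RULES = {
    "name_starts_with_lockbit": re.compile(r"^lockbit", re.IGNORECASE),
    "llg_extension": re.compile(r"\.llg$", re.IGNORECASE),
}


def candidate_temp_dirs() -> list:
    """Temp locations to sweep: /tmp on Linux and ESXi shells, %TEMP% and
    C:\\Windows\\Temp on Windows. Assumption: the hunter has read access."""
    dirs = ["/tmp", os.environ.get("TEMP", ""), r"C:\Windows\Temp"]
    return [d for d in dirs if d and Path(d).is_dir()]


def read_head(path: Path, limit: int = 3) -> list:
    """First few lines of a hit, for triage; unreadable files yield an empty list."""
    try:
        with open(path, "r", errors="replace") as fh:
            return [line.rstrip("\n") for _, line in zip(range(limit), fh)]
    except OSError:
        return []


def hunt(roots) -> list:
    """Walk each root recursively and return one finding per matching file."""
    findings = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for path in root.rglob("*"):
            if not path.is_file():
                continue
            for rule, pattern in ARTIFACT_RULES.items():
                if pattern.search(path.name):
                    findings.append({
                        "path": str(path),
                        "name": path.name,
                        "rule": rule,
                        "size": path.stat().st_size,
                        "head": read_head(path),
                    })
                    break  # one finding per file is enough
    return findings


def build_fixture() -> Path:
    """Constructed sample tree: two artifacts and two benign files (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="lockbit_hunt_"))
    (root / "lockbit.log").write_text(
        "[constructed] scanning network_shares\n[constructed] encrypting local_disks\n")
    (root / "vm").mkdir()
    (root / "vm" / "decrypt.llg").write_text("[constructed] decryptor run started\n")
    (root / "notes.txt").write_text("quarterly parts forecast\n")
    (root / "vm" / "vmware.log").write_text("benign hypervisor log\n")
    return root


def cleanup(root) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # Demo against the fixture; for a live host pass candidate_temp_dirs() instead.
    demo_root = build_fixture()
    try:
        for hit in hunt([demo_root]):
            print(f"{hit['rule']:26} {hit['path']} ({hit['size']} bytes)")
            for line in hit["head"]:
                print("     ", line)
    finally:
        cleanup(demo_root)
```

Run it with `hunt(candidate_temp_dirs())` on a suspect host, or feed it the mount point of a forensic image; any hit is evidence of an active or recent encryption run and should start the isolation playbook rather than a cleanup.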
Turning stolen data into commercial pressure
LockBit affiliates do far more than lock files. They monetize every stolen drawing, parts list, and customer record by threatening reputational and legal fallout. After one stalled negotiation, an operator wrote, “I sold your data, wait for a lawsuit.” In another chat, the same affiliate warned that details of compromise would be sent to customers, predicting a backlash that could “put you on the verge of closing down.”
Regulatory and legal angles are used just as aggressively. “Expect lawsuits from the victims,” one message states, adding that the team is already collecting contact lists for regulators, journalists, and competitors. When negotiating with larger brands, the attackers study public filings and cyber insurance disclosures, and then set six-figure demands that match the coverage that they believe exists. A brief “20% discount” might appear early in talks, but it vanishes once the affiliate confirms how much regulatory exposure or customer data liability the victim faces.
The chats even show victims trying to redirect the threat toward rivals. One plea offered the IP address of a competing firm in mainland China, to which the attacker replied, “What China company?” The response underscores the group’s mercenary stance: Data is currency, and any firm in the supply chain can be targeted next. For automotive businesses, the lesson is clear: A ransomware event is not only about decryption keys, but also about preventing intellectual property from landing in a competitor’s inbox and stopping class action suits from customers whose records have been sold.
Ransom economics and negotiation patterns
LockBit’s pricing is not guesswork. The chats reveal dedicated OSINT and data analysis staff who review open financial filings, cyber insurance clauses, and even LinkedIn profiles to size up a victim’s ability to pay. Affiliates boast that “our OSINT team is collecting contacts of regulators, journalists, and competitors,” while another message notes that “a team of lawyers is studying your financial documentation.” Those specialists feed their findings to negotiators, who adjust opening demands and discount ceilings accordingly. Large enterprises that carry ransomware coverage or face high regulatory fines see little room for bargaining, whereas small shops that show cash limits up front can secure sharper reductions, provided that they respond fast. Table 1 captures the tiers and tactics observed in automotive cases.
| Victim profile | Opening demand | Typical “floor” | Negotiation tricks seen in logs |
|---|---|---|---|
| Small dealer/workshop | 0.2 – 1 BTC | ~3,000 – 5,000 USD | Rapid 50% discount if CFO answers same day |
| Regional supplier | 50,000 – 132,000 USDT | 15,000 – 50,000 USDT | “Discount clock” banners |
| Global OEM/Tier 1 supplier | 2M+ USD | Negotiations capped at 10% – 20% off | Affiliates quoting cyber insurance wording verbatim |
Table 1. Tiers and tactics observed in LockBit automotive cases
(Note: BTC = bitcoin, USD = US dollar, USDT = Tether.)
Practical steps to block or limit LockBit attacks or similar incidents
The LockBit ransomware group poses a serious threat to the automotive industry, where interconnected systems and distributed operations — from manufacturing plants to dealership networks — can amplify the impact of a breach. Given the group’s tactics and the high-value environments that it targets, automotive organizations need to be especially vigilant. The following practical steps are designed to help OEMs, suppliers, and dealership networks block or limit a LockBit or similar attack by securing vulnerable entry points, containing lateral movement, and safeguarding business continuity. Together, these actions support a stronger, more resilient cybersecurity posture across the entire automotive ecosystem.
- Secure the edge first. Most LockBit breaches started at an internet-facing service that was running outdated code. Keep a rolling watch on vulnerability advisories for VPN gateways, web portals, and firewall firmware, and patch as soon as fixes appear. Wherever possible, move administration pages onto a management network that staff reach only through an internal VPN or jump server.
- Stop weak credentials from opening doors. One affiliate laughed after logging in with the password “B[REDACTED]123456.” Enforce strong, unique passwords on every account and add multifactor authentication (MFA) to remote-access paths such as VPN, RDP, and remote-support software. Deploy an Active Directory password filter that blocks any password already found in public breach lists.
- Segment the domain. A flat Windows forest lets an attacker turn one compromised user into total control. Separate manufacturing, dealership, and corporate zones, adopt a tiered administration model so that workstation-level accounts can never log on to domain controllers, and use firewalls between workstation networks and domain controllers to slow lateral movement.
- Protect backups as if they were production. Chat logs show attackers encrypting domain-joined backup shares before touching user data. Keep at least one copy on immutable cloud storage or offline tape, rotate backup server credentials, and alert on any unexpected backup job failure.
- Harden VMware hosts. The leak confirms a Linux payload designed for ESXi, able to lock many virtual machines at once. Enable ESXi lockdown mode, require MFA on vCenter, apply security patches promptly, and place hypervisor management interfaces on an isolated network segment.
- Hunt for LockBit artifacts. The ransomware writes progress files such as /tmp/lockbit.log and decrypt.llg. Add detection rules that flag any file whose name starts with “lockbit” or ends in .llg in system temp folders, and treat these findings as evidence of an active breach.
- Rehearse the worst-case scenario. Victims without a plan negotiated under pressure and faced longer outages. Run tabletop exercises that simulate a factory virtualization lockout or a dealership customer relationship management (CRM) encryption event. Include steps to isolate domain controllers, verify offline backups, and decide when and how to engage with attackers.
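The “stop weak credentials” step above calls for a password filter that rejects anything already in a public breach list. The code below is an added example, not the Lab’s or any vendor’s filter, showing the check such a filter performs using the k-anonymity pattern: only the first five hex characters of the SHA-1 hash leave the client, and the matching is done locally against the returned suffixes. The breach corpus, its counts, the 14-character floor, and the trailing-digits heuristic (aimed at passwords like the “B[REDACTED]123456” quoted in the chats) are all constructed for the demo; in production the `range_lookup` callback would query a real breach-list service instead of the in-memory index.

```python
"""Breached-password check with the k-anonymity pattern (added example)."""
import hashlib
import re
from collections import defaultdict

# Constructed mini breach corpus standing in for a public breach list.
# The passwords and counts are made up for the demo.
CONSTRUCTED_BREACHED = {
    "123456": 5,
    "password": 4,
    "Password123456": 3,
    "Welcome2024!": 2,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the digest breach-list APIs key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict) -> dict:
    """Group hash suffixes under their 5-char prefix, as a server-side index would."""
    index = defaultdict(list)
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)
QUERIES_SEEN = []  # everything the "server" learns about each query


def demo_range_lookup(prefix: str) -> str:
    """Stand-in for a range query: returns 'SUFFIX:COUNT' lines for one prefix."""
    QUERIES_SEEN.append(prefix)
    return "\n".join(RANGE_INDEX.get(prefix, []))


def breach_count(password: str, range_lookup=demo_range_lookup) -> int:
    """How many times the password appears in the corpus, 0 if absent.
    Only the 5-char hash prefix is sent; the suffix comparison happens here."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


TRAILING_DIGITS = re.compile(r"\d{4,}$")  # heuristic, an assumption of this example


def evaluate_password(password: str, min_length: int = 14) -> list:
    """Reasons a password filter would reject the candidate; empty means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if TRAILING_DIGITS.search(password):
        reasons.append("ends in a run of digits (e.g. ...123456)")
    hits = breach_count(password)
    if hits:
        reasons.append(f"found {hits} time(s) in breach corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ["Password123456", "B-dealer-2025-Welcome!", "qwerty"]:
        verdict = evaluate_password(candidate)
        print(f"{candidate!r}: {verdict or 'accepted'}")
    print("prefixes disclosed to the lookup service:", QUERIES_SEEN)
```

Wire `evaluate_password` into whatever enforces password changes (a password-filter DLL on domain controllers or a self-service reset portal) and log the rejection reasons rather than the password; the `QUERIES_SEEN` list exists only to make visible that a breach-list query never carries the full hash.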
Selected affiliate chat logs that shed light on LockBit’s attack path, business behavior, group features, and ransomware features are published as a companion to this article.