Ransomware Inc. The Business Model Behind LockBit's Millions

Ransomware isn't what it used to be: it has gotten a corporate makeover. What began as the work of lone hackers has evolved into a sophisticated business model known as Ransomware-as-a-Service (RaaS). In this setup, ransomware developers and a network of affiliates collaborate like any legitimate enterprise (minus the part where they extort people).
Unlike traditional companies, ransomware groups don't publish earnings reports or financial disclosures. Their operations stay in the shadows - until something goes wrong. Occasionally, these groups become targets themselves, and when they do, we get a rare glimpse behind the curtain.
This article explores one such moment. On May 7th, 2025, arguably the most notorious ransomware group, LockBit, had its panel defaced, exposing a link to a dump of its internal database. The data revealed that the panel had been in operation since at least December 18th, 2024, based on early test entries in the database. While the leak has drawn attention for its technical and operational revelations, this analysis takes a different approach: it focuses on the economic structure behind LockBit's operations - how LockBit recruits affiliates, manages operations, and generates profit. In doing so, we aim to shed light on the inner workings of the underground economy of cybercrime.
Inside the LockBit Panel
The leaked database revealed a sophisticated backend system - essentially a control panel for managing a global extortion operation. It included everything from user accounts and victim profiles to ransomware build information and chat messages exchanged between affiliates and victims.
Through this panel, affiliates could generate customized ransomware payloads for different environments such as Windows, Linux, and ESXi. The system also stored detailed information about LockBit's victims (or "clients", as they are called internally). Each victim had an assigned public key, a responsible affiliate, a payment status, and a complete chat history with the affiliate, including features like message read receipts.
One particularly eyebrow-raising detail: affiliate passwords were stored in plaintext. A surprising move for a group that claims to be all about operational control. But hey, even cybercrime syndicates cut corners on cybersecurity.
Essentially, we got a preview of a modern CRM (Customer Relationship Management) system - this time not for selling products or services, but for extortion.

A Day in the Life of a LockBit Affiliate
Affiliates are individuals enrolled in LockBit's affiliate program; think of them as franchisees in the ransomware world. After gaining access to the panel, they are granted permissions to build specific versions of the LockBit ransomware. These builds are then deployed to victim systems, either through access the affiliate obtained themselves or via third-party brokers.
When a victim is compromised, they are directed to LockBit's infrastructure, where they land in a private chatroom assigned to the affiliate who infected them. This is where the real business begins: negotiation, manipulation and psychological warfare.
While affiliates often present themselves as cold and transactional, the chat logs reveal a more manipulative side. Affiliates frequently use everything from manufactured urgency to subtle threats, designed to wear victims down and push them towards payment.

When a ransom is agreed upon, the affiliate generates a new Bitcoin wallet (in this article, we will call it a ransom wallet) to receive the payment. These wallets are created and controlled by the affiliate and are thus not stored directly in the LockBit panel database; they can be found in the negotiation chats.
After receiving the ransom, the affiliate is expected to send 20% of it to a commission wallet (an address that is pre-generated and stored in the panel for each affiliate-victim pair). These commission wallets are under LockBit's control and serve as the group's cut of the ransom payments.
While the affiliates' share (80%) is usually moved quickly through additional wallets or cryptomixers (services designed to obscure the origin of funds), the commission wallets remain largely untouched. The funds sit dormant, likely waiting for a time when they can be withdrawn without drawing the attention of law enforcement.

Recruiting New Criminals: The Affiliate Onboarding Funnel
LockBit curates a list of invitations in its panel, each with a specific Bitcoin or Monero wallet and an amount to be paid. The fee for aspiring affiliates ranges from around $700 to $810. After the fee is transferred, LockBit creates a new user in the database and assigns them the role of newbie. The affiliate then officially gets access to the panel and is able to deploy LockBit ransomware and use the group's infrastructure for ransom negotiations. Startup costs, criminal edition.
The dump contained more than 3,600 invitations, each with a wallet for paying the fee in either Bitcoin or Monero. Because Monero wallets are difficult to trace, we cannot say for sure how many panel fees were paid in total. But among the invitations that used Bitcoin, only 12 users actually paid the invitation fee during the operation of the panel.
The Revenue Picture
Every LockBit client has an entry in the panel's table. The group collects data about the victim's website, their expected revenue, whether they are an important client or not, and their assigned master public key (the tables in the database also show a column for the private key, but it is empty for every victim). Since December 2024, the database contained a total of 246 victims, 208 of whom actually connected to the dedicated chat and started negotiations. However, from examining the commission and ransom wallets, only 19 paid the ransom. The total amount of ransom extorted was 24.8 BTC ($2,660,484 as of June 26th, 2025), of which 20% went to the LockBit operators and 80% to the affiliates.
The following figures show the timeline of LockBit's commissions (the 20% of each ransom that went to LockBit) and the number of successfully attacked victims whose ransom was paid.

In total, there were 40 active affiliates registered in the panel. Ten of them registered by paying the invitation fee, while the rest obtained the affiliate role by unknown means - they were probably either affiliates from before the panel was created or registered in another way. Of all the affiliates enrolled, 35 started negotiations, but only 10 made a profit. In the following plots, we can see those top 10 affiliates and how successful they were (their 80% share of the ransom extorted), as well as how many messages they exchanged with the victims.
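The payment flow described under "A Day in the Life of a LockBit Affiliate" (one ransom wallet per victim taken from the chat, one pre-generated commission wallet per affiliate-victim pair, 20% owed to the operators) and the funnel counted in this section (victims listed, victims that opened the chat, victims that paid, per-affiliate earnings) can be reproduced as a single reconciliation routine over panel rows and wallet observations. The following is an added example, not code from the article or from LockBit's panel: the victim rows, wallet labels and amounts are constructed placeholders, the affiliate names are invented, and the 2% tolerance for on-chain fees is an assumption.

```python
"""Reconcile ransom and commission wallets to rebuild a RaaS revenue picture.

Added example; not code from the original article and not LockBit's panel code.
Every record below is constructed: wallet strings are placeholders, amounts are
made up, affiliate names are invented.  Only the 20%/80% split and the funnel
stages (listed -> negotiated -> paid) come from the article.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

COMMISSION_RATE = 0.20   # operator's cut of each ransom, per the article
TOLERANCE = 0.02         # 2% slack for on-chain fees and rounding (assumption)


@dataclass
class Victim:
    """One row of a (constructed) panel 'clients' table plus chat-derived data."""
    victim_id: int
    affiliate: str
    commission_wallet: str               # pre-generated per affiliate-victim pair
    messages: int = 0                    # 0 means the victim never opened the chat
    ransom_wallet: Optional[str] = None  # affiliate-controlled; taken from the chat


@dataclass
class Activity:
    """Constructed on-chain view of one address: total inflow and outflow."""
    received: float = 0.0
    sent: float = 0.0


def commission_status(ransom_received, commission_received):
    """Compare the commission wallet's inflow with the 20% the operator expects."""
    expected = ransom_received * COMMISSION_RATE
    if abs(commission_received - expected) <= expected * TOLERANCE:
        return "ok"
    return "short" if commission_received < expected else "excess"


def reconcile(victims, activity):
    """Build the funnel, the operator/affiliate split, and per-affiliate earnings.

    A victim counts as 'negotiated' if any chat message exists and as 'paid' if
    the ransom wallet named in the chat shows an inflow.  Commission wallets with
    inflow but no outflow are reported as dormant, the pattern the article notes.
    """
    per_affiliate = defaultdict(float)
    paid, dormant, commission_issues = [], [], []
    total_ransom = total_commission = 0.0

    for v in victims:
        ransom_in = activity.get(v.ransom_wallet, Activity()).received if v.ransom_wallet else 0.0
        if ransom_in <= 0:
            continue                      # listed or negotiated, but never paid
        paid.append(v.victim_id)
        total_ransom += ransom_in
        per_affiliate[v.affiliate] += ransom_in * (1 - COMMISSION_RATE)

        cw = activity.get(v.commission_wallet, Activity())
        total_commission += cw.received
        status = commission_status(ransom_in, cw.received)
        if status != "ok":
            commission_issues.append((v.victim_id, status))
        if cw.received > 0 and cw.sent == 0:
            dormant.append(v.commission_wallet)

    ranking = sorted(per_affiliate.items(), key=lambda kv: kv[1], reverse=True)
    return {
        "listed": len(victims),
        "negotiated": sum(1 for v in victims if v.messages > 0),
        "paid": len(paid),
        "total_ransom_btc": round(total_ransom, 8),
        "operator_expected_btc": round(total_ransom * COMMISSION_RATE, 8),
        "operator_received_btc": round(total_commission, 8),
        "affiliate_ranking": [(a, round(btc, 8)) for a, btc in ranking],
        "dormant_commission_wallets": dormant,
        "commission_issues": commission_issues,
    }


# Constructed sample data (placeholders, not real addresses or transactions).
SAMPLE_VICTIMS = [
    Victim(1, "aff_a", "cw-1", messages=40, ransom_wallet="rw-1"),
    Victim(2, "aff_a", "cw-2", messages=12, ransom_wallet="rw-2"),  # refused to pay
    Victim(3, "aff_b", "cw-3"),                                     # never connected
    Victim(4, "aff_b", "cw-4", messages=25, ransom_wallet="rw-4"),
    Victim(5, "aff_c", "cw-5", messages=30, ransom_wallet="rw-5"),
    Victim(6, "aff_c", "cw-6", messages=5),                         # no wallet in chat
]
SAMPLE_ACTIVITY = {
    "rw-1": Activity(received=2.0, sent=2.0),    # affiliate moved funds on quickly
    "cw-1": Activity(received=0.4),              # full 20%, left dormant
    "rw-4": Activity(received=1.0, sent=1.0),
    "cw-4": Activity(received=0.2),              # full 20%, left dormant
    "rw-5": Activity(received=0.5, sent=0.5),
    "cw-5": Activity(received=0.05, sent=0.05),  # operator shortchanged, then moved
}

if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_VICTIMS, SAMPLE_ACTIVITY).items():
        print(f"{key}: {value}")
```

On the constructed data the routine yields a funnel of 6 listed, 5 negotiated and 3 paid, 3.5 BTC extorted with 0.7 BTC owed to the operators but only 0.65 BTC actually received, two dormant commission wallets, and one affiliate flagged for a short commission; the same shape of output is what the 246/208/19 figures above summarize.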

Final Thoughts: Crime as Business
LockBit’s panel leak is one of the clearest examples we’ve seen of Ransomware-as-a-Service functioning like a tech startup, except its “value proposition” is fear, pressure and extortion.
The business was powered by a surprisingly systematic affiliate model, built-in infrastructure, and financial incentives. Despite the flood of invitations and flashy promises, the majority of affiliates never got paid. Of the 246 victims listed, just 19 paid, suggesting most either lacked the funds or simply refused to play along. If this all sounds like a parody of a VC-backed startup pitch, it kind of is. But the impact is real, and the profits (while smaller than the headlines suggest) are still enough to fund the next wave of extortion innovation.
For readers interested in a more technical breakdown of the LockBit panel and its components, Trellix published an in-depth reverse engineering analysis available here.