The LockBit and AlphV Aftermath

The Power Struggle

The back-to-back collapse of LockBit and AlphV at the end of 2024 left a void in the ransomware ecosystem. These weren’t just high-volume operators. They shaped the market through their affiliate structures, negotiation strategies, and technical infrastructure. That order has now crumbled, creating a window of opportunity for others.

Last year, the number of active ransomware groups stood at 79. This year, it jumped to 95, with 52 new groups emerging in just twelve months. But the rise in quantity didn’t come with a rise in quality. Instead of offering affiliates robust support, many newcomers promise quick wins and fast deployment. Several are copying LockBit’s infrastructure and playbook. The group may be gone, but its shadow still looms large.

Affiliate Distribution and Migration

The collapse of major groups like LockBit and AlphV didn’t just leave a numerical gap—it disrupted the very structure of the ransomware ecosystem. The most significant shift has taken place in how affiliates relate to operator groups.

Previously, an affiliate had to prove technical skill to gain access to a top-tier group. In return, the group would provide tools, infrastructure, and hands-on support. The operator managed ransom negotiations and handled payments, giving the affiliate a predefined cut.

There was a sense of loyalty in this model—almost a corporate structure. LockBit, in particular, ran its operation like a company.

Evolution of the RaaS Model: From Organized Services to Open Chaos

What once resembled a corporate structure is now a chaotic market. The Ransomware-as-a-Service (RaaS) model—once centralized and selective—has unraveled into an open bazaar. Pre-packaged kits are now available for purchase, allowing even low-skill actors to launch attacks with minimal effort.

minim aute

Quis magna laborum excepteur magna reprehenderit aute. Ipsum veniam deserunt qui in magna eu id. Consequat pariatur nostrud deserunt dolor do.

esse ex

Officia ex aute occaecat officia ex proident do. Dolor eiusmod dolor ea aute.

irure in

Occaecat esse sit mollit minim laboris. Sunt incididunt proident elit reprehenderit ullamco.

The result?

More attacks

Less impact

A loss of seriousness

RaaS is no longer just a threat—it’s a business.

Some groups have begun offering additional services alongside ransomware kits, including:

  • Penetration testing reports
  • Credential and stealer data
  • Open port and DNS vulnerability scans

No More Affiliate Loyalty: Everyone Works with Everyone

Affiliates are no longer tied to one operator. Today, they work with multiple groups simultaneously, leading to new dynamics:

  • The same victim company is disclosed by different groups at different times.
  • The data is identical, the threat language unchanged—only the group name varies.

Negotiation Breakdown: Loss of Leverage

Ransomware’s strength has always come from more than just encryption—it came from psychological pressure at the negotiation table. But with LockBit and AlphV gone, that leverage has eroded.

New groups are loud in their threats, but weak in strategy. From the first message, there’s panic. Data is leaked within days, and negotiations often don’t even start. This approach reduces impact—and with it, the victim’s motivation to pay.

Legal ambiguity, shifting insurance policies, a disengaged media, and the growing “don’t pay, disclose instead” mindset are all weakening ransomware’s strongest weapon: the threat of public exposure.

The old era was professional, structured, and methodical. The new one is fast, cheap, and chaotic. The volume of threats is rising—but their credibility is fading. In the future, the real shift in ransomware may not be in how strong the threat is—but in how seriously victims take it.

Which ransomware groups have risen to fill the void? Meet the current top players.

PREVIOUS
NEXT