The Fall of LockBit and the Rise of 2025 Ransomware Chaos

In mid-2025, the state of ransomware was shaped by the fall of the once-dominant LockBit and the chaos that has emerged in the vacuum it left. “Low-effort” ransomware groups have stepped in to fill the gap in the cybercrime ecosystem.

In this episode of Leaky Weekly, our cybercrime current events podcast, Tammy Harper, Senior Threat Intelligence Researcher at Flare, joins host and security researcher Nick Ascoli to discuss the ripple effects of Operation Cronos, which contributed to the unraveling of LockBit’s reputation, and what this shakeup caused in the ransomware world.

Tune in to the podcast below on Spotify or Apple Podcasts, check out the video episode on YouTube, and/or keep reading this article for the highlights.

LockBit’s Fall from Grace Was Both Strategic and Symbolic

Once the dominant force in ransomware, LockBit’s demise came not from a single blow, but from a calculated attack on its most critical asset: its reputation. Operation Cronos, a coordinated law enforcement takedown of LockBit infrastructure, was devastating. But the deeper damage came from what was discovered after the raid—data that should’ve been deleted per ransom agreements was still live on their servers.

“It’s all built on trust,” Tammy noted. “When that trust eroded, so did their affiliate base and their brand.”

At its peak, LockBit claimed over 100 active affiliates and published dozens of victims per week. Today? Just one or two posts a month—many of them likely crossposts or low-value hits.

The Affiliate Exodus and the Rise of RansomHub

The affiliate-based model that powered LockBit became its undoing once the illusion of reliability shattered. Sanctions against groups like Evil Corp and the risk of legal exposure also discouraged victims from paying.

To staunch the bleeding, LockBit slashed affiliate program pricing and engaged in fire-sale negotiations—sometimes demanding just tens of thousands of dollars instead of six-figure payouts. Still, it wasn’t enough.

As LockBit crumbled, RansomHub emerged as the successor, absorbing affiliates not only from LockBit but also ALPHV (BlackCat), which collapsed around the same time. RansomHub’s flexibility, payment splits, and operational continuity made it a temporary safe haven.

Cross-Posting Is No Longer the Exception—It’s the Norm

2024 saw the explosion of a new tactic in the ransomware world: cross-posting, in which the same victim is listed by multiple ransomware groups.

There are three key reasons for this:

  1. Shared access from stealer logs: When threat actors rely on automated Telegram feeds or stealer log marketplaces, the same set of compromised credentials can end up in multiple hands.
  2. Affiliate hopping: An affiliate may start an extortion attempt with one ransomware group, fail to secure payment, and switch to another with more favorable terms or a stronger brand presence—posting the same victim again.
  3. Outright scams: The emergence of “repackaging” ransomware groups—like JD Locker, Babu 2.0, and Satan Locker—brought a new twist: posting old victims, recycling public data, and impersonating legitimate threat groups in hopes of scamming desperate companies.

“It’s ransomware without the ransomware,” Nick joked. “Just data and extortion—often stolen from someone who already stole it.”
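One way a defender can triage the cross-posting described above, as an added example that is not from the podcast or from Flare's tooling: group leak-site claims by normalized victim name, flag victims listed by more than one group, and mark late re-posts as likely recycled. The claim records, group names, field layout and the 60-day threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample claims (group, victim as listed, date posted); not real data.
CLAIMS = [
    ("GroupA", "Example Manufacturing, Inc.", date(2025, 1, 10)),
    ("GroupB", "example-manufacturing inc", date(2025, 3, 2)),
    ("GroupC", "EXAMPLE MANUFACTURING", date(2025, 5, 20)),
    ("GroupA", "Sample Logistics LLC", date(2025, 2, 1)),
    ("GroupB", "Placeholder Health Corp.", date(2025, 4, 4)),
]

# Legal suffixes that vary between listings of the same organization.
SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "gmbh", "sa", "plc"}

def normalize(victim: str) -> str:
    """Lowercase, drop punctuation and trailing legal suffixes."""
    tokens = re.sub(r"[^a-z0-9]+", " ", victim.lower()).split()
    while tokens and tokens[-1] in SUFFIXES:
        tokens.pop()
    return " ".join(tokens)

def find_cross_posts(claims, recycle_after_days=60):
    """Return victims claimed by 2+ groups, with first claimant and later re-posts.

    recycle_after_days is an assumed heuristic: a re-post that long after the
    first claim is more likely recycled data than a parallel intrusion.
    """
    by_victim = defaultdict(list)
    for group, victim, posted in claims:
        by_victim[normalize(victim)].append((posted, group))
    report = {}
    for key, posts in by_victim.items():
        posts.sort()  # earliest claim first
        first_date, first_group = posts[0]
        reposts = [
            {"group": g, "days_after_first": (d - first_date).days,
             "likely_recycled": (d - first_date).days >= recycle_after_days}
            for d, g in posts[1:] if g != first_group
        ]
        if reposts:
            report[key] = {"first_group": first_group, "reposts": reposts}
    return report

if __name__ == "__main__":
    for victim, info in find_cross_posts(CLAIMS).items():
        print(victim, info)
```

A flagged re-post is a prompt to compare the published sample data against the earlier leak before treating the new claim as a fresh intrusion.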

The Underground Is Being Drowned in Noise

What used to be a relatively stable ecosystem of threat groups with internal codes of conduct has morphed into something unrecognizable.

Legacy groups like Conti, LockBit, and even early ALPHV operations had structure, leadership, and (twisted as it may be) ethics—such as rules around what data could be leaked or how affiliates were vetted. Now? Chaos reigns.

“It’s like the old guard is retiring,” Tammy said. “And what’s filling the vacuum is a mess of low-effort, attention-hungry noise.”

Groups with no operational rigor are posting everything and anything—exaggerating claims, recycling data, and shifting branding almost weekly. While a few emerging groups like DragonForce and Qilin maintain internal discipline, most of the scene is being overwhelmed by opportunists.

A Ransomware Market in Decline—Or Just in Flux?

The ransomware landscape in 2025 is unpredictable. Law enforcement is getting more aggressive. Sanctions are working—at least partially. And while double and triple extortion still exist, the over-saturation of data leaks and scam groups has created a credibility crisis.

Yet the underlying business model remains attractive. The emergence of AI-driven tools and better access to initial intrusion vectors (partly due to Telegram stealer markets and IABs) ensures that ransomware will continue to evolve.

Still, one thing’s clear: the next wave of ransomware won’t look like LockBit or Conti. It’ll be noisier, more chaotic—and possibly, even harder to defend against.

Leaky Weekly and Flare Academy

For a deeper dive into these trends, listen to the full episode on YouTube, Spotify, or Apple Podcasts.

Brought to you by Flare, the world’s easiest to use and most comprehensive cybercrime database that integrates into your security program in 30 minutes. Check out what’s on the dark web (and more) about your organization.

Flare now offers Flare Academy training, which is our (free!) training series led by experts that covers critical topics such as threat intelligence, operational security, and advanced investigation techniques. You can also earn CPE credits toward your cybersecurity certifications. Sign up for Senior Threat Intelligence Researcher Tammy Harper’s Academy training, CRYPTOS: Hunting Adversaries in the Crypto Underground on Tuesday July 15, 2025 at 11:00-1:00 PM ET. Join the Flare Academy Community Discord to keep up with upcoming training, check out previous training resources, chat with cybersecurity professionals (including Nick and Tammy!), and more.
