{ "id": "f83f226b-e5fd-4fe7-beb5-b5bab5285abf", "created_at": "2026-04-06T00:14:30.018248Z", "updated_at": "2026-04-10T03:29:39.803738Z", "deleted_at": null, "sha1_hash": "9770a2d3cfae5a86c468337475a86462718baf80", "title": "The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1156287, "plain_text": "The LockBit story: Why the ransomware affiliate model can turn\r\ntakedowns into disruptions\r\nBy Thorsten Rosendahl\r\nPublished: 2024-03-15 · Archived: 2026-04-05 14:40:48 UTC\r\nFriday, March 15, 2024 10:00\r\nIn ancient Greek mythos, the mighty Hercules faced a seemingly insurmountable challenge when he encountered\r\nthe Lernaean Hydra. This fearsome serpent had a terrifying ability: For every head that Hercules severed, two\r\nmore would spring forth, creating a never-ending cycle of regrowth and renewal. \r\nMuch like the Hydra, modern ransomware gangs present society with a daunting task. When law enforcement\r\nmanages to take one adversary or low-level member off the streets, the victory is often short-lived. In the hidden\r\ndepths of these criminal organizations, the heads — or leaders — remain shrouded in shadow, orchestrating their\r\noperations often with impunity. \r\nAnd so, as one member falls, two more may rise to take their place, perpetuating an enduring saga of illicit\r\nactivity that are the challenges of our time: the ransomware ecosystem. A landscape where affiliates tend to move\r\nfrom ransomware group to ransomware group, following the money, bringing their skills and tools with them to\r\nconduct new attacks.\r\nIn this blog, we’ll explore the recent law enforcement takedown of LockBit, a group who previously held the title\r\nof the number one most deployed ransomware variant for two years running. Just seven days after the takedown,\r\nLockBit claimed to resume their operations.\r\nThe History of LockBit\r\nhttps://blog.talosintelligence.com/ransomware-affiliate-model/\r\nPage 1 of 7\n\nLockBit emerged around 2019. Since then, it has continually evolved and innovated to update their ransomware\r\nand build their RaaS program.\r\nFor the past two years, LockBit ransomware operations accounted for over 25 percent of the total number of posts\r\nmade to data leak sites. CISA’s assessment is also that LockBit has been the most deployed ransomware variant in\r\nrecent years.\r\nhttps://blog.talosintelligence.com/ransomware-affiliate-model/\r\nPage 2 of 7\n\nAs we wrote in the 2023 Talos Year in Review report, posts made to the group’s data leak site ebbed and flowed\r\nfrom September 2022 to August 2023. Detections of LockBit activity appear to spike in March, partially\r\ncoinciding with LockBit’s deployment against vulnerable instances of the printer management software PaperCut,\r\nwhere it has remained consistently high.\r\n💡\r\nIn 2020, Talos researchers made contact with a self-described LockBit operator. Over several weeks, we\r\nconducted multiple interviews that gave us a rare, first-hand account of a ransomware operator’s cybercriminal\r\nactivities. Confirmed theories included LockBit having a profit-sharing requirement that the affiliate has to meet\r\nfor the first four or five ransoms. This also used to be the case for Maze. Also, keeping your word to the victim is\r\nan important part of LockBit’s business model. Read the interview in full here.\r\nThe Collaboration Trend\r\nFor the past two years, Talos researchers have written about a growing ransomware trend, wherein actors are\r\nincreasingly collaborating with each other and sharing tools and infrastructure (aka the affiliate model).\r\nFor example, Talos recently reported on how the GhostSec and Stormous ransomware groups are jointly\r\nconducting double extortion ransomware attacks on various business verticals in multiple countries. The two\r\ngroups have started a new ransomware-as-a-service (RaaS) program STMX_GhostLocker, providing various\r\noptions for their affiliates.\r\nWe are seeing more diversified groups employing multiple encryption programs, as well as less sophisticated\r\nactors “standing on the shoulders” of giants by using leaked ransomware code. Some players are exiting the game\r\naltogether, but not before selling their source code to the highest bidder. This is posing significant challenges to\r\nthe security community, especially when it comes to attributing attacks.\r\nIn the case of LockBit, this was also a group that operated as a RaaS model. They recruited affiliates by offering\r\nthem shares of profits and encouraging them to conduct ransomware attacks using LockBit’s tools and\r\ninfrastructure. These affiliates were often unconnected, and as a result, there were many variations in the attacks\r\nthat used LockBit ransomware.\r\nNotably, the LockBit ransomware group posted on a Russian-speaking dark web forum in December 2023\r\noffering to recruit ALPHV (BlackCat) and NoEscape ransomware affiliates and any of the ALPHV developers,\r\nafter the Federal Bureau of Investigation (FBI)’s announcement of a disruption campaign against the ALPHV\r\nransomware operation.\r\nOperation Cronos\r\nThe NCA, working closely with the FBI and supported by international partners from nine other countries,\r\ncovertly investigated LockBit as part of a dedicated taskforce called Operation Cronos. \r\nOn Feb. 20, 2024, after infiltrating the group’s network, the NCA took control of LockBit’s primary\r\nadministration environment. This environment enabled affiliates to build and carry out ransomware attacks, as\r\nhttps://blog.talosintelligence.com/ransomware-affiliate-model/\r\nPage 3 of 7\n\nwell as host the group’s public-facing leak site on the dark web, which was used to threaten the publication of data\r\nstolen from victims. \r\nThe technical infiltration and disruption were only the beginning of a series of actions against LockBit and their\r\naffiliates. In wider actions coordinated by Europol, at least three LockBit affiliates were arrested in Poland and\r\nUkraine, and more than 200 cryptocurrency accounts linked to the group have been frozen.\r\nThe Return\r\nSeven days after the operation, messages and leak information was published on a new LockBit page. Here are\r\nscreenshots of their leak site taken daily from Feb. 27 – March 4, with a huge increase of cards on March 3.\r\nhttps://blog.talosintelligence.com/ransomware-affiliate-model/\r\nPage 4 of 7\n\nThe site lists both pre- and post-takedown victims, suggesting LockBit may not have lost access to their entire\r\ndataset or infrastructure. \r\nOf particular interest is the fbi.gov card in the lower right corner that links to a lengthy writeup (in English and\r\nRussian), stating what LockBit thinks happened during the operation. They talk about lessons learned,\r\nspeculations and discredit the law enforcement agencies. Talos believes the operation was carried out by the NCA,\r\nnot the FBI, as LockBit stated.\r\nA recurring theme\r\nWhile LockBit is currently dominating the headlines, we’ve seen similar stories before following takedown\r\nattempts. For example, the commodity trojan Trickbot had its infrastructure dismantled in February 2022.\r\nHowever, Talos telemetry picked up Trickbot activity throughout 2023, as covered in our Year in Review.\r\nStill open for business\r\nTalos has intelligence that Lockbit is still accepting affiliates into their program. \r\nDoes this mean that law enforcement operations are pointless? Far from it. Takedown attempts such as Operation\r\nCronos severely disrupt their operations, and forces ransomware operators to change their attacks. The operation\r\nagainst LockBit doesn’t appear to have inflicted the final blow against the ransomware group, but it has wounded\r\nthem. \r\nWe also know that law enforcement was able to obtain troves of intelligence through their operation. That\r\nintelligence will only serve to be useful in further disruptions, undermining Lockbit's growth. Therefore, if you put\r\nLockbit into a market perspective, they appear to be quite exposed. \r\nCrucially, as with the case of LockBit, decryption tools can be released so that victims of ransomware can gain\r\naccess to their systems again. In January Talos obtained executable code capable of decrypting files affected by\r\nhttps://blog.talosintelligence.com/ransomware-affiliate-model/\r\nPage 5 of 7\n\nthe Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the\r\nthreat actor.\r\nTherefore, it’s important not to view this operation as a “one and done” effort. Sustained, targeted approaches\r\nfrom law enforcement and the defender community can and do have a significant impact. For example, following\r\nthe FBI’s actions against BlackCat/ALPHV, the group reportedly denied an affiliate a $22 million ransomware\r\npayment before subsequently going out of business in early March, as Brian Krebs wrote about on his\r\nwebsite a few days ago.\r\nAzim Khodjibaev from Talos’ threat interdiction and intelligence organization team discusses the ebs and flows of\r\nransomware groups after a takedown in the episode of Talos Takes below. This episode was recorded in 2022 after\r\na separate law enforcement operation to disrupt LockBit.\r\nThe lucrative affiliate model\r\nOne of the major issues when tackling ransomware crime is the nature of the affiliate program, with actors often\r\nworking for multiple RaaS outfits at a time. In underground forums, we are seeing increased advertisements by\r\nRaaS groups showcasing their affiliate programs and offering profit shares. They can offer large profits, as threat\r\nactors can conduct multiple campaigns using the encryption programs that are offered or distributed. \r\nIn the case of the GhostSec group, they have a business model that offers affilates three different options: a paid\r\nversion, a free version and a version that allows actors who don’t want to become a member ransomware gang but\r\nwould like to publish victim data on their leak site.\r\nWe are also seeing multiple groups working together, sharing their malicious tooling with each other, then falling\r\nout, and then building trust back up with each other, adding to the difficulty in attributing attacks. Here are Talos’\r\nNick Biasini and Matt Olney talking about the impact of leaked ransomware code, where Matt describes the\r\nsituation as “The Real Housewives of Eastern Europe:”\r\nEtt fel inträffade.\r\nDet går inte att köra\r\nJavaScript.\r\nFundamentally, ransomware continues to be hugely profitable and widespread. In the last quarter, the Talos\r\nIncident Response team responded to ransomware incidents involving Play, Cactus, BlackSuit and NoEscape\r\nransomware for the first time, and there was a 17% rise in ransomware incidents in this quarter.\r\nIn the end, Operation Cronos may have disrupted LockBit’s operations temporarily with valuable assets gained, a\r\nweaker market position for the group, and a few affiliates are now sitting in jail. However, the Hyrdra’s roots run\r\ndeeper, and this is why we may continue to see LockBit activity throughout the course of the year.\r\nWhere to go from here\r\nhttps://blog.talosintelligence.com/ransomware-affiliate-model/\r\nPage 6 of 7\n\nLike Hercules who outwitted the Hydra with a blend of strength and strategy, our law enforcement’s relentless\r\nefforts are essential and commendable. It’s going to take persistent, strategic efforts to significantly damage RaaS\r\noperations and weaken the regenerative power of these gangs. Arrests at the top will be a key part of this. In the\r\ncase of LockBit, it appears as though the leaders of the group have evaded arrest on this occasion.  \r\nAt the very same time the people of Lerna (or us, the private defenders), need to pay attention to the entire threat\r\nlandscape. We can’t rely on just Hercules to take them down. Just like we can’t be sure there is just a single\r\nHydra.\r\nRead more about the recent ransomware operations Talos Incident Responders engaged in.\r\nSource: https://blog.talosintelligence.com/ransomware-affiliate-model/\r\nhttps://blog.talosintelligence.com/ransomware-affiliate-model/\r\nPage 7 of 7\n\nThe Return Seven days after the operation, messages and leak information was published on a new LockBit page. Here are\nscreenshots of their leak site taken daily from Feb. 27-March 4, with a huge increase of cards on March 3.\n Page 4 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://blog.talosintelligence.com/ransomware-affiliate-model/" ], "report_names": [ "ransomware-affiliate-model" ], "threat_actors": [ { "id": "8bd26575-9221-47d1-9d8b-5c18354dc1bd", "created_at": "2022-10-25T16:07:24.335Z", "updated_at": "2026-04-10T02:00:04.94173Z", "deleted_at": null, "main_name": "Tortilla", "aliases": [], "source_name": "ETDA:Tortilla", "tools": [ "Babuk", "Babuk Locker", "Babyk", "CHINACHOPPER", "China Chopper", "SinoChopper", "Vasa Locker" ], "source_id": "ETDA", "reports": null }, { "id": "93b7776d-9b37-496d-94a5-30bc36fd8800", "created_at": "2023-11-07T02:00:07.10019Z", "updated_at": "2026-04-10T02:00:03.407781Z", "deleted_at": null, "main_name": "GhostSec", "aliases": [ "Ghost Security" ], "source_name": "MISPGALAXY:GhostSec", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5", "created_at": "2022-10-25T16:07:23.797925Z", "updated_at": "2026-04-10T02:00:04.752608Z", "deleted_at": null, "main_name": "LockBit Gang", "aliases": [ "Bitwise Spider", "Operation Cronos" ], "source_name": "ETDA:LockBit Gang", "tools": [ "3AM", "ABCD Ransomware", "CrackMapExec", "EmPyre", "EmpireProject", "LockBit", "LockBit Black", "Mimikatz", "PowerShell Empire", "PsExec", "Syrphid" ], "source_id": "ETDA", "reports": null }, { "id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b", "created_at": "2022-10-25T16:07:23.303713Z", "updated_at": "2026-04-10T02:00:04.530417Z", "deleted_at": null, "main_name": "ALPHV", "aliases": [ "ALPHV", "ALPHVM", "Ambitious Scorpius", "BlackCat Gang", "UNC4466" ], "source_name": "ETDA:ALPHV", "tools": [ "ALPHV", "ALPHVM", "BlackCat", "GO Simple Tunnel", "GOST", "Impacket", "LaZagne", "MEGAsync", "Mimikatz", "Munchkin", "Noberus", "PsExec", "Remcom", "RemoteCommandExecution", "WebBrowserPassView" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434470, "ts_updated_at": 1775791779, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9770a2d3cfae5a86c468337475a86462718baf80.pdf", "text": "https://archive.orkl.eu/9770a2d3cfae5a86c468337475a86462718baf80.txt", "img": "https://archive.orkl.eu/9770a2d3cfae5a86c468337475a86462718baf80.jpg" } }