Life after LockBit: A fragmented landscape and wayward affiliates will still cause chaos for enterprises

LockBit website interface showing NCA, FBI, and law enforcement agency insignia after a joint police action seized LockBit's dark web site.
(Image credit: National Crime Agency)

Tuesday 20 February saw the National Crime Agency (NCA) share details of a joint law enforcement operation targeting the world’s largest ransomware operator, LockBit.

Although research revealed LockBit accounted for a shrinking proportion of global ransomware attacks, it remained the single biggest ransomware operator in 2023, according to analysis from ZeroFox, and was responsible for 30% of the total volume of attacks last year.

This latest development has led to speculation about what the global threat landscape could look like after the market's dominant player was put out of action.

Speaking to ITPro at CPX 2024 in Vienna, Sergey Shykevich, manager of Check Point’s Threat Intelligence Group, said enterprises can expect to see a more fragmented space as a result, with LockBit’s affiliates scrambling to find new ransomware to work with.

“LockBit operates as a ransomware-as-a-service (vendor) and so there are many affiliates who are now looking for other rentals and I’m sure not all of them will go to the same group.”

Shykevich said he expects these affiliates to find their feet relatively easily and begin deploying a variety of alternative ransomware strains – and the reason for this is that the financial incentives are too strong for threat actors to remain inactive for long.

“There is no empty space in this business, there’s too much money … every other week there is  new ransomware, some of them are here to die quickly, within a few weeks or months and others are like LockBit”.

A more fragmented threat landscape will not have a particularly strong effect on the level of risk businesses face, however. Shykevich said he doesn’t see businesses being markedly less safe as a result of LockBit’s fall.


On the possibility of LockBit returning, despite Shykevich citing LockBit’s remarkable ability to adapt its technology as a key factor in its success, this time he thinks the challenge will be too much for the notorious RaaS provider.

“In some cases someone hacked his infrastructure, someone else got his keys, each time he was able to bypass those obstacles. I personally think now, though, the obstacle is too high”.

The future of ransomware after LockBit

2023 was a record year for ransomware, with payments surpassing the $1 billion mark according to research from Chainalysis. 

Shykevich said he thinks 2023 will represent a zenith for ransomware activity, but did exercise caution; noting that many analysts said the same in previous year and that he doesn’t expect a major drop in extortion activity. 

“I think 2023 was the top year for ransomware but I must say in 2022 everyone said the same, that it was a very good year with mega events, everything, but I don’t expect a real [significant] decline.”

There are trends Shykevich thinks will persist through 2024, however. Firstly, he believes it will become harder for organizations to conceal cyber incidents of this nature.

“I think the big change will be that organizations will find it impossible to hide if it has been attacked by ransomware”, he predicted.

“This is a combination of more aggressive tactics by threat actors that are extorting more publicly and regulations.”

Another shift Shykevich highlighted was further growth in the number of Linux environments that are the targets of ransomware attacks, which could inflict significant damage in critical areas of organizations.

Shykevich explained that protections on Linux environments are frequently neglected by organizations, lacking robust security products such as endpoint solutions, and thus making them easier targets for threat actors.

In addition, these Linux environments often perform critical operations for companies. Shykevich gave the example of a manufacturing company, where compromising a single Linux system could lead to a total shutdown. .

“In manufacturing, most of your production is based on Linux not on Windows, and if you attack Linux, [just] one server in some cases, and you can disrupt a company of more than a hundred people.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.