On February 19, 2024, the UK's National Crime Agency seized LockBit's dark web infrastructure, with the full scope of the operation publicly revealed the following day. They "trolled" the most prolific ransomware gang in the world by repurposing its own leak site. Within five days, LockBit was back online. By September 2025, Check Point confirmed LockBit 5.0 was already extorting new victims across three continents. The cycle of disruption and resurrection tells us something important about the ransomware ecosystem — and it's not a reassuring story.
LockBit's story is the clearest illustration of why ransomware isn't a problem you can arrest your way out of. Even the most sophisticated, internationally coordinated law enforcement operation in ransomware history couldn't permanently destroy a group whose leader remains in Russia, whose affiliates span the globe, and whose source code has been leaked and forked into multiple independent operations. Understanding this cycle isn't defeatism — it's realism that should inform how we allocate defensive resources.
The Rise of LockBit: How One Gang Dominated Ransomware
LockBit emerged around 2019 and rapidly became the dominant ransomware-as-a-service operation on the planet. The U.S. Department of Justice estimates LockBit attacked more than 2,500 organizations worldwide, including 1,800 in the United States, extracting at least $500 million in ransom payments globally; total victim losses including recovery costs ran far higher. The FBI's Internet Crime Report for 2023 ranked LockBit as the most reported ransomware variant hitting U.S. critical infrastructure (it remained among the top variants in the 2024 report), and the NCA assessed it as responsible for approximately 25% of ransomware attacks in the year preceding the takedown, a lead no rival came close to.
What set LockBit apart was its operational model. The group ran itself like a tech company. It had hiring managers, interview processes, a human resources function, and even a bug bounty program that paid hackers to find vulnerabilities in its own ransomware code. Its affiliate payment model was unique: rather than the operator collecting the ransom and distributing a cut, LockBit let affiliates collect payments directly and took a 20% commission. This reversed the typical power dynamic and attracted top-tier affiliates, including members of notorious groups like FIN7 and Evil Corp.
"They were targeting schools, hospitals, emergency services, critical infrastructure, among other private sector companies." — Brett Leatherman, Deputy Assistant Director of FBI's Cyber Operations (Axios, January 2025)
The group also had something no other RaaS provider matched: brand recognition. Affiliates got LockBit-branded tattoos. The name carried weight in the criminal underground. And as Trend Micro's Bob McArdle observed, that brand was ultimately its greatest vulnerability.
Operation Cronos: The Takedown That Made Headlines
On February 19, 2024, the NCA, in coordination with Europol, the FBI, and law enforcement agencies from ten countries, executed Operation Cronos, with the NCA publicly revealing the full scope of the operation on February 20. The operation didn't just take LockBit offline; it weaponized the group's own infrastructure against it. Law enforcement seized LockBit's primary administration environment and its dark web leak site, along with 34 servers in Europe, Australia, the UK, and the US, froze over 200 cryptocurrency accounts, and arrested two alleged members in Poland and Ukraine. They also obtained 30,000 Bitcoin addresses used for managing ransom profits, holding approximately 2,200 BTC (about $112 million at the time).
But the stroke of genius was what they did with LockBit's leak site. Instead of simply shutting it down, law enforcement agencies repurposed it into a name-and-shame site targeting LockBit itself. They posted press releases, decryption keys, backend leaks, and crucially — personalized messages to affiliates who logged into their control panels, informing them that law enforcement had taken control and "might be in touch."
"The thing that set LockBit apart from any other ransomware vendor out there was their brand. Other ransomware had faster encryption or nicer user interfaces for the criminals. But what LockBit had was that they had essentially been market leader with the most recognizable brand. When you attack the brand, they don't have anything else left over." — Bob McArdle, Director of Forward-Looking Threat Research, Trend Micro (Axios, January 2025)
In May 2024, the NCA unmasked LockBit's leader, LockBitSupp, naming him as Russian national Dmitry Khoroshev and targeting him with asset freezes, travel bans, and a U.S. indictment with 26 counts of fraud, computer damage, and extortion. Rewards of up to $10 million were offered by the U.S. Department of State for information leading to his arrest. Khoroshev remains at large.
The Comeback: LockBit Refuses to Die
Five days after the infrastructure seizure (four days after the public announcement), LockBit had a new site up and running, posting new victims and issuing a lengthy, defiant statement blaming the breach on its own "personal negligence and irresponsibility" — specifically, failing to patch a critical PHP buffer overflow vulnerability (CVE-2023-3824). The irony of a ransomware gang that exploits unpatched software being taken down by an unpatched vulnerability was lost on no one.
LockBitSupp's response attempted to minimize the damage: law enforcement had obtained only a handful of decryptors, arrested the wrong people, and failed to take down all servers. The group vowed to upgrade its infrastructure security, manually release decryptors, and continue its affiliate program. To rebuild trust, LockBit required new affiliates to deposit one bitcoin (worth roughly $50,000 in late February 2024) for control panel access, a vetting mechanism designed to keep out law enforcement infiltrators.
The immediate aftermath saw LockBit's attack volume drop 85% between February and April 2024 against U.S. companies, according to Leatherman's January 2025 interview with Axios. But the reprieve was temporary. In December 2024, LockBit announced version 4.0 — which officially launched in February 2025 but failed to gain meaningful affiliate traction, largely ignored by a criminal ecosystem that had shifted its loyalty to RansomHub and other competitors. Meanwhile, law enforcement continued pressing: in early 2025, LockBit developer Rostislav Panev was extradited to the United States, another tangible outcome of Operation Cronos. Then, in May 2025, an unknown actor breached LockBit's own infrastructure and defaced its dark web panels, dumping a backend database that exposed Bitcoin wallet addresses, internal chat logs with victims, affiliate details, and thousands of ransom negotiation transcripts. It was a second major disruption within 15 months, and it further eroded LockBitSupp's credibility. Despite it all, LockBitSupp posted defiantly on the RAMP dark web forum: "We always rise up after being hacked."
LockBit 5.0: Bigger, Faster, Cross-Platform
By September 2025, the comeback was fully operational. Check Point Research confirmed that LockBit had resumed active operations, identifying a dozen organizations targeted in September alone, half of them hit by the new LockBit 5.0 variant (which Check Point also tracks as "ChuongDong"). Trend Micro independently analyzed the new binaries and confirmed the technical upgrades.
LockBit 5.0 introduces significant technical upgrades designed to make the operation more effective and harder to disrupt:
- Multi-platform support: New builds target Windows, Linux, and VMware ESXi environments, covering virtually all enterprise infrastructure.
- Enhanced evasion: Improved anti-analysis mechanisms designed to obstruct forensic investigation and malware reverse engineering.
- Faster encryption: Optimized routines that compress the window defenders have to detect and respond to active encryption.
- Randomized file extensions: Instead of the predictable .lockbit extension, 5.0 appends a randomized 16-character extension to each encrypted file, so detection rules keyed on the old indicator no longer fire.
- Updated affiliate infrastructure: An improved management interface with individualized credentials and a new affiliate registration system requiring a $500 Bitcoin deposit.
Victims receive ransom notes identifying the variant as LockBit 5.0 with personalized negotiation links and a 30-day deadline before stolen data is published. The attacks span Europe, the Americas, and Asia, demonstrating that the group's operational reach has been fully restored.
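The randomized extension is the practical detection problem in that list: a rule that matches `.lockbit` is worthless against 5.0. The example below is added here and is not code from the page, from Check Point, or from Trend Micro. It shows one behavioral replacement: instead of matching a known extension, it watches file-rename telemetry for a burst of renames by one process to a single high-entropy, previously unknown extension. The event shape (`ts`, `host`, `process`, `old_path`, `new_path`), the allowlist, the 16-character extension `k3v9q2xm7hp1wz5t`, and the process name `svchost.exe` are all constructed for the demo, not observed indicators; the thresholds are starting points to tune against your own baseline.

```python
import math
import re
from collections import defaultdict, deque

# Extensions this environment legitimately renames files to. Assumed, short
# list for the demo; in production derive it from your own file-event baseline.
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "tmp", "bak", "zip", "jpg", "png", "log"}


def shannon_entropy(s: str) -> float:
    """Bits per character; a 16-char extension with no repeated chars scores 4.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_randomized(ext: str) -> bool:
    """Heuristic: an alphanumeric extension that is long, unknown, and high-entropy
    is more likely a per-victim token than a file format."""
    ext = ext.lower()
    if ext in KNOWN_EXTENSIONS:
        return False
    if not re.fullmatch(r"[a-z0-9]{8,32}", ext):
        return False
    return shannon_entropy(ext) >= 3.0


def legacy_ioc_rule(path: str) -> bool:
    """The static rule that a randomized extension is designed to defeat."""
    return path.lower().endswith(".lockbit")


def _extension(path: str) -> str:
    name = re.split(r"[\\/]", path)[-1]          # basename on Windows or POSIX paths
    return name.rsplit(".", 1)[1] if "." in name else ""


def detect_rename_bursts(events, window_seconds=60, threshold=20):
    """Sliding-window count of renames per (host, process, new extension).
    `events` must be ordered by `ts` (epoch seconds). Returns one alert per key
    that reaches `threshold` renames to a randomized extension inside the window."""
    windows = defaultdict(deque)   # (host, process, ext) -> timestamps still in window
    alerted = set()
    alerts = []
    for ev in events:
        ext = _extension(ev["new_path"])
        if not looks_randomized(ext):
            continue
        key = (ev["host"], ev["process"], ext.lower())
        q = windows[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window_seconds:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": ev["host"], "process": ev["process"],
                           "extension": ext, "renames": len(q),
                           "first_ts": q[0], "last_ts": ev["ts"]})
    return alerts


def sample_events():
    """Constructed telemetry, not real logs: a user saving documents over an hour,
    then a simulated encryptor renaming 40 files to one random extension in 12 s."""
    events = []
    for i in range(5):   # benign: Word renames its temp file to the saved .docx
        events.append({"ts": 1_700_000_000 + i * 600, "host": "ws-17",
                       "process": "WINWORD.EXE",
                       "old_path": f"C:\\Users\\j.doe\\Documents\\~WRD{i:04}.tmp",
                       "new_path": f"C:\\Users\\j.doe\\Documents\\report{i}.docx"})
    ext = "k3v9q2xm7hp1wz5t"        # constructed per-victim extension, not an IOC
    base = 1_700_003_600
    for i in range(40):  # malicious: original name kept, random extension appended
        events.append({"ts": base + i * 0.3, "host": "ws-17",
                       "process": "svchost.exe",   # constructed stand-in process name
                       "old_path": f"C:\\Shares\\finance\\q3_{i:03}.xlsx",
                       "new_path": f"C:\\Shares\\finance\\q3_{i:03}.xlsx.{ext}"})
    return events


if __name__ == "__main__":
    for alert in detect_rename_bursts(sample_events()):
        print(alert)
```

Run against the constructed sample, the legacy `.lockbit` rule matches nothing, while the burst detector raises a single alert on the twentieth rename, a few seconds into the run. The extension check is deliberately a pre-filter rather than the alert condition: unusual extensions on their own are noisy, a process renaming dozens of files to the same unusual extension in under a minute is not. Pair it with a ransom-note drop (a text file appearing in every touched directory) if your telemetry exposes file creates, and feed the alert into a host-isolation playbook, since the point of faster encryption is that a human triage queue is already too slow.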
The Rebrand Cycle: Conti, Hive, ALPHV, and the Pattern
LockBit's resurrection follows a pattern the cybersecurity industry has watched repeat for years. When law enforcement dismantles a ransomware group's infrastructure, the people behind it don't stop being criminals. They rebrand, restructure, and continue.
Conti disbanded in 2022 after internal leaks exposed its operations. Its members didn't retire — they scattered into Black Basta, BlackByte, Karakurt, and Royal (later rebranded as BlackSuit). The Hive ransomware operation, taken down by the FBI in January 2023, saw its code and infrastructure acquired by Hunters International, which Bitdefender analysis confirmed shared over 60% code overlap with Hive's ransomware. ALPHV/BlackCat suffered a law enforcement disruption in December 2023, briefly "unseized" its own leak site, conducted the devastating Change Healthcare attack in February 2024 that disrupted pharmacy operations nationwide, and then pulled an exit scam on its own affiliates — reportedly pocketing roughly $22 million in ransom proceeds rather than sharing the cut. The affiliate who actually carried out the Change Healthcare intrusion reportedly migrated to RansomHub and extorted the same victim a second time before key ALPHV figures dispersed into other operations.
The common thread is that infrastructure is replaceable. Servers can be rebuilt. Code can be rewritten or forked. The human expertise — the developers, the negotiators, the affiliate managers — persists as long as the individuals remain free. And when those individuals operate from countries with no extradition treaties, freedom is the default state.
Why Takedowns Still Matter (Even When Gangs Come Back)
It's tempting to look at LockBit's resurrection and conclude that law enforcement operations are pointless. That's the wrong conclusion. Takedowns create real, measurable impact — even when they're temporary.
During the forced downtime after Operation Cronos, potential victims were spared. The 85% decline in LockBit attacks over two months represents hundreds of organizations that weren't encrypted. The reputational damage sowed distrust throughout the criminal ecosystem. Trend Micro observed a Snatch RaaS operator warning on their Telegram channel that they were all at risk, and members of the cybercriminal underground openly questioned whether LockBitSupp had collaborated with law enforcement. That paranoia is a force multiplier — it increases operational costs, reduces trust between operators, and makes recruiting affiliates harder.
"It's not just about the disruption, it's also about the deterrence. Our goal was to make LockBit, the variant itself in the technical ecosystem, radioactive." — Brett Leatherman, Deputy Assistant Director of FBI's Cyber Operations (Axios, January 2025)
The cumulative effect matters. Blockchain analysis from Chainalysis shows that total ransomware payments fell 35% in 2024 compared to 2023's record $1.25 billion, dropping to approximately $814 million — even as the number of reported ransomware incidents hit an all-time high. LockBit-specific payments declined roughly 79% in the second half of 2024. Meanwhile, the number of active ransomware groups nearly doubled, with 56 new data leak sites appearing in 2024 alone — likely a direct consequence of major groups fragmenting after takedowns. Fragmentation dilutes operational capability, forces groups to rebuild trust, and increases the chances that law enforcement can identify and disrupt individual actors.
The real lesson is that takedowns should be viewed as one tool in a comprehensive strategy, not a silver bullet. They buy time, create cost, and generate intelligence. But they must be paired with defensive investment, improved organizational resilience, and sustained pressure on the financial infrastructure that makes ransomware profitable.
Key Takeaways
- Ransomware gangs survive takedowns: LockBit was back online within five days of the most sophisticated international law enforcement operation in ransomware history. Infrastructure is replaceable. Human expertise persists. Plan your defense accordingly.
- LockBit 5.0 is real and active: The group has fully reconstituted its operations with upgraded cross-platform capabilities, faster encryption, and improved evasion. Organizations should update detection rules and threat models to account for the new variant's randomized file extensions and updated TTPs.
- The rebrand cycle is the norm: Conti's members regrouped as Black Basta, Royal/BlackSuit and others. Hive's code resurfaced as Hunters International. ALPHV's members scattered to new operations. When a ransomware group is disrupted, assume the operators will resurface under a new name within months.
- Takedowns still create value: The 85% decline in LockBit attacks post-Cronos spared hundreds of potential victims. Reputational damage and paranoia increase operational costs across the entire criminal ecosystem. Disruption is worth pursuing even when it's temporary.
- Defense can't wait for law enforcement: Your organization's security posture needs to withstand ransomware attacks regardless of which group or variant is trending. Offline backups, network segmentation, phishing-resistant MFA, and rapid patch management remain the fundamentals that determine whether a ransomware attack is a catastrophe or a contained incident.
LockBit's story is ultimately a story about resilience — on both sides. Law enforcement demonstrated that even the most powerful ransomware operations can be infiltrated, humiliated, and disrupted. LockBit demonstrated that criminal enterprises operating from safe havens can absorb enormous damage and keep going. The organizations caught between these two forces need to stop hoping for a permanent solution and start building permanent defenses.
Sources
- U.S. Department of Justice, "U.S. Charges Russian National with Developing and Operating LockBit Ransomware," May 7, 2024.
- U.S. Department of the Treasury, "United States Sanctions Senior Leader of the LockBit Ransomware Group," May 7, 2024.
- National Crime Agency, "The NCA Announces the Disruption of LockBit with Operation Cronos," February 20, 2024.
- FBI, "Brett Leatherman's Remarks at Press Conference Announcing the Disruption of the LockBit Ransomware Group," February 20, 2024.
- Sam Sabin, "How a gang's takedown revealed their playbook behind ransomware attacks," Axios, January 10, 2025.
- Europol, "Law Enforcement Disrupt World's Biggest Ransomware Operation," February 20, 2024.
- Brian Krebs, "U.S. Charges Russian Man as Boss of LockBit Ransomware Group," Krebs on Security, May 7, 2024.
- Brian Krebs, "BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare," Krebs on Security, March 5, 2024.
- Check Point Research, "LockBit 5.0: Ransomware Gang Returns in Force," October 23, 2025.
- Check Point Research, "The State of Ransomware — Q3 2025," November 13, 2025.
- Trend Micro, "New LockBit 5.0 Targets Windows, Linux, ESXi," September 25, 2025.
- Trend Micro, "Unveiling the Fallout: Operation Cronos' Impact on LockBit Following Landmark Disruption," April 3, 2024.
- TRM Labs, "LockBit Leak Provides Insight into Ransomware-as-a-Service Enterprise," May 2025.
- Chainalysis, "Ransomware 2024: Payments Decline as Victims Refuse to Pay," February 5, 2025.
- Infosecurity Magazine, "LockBit Ransomware Developer Extradited to US," March 2025.
- Bitdefender, "Hive Ransomware's Offspring: Hunters International Takes the Stage," November 2023.
- The Hacker News, "Conti Ransomware Operation Shut Down After Splitting into Smaller Groups," May 25, 2022.
- CISA, "Understanding Ransomware Threat Actors: LockBit," June 2023 (updated 2024).