IT Brief India - Technology news for CIOs & IT decision-makers

LockBit takedown reshapes ransomware threat landscape

Wed, 19th Feb 2025

The Counter Threat Unit of Secureworks, a Sophos Company, has reported on the significant changes in the ransomware landscape following efforts to counter the activities of LockBit, a major ransomware scheme.

LockBit was highly prominent in the ransomware ecosystem, with its activities accounting for 25% of victim listings on ransomware leak sites in 2023. This was more than double the number of listings attributed to the next most prominent group, BlackCat/ALPHV, which accounted for 12% of total listings.

Tim Mitchell, Senior Researcher at the Counter Threat Unit, noted that coordinated efforts by Secureworks alongside law enforcement agencies led to the seizure of the LockBit leak site on 19 February 2024. He stated, "When we coordinated our research alongside law enforcement's seizure of the LockBit leak site on February 19, 2024, we knew it was a significant moment in time in the fight against cybercriminals. It was the first step in a steady march of operations against ransomware, its enablers and cybercrime more broadly. And the most obvious result is the mark it's left on the landscape, with affiliates scattering to new schemes or turning to independent operations."

This strategic law enforcement activity targets not only leak sites but also the individuals involved in these operations and the money laundering associated with ransomware. Mitchell emphasised that the disruption has added complexity and costs to such schemes, elaborating, "With these disruptions to the status quo it has added friction and increased the cost for the cybercriminals, which ultimately makes such operations more challenging to successfully execute. The more collaboration we see across the industry and with law enforcement will lead to making it harder for cybercriminals to succeed."

Despite these measures, the number of victims listed on ransomware leak sites has continued to grow, with the Counter Threat Unit noting a deviation from typical seasonal trends. December 2024 saw 542 victims listed by 53 active groups, an increase of 61% year over year. In January 2025, this number rose to 605 victims listed by 48 active groups, an 80% increase compared to the previous year. For context, the highest previous listing was 335 victims in January 2024. This increase suggests growing fragmentation within the ransomware landscape, with more schemes emerging.

Mitchell explained the implications of these numbers, saying, "And it's important to remember that a victim is named on a leak site when they haven't paid a ransom, so an increase in victim numbers could mean that the number of victims paying is actually decreasing. But that's not to say the threat has gone away. Far from it. Although the impact of such attacks on individual victims might be reduced, experiencing a ransomware incident is still a very bad day in the office."

Urging organisations to bolster their defences, Mitchell advised, "Organisations should be prioritising the basics including regularly patching internet-facing devices, implementing phishing-resistant multi-factor authentication (MFA) as part of a conditional access policy, and monitoring the network and endpoints for malicious activity. Organisations should also have an incident response plan in place, battle-tested regularly to ensure they're prepared to respond to a cyberattack with speed and precision."
