In February 2026, ransomware groups posted 680 victims across 54 active operations. That number did not come after a period of unchecked criminal activity. It came after three years of the most sustained law enforcement pressure the ransomware ecosystem has ever faced — including the seizure of LockBit's infrastructure, the collapse of ALPHV/BlackCat, the takedown of RansomHub, and Europol operations that dismantled over 1,025 servers in a single action.
The market did not shrink. It reorganised. Understanding why — and what it is becoming — matters to every organisation operating in Europe today. For a comprehensive view of how organisations’ digital footprints are exposed and exploited, see our Corporate Digital Footprint hub.
The Exits: What Law Enforcement Disrupted
Between January 2023 and April 2025, three of the most dominant ransomware operations were taken down or collapsed from within:
- Hive (January 2023) — Dismantled by the FBI after a months-long infiltration that allowed authorities to provide decryption keys to over 300 active victims. One of the first major RaaS takedowns to demonstrate that penetrating infrastructure, rather than just seizing it, was operationally possible.
- LockBit (February 2024) — Operation Cronos seized LockBit's infrastructure, exposing affiliate data, decryption keys, and internal communications. A further breach in May 2025 dumped chat logs and Bitcoin wallet addresses publicly, undermining the group's credibility. By late 2025, Trend Micro assessed the comeback as failing — the group had been banned from underground forums and was attempting a declared alliance with Qilin and DragonForce that analysts largely read as brand management rather than genuine operational integration.
- ALPHV/BlackCat (March 2024) — Imploded after pocketing an estimated $22 million in ransom paid by Change Healthcare and disappearing without paying affiliates their cut. The exit scam defrauded the group's own affiliate network and accelerated the migration of experienced operators to competing platforms.
- RansomHub (April 2025) — Rose rapidly to absorb the LockBit and ALPHV affiliate base, claiming over 600 global victims within its first year. Then collapsed in an exit scam of its own, scattering its affiliate network again.
Each disruption was significant. None reduced capacity. They redistributed it.
The Cartel Analogy
The dynamics of the ransomware market closely mirror those of drug trafficking networks after major enforcement actions. When the Medellín Cartel was dismantled, cocaine supply did not drop — the Cali Cartel absorbed the capacity. When Cali fell, smaller regional networks filled the gap, creating a more fragmented but ultimately more resilient market.
Ransomware follows the same logic. Affiliates — the operators who actually deploy ransomware against targets — are freelancers, not employees. They carry their skills, access, and victim relationships between platforms. When a platform collapses, they migrate to the next offering the best terms and the most reliable infrastructure.
Law enforcement disrupts brand value and infrastructure. It does not destroy operational capability. The capability walks out the door and signs up somewhere else within weeks.
The Affiliate Migration Chain
The post-LockBit period produced one of the clearest documented examples of affiliate migration in ransomware history:
- LockBit disrupted (February 2024) → affiliates migrate primarily to RansomHub
- ALPHV/BlackCat exit scam (March 2024) → defrauded affiliates join RansomHub and other platforms
- RansomHub exit scam (April 2025) → affiliates migrate primarily to Qilin
- Qilin: 578% growth in 2025, absorbing the bulk of displaced RansomHub operators
By the January–November 2025 reporting period, Qilin held 13.07% of total ransomware claims — the single most active group globally. Akira held 10.85%, INC Ransom 5.45%, Play 4.92%, and SafePay 4.60%. The top five groups combined accounted for only 39% of total victims. The remaining 61% was distributed across dozens of smaller operations. In February 2026 alone: 54 groups, 680 victims. The market did not consolidate after LockBit. It atomised.
Two Models Diverging
Alongside the market fragmentation, a structural shift has been underway. The ransomware ecosystem is splitting into two increasingly distinct operating models.
Model 1: RaaS — Encryption-Based
The traditional model. Malware encrypts the victim's systems. The victim pays to restore operations. Recovery via backups is painful but possible. Groups like Qilin, Akira, Play, and DragonForce operate this model. Qilin has been noted for aggressive affiliate recruiting via dark web forums, offering up to 80% revenue share to attract experienced operators. DragonForce rebranded as a "ransomware cartel" in mid-2025, reusing LockBit and Conti source code with similar affiliate economics.
Model 2: Pure Data Extortion — No Encryption
The newer and in some respects more dangerous model. No files are encrypted. No ransomware is deployed. Attackers exfiltrate data through cloud storage misconfigurations, stolen credentials, and API keys — then threaten publication unless paid. ShinyHunters has operated this model exclusively. They have never encrypted a single victim's file. The data itself is the weapon.
The distinction is critical for defenders. Organisations cannot recover from data extortion by restoring from backups. The data is already out. And under GDPR, the notification obligation to regulators exists regardless of whether the ransom is paid. Payment removes the publication threat but does not remove the regulatory exposure. The two pressures are entirely independent.
Clop has operated the same model at scale, most visibly in the MOVEit zero-day campaign of 2023–2024 — stealing data from hundreds of organisations without deploying any encryption at all.
The European Lever: GDPR as the Fifth Extortion Dimension
European organisations face a compounding pressure that US targets do not. GDPR establishes a 72-hour mandatory notification window when personal data is breached. Maximum fines reach €20 million or 4% of global annual turnover, whichever is higher. UK GDPR maintains equivalent provisions post-Brexit.
Extortion groups have identified this as a distinct lever. The calculus for a targeted organisation is explicit: a ransom demand of €500,000 sits against a potential fine that could reach tens of millions, plus reputational damage, customer notification costs, and class action exposure. Non-payment and subsequent data publication make regulatory scrutiny near-certain. Payment removes publication — but not regulatory liability.
Two recent cases illustrate the pattern:
- Odido (Netherlands, March 2026) — ShinyHunters claimed responsibility for the theft of data belonging to 6.2 million Dutch telecom customers. After Odido declined to pay, the full dataset — names, IBANs, passport numbers, phone numbers, and account challenge words — was published publicly on March 1, 2026. The breach affects a significant proportion of the Dutch adult population. Our original breakdown of how the breach occurred is here.
- Under Armour (breach November 2025, data published January 2026) — The Everest group stole data on 72.7 million customers — names, DOB, gender, location, purchase history. After Under Armour failed to respond by the deadline, the dataset was published and spread across hacker forums. UK and European customer data is in scope for GDPR and UK GDPR notification obligations. US class action litigation was filed almost immediately.
The Wynn Resorts case (February 2026) followed the same pattern, with ShinyHunters publicly claiming responsibility to The Register after the company refused payment.
The Grey Market Layer
The headline groups attract the coverage. They represent a minority of the actual threat landscape.
In February 2026, 54 distinct groups were actively claiming victims. Many operate without established reputations, without sustained media coverage, and without the affiliate infrastructure of the major brands. They nonetheless represent real operational capability:
- Everest — Russian-speaking group active since 2020. Under Armour (72.7M records, November 2025) is their most visible recent operation. Consistently underreported relative to their actual activity level.
- The Gentlemen — Emerged autumn 2025. Over 30 organisations targeted in 17 countries. Advanced evasion techniques. Near-zero mainstream security press coverage.
- SafePay — Holds 4.60% market share in 2025 data, placing it in the global top 5. Almost absent from standard reporting.
- Lynx — Believed to be a rebrand or spin-off of INC Ransom. 80/20 affiliate split, targeting manufacturing, business services, and technology sectors.
- Medusa — Ramped up significantly in 2025, using social media pressure as part of the extortion model. Ransom demands up to $15 million.
The infrastructure supporting these groups continues to be disrupted by law enforcement. On March 3–4, 2026, Europol coordinated the takedown of LeakBase — 142,000 registered users, trading stolen databases and credential logs. Tycoon 2FA — responsible for 62% of all Microsoft-blocked phishing — was dismantled in a coordinated public-private action. Each represents genuine operational disruption. Each will be replaced. The replacements emerge within months. The pattern is now sufficiently established that the replacement cycle can be assumed rather than predicted.
The Next Evolution: SLSH and the Multi-Vector Model
In August 2025, three groups — Scattered Spider, LAPSUS$, and ShinyHunters — announced the formation of Scattered Lapsus$ Hunters (SLSH). By September 2025, they announced the formal cessation of independent operations to focus on this unified effort.
Analysts are divided on the nature of the merger. LevelBlue characterises SLSH as a "federated cybercriminal brand" rather than a structural integration at the individual-operator level. The distinction matters for attribution but less so for assessing capability. Whether SLSH is a true merger or a calculated brand play, the declared capability set is documented:
- ShinyHunters contributes: cloud storage and API exploitation, data theft infrastructure, BreachForums distribution network
- Scattered Spider contributes: social engineering at scale, SIM swapping, helpdesk fraud, cloud platform access
- LAPSUS$ contributes: enterprise network infiltration, insider recruitment, corporate credential theft
In November 2025, SLSH publicly announced ShinySp1d3r — an in-development RaaS platform adding file encryption to the existing model. ZeroFox's analysis documented Windows Event Viewer evasion, data destruction to prevent recovery, and self-contained network propagation. A Linux and ESXi version is in development. SLSH has conducted at least 51 documented attacks since forming, with 50% targeting transportation and technology sectors.
Note on attribution: The Odido breach was claimed and operated under the ShinyHunters brand specifically — not under the SLSH collective. ShinyHunters remains active as an independently-branded operation even while participating in SLSH. Individual incident attribution requires care.
What makes SLSH structurally significant is not the encryption capability alone — encryption-based ransomware is not new. It is the combination. Where LockBit at its peak operated a single extortion lever (encrypt systems, demand payment), SLSH's model stacks five simultaneously:
- Data theft and publication threat
- System encryption via ShinySp1d3r
- Social engineering of employees and helpdesks
- Direct victim and stakeholder contact (triple extortion)
- GDPR notification threat against European targets
LockBit at peak market share held approximately 25–30% of total ransomware victims. The top five groups in 2025 combined hold 39% — and the market is more fragmented than ever. Whether SLSH achieves the consolidation implied by its capability set remains an open question. ShinySp1d3r is still in development and the collective is less than a year old. But the trajectory is toward a threat model more capable and harder to defend against than anything that preceded it. The vacuum LockBit left may yet be filled — just not in the way anyone expected.
What This Means for Organisations
Takedowns redistribute capacity, they do not destroy it. Law enforcement actions are necessary and valuable. But they cannot be treated as permanent solutions. Each disruption produces a successor, typically within months and often with improved capability. Security posture must be calibrated against the current landscape, not last year's.
Data extortion is categorically different from ransomware. Backup strategies, incident response playbooks, and cyber insurance products designed around encryption-based attacks do not address the data theft model. When data has been exfiltrated, the ransom decision is divorced from operational recovery. GDPR obligations are triggered regardless of payment. Boards and legal counsel need to understand this distinction before an incident occurs, not during one.
European companies face compounding pressure. GDPR creates a structural incentive to target EU and UK organisations — the regulatory leverage multiplies the effective cost of non-payment beyond what equivalents face in other jurisdictions. This is not incidental. It is a market feature that groups have learned to exploit systematically.
Sources
- Breachsense — February 2026 Ransomware Report
- Industrial Cyber — Qilin escalates 578% amid RansomHub shutdown
- Check Point Research — State of Ransomware Q3 2025
- TechTarget / Trend Micro — LockBit comeback assessment
- Krebs on Security — ALPHV/BlackCat implosion after $22M Change Healthcare payment
- The Hacker News — LockBit, Qilin, DragonForce alliance announced
- NordStellar — Ransomware group profiles and market data
- Palo Alto Unit 42 — ShinySp1d3r ransomware analysis
- ZeroFox — Flash report: SLSH RaaS platform (ShinySp1d3r)
- LevelBlue — Anatomy of a federated cybercriminal brand (SLSH)
- Broadcom / Symantec — ShinySp1d3r ransomware protection bulletin
- Europol — Operation Endgame: 1,025 servers taken down (November 2025)
- Europol — LeakBase forum dismantled (March 2026)
- Europol — Tycoon 2FA phishing platform taken down
- Malwarebytes — Under Armour breach: 72 million customers exposed
- The Register — ShinyHunters: Wynn Resorts extortion claim
- Ransomware.live — ShinyHunters victim tracker
- Security Affairs — ShinyHunters leaks full Odido dataset
- Top Class Actions — Under Armour class action
- Huntress — Ransomware trends and multi-extortion analysis
- CISA — ALPHV/BlackCat advisory (MOVEit / Clop context)