Ransomware · critical · 2026-02-18 · 9 min read

After LockBit: The Ransomware Landscape in 2026

Operation Cronos took down LockBit's infrastructure in February 2024. Two years later, ransomware is up 49%, healthcare is bleeding, and a dozen successor groups (Anubis, Lynx, TridentLocker, Qilin, Akira) have filled the vacuum. What the takedown actually achieved, what it didn't, and what CISOs should expect from the 2026 ransomware landscape.

Tre Trebucchi · Founder, Valtik Studios · Penetration Tester

Founder of Valtik Studios. Pentester. Based in Connecticut, serving US mid-market.

The biggest ransomware takedown in history. And ransomware got worse

Operation Cronos was a flex. The NCA. The FBI. Eleven countries working in concert. Full control of LockBit's leak site, replaced with a mocking FBI-branded page. Dmitry Khoroshev named in indictments. Affiliate rosters published. Free decryptors released.

And two years later, ransomware victim counts are up. Payouts are up. The groups are more fragmented, more professional, and harder to disrupt than LockBit was.

This post covers what actually happened when LockBit went down, why the takedown worked exactly as intended, and why the threat landscape that replaced LockBit is strictly worse than the one law enforcement disrupted.

The 2024 takedown

February 19, 2024. The UK's National Crime Agency, the FBI, and partners from ten countries executed Operation Cronos against LockBit, the most prolific ransomware operation in the world. In the previous three years, LockBit had claimed over 2,000 victims, extracted an estimated $120 million in ransom payments, and operated as the dominant ransomware-as-a-service affiliate platform for everyone from nation-state-adjacent groups down to teenage criminals.

Operation Cronos was surgical. Law enforcement took control of LockBit's data leak site, replaced the branding with the NCA logo, and over the following days published material from LockBit's own internal infrastructure: affiliate lists, decryption tools for free recovery, and embarrassing OPSEC details about the operators. The FBI published indictments. Russian national Dmitry Khoroshev was identified as LockBit's administrator. Multiple affiliates were arrested in the US, Poland, Ukraine, and France.

It was, by any measure, the most successful law enforcement action against a ransomware operation in history.

And two years later, ransomware is worse than it was before the takedown.

What the LockBit takedown accomplished

The positives are real and shouldn't be minimized:

  • The LockBit brand is dead. Operators no longer use the name. Affiliates who try to claim LockBit affiliation are dismissed as impostors.
  • Infrastructure was destroyed. Servers, domains, and payment wallets were seized. Rebuilding that infrastructure took months of operator effort.
  • Decryption keys were recovered. Approximately 7,000 victims received free decryption tools via NCA and FBI channels. Many recovered without paying.
  • Affiliate disruption. Identifying and arresting affiliates made the RaaS economics less attractive. Potential new affiliates now calculate visible arrest risk differently.
  • OPSEC exposure. Law enforcement demonstrated capability to track ransomware operations at levels operators hadn't prepared for. The psychological impact on the threat-actor community was substantial.

For a brief window in 2024, the ransomware ecosystem looked disrupted. The major groups (LockBit, ALPHV/BlackCat, Cl0p) were all either taken down, exit-scammed, or in serious operational disarray. Victim counts dropped month-over-month for the first time in years.

That window closed fast.

What the 2026 landscape looks like

Per BlackFog, Coveware, and Chainalysis tracking:

  • 1,174 publicly disclosed ransomware attacks in 2025 (49% year-over-year increase)
  • Healthcare: 22% of all attacks (up from 18% pre-takedown)
  • Average ransom payment: $2.73M (up from $1.5M pre-takedown)
  • Ransom payment rate: 37% of victims pay (roughly flat pre/post-takedown)
  • Data exfiltration alongside encryption: 95%+ of cases (standardized post-2024)

The takedown killed the LockBit brand but didn't kill the ecosystem. The affiliate pool scattered to other operations. The criminal infrastructure adapted. The attack tradecraft matured. Two years later, the top five active ransomware groups are all organizations that either didn't exist or were fringe players in early 2024.

Who's running the ransomware show in 2026

Anubis

Emerged mid-2024. Claimed responsibility for Signature Healthcare / Brockton Hospital attack April 6, 2026. Focuses heavily on healthcare and municipal government. Mid-tier RaaS operation. High-volume, not elite tradecraft. Affiliate-friendly payment splits (80/20 in favor of affiliates) have attracted substantial affiliate recruitment.

Tactics: phishing + VPN exploitation + living-off-the-land tools. Uses Cobalt Strike and commodity remote-access trojans. Encryption uses ChaCha20 + RSA.

Distinctive feature: active data leak site with responsive "customer service" chat for victims negotiating ransom amounts.

Lynx

Emerged mid-2024 as a direct successor to INC Ransom. Claimed ACN Healthcare April 10, 2026. Known for aggressive double-extortion: if ransom isn't paid on schedule, partial data gets released in stages to pressure payment.

Tactics: phishing, watering hole attacks, and increasing use of AI-generated social engineering. Deploys encryption via PsExec and remote WMI.

Distinctive feature: targets mid-market organizations that lack mature incident response capabilities. Rarely goes after Fortune 500.

TridentLocker

Targets federal and defense contractors. Claimed Sedgwick Government Solutions (US federal contractor) in 2026 with 3.4GB of sensitive data stolen. Favors supply chain access to propagate.

Tactics: persistent access via VPN and remote access tool compromise. Stays in networks for months before executing ransom phase, maximizing data exfiltration.

Distinctive feature: uniquely focused on government and defense contractor targets. Believed to have either nation-state overlap or nation-state tolerance.

Qilin (Agenda)

Active since 2022, but accelerated aggressively post-LockBit takedown. Hit Synnovis (UK healthcare pathology lab) in 2024 and has maintained high operational tempo. Cross-platform: encrypts Windows, Linux, and VMware ESXi.

Tactics: VMware ESXi targeting is distinctive. A single ESXi host compromise encrypts every VM running on it. Deploys Rust-based encryptors for performance.

Distinctive feature: targets virtualization infrastructure, which magnifies impact beyond per-endpoint encryption.

Akira

Active since 2023, maintained momentum through the LockBit takedown. Per FBI estimates, collected ~$42M in ransoms in 2023-2024. Continued high tempo in 2025-2026.

Tactics: Cisco ASA VPN exploitation (CVE-2024-20353, CVE-2024-20359), credential theft, lateral movement via SMB.

Distinctive feature: retro-styled leak site designed to maximize media attention.

SpaceBears, PEAR, TheGentlemen, ShadowByt3$

The long tail. Smaller operations emerging weekly, each claiming 5-20 victims before either growing into a major group, getting taken down, or rebranding. Most disappear within 12-18 months. Some consolidate into larger operations.

What changed about the attacks themselves

Post-LockBit-takedown ransomware has matured in specific ways:

1. Data exfiltration is now mandatory

Pre-2023: some ransomware groups encrypted without exfiltrating.

Post-takedown: 95%+ of attacks include data theft alongside encryption.

The reason is economic. Even if the victim has good backups and doesn't need decryption, the threat of a data leak drives ransom payment. "Pure encryption" attacks have lower payment rates because victims with backups say no. Double extortion has higher payment rates because even victims with backups can't restore their reputation or regulatory posture after a leak.

2. Affiliate tradecraft is more consistent

LockBit operated as a relatively open RaaS where affiliate skill varied widely. Post-takedown, the top operations have tightened vetting. Affiliates typically need:

  • Demonstrated prior access to at least one significant network
  • Operational security practices that don't embarrass the brand
  • Communication through vetted channels in Russian or specific Telegram groups
  • Payment through curated cryptocurrency laundering pipelines

This has raised the floor on attack quality. A 2022 ransomware affiliate might compromise a victim through a single phishing email and encrypt sloppily. A 2026 affiliate will spend weeks in the network, exfiltrate precisely, and encrypt with domain-wide synchronized timing.

3. Negotiation is more sophisticated

Ransomware groups now have dedicated negotiators. The conversations are businesslike. Initial ransom demands are typically 2-3x higher than what the group expects to receive, anticipating negotiation. Discounts are offered for fast payment, and additional services (decryptor testing, proof of deletion) are included.

Coveware's data shows the median final ransom is now 34% of the initial demand, down from about 50% pre-2024, meaning groups are opening with higher demands but settling for similar final numbers.

4. ESXi and cloud-native targeting

Major 2025-2026 shift toward targeting:

  • VMware ESXi hosts directly (one compromise = all VMs encrypted)
  • Hyper-V hosts
  • Cloud backup services (Veeam, Rubrik, Cohesity administrative interfaces; compromise these and the backups become hostages too)
  • Kubernetes clusters
  • Azure and AWS administrative infrastructure

This targets the recovery infrastructure as well as the production systems, making "restore from backup" a more complicated option.

5. Insurance-driven economics

Cyber insurance premiums are shaping attack selection. Groups increasingly profile potential victims for:

  • Insurance coverage level (can they afford to pay the ransom?)
  • Policy exclusions (war, state actors) that might prevent payout
  • Insurance broker relationships that determine negotiation posture

Several ransomware negotiations in 2025-2026 have been shaped by the insurance carrier's limits. Insurance coverage has become almost public information to threat actors, who've been observed explicitly asking about it in negotiations.

Why takedowns don't stop the ecosystem

The structural reasons ransomware persists despite enforcement pressure:

Jurisdictional safe havens

Russia, Belarus, and several other post-Soviet states continue to tolerate or actively shield ransomware operators targeting Western organizations. Most operator arrests happen when individuals travel outside these safe zones. Russian law enforcement cooperation remains minimal.

RaaS decouples operators from infrastructure

LockBit's takedown killed an infrastructure. The affiliates kept working. They brought their skills, victim pipelines, and tradecraft to other RaaS platforms. The human capital is harder to disrupt than the technical infrastructure.

Cryptocurrency laundering improved

Post-Bitfinex tracking improvements, operators moved toward:

  • USDT on Tron (lower fees, higher volume, easier laundering)
  • Cross-chain bridges for obfuscation
  • Privacy coins (Monero) for final withdrawal
  • Non-KYC exchanges in sanctioned jurisdictions

Chainalysis tracks this in detail. The laundering is harder but not stopped. Tracing typically succeeds in 60-70% of cases, but recoveries are rare.

Insurance pays the ransom

Ransom payment rates remain ~37% largely because cyber insurance policies cover ransom. Insurance carriers are increasingly resistant and require approval before payment, but still routinely authorize payments to restore operations.

Targets are increasingly compelled

Healthcare can't afford extended downtime. Municipal governments can't operate without core IT. Manufacturing loses millions per day of production. The operational pressure to pay remains high.

What CISOs should take from this

Assume ransomware is still the primary threat

The takedown narrative was great for public morale in 2024. Operationally, ransomware is worse now. Your threat model should assume ransomware is the single most likely incident your organization will face in 2026, and should be planned for accordingly.

Assume data exfiltration before encryption

If ransomware hits your network, assume the attackers had weeks of access before the encryption phase and exfiltrated your most sensitive data. Plan notification, regulatory response, and customer communication accordingly.

Test your backups and your recovery

Not "backups exist." Can you restore production operations from backup within an RTO that makes paying the ransom unnecessary? The answer is usually "not really", which is why so many organizations pay. Fix this before it matters.

Harden your hypervisor and backup infrastructure

ESXi and backup administrative interfaces are Tier-0 assets. Access to them should require hardware-key 2FA, be logged aggressively, and be monitored for anomalous activity. Many organizations still have weaker controls on their backup infrastructure than their production systems.
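The monitoring half of that recommendation can be reduced to a small policy check over console login records. The Python below is an added example written for this post, not Valtik's code: it reviews Tier-0 console sessions for the three properties the paragraph asks for (hardware-key second factor, an approved admin identity, and a source inside the admin jump subnet). The one-line audit-record format, the jump subnet, the admin identities and the sample sessions are all constructed; a real deployment would feed it from ESXi/vCenter and backup-console authentication logs.

```python
"""Review Tier-0 admin sessions (hypervisor and backup consoles) against an access policy.

Added example for this post, not Valtik's code. The audit-record format is
constructed (one session per line: ts target user src_ip auth_method).
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy for Tier-0 consoles (assumptions, tune to your environment):
# reachable only from the admin jump subnet, only with a hardware-key second
# factor, and only by the named admin identities.
JUMP_SUBNETS = [ip_network("10.99.0.0/24")]
ALLOWED_AUTH = {"fido2"}          # hardware-key 2FA; "totp" and "password" do not qualify
TIER0_ADMINS = {"vsphere-admin", "veeam-admin"}


@dataclass
class Session:
    ts: datetime
    target: str       # console the admin logged into, e.g. "esxi01" or "veeam-console"
    user: str
    src_ip: str
    auth_method: str  # "password", "totp" or "fido2"


# Constructed sample audit records
SAMPLE_LOG = """\
2026-02-18T02:14:07Z esxi01 vsphere-admin 10.99.0.12 fido2
2026-02-18T03:41:55Z esxi01 vsphere-admin 10.20.5.77 password
2026-02-18T09:02:10Z veeam-console svc-backup 10.99.0.12 totp
2026-02-18T11:30:44Z veeam-console veeam-admin 10.99.0.15 fido2
"""


def parse_sessions(text):
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, target, user, src_ip, method = line.split()
        sessions.append(Session(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                target, user, src_ip, method))
    return sessions


def review_session(s):
    """Return the list of policy violations for one session (empty list = clean)."""
    findings = []
    if s.auth_method not in ALLOWED_AUTH:
        findings.append(f"weak second factor: {s.auth_method}")
    if not any(ip_address(s.src_ip) in net for net in JUMP_SUBNETS):
        findings.append(f"source {s.src_ip} outside admin jump subnet")
    if s.user not in TIER0_ADMINS:
        findings.append(f"non-approved identity {s.user}")
    return findings


def review_log(text):
    """Return (line_no, target, user, findings) for every session that violates policy."""
    flagged = []
    for line_no, s in enumerate(parse_sessions(text), start=1):
        findings = review_session(s)
        if findings:
            flagged.append((line_no, s.target, s.user, findings))
    return flagged


if __name__ == "__main__":
    for line_no, target, user, findings in review_log(SAMPLE_LOG):
        print(f"line {line_no}: {user}@{target}: " + "; ".join(findings))
```

Run against the sample, the second session (a password login to esxi01 from a workstation subnet) and the third (a service account reaching the backup console with TOTP) are flagged; the two hardware-key logins from the jump subnet pass. The point of keeping the policy as plain data at the top is that the same check can be applied to whatever the real consoles export, and that an exception (a new admin identity, a second jump subnet) is a visible one-line change rather than something buried in the logic.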

Tabletop the scenario

Ransomware response decisions (isolate this, pay that, notify when) are bad decisions to make for the first time during an incident. Run the tabletop every year. Include legal, communications, finance, clinical (for healthcare), and board representation.

Review your cyber insurance

Current policies have increasingly complex exclusions. Understand what's covered, what's not, what the deductibles are, and what the pre-approval process looks like for ransom payments.

Monitor for initial access

Most ransomware attacks have weeks of initial-access-broker activity before the encryption phase. Detection during that window is the difference between a near-miss and a catastrophe. Tools that help: EDR, network anomaly detection, identity monitoring, and monitoring for commodity remote access tools (AnyDesk, TeamViewer, Atera, ScreenConnect) being installed outside of normal change management.
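The last item in that list is the easiest to turn into a concrete detection, so here is one as an added example (written for this post, not Valtik's or any vendor's code). It takes process-creation events in a constructed pipe-separated format (Sysmon Event ID 1 or Windows 4688 would be the usual real source), matches the image name against an indicative list of remote-access tool executables, and raises an alert only when no change ticket covers that host, tool and time. The executable names, the change tickets, the host-naming convention (SRV- prefix for servers) and the sample events are all assumptions.

```python
"""Flag commodity remote-access tools appearing outside an approved change window.

Added example for this post, not Valtik's tooling. Events are assumed to be
process-creation records already normalized to a constructed pipe-separated
format (ts | host | user | image). The image names are indicative only.
"""
from datetime import datetime
import os

# Indicative executable names for the tools the post mentions (assumption: adjust
# to the installers and agents actually seen in your estate).
RAT_IMAGES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "teamviewer_setup.exe": "TeamViewer",
    "ateraagent.exe": "Atera",
    "screenconnect.clientsetup.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
}

# Constructed change-management records: (host, tool, window_start, window_end)
CHANGE_TICKETS = [
    ("WS-FIN-07", "TeamViewer", "2026-02-17T09:00:00", "2026-02-17T17:00:00"),
]

# Constructed process-creation events: ts | host | user | image
SAMPLE_EVENTS = """\
2026-02-17T10:12:03 | WS-FIN-07 | CORP\\helpdesk1 | C:\\Users\\helpdesk1\\Downloads\\TeamViewer_Setup.exe
2026-02-18T01:47:51 | WS-FIN-07 | CORP\\jdoe | C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe
2026-02-18T02:05:19 | SRV-BACKUP-01 | NT AUTHORITY\\SYSTEM | C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe
2026-02-18T08:30:00 | WS-HR-02 | CORP\\asmith | C:\\Windows\\System32\\notepad.exe
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image = [field.strip() for field in line.split("|")]
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "image": image})
    return events


def tool_for(image):
    """Map an image path to a known remote-access tool name, or None."""
    name = os.path.basename(image.replace("\\", "/")).lower()
    return RAT_IMAGES.get(name)


def covered_by_change(host, tool, ts):
    """True when an approved change ticket covers this host, tool and time."""
    for t_host, t_tool, start, end in CHANGE_TICKETS:
        if (t_host == host and t_tool == tool
                and datetime.fromisoformat(start) <= ts <= datetime.fromisoformat(end)):
            return True
    return False


def detect_unapproved_rats(text):
    """Return one alert dict per remote-access tool execution not covered by a ticket."""
    alerts = []
    for e in parse_events(text):
        tool = tool_for(e["image"])
        if tool is None or covered_by_change(e["host"], tool, e["ts"]):
            continue
        # A RAT on a server, or running as SYSTEM, gets a higher priority than a
        # user-context install on a workstation; both still need a change record.
        on_server = e["host"].startswith("SRV-")
        as_system = e["user"].upper().endswith("\\SYSTEM")
        alerts.append({
            "ts": e["ts"].isoformat(),
            "host": e["host"],
            "user": e["user"],
            "tool": tool,
            "severity": "high" if on_server or as_system else "medium",
            "off_hours": not 6 <= e["ts"].hour < 22,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_unapproved_rats(SAMPLE_EVENTS):
        print(alert)
```

On the sample input the helpdesk TeamViewer install is suppressed by its ticket, the AnyDesk binary run from a user's Temp folder at 01:47 becomes a medium alert, and an Atera agent starting as SYSTEM on a backup server becomes a high one. Matching on the change-management record rather than on a static allowlist is what keeps the rule useful: the same tools are legitimate in IT's hands, and the signal the paragraph describes is the install nobody approved.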

What Valtik does in this space

Valtik's incident response engagements include ransomware-specific tabletop exercises, hypervisor security reviews, backup infrastructure audits, and post-incident investigations. If you want to understand what your organization's ransomware posture actually looks like, as opposed to what the policy documents say, our adversarial simulation engagements run through the full attack chain as a 2026 RaaS affiliate would, stopping before the destructive phase.

For healthcare providers, municipal organizations, and manufacturers (the three highest-targeted verticals in 2026), ransomware tabletop exercises are the single highest-ROI security investment available. Reach out via https://valtikstudios.com.

Sources

  1. [Operation Cronos LockBit Takedown. NCA](https://www.nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group)
  2. [LockBit Indictment. US DOJ](https://www.justice.gov/opa/pr/us-charges-russian-national-administrator-lockbit-ransomware-operation)
  3. [The State of Ransomware January 2026. BlackFog](https://www.blackfog.com/the-state-of-ransomware-january-2026/)
  4. [Chainalysis 2025 Crypto Crime Report](https://www.chainalysis.com/)
  5. [Coveware Ransomware Marketplace Report 2025](https://www.coveware.com/blog)
  6. [Healthcare Ransomware Surge. ComplianceHub.Wiki](https://compliancehub.wiki/healthcare-ransomware-surge-49-percent-2026/)
  7. [Signature Healthcare / Brockton. HIPAA Journal](https://www.hipaajournal.com/signature-healthcare-brockton-hospital-cyberattack/)
  8. [Qilin VMware ESXi Targeting. Trend Micro](https://www.trendmicro.com/)
  9. [Akira Ransomware Analysis. FBI](https://www.fbi.gov/)
  10. [Sophos State of Ransomware 2025](https://www.sophos.com/en-us/content/state-of-ransomware)