LockBit Dismantled, BlackCat Stole the Money, and RansomHub Filled the Vacuum — How Ransomware Rewired Itself in 2024

Operation Cronos crippled LockBit's infrastructure in February 2024, ALPHV/BlackCat imploded in a $22 million exit scam weeks later, and RansomHub absorbed the displaced affiliates to become 2024's most prolific ransomware operator. The law enforcement victories didn't shrink the threat — they reshuffled it into something more volatile and harder to track, setting the stage for a fragmented, AI-assisted ecosystem that continues to escalate through mid-2026.
Operation Cronos: The Anatomy of a Major Disruption
On February 19, 2024, a coalition of ten countries led by the UK's National Crime Agency (NCA) and the US FBI executed Operation Cronos against LockBit, the dominant ransomware group since at least 2022. Authorities seized 34 servers across multiple jurisdictions, shut down LockBit's dark web leak site, closed 14,000 rogue accounts, froze 200 cryptocurrency wallets, and obtained over 1,000 decryption keys. Two individuals were arrested in Poland and Ukraine. Russian nationals Artur Sungatov and Ivan Kondratyev (alias "Bassterlord") were indicted in the United States.
The operation's psychological component was as significant as its technical one. Authorities repurposed LockBit's own leak site to expose the group's internal workings, publish affiliate identities, and address personalized messages to members logging into their control panels. The alleged ringleader, Dmitry Yuryevich Khoroshev (alias "LockBitSupp"), was publicly identified and placed under a $10 million US State Department reward. He was subsequently banned from major cybercrime forums, cutting off his recruitment and communication channels.
The disruption was real but not permanent. Within days, LockBitSupp claimed to have restored systems. By mid-2025 the group had rebranded as LockBit 4.0, replacing its AES-256 + RSA-2048 hybrid encryption with ChaCha20-Poly1305, adopting a federated hosting model, and reforming its affiliate program. Check Point Research confirmed active LockBit 4.0 extortion campaigns targeting organizations across Windows, Linux, and ESXi environments in Europe, the Americas, and Asia by September 2025.
BlackCat's Exit Scam: A $22 Million Betrayal
While law enforcement celebrated the LockBit disruption, ALPHV/BlackCat orchestrated one of the most brazen betrayals in ransomware history. In February 2024, a BlackCat affiliate compromised Change Healthcare — a subsidiary of UnitedHealth Group that processes 15 billion healthcare transactions annually and touches one in three US patient records. The initial access vector was a Citrix remote access portal with no multi-factor authentication.
Change Healthcare detected the breach on February 21, 2024, and shut down its systems. UnitedHealth Group CEO Andrew Witty later confirmed the company paid a $22 million ransom in Bitcoin to BlackCat in an attempt to prevent patient data from being published. It didn't work. A disgruntled affiliate publicly accused the BlackCat operators of pocketing the entire payment without sharing the agreed commission — and of still holding 4 terabytes of stolen data. When BlackCat posted a fake law enforcement seizure notice on its leak site in March 2024, researchers including Emsisoft's head of ransomware research Fabian Wosar quickly identified it as fabricated. The DOJ, Europol, and the NCA all denied involvement. BlackCat had exit-scammed its own affiliates and shut down.
The collateral damage was enormous. The attack disrupted claims submission, eligibility verification, payment processing, and pharmacy transactions nationwide. The American Hospital Association described it as "the most significant and consequential incident of its kind against the US healthcare system in history." UnitedHealth Group reported over $870 million in losses in Q1 2024 alone, with total response costs estimated between $2.3 billion and $2.45 billion. Approximately 190 million people — more than half the US population — had data compromised. Adding insult to injury, RansomHub subsequently claimed to also possess the stolen Change Healthcare data and demanded a second ransom from UnitedHealth Group.
RansomHub: The Vacuum Filler
RansomHub launched in February 2024 — the same month as the Change Healthcare attack — and its timing was no coincidence. Researchers at multiple firms assess that it is a rebrand or derivative of the Knight (Cyclops) ransomware, or that its operators acquired Knight's source code. Its business model was designed explicitly to attract affiliates burned by the LockBit and BlackCat disruptions: affiliates manage ransom payments directly and remit only a 10% commission to the core group, compared to the 20-30% typical of competing platforms.
The growth numbers are stark. RansomHub claimed 531 new victims in 2024, representing 9.8% of all tracked ransomware cases globally and making it the most prolific group of the year. Its attack volume jumped 66% in the second half of 2024. In September 2024 alone, RansomHub listed 66 victims and accounted for 16% of all Q3 ransomware attacks. Targets spanned water and wastewater systems, government facilities, healthcare, critical manufacturing, financial services, transportation, and communications infrastructure. High-profile victims included Frontier Communications, British auction house Christie's, and Halliburton.
RansomHub's dominance proved short-lived. On March 31, 2025, its onion site went dark and its client portal went offline the following day. Rapid7 confirmed a complete cessation of operations by early April 2025, with affiliates migrating to DragonForce and LockBit. DragonForce subsequently claimed to have taken over RansomHub's infrastructure.
The Fragmentation Phase and the New Consolidation
The serial collapses of LockBit, BlackCat, and RansomHub created a chaotic affiliate market. The number of publicly disclosed ransomware groups grew from 79 in April 2023 to 96 by April 2025, with 52 new groups appearing in a single year. By 2025, a record 124 distinct named groups had been observed in the wild. Smaller groups are harder to disrupt: they rebrand quickly, attribution becomes difficult, and no single takedown achieves outsized impact.
Two groups moved decisively into the power vacuum. Qilin (also tracked as Agenda), operating since 2022 with cross-platform builds in Golang and Rust targeting Windows, Linux, and VMware ESXi, recorded a 408% increase in attacks through 2025 and became the leading ransomware group by June 2025. Affiliates earn 80-85% of ransom proceeds. Notable affiliates include FIN12 and Scattered Spider (Octo Tempest). Following RansomHub's April 2025 shutdown, significant numbers of its affiliates migrated to Qilin. The group even introduced an in-house "journalist" service for its leak site blog posts — widely assessed to be LLM-generated — and a "Call Lawyer" affiliate support function.
DragonForce, active since August 2023 and sharing lineage with LockBit Green through leaked Conti v3 source code, rebranded in March 2025 as a "cartel." Its model allows affiliates to operate under their own brand names while leveraging DragonForce's infrastructure, tooling, and support. The group offers affiliates 80% of proceeds and has listed over 200 victims across retail, airlines, insurance, and managed service providers. It has partnered with Scattered Spider and actively targets rival groups' infrastructure to assert dominance.
By Q1 2026, Check Point Research noted a consolidation trend reversing the fragmentation: the top 10 groups began accounting for a larger share of tracked victims, with Qilin, Akira, and LockBit 4.0/5.0 absorbing displaced affiliates at scale. Total global ransomware incidents are projected to exceed 12,000 in 2026 at current rates.
Takeaways for Defenders
- Enforce MFA on every remote access portal, without exception. The Change Healthcare breach began with a Citrix endpoint lacking MFA. This single control failure cost UnitedHealth Group over $2 billion and compromised 190 million patient records.
- Do not assume a group's shutdown removes its threat. LockBit rebuilt twice after major disruptions. Affiliates from BlackCat and RansomHub transitioned to new platforms within weeks. Threat intelligence subscriptions need to track affiliate migration, not just named groups.
- Segment and test backup integrity continuously. RansomHub and Qilin both target ESXi hosts specifically to destroy virtualized backups. Air-gapped, tested recovery procedures remain the single most effective ransomware mitigation.
- Watch for the cartel model. DragonForce's affiliate branding system means attacks attributed to previously unknown brands may share infrastructure, tooling, and tactics with well-documented operators. Treat unfamiliar ransomware names as potentially cartel-affiliated until proven otherwise.
- Third-party concentration risk is now a board-level issue. Change Healthcare's role in processing one-third of US patient records turned a single ransomware infection into a national healthcare crisis. Supply chain mapping and vendor resilience requirements are no longer optional for critical infrastructure sectors.
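One concrete way to act on the "test backup integrity continuously" takeaway is to keep an out-of-band hash manifest of the backup set and re-verify it on a schedule, distinguishing a file that merely changed from one whose contents now look like ciphertext. The script below is an added illustration written for this article, not code from the article's author or from any vendor it mentions; the sample file names, the simulated attack, and the 7.5-bit entropy threshold are assumptions, and the entropy test is a heuristic rather than a definitive detection.

```python
# Added example (not from the article): a minimal backup-integrity check.
# It records a SHA-256 manifest for a backup set, then re-verifies the set and
# flags files that are missing, modified, or whose new contents have the
# near-random byte distribution typical of encrypted data.
# The 7.5-bit entropy threshold and the sample file names are assumptions.
import hashlib
import math
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so VMDK-sized backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text and config data sit well below 6,
    encrypted or compressed data approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Walk the backup tree and record hash and size of every regular file.
    The manifest belongs somewhere the backup host itself cannot overwrite."""
    return {
        str(p.relative_to(root)): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the live backup tree to the manifest. A hash mismatch alone means
    'modified'; a mismatch plus high entropy is the signature of an encrypted file."""
    report = {"ok": [], "missing": [], "modified": [], "suspect_encrypted": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) == expected["sha256"]:
            report["ok"].append(rel)
            continue
        report["modified"].append(rel)
        with open(p, "rb") as f:
            head = f.read(1 << 20)  # sample the first 1 MiB; enough to classify
        if shannon_entropy(head) >= entropy_threshold:
            report["suspect_encrypted"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: snapshot a small backup set, then simulate damage
    to the backup store and re-verify against the stored manifest."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "vm").mkdir()
        (root / "vm" / "app01.vmdk").write_bytes(b"virtual disk block 0000\n" * 512)
        (root / "db.sql").write_text("CREATE TABLE patients (id INT);\n" * 64)
        (root / "config.ini").write_text("[backup]\nschedule=nightly\n")
        manifest = build_manifest(root)

        # Simulated damage: one file overwritten with ciphertext-like bytes,
        # one deleted, one left untouched.
        (root / "vm" / "app01.vmdk").write_bytes(os.urandom(8192))
        (root / "db.sql").unlink()
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:18s} {files}")
```

Run it directly to see the four categories for the constructed scenario. In production the manifest should be written to a host the backup system cannot reach, so that an intruder with control of the backup server cannot rewrite the expected hashes; and because compressed archives also score close to 8 bits per byte, known compressed formats should be exempted from the entropy rule or compared on hash alone.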