How LockBit’s legacy is changing the ransomware market

by Black Hat Middle East and Africa
on
How LockBit’s legacy is changing the ransomware market

When authorities seized LockBit websites and administrator servers as part of Operation Cronos in February 2024, it marked a major disruption of what officials described as one of the world's most active ransomware groups. The operation targeted infrastructure used to attack and extort victims across the globe, while subsequent investigations identified Dmitry Yuryevich Khoroshev as the alleged developer and administrator behind the LockBit platform. 

Three months later, the US Treasury sanctioned Khoroshev, stating that LockBit had targeted more than 2,500 victims in at least 120 countries, received at least $500 million in ransom payments, and caused billions of dollars in wider losses through business disruption and recovery costs.

But despite that disruption, ransomware activity isn’t slowing down. 

According to research from Check Point, ransomware groups listed 2,122 victims on public data leak sites during the first quarter of 2026 – making it the second-highest first-quarter total on record. Notably, the top 10 ransomware groups accounted for 71.1% of all victims, which indicates that activity is increasingly concentrated among a relatively small number of operators. 

That concentration may be producing an unexpected side effect: the emergence of a new generation of ransomware founders.

The LockBit talent pool

In 2025 the cybersecurity community gained a clear view of how LockBit operated, through the leak of its administration panel.

Analysis by Trellix found that the leaked database contained affiliate-panel records, victim organisations, negotiation chats, cryptocurrency wallets and ransomware build configurations. The data gave us visibility into how the group managed its ransomware-as-a-service (RaaS) operation and interacted with affiliates. 

Separately, court documents (highlighted by Flashpoint) show that LockBit's business model relied heavily on affiliates. According to the indictment, Khoroshev allegedly developed and maintained the malware and control infrastructure while affiliates carried out attacks and typically retained 80% of ransom payments, with the remaining 20% going to LockBit's operators.

Taking down infrastructure is one thing – but dispersing a network of experienced affiliates is something else. 

Enter: Hyflock and The Gentlemen

According to threat intelligence firm Flare, two new ransomware-as-a-service programmes emerged in May 2026 and quickly attracted attention on cybercrime forums: Hyflock and The Gentlemen. 

Hyflock began recruiting affiliates on 14 May, while The Gentlemen launched its own recruitment effort on 15 May before securing an official partnership with BreachForums a day later.

What made both launches noteworthy was the pedigree being advertised.

Operators behind the programmes publicly claimed previous experience with LockBit and Qilin. Flare stresses that those claims can’t be independently verified. But researchers noted that the technical detail and operational maturity displayed in recruitment materials suggested a level of experience that would be difficult to fabricate.

Whether the claims are genuine or not, the messaging reflects a wider trend: ransomware operators today see experience and reputation as recruitment tools.

The significance of Qilin

The reference to Qilin is particularly interesting.

Check Point identified Qilin as the most active ransomware group in Q1 2026, recording 338 publicly disclosed victims during the quarter. 

The group's growth has been rapid. Data compiled by Comparitech shows that Qilin claimed 701 victims during 2025, of which 118 were independently confirmed by researchers. The group has targeted organisations across manufacturing, healthcare, government, finance and retail sectors, demonstrating a broad operational footprint. 

And Industrial Cyber reported that Qilin surpassed activity levels previously associated with major rivals, helping cement its position as one of the dominant ransomware brands currently operating. 

With that as a backdrop, any claimed connection to Qilin carries weight within the ransomware ecosystem.

A battle for affiliates

For us, the most revealing aspect of the new programmes is how they’re attempting to attract talent. 

According to Flare, The Gentlemen advertises a 90% affiliate revenue share, supports Windows, Linux, NAS, BSD and ESXi environments, and includes a ‘silent mode’ designed to avoid some file-renaming detection techniques. 

Hyflock has adopted a different strategy: its operators advertise a platform that combines ransomware tooling with integrated services, including: 

  • Access purchasing
  • Automated negotiation rooms
  • AI-assisted victim analysis 
  • Red-team support for affiliates conducting attacks

The group also claims its encryptor operates at roughly twice the speed of LockBit 3.0 (although Flare notes there is currently no independent benchmark validating that assertion). 

So these groups aren’t simply selling malware. They’re competing on features, support and economics. 

The business model survives 

For organisations across the Middle East and Africa, and for cybersecurity practitioners everywhere, the most important takeaway is what the emergence of groups like Hyflock or The Gentlemen says about the evolution of the ransomware economy. 

Operation Cronos disrupted LockBit's infrastructure, and the administration panel leak exposed internal operations. But the latest data suggests the ecosystem continues to adapt.

As ransomware activity becomes more concentrated among a smaller number of operators, the market is also producing new entrants that appear eager to inherit the expertise, reputation and affiliate networks that made previous groups successful.

The names have changed – but the business model is firming up.

Share on

Join newsletter

Join the newsletter to receive the latest updates in your inbox.


Follow us


Topics

Sign up for more like this.

Join the newsletter to receive the latest updates in your inbox.

Related articles