Commentary

Why Ransomware Groups Don't Die When You Arrest Their Leaders

In February 2024, a law-enforcement coalition led by the UK's National Crime Agency with the FBI and Europol (Operation Cronos) seized LockBit's infrastructure and leak site and, over the following months, named and indicted its operators. In December 2023, the FBI had done much the same to ALPHV/BlackCat, seizing its leak site and releasing a decryptor. At that point the two were among the world's most prolific ransomware groups, and both operations were framed by the authorities as decisive victories.

Within weeks, former affiliates of both groups had migrated to RansomHub, a new programme that courted them openly, offering a larger revenue share than its predecessors and paying affiliates before taking its own cut. The flow from ALPHV accelerated in March 2024, when that group withheld an affiliate's share of the Change Healthcare ransom and shut down. By the second half of 2024, RansomHub had become the most active ransomware group in the world.

If you’re a security or risk leader trying to understand why this threat never seems to go away, the answer lies in how ransomware actually works — and it’s not the way most public reporting describes it.

The Three-Tier Structure

Modern ransomware operations are not gangs in the conventional sense. They are franchise operations, usually described as ransomware-as-a-service (RaaS), with three distinct tiers.

The developers build and maintain the ransomware code, the payment infrastructure, the negotiation portals, and the technical backend that makes the whole operation run. This is a small group — sometimes as few as five to fifteen people — with genuine software engineering skill. They typically operate from jurisdictions where extradition to Western countries is either impossible or politically inconvenient.

The affiliates are the people who actually break into organisations, deploy ransomware, and exfiltrate data. They operate on a revenue-sharing model: typically keeping 70-80% of any ransom payment, with the remainder going to the developers for use of the platform (RansomHub advertised 90% to affiliates, which is part of why it absorbed so many LockBit and ALPHV veterans). An active ransomware programme might have dozens or hundreds of affiliates operating simultaneously and independently.

The initial access brokers are a separate market entirely. These actors specialise in breaking into organisations, establishing persistent access (typically VPN or RDP credentials, a web shell, or a beacon on an internal host), and then selling that access on criminal forums to whoever will pay, affiliates of any programme included. A broker might sell access to a hospital network for $10,000 to an affiliate who then deploys ransomware and collects $2 million.

Why Takedowns Don’t End the Threat

When law enforcement seizes LockBit's infrastructure, they're removing the developers' backend — the servers, the leak site, the payment and negotiation portals. This is genuinely disruptive to the developers and imposes real cost: rebuilding takes time, and affiliates lose trust in a platform whose operators have been unmasked.

It does almost nothing to the affiliates.

An affiliate who has spent three years developing expertise in breaking into corporate networks, evading endpoint detection, and navigating healthcare IT systems doesn’t lose that skill when LockBit is seized. They lose access to one platform. They open their browser, navigate to a criminal forum, and register with RansomHub, BlackSuit, or any of the other active programmes. The onboarding typically takes less than a week.

The initial access brokers, similarly, are unaffected. They sold access before the takedown. They're selling access now. Their market operates entirely independently of which ransomware platform their customers prefer this week, and an access listing that went unsold during the disruption is simply bought by an affiliate who has moved on to a new programme.

What This Means for Your Risk Picture

Understanding this structure changes how you should think about the ransomware threat.

The question is not whether the specific group that attacked your competitor last month is still operating. It's whether the conditions that made your competitor vulnerable — internet-facing VPNs and remote-access services with known unpatched vulnerabilities, remote access without MFA, weak detection capability — are present in your own organisation.

The affiliates are mostly not choosing targets based on brand or ideology. They're choosing targets based on a simple calculation: how much effort is required to compromise this organisation, relative to the likely payout? Organisations that present a high-friction attack surface — where getting in, moving laterally, and deploying ransomware without triggering detection all require significant effort — are more likely to be abandoned in favour of an easier target, because the affiliate's time is their scarce resource.

The practical upshot is that the most effective defensive investments are the boring ones: maintaining a current patch state on externally-facing systems, enforcing MFA on all remote access, having a network segmentation strategy that limits lateral movement, and ensuring backups are current, genuinely offline or immutable, and regularly tested by restoring from them.

None of that requires predicting which ransomware group will be most active next quarter. All of it remains relevant regardless of what law enforcement achieves.

The One Thing Takedowns Do Achieve

There is something valuable that comes from law enforcement operations against ransomware infrastructure, even if it doesn’t stop the threat.

When LockBit was disrupted, the Operation Cronos task force published affiliate details, internal communications, affiliate agreements, and negotiation histories from the seized backend, along with decryption keys for some victims. This intelligence is genuinely useful — not for predicting the next attack, but for understanding the economics, the tooling, and the operational tradecraft of the people conducting these attacks. It informs defensive product development, threat intelligence, and the kind of red team exercises that test whether your controls would actually catch these techniques.

Law enforcement's most significant contribution to ransomware defence may not be the takedowns themselves. It's the intelligence that comes after.