Red Hot Cyber

Orion Leaks: LockBit’s Shadow in Ransomware Ecosystem

14 January 2026 08:17

An in-depth look at the infrastructure connections of emerging group Orion Leaks and its possible connection to former RaaS giant LockBit.

In recent months, following Operation Cronos, conducted by international agencies to dismantle LockBit’s infrastructure and leadership, the ransomware ecosystem has undergone significant fragmentation. The operation compromised central servers, leak sites, and automated distribution tools, leaving an operational vacuum that has favored the emergence of new names in the data leak landscape. Orion Leaks has appeared in this context: initial analyses suggest it may be linked to LockBit, and it is drawing attention for the way it handles stolen data. Are we looking at an independent group, or a shadowy entity exploiting LockBit’s infrastructure and historical datasets?

At first glance, Orion behaves like a typical double extortion group, publishing leaks and pressuring victims. However, a closer look reveals an interesting pattern:

  • No proprietary encryptor: There is no evidence of any newly developed encryption tools.
  • Already known victims: Many companies claimed by Orion had already been hit by LockBit.
  • Data Repackaging: Orion appears to reuse existing datasets rather than making new intrusions.

This behavior falls into the category of so-called “Scavenger Groups”: actors who seek to monetize already exfiltrated data by exploiting the victims’ residual fear and media confusion.

Orion has listed 13 victims on its DLS (data leak site) to date.

Disclaimer: This report includes screenshots and/or text from publicly available sources. The information provided is for threat intelligence and cybersecurity risk awareness purposes only. Red Hot Cyber condemns any unauthorized access, improper dissemination, or misuse of this data. It is currently not possible to independently verify the authenticity of the information reported, as the organization involved has not yet released an official statement on its website. Therefore, this article should be considered for informational and intelligence purposes only.

The umbilical cord: infrastructural evidence

The most significant indicator linking Orion to LockBit concerns the infrastructure used. The download links point directly to a historic LockBit file server, indicating direct access to legacy backends rather than cloned servers.

IoC: hxxp://lockbit24pegjquuwbmwjlvyivmyaujf33kvlepcxyncnugm3zw73myd[.]onion

This detail suggests two main scenarios:

  1. Rebranded Affiliate: Orion may be operated by former high-level LockBit affiliates who, while rebranding to avoid law enforcement attention or to distance themselves from the now-tarnished reputation of the parent brand (LockBitSupp), still retain access to the original backend keys and storage servers.
  2. Operational Subgroup: It is not uncommon for large RaaS cartels to create “dummy” subgroups to manage parallel negotiations or to put pressure on victims who have refused the initial payment, simulating a new leak without carrying out new intrusions.

Operational implications

Data repackaging carries specific risks:

  • The data remains on the original LockBit servers. If Orion is simply redirecting to the LockBit file server lockbit24…, it means the data hasn’t moved.
  • The threat is primarily reputational , without new encryption.
  • Victims may perceive a new compromise when in reality it is an echo of previous incidents.
  • Persistence is server-side: LockBit’s storage infrastructure, despite takedown attempts, keeps nodes active and accessible to third parties (or former partners).

For Incident Response teams, Orion’s emergence requires:

  • Verification of each claim against the LockBit victim database.
  • Analysis to distinguish new attacks from reused data.
  • Preparation to handle ransom demands based on pre-existing information.
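As an added example (not part of the original article or of any tool RHC uses), a small Python triage helper that applies the two checks above to a DLS claim: does the download link point at the legacy LockBit file server named in the IoC, and is the claimed victim already in the LockBit victim record? The victim names, the second onion host and the sample claims are constructed placeholders.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Legacy LockBit file server from the article's IoC (refanged form).
LEGACY_LOCKBIT_HOSTS = {
    "lockbit24pegjquuwbmwjlvyivmyaujf33kvlepcxyncnugm3zw73myd.onion",
}

# Constructed placeholder entries standing in for an IR team's LockBit victim record.
KNOWN_LOCKBIT_VICTIMS = {"acme-corp", "example-hospital"}


def refang(url: str) -> str:
    """Undo the usual hxxp / [.] defanging so the URL can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def host_of(url: str) -> str:
    """Return the lowercase hostname of a (possibly defanged) URL, or '' if unparsable."""
    return (urlparse(refang(url)).hostname or "").lower()


def normalize(name: str) -> str:
    """Normalize a victim name so spelling variants on different DLSs match."""
    return re.sub(r"[^a-z0-9]+", "-", name.lower()).strip("-")


@dataclass
class Claim:
    victim: str        # organisation name as shown on the DLS
    download_url: str  # link offered for the leaked archive (defanged is fine)


def triage(claim: Claim) -> dict:
    """Classify a DLS claim as repackaged LockBit data or something to investigate."""
    legacy_host = host_of(claim.download_url) in LEGACY_LOCKBIT_HOSTS
    prior_victim = normalize(claim.victim) in KNOWN_LOCKBIT_VICTIMS
    if legacy_host and prior_victim:
        verdict = "repackaged"      # data never moved; echo of an earlier LockBit incident
    elif legacy_host or prior_victim:
        verdict = "probable-reuse"  # one indicator only; confirm against IR records
    else:
        verdict = "investigate"     # no link to LockBit infrastructure or victim history
    return {"victim": claim.victim, "legacy_host": legacy_host,
            "prior_victim": prior_victim, "verdict": verdict}


# Constructed sample claims; the second onion host is a placeholder, not a real IoC.
SAMPLE_CLAIMS = [
    Claim("ACME Corp", "hxxp://lockbit24pegjquuwbmwjlvyivmyaujf33kvlepcxyncnugm3zw73myd[.]onion/acme.7z"),
    Claim("Example Hospital", "hxxp://orionplaceholderhost[.]onion/hospital.zip"),
    Claim("Newly Listed Ltd", "hxxp://orionplaceholderhost[.]onion/newly.zip"),
]
```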

MITRE ATT&CK: TTP Mapping

While Orion shows no evidence of new intrusions, its activities can be mapped onto MITRE ATT&CK techniques related to impact and extortion:

  • TA0040 – Impact
    • T1657 – Data Manipulation for Extortion
    • T1486 – Data Encrypted for Impact (historical, LockBit)
  • TA0010 – Exfiltration
    • T1041 – Exfiltration Over C2 Channel (historical)
  • TA0002 / TA0001
    • No evidence of new TTPs in the initial access or execution phases

Conclusion

Infrastructure evidence links Orion directly to LockBit servers, debunking the perception of a new, emerging threat. Currently, Orion appears more like a spin-off or laundering group within the LockBit ecosystem, rather than an independent ransomware actor.

For Incident Response teams, understanding this difference is essential to respond proportionately and protect affected organizations, distinguishing between new attacks and simple reuse of historical data. Monitoring Orion will continue to provide valuable insights for security and threat intelligence professionals.

RHC will continue to monitor the situation and will publish further updates if significant information emerges.
We invite anyone who knows relevant details to contact us via the encrypted whistleblower email, ensuring the possibility of remaining anonymous.


Raffaela Crisci
Member of the Dark Lab group. Computer Engineer graduated with honors from the University of Sannio, with specialization in Cyber Security. Expert in Cyber Threat Intelligence with experience in a leading multinational company. Strong discipline and organizational skills developed through sports