
LockBit Takedown: Operation Cronos Disrupts the World's Most Prolific Ransomware Gang

A coordinated law enforcement operation involving 10 countries seized LockBit's infrastructure, arrested members, and published the gang's own admin panel data — including the identities of affiliates — online for the world to see.

LockBit / Operation Cronos · 2024

Background

LockBit was the world's most prolific ransomware-as-a-service (RaaS) operation, responsible for approximately 25% of all ransomware attacks from 2022 to 2024. It licensed its ransomware to affiliates, who carried out the intrusions and kept 80% of the ransoms they collected. Its victims included Boeing, the UK Royal Mail, a Canadian children's hospital, and thousands of businesses.

The Attack

On February 19, 2024, Operation Cronos — coordinated by the UK National Crime Agency, FBI, Europol, and agencies from Australia, France, Germany, Japan, and other nations — seized LockBit's infrastructure. Law enforcement took over LockBit's dark web leak site and replaced it with their own messaging. They obtained decryption keys and created a free decryption tool. The NCA published LockBit's own admin panel dashboard — displaying affiliate usernames and victim lists — mocking the gang using their own branding. Dmitry Khoroshev (LockBitSupp), identified as the lead developer, was sanctioned and indicted.

Response

Decryption keys were released for approximately 7,000 victims. LockBit attempted to relaunch within days, but its credibility with affiliates was destroyed. The operation demonstrated that law enforcement had spent months inside LockBit's infrastructure, reading the gang's communications, before acting. Khoroshev remains at large in Russia.

Outcome

Operation Cronos was the most successful ransomware disruption operation to date, though LockBit's attempts to continue showed the difficulty of permanently eliminating RaaS infrastructure. The release of affiliate identities had a chilling effect on ransomware recruitment. Free decryption keys helped thousands of victims recover without paying.

Key Takeaways

  1. Law enforcement infiltration of ransomware infrastructure can yield decryption keys for victims who have already paid or refused to pay
  2. Ransomware-as-a-service affiliates are vulnerable to exposure when their operator's infrastructure is seized
  3. Even disrupted ransomware groups attempt to relaunch — disruption is not elimination
  4. Free decryption tools from law enforcement operations should always be checked before paying a ransom