Following Operation Cronos on Feb 19, 2024, the UK’s National Crime Agency targeted the LockBit ransomware group, leading to significant disruptions in their operations [1].


Trend Micro’s analysis of LockBit-NG-Dev revealed a transition to a NET core, highlighting the necessity for new security detection techniques [2]. Post-Operation Cronos [1] [2] [3], nearly 80% of victim claims on LockBit’s new leak site were determined to be fraudulent, with many victims being duplicates from previous attacks or victims of other ransomware groups [1]. LockBit is suspected of manipulating the site to give the appearance of continued operation. The exposure of LockBit’s back-end information compromised affiliate identities and victim data [2], potentially eroding trust within the cybercriminal network [2]. The takedown also impacted LockBit’s affiliates [1], resulting in a decrease in actual infections and reports of disrupted infrastructure on cybercrime forums [1]. LockBit administrators were in the process of developing a new ransomware build, LockBit-NG-Dev [1] [2] [3], prior to the takedown, but development efforts are likely paused as the group focuses on restoring its infrastructure [1]. Reactions within the cybercrime community varied, indicating significant shifts in the ransomware-as-a-service industry post-Operation Cronos [2]. Trend Micro’s cybersecurity platform continues to safeguard organizations globally from evolving cyber threats.


The actions taken against LockBit following Operation Cronos have had a substantial impact on the group’s operations, affiliates [1] [2] [3], and victims [1] [2]. Moving forward, it is crucial for organizations to remain vigilant and implement robust security measures to protect against ransomware attacks. The aftermath of Operation Cronos suggests potential changes in the cybercrime landscape, underscoring the importance of proactive cybersecurity strategies in the face of evolving threats.