LockBit Ransomware [1] [3] [4] [5], a global threat [4], was targeted in Operation Cronos [2] [4], an international investigation involving law enforcement agencies from 10 countries [3], including the NCA and FBI.


Led by Europol [3], this joint effort successfully disrupted the LockBit ransomware gang by compromising their primary platform, seizing their infrastructure [4], and taking down 34 servers in Australia [3], US [3], UK [3], and Europe [3]. The operation also involved freezing over 200 cryptocurrency accounts linked to LockBit and arresting members in Poland and Ukraine. The group’s kingpin [4], LockbitSupp [4], was identified [3] [4], false claims made by the individual were revealed [4], and two alleged LockBit actors were arrested [3]. LockBit [1] [2] [3] [4] [5], which originated in 2019 with ties to Russian-language forums [4], operates a ransomware-as-a-service model with affiliates conducting cyber-attacks [4]. Multiple versions of LockBit have been released, with LockBit 3.0 being the latest [4], featuring encrypted executables and double extortion tactics [4]. Law enforcement agencies partnered with Chainalysis to track LockBit’s cryptocurrency transactions [4], revealing significant financial activity [4]. LockBit targeted schools [3] [4], medical facilities [3], businesses [3], and government entities [3], including high-profile victims like the UK’s Royal Mail and Continental [4]. Decryptors for LockBit have been developed by law enforcement [4], with over 1000 decryption keys obtained [4]. Affiliates of LockBit have been named [2], putting pressure on the group [2], and five associates have been charged [2]. Europol coordinated actions to arrest two LockBit actors in Poland and Ukraine [2]. Despite the success of Operation Cronos, cybersecurity experts believe the individuals behind LockBit may resurface under a new name or toolset [4]. RedSense’s investigation suggests the end of LockBit as we know it [4], with the group’s structure and affiliations evolving over time [4]. Recent attacks exploiting two critical vulnerabilities in ScreenConnect have been detected [1], with the ransomware being deployed to vet offices [1], health clinics [1], and local governments [1], including systems related to 911 systems [1]. The malware being deployed is associated with LockBit [1], indicating the group’s large reach despite recent law enforcement takedowns [1].


The impact of Operation Cronos on the LockBit ransomware gang has been significant, with key members arrested and infrastructure seized. However, the possibility of the group resurfacing under a new guise remains a concern for cybersecurity experts. Continued vigilance and collaboration among law enforcement agencies will be crucial in combating future threats posed by ransomware groups like LockBit.


[1] https://arstechnica.com/security/2024/02/ransomware-associated-with-lockbit-still-spreading-2-days-after-server-takedown/
[2] https://www.informationweek.com/cyber-resilience/international-operation-hits-major-ransomware-player-lockbit-
[3] https://ia.acs.org.au/article/2024/police-decimate-lockbit-ransom-gang-.html
[4] https://www.infosecurity-magazine.com/news/operation-cronos-who-are-lockbit/
[5] https://arcticwolf.com/resources/blog/operation-cronos-the-takedown-of-lockbit-ransomware-group/