Operation Cronos and the Takedown of LockBit: A Cybersecurity Milestone

Running short on time but still want to stay in the know? Well, we’ve got you covered! We’ve condensed all the key takeaways into a handy audio summary.

Introduction

LockBit (aka ABCD Ransomware), one of the most destructive ransomware groups in history, was dismantled in early 2024 through a landmark international law enforcement operation. Since 2019, LockBit has terrorized thousands of organizations worldwide, businesses, healthcare, education, governments, using a ransomware-as-a-service (RaaS) model. Over its lifespan, LockBit extorted tens of millions of dollars, estimated over $90 million to $120 million in ransom payments, affecting approximately 3,000 to 3,500 victims globally, making it one of the most prolific ransomware syndicates in recent memory. 

In February 2024, Operation Cronos, a coordinated global law enforcement effort, effectively disrupted the group’s infrastructure, servers, cryptocurrency accounts, and affiliate networks. However, LockBit’s story remains ongoing, with data leaks and potential resurgent threats observed into 2025.

How LockBit Operated

To understand the impact of the takedown, it’s essential to first grasp how the LockBit criminal enterprise functioned. As a RaaS provider, LockBit’s core group of developers created and maintained the ransomware and its supporting infrastructure. This included a web-based administrative panel for affiliates to manage their campaigns, a data leak site on the dark web for double extortion, and bespoke tools like StealBit for data exfiltration. Affiliates, the individual hackers who leased this service, were responsible for gaining initial access to victim networks and deploying the ransomware. LockBit operated on a profit-sharing model, typically taking a cut of the ransom payments.

The LockBit ransomware itself was highly adaptable. Over its lifecycle, it evolved through several versions (LockBit 2.0, 3.0, and LockBit Green), each with enhanced features like faster encryption, anti-analysis techniques, and the ability to evade security software. The group’s success was largely attributed to its professionalized operation, continuous innovation, and aggressive recruitment of new affiliates.

Its key tactics included:

• Exploited entry points: RDP, VPNs, phishing, brute-force attacks, and vulnerabilities like CVE-2024-1709 (ConnectWise Authentication Bypass).
• Privilege escalation: Tools like Mimikatz and PowerShell Empire.
• Network spread: Advanced Port Scanner and automation for lateral movement.
• Data theft: Its StealBit tool automated exfiltration.
• VMware focus: LockBit’s Linux-ESXi Locker targeted VMware hypervisors to cripple enterprise servers.

LockBit was written primarily in C and C++, with newer variants like LockBit-NG-Dev in .NET, highlighting its constant evolution.

The group promised victims data deletion after ransom payment, but leaks in 2025 exposed that data was often never deleted, even when ransoms were paid.

A Coordinated Infiltration and Dismantling

In February 2024, the UK’s National Crime Agency (NCA), FBI, Europol, and other partners launched Operation Cronos, seizing LockBit’s infrastructure.

Key facts from the takedown:

• 34 servers seized across multiple countries.
• 200+ cryptocurrency accounts frozen, disrupting ransom payment channels.
• Over 1,000 decryption keys obtained, giving victims a chance to recover data.
• 14,000 rogue accounts closed, including affiliate and victim-access portals.

LockBit’s dark web leak site was hijacked by authorities and used to publish victim assistance resources.

Authorities also named Dmitry Khoroshev (aka LockBitSupp) as the group’s leader, placing a $10 million bounty on his capture. Several affiliates were indicted, including Rostislav Panev, accused of being a key LockBit developer.

Impacts on Victims and Businesses

The takedown was a relief for thousands of victims. Organizations gained access to decryptors, and attacks tied to LockBit dropped sharply.

Still, the damage was massive:

• LockBit targeted healthcare and education disproportionately, disrupting hospitals and universities.
• Top target countries included the United States, India, and Brazil.
• LockBit had already made billions in damages worldwide before Operation Cronos.
• Many victims discovered that their stolen data was still leaked or sold, despite ransom payments.

The broader message of Operation Cronos was clear: international cooperation works. By pooling intelligence and resources, agencies proved that even the biggest cybercrime syndicates can be dismantled.

The Future: Can LockBit Bounce Back?

While Operation Cronos crippled LockBit, experts warn that it may not be the end.

• Resurgence risks: LockBit affiliates may regroup or rebrand, as groups like Conti and REvil did.
  
• Variants and copycats: Following the takedown, LockBit 5.0 reportedly emerged, building on LockBit-NG-Dev. Other gangs may copy LockBit’s successful RaaS model.
  
• May 2025 breach: Hackers defaced LockBit’s affiliate panels and leaked critical data, including:
  → Details of 75+ affiliates and admins, plus custom ransomware builds and encryption keys.
  → 4,400+ negotiation messages between LockBit and victims.
  → 59,000+ Bitcoin addresses used in ransom payments.

These leaks revealed not only LockBit’s massive scale but also its internal weaknesses, including disputes with affiliates, poor operational discipline, and reliance on outdated or vulnerable infrastructure.

Lessons Learned for Organizations

The LockBit case highlights both the threat of ransomware and the value of preparedness. Key takeaways for businesses include:

• Backup & segmentation:
  Maintain offline backups and segmented networks to limit ransomware damage.
  
• Patch management:
  LockBit’s own servers were breached partly through unpatched vulnerabilities.
  
• Incident response:
  Have a tested plan for rapid detection, isolation, and reporting of attacks.
  
• Global cooperation:
  Report ransomware incidents,  the intelligence fuels operations like Cronos and supports international disruption efforts.
  
• Threat Exposure Management (TEM):
  Continuously identify, prioritize, and fix exploitable vulnerabilities through attack surface monitoring, risk-based assessments, and adversary simulations to reduce ransomware risk.

Conclusion

The shutdown of LockBit marks one of the biggest victories in the fight against ransomware. With 34 servers seized, 200+ crypto wallets frozen, and 1,000+ decryption keys released, the operation showed that even the most prolific cybercrime syndicates can be dismantled.

But the emergence of LockBit 5.0 and leaks exposing tens of thousands of Bitcoin wallets and victim negotiations remind us that ransomware is an evolving threat.

The fall of LockBit is a milestone, but not the end. Businesses must remain vigilant, adopt strong defenses, and prepare for the next wave of cyber threats.

References:

→ https://hivepro.com/blog/lockbit-takedown-and-resurgence/
→ https://www.trendmicro.com/en_in/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version.html
→ https://flashpoint.io/blog/new-ransomware-as-a-service-raas-groups-to-watch-in-2025/
→ https://socradar.io/lockbit-5-0-ransomware-cartel-what-you-need-to-know/
→ https://arcticwolf.com/resources/blog/operation-cronos-the-takedown-of-lockbit-ransomware-group/