LockBit (aka ABCD Ransomware), one of the most destructive ransomware groups in history, was dismantled in early 2024 through a landmark international law enforcement operation. Since 2019, LockBit has terrorized thousands of organizations worldwide, including businesses, healthcare, education, and governments, using a ransomware-as-a-service (RaaS) model. Over its lifespan, LockBit extorted tens of millions of dollars, with ransom payments estimated at over $90 million to $120 million, and affected approximately 3,000 to 3,500 victims globally, making it one of the most prolific ransomware syndicates in recent memory.
In February 2024, Operation Cronos, a coordinated global law enforcement effort, effectively disrupted the group’s infrastructure, servers, cryptocurrency accounts, and affiliate networks. However, LockBit’s story remains ongoing, with data leaks and potential resurgent threats observed into 2025.
To understand the impact of the takedown, it’s essential to first grasp how the LockBit criminal enterprise functioned. As a RaaS provider, LockBit’s core group of developers created and maintained the ransomware and its supporting infrastructure. This included a web-based administrative panel for affiliates to manage their campaigns, a data leak site on the dark web for double extortion, and bespoke tools like StealBit for data exfiltration. Affiliates, the individual hackers who leased this service, were responsible for gaining initial access to victim networks and deploying the ransomware. LockBit operated on a profit-sharing model, typically taking a cut of the ransom payments.
The LockBit ransomware itself was highly adaptable. Over its lifecycle, it evolved through several versions (LockBit 2.0, 3.0, and LockBit Green), each with enhanced features like faster encryption, anti-analysis techniques, and the ability to evade security software. The group’s success was largely attributed to its professionalized operation, continuous innovation, and aggressive recruitment of new affiliates.
Its key tactics included:
LockBit was written primarily in C and C++, with newer variants like LockBit-NG-Dev in .NET, highlighting its constant evolution.
The group promised victims data deletion after ransom payment, but leaks in 2025 exposed that data was often never deleted, even when ransoms were paid.
In February 2024, the UK’s National Crime Agency (NCA), FBI, Europol, and other partners launched Operation Cronos, seizing LockBit’s infrastructure.
Key facts from the takedown:
LockBit’s dark web leak site was hijacked by authorities and used to publish victim assistance resources.
Authorities also named Dmitry Khoroshev (aka LockBitSupp) as the group’s leader, placing a $10 million bounty on his capture. Several affiliates were indicted, including Rostislav Panev, accused of being a key LockBit developer.
The takedown was a relief for thousands of victims. Organizations gained access to decryptors, and attacks tied to LockBit dropped sharply.
Still, the damage was massive:
The broader message of Operation Cronos was clear: international cooperation works. By pooling intelligence and resources, agencies proved that even the biggest cybercrime syndicates can be dismantled.
While Operation Cronos crippled LockBit, experts warn that it may not be the end.
These leaks revealed not only LockBit’s massive scale but also its internal weaknesses, including disputes with affiliates, poor operational discipline, and reliance on outdated or vulnerable infrastructure.
The LockBit case highlights both the threat of ransomware and the value of preparedness. Key takeaways for businesses include:
The shutdown of LockBit marks one of the biggest victories in the fight against ransomware. With 34 servers seized, 200+ crypto wallets frozen, and 1,000+ decryption keys released, the operation showed that even the most prolific cybercrime syndicates can be dismantled.
But the emergence of LockBit 5.0 and leaks exposing tens of thousands of Bitcoin wallets and victim negotiations remind us that ransomware is an evolving threat.
The fall of LockBit is a milestone, but not the end. Businesses must remain vigilant, adopt strong defenses, and prepare for the next wave of cyber threats.