Threat Intelligence

Operation Cronos: How Law Enforcement Dismantled LockBit Ransomware

A coordinated international operation seized LockBit's infrastructure, arrested affiliates, and obtained decryption keys. But did it actually stop the world's most prolific ransomware gang?

Yukti Singhal
Security Researcher
5 min read

On February 19, 2024, visitors to LockBit's dark web leak site were greeted with an unexpected message: "This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, 'Operation Cronos'."

The takedown of LockBit, the most prolific ransomware operation in the world, was the culmination of months of investigation by law enforcement agencies from 10 countries. It was a significant moment in the long-running battle between ransomware operators and the governments trying to stop them.

LockBit's Scale

By the time of Operation Cronos, LockBit had been the dominant ransomware-as-a-service (RaaS) operation for over two years. Since its emergence in 2019 and its rise to prominence with LockBit 2.0 in 2021, the group had been responsible for an estimated 2,000+ attacks against organizations worldwide.

LockBit operated a RaaS model where core developers maintained the ransomware payload, infrastructure, and negotiation platforms, while affiliates carried out the actual attacks in exchange for a percentage of the ransom (typically 75-80% to the affiliate, with the rest going to the core team). This model allowed LockBit to scale rapidly, as they could recruit dozens of skilled attackers without managing the operational complexity of each intrusion themselves.

The group's victims included hospitals, schools, financial institutions, manufacturing companies, and government agencies. In June 2023, the U.S. Department of Justice estimated that LockBit had extracted over $91 million in ransom payments from U.S. victims alone.

The Takedown

Operation Cronos involved law enforcement agencies from the United States (FBI, DOJ), United Kingdom (NCA), France, Germany, the Netherlands, Australia, Canada, Japan, Sweden, and Switzerland, coordinated by Europol and Eurojust.

The operation achieved several concrete results:

Infrastructure seizure. Law enforcement took control of 34 servers in multiple countries, including LockBit's main leak site, affiliate panel, and data exfiltration infrastructure. They also seized 200 cryptocurrency wallets associated with the operation.

Arrests. Two individuals were arrested in Poland and Ukraine on the day of the takedown. Additionally, three international arrest warrants and five indictments were issued, including two sealed indictments by the U.S. DOJ against Russian nationals.

Decryption keys obtained. Law enforcement recovered over 1,000 decryption keys from the seized servers and began contacting victims to offer free decryption assistance. The NCA and FBI collaborated with Japanese police to develop a decryption tool that was made freely available.

Affiliate identification. Critically, law enforcement gained access to LockBit's affiliate panel and obtained data on 194 affiliates who had registered accounts. While most affiliates registered under pseudonyms, the operational data tied to those accounts (cryptocurrency transaction records, communication logs, and attack records) provides investigative leads.

The Identity Reveal

In a theatrical flourish, law enforcement used LockBit's own leak site format to "dox" the operation's alleged leader. The NCA published a countdown timer on the seized leak site, mimicking LockBit's own tactic of counting down to data publication. When the timer expired on February 24, they revealed the identity of "LockBitSupp," the operation's primary administrator, as Dmitry Yuryevich Khoroshev, a 31-year-old Russian national.

The U.S. Treasury's Office of Foreign Assets Control (OFAC) simultaneously issued sanctions against Khoroshev, and the State Department offered a $10 million reward for information leading to his arrest. The DOJ unsealed an indictment charging him with 26 counts related to the LockBit operation.

Did It Work?

The answer is complicated. In the immediate aftermath, LockBit's operations were significantly disrupted. The group lost their infrastructure, their leak site, their affiliate panel, and a significant amount of cryptocurrency. The exposure of affiliate data created distrust within the RaaS ecosystem, as affiliates had to wonder whether their identities had been compromised.

However, within days of the takedown, LockBitSupp claimed to have restored operations and launched a new leak site. By early March, the new site was listing victims again, though at a reduced volume compared to pre-takedown levels.

This is the inherent limitation of infrastructure-focused takedowns against ransomware groups whose operators are based in countries that do not cooperate with Western law enforcement (primarily Russia). You can seize servers and disrupt operations, but as long as the core developers remain free, they can rebuild.

What Operation Cronos did accomplish was significant in other ways. The decryption keys helped victims recover data without paying ransoms. The affiliate exposure undermined trust in the LockBit brand, making it harder to recruit competent attackers. The sanctions and indictments, while unlikely to result in arrests as long as the operators stay in Russia, restrict their ability to use the international financial system and travel.

The Bigger Picture

Operation Cronos was part of a broader trend of increasingly aggressive law enforcement action against ransomware. In 2023-2024, authorities also disrupted the Hive, BlackCat/ALPHV, and Qakbot operations. The cumulative effect of these actions has been to raise the cost and risk of operating ransomware infrastructure, even if no single takedown permanently eliminates the threat.

For organizations defending against ransomware, the takedown provided a brief reprieve but not a lasting solution. LockBit affiliates simply moved to other RaaS platforms or continued operating independently. The underlying attack vectors (phishing, exploitation of unpatched vulnerabilities, and credential abuse) remain unchanged.

The operational security data obtained during Operation Cronos will feed investigations for years. The affiliate records, cryptocurrency transaction data, and communication logs represent a treasure trove of intelligence that law enforcement will use to identify and prosecute individual attackers.

How Safeguard.sh Helps

While Safeguard.sh is not a ransomware prevention tool per se, our vulnerability management and SBOM monitoring capabilities address the fundamental attack vectors that ransomware affiliates exploit. By continuously tracking vulnerabilities in your software inventory and enforcing patch compliance through policy gates, Safeguard.sh helps close the gaps that ransomware operators use for initial access. When the next ransomware group exploits a newly disclosed CVE for mass compromise, organizations using Safeguard.sh will already know whether they are exposed and have the data needed to prioritize remediation.
