Incident Analysis

LockBit Takedown: Inside Operation Cronos

Operation Cronos seized LockBit's leak site in February 2024. We unpack the NCA-led takedown, the decryptor release, and LockBit's rapid rebuild.

Nayan Dey
Senior Security Engineer
5 min read

On February 19, 2024, the UK National Crime Agency, the FBI, Europol, and partner agencies across 11 countries announced Operation Cronos — a coordinated takedown of LockBit, the most prolific ransomware operation of the prior three years. The NCA replaced LockBit's dark web leak site with a seizure banner, released a free decryptor for victims affected by certain LockBit 3.0 builds, and published a drip feed of operational details designed to humiliate the affiliates and the core operators. Seven days later, LockBit's administrator "LockBitSupp" stood up a new leak site on a fresh .onion address and resumed posting victims, claiming the takedown had exploited a PHP CVE and promising continuity. The episode is a case study in modern ransomware disruption: effective in the short term, mixed in durability, and rich with lessons about what operational disruption of a criminal supply chain actually buys defenders.

What did Operation Cronos actually seize?

Operation Cronos seized 34 servers across the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom, plus more than 200 cryptocurrency wallets and the domains used for LockBit's leak site and affiliate panel. The NCA gained administrative access to LockBit's affiliate panel before taking it down, which gave law enforcement a rare view into the affiliate roster, payment flows, and victim communications. Two LockBit-linked individuals were arrested in Poland and Ukraine, and the Department of Justice unsealed indictments against two Russian nationals — Artur Sungatov and Ivan Kondratyev (alias Bassterlord) — for LockBit-related activity. Europol coordinated the cross-border component and documented at least 14,000 rogue accounts on associated services.

How did the NCA actually get in?

The NCA exploited a vulnerability in a PHP-based LockBit infrastructure component, reported publicly as CVE-2023-3824, to gain access to the affiliate panel and supporting servers. LockBitSupp's subsequent admission confirmed the PHP vector, and security researchers noted that LockBit's affiliate panel ran on an outdated PHP stack on servers that the group apparently did not patch. This is a recurring pattern in ransomware disruption: the operators compromise victim networks by exploiting unpatched Fortinet, Citrix, or Microsoft Exchange appliances, and then get disrupted themselves by failing to patch their own infrastructure. Hive, ALPHV/BlackCat, and now LockBit all ran on servers their own customers would have been ashamed of.

What did the decryptor release look like in practice?

The NCA and FBI released a LockBit 3.0 decryptor through the No More Ransom portal that works against files encrypted with specific LockBit builds where the NCA had recovered decryption keys from the seized infrastructure. It is not universal — victims encrypted with LockBit 2.0, LockBit Green, or LockBit 3.0 builds whose keys were not in the seized database cannot recover files from the tool. Japan's National Police Agency provided significant forensic work and contributed to the decryptor engineering. For victims in the covered window, the tool is a genuine recovery path; for everyone else, the release is a reputational weapon against LockBit rather than an operational rescue.

How did LockBit rebuild, and how fast?

LockBit's administrator put up a new leak site on February 24, five days after the takedown, with an initial roster of 12 victim posts — some of which were recycled from the seized site. By March, LockBitSupp was posting regularly again and the group claimed attacks on Fulton County, Georgia and on several manufacturers. The rebuild was faster and more public than in the BlackCat/ALPHV takedown of December 2023, partly because the NCA's seizure theatre gave LockBit a reason to appear resilient. Affiliates are the real operational capital, though, and reporting from Mandiant and Check Point in the following weeks indicated that some senior affiliates moved to BianLian, 8Base, and newer brands rather than wait for LockBit to stabilize.

What did the takedown really accomplish?

The takedown accomplished three durable things even though LockBit continued to operate: it eroded affiliate trust, it produced intelligence that is still feeding indictments, and it gave CISOs and insurers a concrete example of coordinated criminal disruption to cite in budget cases. LockBit's previous selling point to affiliates was reliability — consistent leak site availability, consistent payment processing, consistent victim pressure. Losing the main leak site, the affiliate panel, and a chunk of the key material damages that pitch even after the rebuild. The intelligence yield — 200+ wallets, 14,000+ accounts, the affiliate roster — will generate sanctions and indictments for years, not just the February news cycle.

What should defenders take away?

Defenders should assume LockBit continues to exist and that its tradecraft — initial access via VPN and RDP appliances, Cobalt Strike plus SystemBC, then data theft before encryption — remains the template the rest of the market copies. The concrete moves: put KEV-listed edge CVEs (Fortinet, Citrix, Ivanti, ConnectWise) on two-week remediation SLAs; require phishing-resistant MFA on every remote access path; move privileged access to tiered privileged access workstations (PAWs); and harden backups with immutable storage that cannot be deleted by a domain admin. None of these are new, but LockBit's affiliates continue to succeed against organizations that did not execute them.
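One way to operationalise the two-week SLA on KEV-listed edge CVEs, as an added example that is not part of the original post: it reads the field names CISA's KEV JSON feed uses (cveID, vendorProject, dateAdded), assumes a hypothetical asset-inventory shape (exposed_to / patched lists), and uses placeholder CVE ids in its constructed sample data.

```python
from datetime import date, timedelta

EDGE_VENDORS = {"Fortinet", "Citrix", "Ivanti", "ConnectWise"}  # vendors named in the post
SLA = timedelta(days=14)  # the two-week remediation SLA the post recommends

def edge_kev_deadlines(kev_entries, vendors=EDGE_VENDORS, sla=SLA):
    """Map cveID -> internal deadline (dateAdded + SLA) for edge-vendor KEV entries.
    Entries use the KEV feed's field names (cveID, vendorProject, dateAdded);
    the internal deadline is normally earlier than CISA's own dueDate, so the
    SLA, not the federal due date, drives the check."""
    out = {}
    for e in kev_entries:
        if e["vendorProject"] in vendors:
            out[e["cveID"]] = date.fromisoformat(e["dateAdded"]) + sla
    return out

def overdue_assets(assets, deadlines, today):
    """Return (asset, cveID, days_overdue), worst first, for unpatched exposures
    whose internal deadline has passed; today may be a date or an ISO string."""
    today_d = date.fromisoformat(today) if isinstance(today, str) else today
    hits = []
    for a in assets:
        for cve in a["exposed_to"]:
            if cve not in deadlines or cve in a["patched"]:
                continue  # not an edge KEV entry, or already remediated
            if today_d > deadlines[cve]:
                hits.append((a["name"], cve, (today_d - deadlines[cve]).days))
    return sorted(hits, key=lambda h: -h[2])

# Constructed sample data; the CVE ids are placeholders, not real identifiers.
KEV_SAMPLE = [
    {"cveID": "CVE-0000-1001", "vendorProject": "Fortinet", "dateAdded": "2024-02-01"},
    {"cveID": "CVE-0000-1002", "vendorProject": "Ivanti", "dateAdded": "2024-02-10"},
    {"cveID": "CVE-0000-1003", "vendorProject": "Microsoft", "dateAdded": "2024-01-05"},
]
ASSETS_SAMPLE = [  # hypothetical inventory: what each asset is exposed to and has patched
    {"name": "vpn-edge-01", "exposed_to": ["CVE-0000-1001"], "patched": []},
    {"name": "vpn-edge-02", "exposed_to": ["CVE-0000-1001"], "patched": ["CVE-0000-1001"]},
    {"name": "ivanti-gw-01", "exposed_to": ["CVE-0000-1002"], "patched": []},
    {"name": "file-srv-07", "exposed_to": ["CVE-0000-1003"], "patched": []},
]
```

Running overdue_assets(ASSETS_SAMPLE, edge_kev_deadlines(KEV_SAMPLE), "2024-02-20") flags only vpn-edge-01; the Microsoft entry is deliberately outside the edge-vendor scope of this SLA.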

# Minimal detection query for LockBit 3.0 behaviour (pseudo-SQL over image-load telemetry)
# Look for rundll32 loading an unsigned DLL from a temp path
process_name = 'rundll32.exe'
  AND path LIKE '%\\Temp\\%'
  AND signed = FALSE
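The pseudo-query above worked out as runnable detection logic over constructed image-load events; this is an added example, not code from the original post. It assumes Sysmon Event ID 7 field names (Image, ImageLoaded, Signed) in JSON-lines form and treats the two temp directories in TEMP_PATTERNS as the suspicious locations.

```python
import json
import re
from pathlib import PureWindowsPath

# Directories a DLL loaded by rundll32 should not normally live in.
# Assumption: user temp and Windows temp; extend for your environment.
TEMP_PATTERNS = (
    re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE),
    re.compile(r"\\windows\\temp\\", re.IGNORECASE),
)

def is_temp_path(path):
    return any(p.search(path) for p in TEMP_PATTERNS)

def flag_event(event):
    """Return a reason if an image-load event matches the rule, else None.
    Fields follow Sysmon Event ID 7 (ImageLoad): Image = loading process,
    ImageLoaded = the DLL, Signed = "true"/"false"."""
    if PureWindowsPath(event.get("Image", "")).name.lower() != "rundll32.exe":
        return None
    dll = event.get("ImageLoaded", "")
    if not is_temp_path(dll):
        return None
    # A missing or malformed Signed field is treated as unsigned: failing
    # open here would hide exactly the loads the rule exists to catch.
    if str(event.get("Signed", "false")).lower() == "true":
        return None
    return f"rundll32 loaded unsigned DLL from temp path: {dll}"

def scan(lines):
    """Run the rule over JSON-lines telemetry; returns (ProcessId, reason) pairs."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        reason = flag_event(event)
        if reason:
            hits.append((event.get("ProcessId"), reason))
    return hits

# Constructed sample telemetry (not real events): two true positives (4120, 5012),
# a signed system DLL, a signed installer DLL in temp, and a non-rundll32 loader.
SAMPLE_EVENTS = r"""
{"ProcessId": 4120, "Image": "C:\\Windows\\System32\\rundll32.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\tmp3F2A.dll", "Signed": "false"}
{"ProcessId": 4120, "Image": "C:\\Windows\\System32\\rundll32.exe", "ImageLoaded": "C:\\Windows\\System32\\shell32.dll", "Signed": "true"}
{"ProcessId": 4388, "Image": "C:\\Windows\\System32\\rundll32.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup_helper.dll", "Signed": "true"}
{"ProcessId": 4901, "Image": "C:\\Windows\\System32\\regsvr32.exe", "ImageLoaded": "C:\\Windows\\Temp\\stage.dll", "Signed": "false"}
{"ProcessId": 5012, "Image": "c:\\windows\\syswow64\\RUNDLL32.EXE", "ImageLoaded": "C:\\WINDOWS\\TEMP\\update.dll", "Signed": "false"}
"""
```

scan(SAMPLE_EVENTS.splitlines()) returns hits for 4120 and 5012 only; the regsvr32 load is left for a sibling rule rather than widened into this one, which keeps the alert tied to the behaviour the query names.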

How Safeguard Helps

Safeguard tracks ransomware operator advisories as first-class threat intelligence, mapping LockBit's known initial-access vectors — Fortinet, Citrix, ConnectWise, Ivanti — against your asset graph with reachability analysis so you can see the specific paths an affiliate would walk into your environment. Griffin AI correlates Operation Cronos indicators of compromise with your telemetry and flags SBOM components tied to affiliate tradecraft. SBOMs include every edge-device firmware version, and policy gates block deployments that depend on components present on the KEV list LockBit historically exploits. TPRM assessments rate suppliers against their historical ransomware exposure so you can require proof of remediation from partners whose compromise would propagate to you.
