<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1076912843267184&amp;ev=PageView&amp;noscript=1">

RL Blog


Operation Cronos and the LockBit takedown: What we know

The U.S., U.K., Canada and eight partner countries have disrupted the LockBit ransomware group. Here are the key takeaways, along with expert insights.

Carolynn van Arsdale
Blog Author

Carolynn van Arsdale, Writer, ReversingLabs.

lockbit-ransomware-what-we-knowThe United Kingdom’s National Crime Agency (NCA), in collaboration with the U.S., Canada and eight other international partners shared a major update this past Tuesday regarding Operation Cronos, the international disruption campaign created to take down the LockBit ransomware group. The government action successfully compromised LockBit’s “entire criminal enterprise” by infiltrating the group’s network, taking control of its services, and accessing its source code, as well as other important intelligence. 

LockBit is considered to be one of the most prolific ransomware groups to date, having targeted a plethora of victims globally — and hauling in more than $90 million in ransom payments from the U.S. alone since 2020.

The successful takedown effort consisted of taking control of the group’s primary administration environment, prohibiting it from building and carrying out further attacks on victims. Operation Cronos also compromised LockBit’s site used for leaking information on the dark web, which was previously used to blackmail victims by threatening to post confidential data. The group’s website is now fully run and controlled by the NCA, and is being used to share vital information. 

In addition to the takedown, Operation Cronos accessed all of LockBit’s source code, plus a vast amount of intelligence on the gang’s activities and partnerships with other cybercriminals globally, noted Graeme Biggar, Director General of the NCA: 

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.” 

Here’s what we know about the takedown of the LockBit ransomware group, along with expert insights.

[ Key takeaways: The State of Software Supply Chain Security 2024 | Get the full report | See the Webinar discussion ]

A look at LockBit’s history

LockBit has been active since as early as September 2019, and has rebranded itself several times over the past five years by changing its name and improving its arsenal of tools. As a ransomware-as-a-service group (RaaS), LockBit had an expansive network of cybercriminals, recruited to pull off ransomware attacks using the gang’s proprietary malicious tooling. 

The Operation Cronos agencies have expressed that the work toward neutralizing LockBit “does not stop here,”  noting that much of this work will include prosecuting cybercriminals affiliated with the group, and seizing more of their operations. On Tuesday morning, Europol arrested two LockBit members and froze more than 200 cryptocurrency accounts. And the U.S. Department of Justice criminally charged two defendants and indicted two Russian nationals — all responsible for carrying out LockBit attacks, the NCA said in a statement.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said LockBit made up over 15% of all ransomware incidents targeting Australia, Canada, New Zealand and the U.S. in 2022, making it one of the most successful ransomware organizations in the world. 

Ransomware doesn’t end with LockBit

While the efforts associated with Operation Cronos are a huge step towards inhibiting international cybercrime, several ransomware groups in the past have risen from the ashes in the form of new groups with the same members, but under different names and with improved tools. 

Ashlee Benge, Director of Threat Intelligence at ReversingLabs, said the end of LockBit won’t be the end for ransomware. 

“These takedowns are impactful in that they disrupt ransomware gang operations for a time, but inevitably, something new will pop up in LockBit’s place.”
Ashlee Benge

The Conti ransomware gang, for example, which was once considered to be a leading cybercrime group, ceased its operations after the group’s private chats were leaked by one of its own members out of retaliation for the war in Ukraine. Not long after Conti’s fall, several threat researchers spotted a never-before-seen ransomware group in late 2022 known as Black Basta. By analyzing several of Black Basta’s attacks, experts believed that the group was an offshoot of the original Conti group, based on similarities between both groups’ tactics, techniques and procedures. 

Despite the successful Operation Cronos takedown campaign, the track record set by ransomware groups to date likely indicates that an offshoot of LockBit will arise in the future.   

Life after LockBit: Tools and best practices are key

Through the efforts of the NCA and the other member agencies of Operation Cronos, millions of LockBit victims worldwide can now access a free decryptor for the ransomware. But for those who have not been hit with LockBit, it’s important to take precautions and practice defensive measures, despite all of this progress. 

The utilization of YARA rules can aid threat hunters and researchers in their ability to detect malware such as the LockBit ransomware. ReversingLabs’ open-source YARA rule for LockBit can detect when this ransomware is running on an organization’s network.

ReversingLabs’ Benge said that in addition to the utilization of YARA rules, organizations should continue to bolster their threat intelligence and hunting capabilities in order to prevent malware families such as the LockBit ransomware from infecting their systems in the first place.

“As defenders, we have to block 100% of threats, but an attacker only has to be successful in a single attempt out of many. A multi-pronged security approach and incident preparedness strategy are key in fighting against ransomware successfully.”
—Ashlee Benge

Get up to speed on RL's malware analysis and threat hunting solution updates with our year in review post. Plus: Learn more about our malware analysis and threat hunting solutions

More Blog Posts

    Special Reports

    Latest Blog Posts

    Chinese APT Group Exploits SOHO Routers Chinese APT Group Exploits SOHO Routers

    Conversations About Threat Hunting and Software Supply Chain Security

    Reproducible Builds: Graduate Your Software Supply Chain Security Reproducible Builds: Graduate Your Software Supply Chain Security

    Glassboard conversations with ReversingLabs Field CISO Matt Rose

    Software Package Deconstruction: Video Conferencing Software Software Package Deconstruction: Video Conferencing Software

    Analyzing Risks To Your Software Supply Chain