A year after LockBit’s dramatic takedown, has the group really gone away, and what do security leaders need to do to protect themselves against ransomware?
Just over a year ago, prolific ransomware outfit LockBit was infiltrated by the UK National Crime Agency (NCA) and fundamentally disrupted in a takedown dubbed “Operation Cronos”. In a dramatic turn of events that was the first of its kind, the NCA played LockBit at its own game, taking control of its platform and technical infrastructure, while blocking user access and administrator capabilities.
The takeover included LockBit’s dark web leak site, on which the NCA began to publish information about the group. The NCA also obtained over 1,000 decryption keys for LockBit 3.0, and for some earlier versions of the ransomware.
The NCA was able to engage with 250 UK victims of LockBit, and in many cases provide them with decryption keys to get their data back. Decryption keys were also shared around the world, helping partners in the US, Japan and Europol to develop a victim support tool, now housed on the nomoreransom.org website.
As the first anniversary of the LockBit takedown arrives, the operation’s impact is clear. Not long afterwards, the U.S. announced that two LockBit affiliates were in custody and had been charged, with unsealed indictments against a further pair. Arrests took place in Ukraine and Poland, and over 200 cryptocurrency accounts linked to the group were frozen.
After all this, has LockBit really gone away, how has the takeover impacted the landscape, and what do security leaders need to do to protect themselves against ransomware?
LockBit Activity Reduced
Following the takedown, LockBit’s activity reduced dramatically. In 2023, LockBit accounted for nearly 20 percent of all ransomware events, according to security outfit Huntress. After the takedown in early 2024, the numbers dropped sharply, and by the end of the year LockBit accounted for only 1.4 percent of ransomware events.
However, experts say LockBit has not completely gone away. Its operations have continued to evolve and pivot, allowing the brand to persist, with LockBit 4.0 – now discredited according to the NCA – emerging in November 2024, says SentinelLabs senior threat researcher Jim Walter. “The group continues to attract affiliates, extort victims and leak data across their still-very-active network of data leak sites. Branding is extremely important and valuable to LockBit, and the operation continues to use the cachet of the LockBit brand to attract new partners and affiliates.”
Although the numbers make it seem like LockBit has gone away, it is “actually a testament to LockBit’s restructuring and adaptability”, adds Greg Linares, principal threat intelligence analyst at Huntress. “LockBit has shifted focus from smaller, medium-sized businesses and healthcare and pivoted into targeting large enterprise environments to maximise payouts.”
He says LockBit is “easily the most complex ransomware group” when it comes to infrastructure, organisational operations and structure. “They operate very much like a business and are a fully functional criminal enterprise.”
Adding to this, the number of LockBit copycats appearing across Telegram and other forums has increased. Meanwhile, multiple adversaries are currently masquerading under LockBit branding, which “further complicates and muddies the landscape”, says Walter.
Resilient Ransomware
It’s clear Operation Cronos was a success, but similar takedowns won’t make the problem of ransomware go away. “Takedowns” of Ransomware as a Service (RaaS) infrastructure are an important component of combatting ransomware, but they are not a solution in isolation, says Adam Harrison, managing director in the cybersecurity practice at FTI Consulting. “While arrests and infrastructure seizures have caused disruptions, ransomware groups have proven resilient, often rebranding or shifting tactics.”
He points out that affiliates associated with LockBit have “found new homes with alternative RaaS schemes or splintered into smaller lone wolf operations.”
This is because many criminals view association with a major RaaS operator as “putting a target on their backs”, making smaller-scale operations a more attractive alternative, says Harrison. This has resulted in a greater number of smaller groups, he says.
When LockBit shifted out of the smaller markets, it opened up opportunities for smaller groups to rise, Linares explains. He cites the example of “extremely aggressive groups” such as RansomHub, Play, Akira, INC, Basta and Medusa. “These groups often offer extremely high payouts to their affiliates, attracting attention from criminals to join them. We have also seen members be in many groups simultaneously in order to maximise their payouts.”
Extortion Rather Than Ransom
Linares describes how, as businesses shore up their defences, some groups focus on extortion more heavily than ransomware. “Groups such as BianLian have announced that they will forgo ransoming customers and have switched to exclusively stealing data and extorting them. This is due to how much upkeep maintaining and developing ransomware software has become and how much better EDRs, NGAV and other defensive products are at identifying and preventing ransomware.”
This will help fuel the trend of smaller groups carrying out ransomware attacks, Harrison says. “Data theft extortion, without the use of ransomware malware, is likely to increase, as smaller, less-resourced groups can carry out these attacks without relying on complex infrastructure.”
A year after the NCA’s takedown, LockBit has been hit, but ransomware is still thriving. Looking ahead, the only thing that is certain is continued change and evolution, says Harrison. “Successful law enforcement operations, a changing regulatory landscape and global geopolitics are all going to have an impact on ransomware.”
Taking this into account, companies should do everything in their power to prevent attacks from occurring in the first place, says Hannah Baumgaertner, head of research at Silobreaker. “You can do this by securing your networks and patching systems in a timely manner, while also teaching staff about the common attack vectors employed by such groups.”
If ransomware attackers do get past a company’s defences, stringent policies will help it deal with the attack, says Baumgaertner. “Ensure secure backups for data restoration and methods to remove attackers from your network in a swift manner.”
Written by
Kate O'Flaherty
Cybersecurity and privacy journalist