Two years ago today, on February 20, 2024, the UK’s National Crime Agency and the FBI announced Operation Cronos, a coordinated international law enforcement action that dismantled the infrastructure of LockBit, the world’s most prolific ransomware operation. The operation represented the most significant action against ransomware to date, seizing control of the group’s leak site and using it to publish information about the criminal operation.
Operation scope
| Metric | Result |
|---|---|
| Countries involved | 10 |
| Lead agencies | NCA (UK), FBI (US) |
| Servers seized | 34 |
| Affiliates identified | 194 |
| Accounts taken down | 14,000+ |
| Cryptocurrency frozen | $112 million (2,200 BTC) |
| Decryption keys obtained | 1,000+ |
Participating countries
| Country | Agency |
|---|---|
| United Kingdom | National Crime Agency |
| United States | FBI, DOJ |
| France | Gendarmerie Nationale |
| Germany | BKA |
| Netherlands | Dutch Police |
| Australia | AFP |
| Canada | RCMP |
| Japan | NPA |
| Sweden | Swedish Police |
| Switzerland | fedpol |
LockBit’s reign
Before the takedown, LockBit dominated the ransomware landscape:
By the numbers
| Metric | Value |
|---|---|
| Global ransomware share | ~25% of all attacks |
| US attacks (2020-2024) | ~1,700 |
| Total ransom collected | $500+ million |
| Countries affected | 120+ |
| Sector targeting | Indiscriminate |
Notable victims
| Organization | Year | Impact |
|---|---|---|
| Royal Mail (UK) | 2023 | International shipping halted |
| Boeing | 2023 | 43 GB data leaked |
| ICBC (China) | 2023 | Largest bank ransomware attack |
| Allen & Overy | 2023 | Major law firm compromised |
| Multiple hospitals | 2020-2024 | Healthcare disruptions |
The takedown
Technical seizure
| Component | Action |
|---|---|
| Primary leak site | Seized and repurposed |
| Admin panel | Law enforcement controlled |
| Affiliate infrastructure | 34 servers taken down |
| Communication channels | Compromised |
| Source code | Obtained |
Creative law enforcement
In an unprecedented move, law enforcement repurposed LockBit’s leak site to publish information about the criminal operation:
| Content posted | Purpose |
|---|---|
| Affiliate identities | Expose criminal network |
| Operation details | Demonstrate compromise depth |
| Decryption tool announcements | Help victims |
| Countdown timers | Mock LockBit’s own tactics |
| Admin identity reveal | Psychological pressure |
The agencies used LockBit’s own intimidation tactics against them, posting countdown timers to the reveal of the group’s administrator identity.
Identifying LockBitSupp
Dmitry Khoroshev unmasked
On May 7, 2024, law enforcement revealed the identity of LockBit’s administrator, known as “LockBitSupp”:
| Detail | Information |
|---|---|
| Name | Dmitry Yuryevich Khoroshev |
| Nationality | Russian |
| Age | 31 (at time of identification) |
| Role | LockBit creator and administrator |
| Reward offered | $10 million |
Sanctions and charges
| Action | Details |
|---|---|
| US Treasury sanctions | Assets frozen, transactions prohibited |
| UK sanctions | Parallel asset freeze |
| Criminal indictment | 26 counts including extortion, fraud |
| Travel restrictions | International arrest warrant |
Khoroshev remains at large in Russia, which does not extradite its citizens to Western countries.
Arrests and prosecutions
Individuals charged
| Individual | Country | Status |
|---|---|---|
| Mikhail Vasiliev | Canada/Russia | Arrested, extradited to US |
| Ruslan Astamirov | Russia | Arrested in Arizona |
| Mikhail Matveev | Russia | Indicted, at large |
| Artur Sungatov | Russia | Indicted, at large |
| Ivan Kondratyev | Russia | Indicted, at large |
| Two affiliates | Poland, Ukraine | Arrested February 2024 |
Prosecution outcomes
| Case | Result |
|---|---|
| Mikhail Vasiliev | Pleaded guilty, sentenced to 4 years |
| Multiple affiliates | Ongoing prosecutions |
Victim recovery
Decryption assistance
| Resource | Availability |
|---|---|
| Decryption keys | 1,000+ obtained |
| No More Ransom portal | Free decryption tools |
| FBI victim outreach | Direct assistance offered |
| Estimated recovery value | Hundreds of millions |
Law enforcement obtained encryption keys from seized infrastructure, enabling victims to recover data without paying ransoms.
LockBit’s attempted comeback
Despite the takedown, LockBit attempted to resume operations within days:
Resilience efforts
| Action | Result |
|---|---|
| New leak site | Launched within a week |
| Defiant messaging | Claimed minimal impact |
| Recruitment | Attempted to attract new affiliates |
| Operations | Significantly degraded |
Diminished capability
| Metric | Before Cronos | After Cronos |
|---|---|---|
| Monthly attacks | 100+ | Significantly reduced |
| Affiliate count | 194 identified | Many departed |
| Reputation | Dominant brand | Trust damaged |
| Infrastructure | Robust | Compromised |
The takedown did not eliminate LockBit, but significantly degraded its operations and reputation. The exposure of affiliate identities and administrator information damaged trust within the criminal ecosystem.
Lessons for ransomware defense
What worked
| Factor | Impact |
|---|---|
| International cooperation | 10 countries coordinated effectively |
| Technical capability | Complete infrastructure compromise |
| Psychological operations | Using criminals’ tactics against them |
| Transparency | Public disclosure of operation details |
What remains challenging
| Challenge | Status |
|---|---|
| Russian safe haven | Operators beyond arrest reach |
| Ransomware ecosystem | Other groups continue operating |
| Affiliate model | Decentralized structure provides resilience |
| Cryptocurrency | Enables ransom payments |
Impact on ransomware landscape
| Effect | Duration |
|---|---|
| LockBit disruption | Significant, months |
| Affiliate migration | Many moved to other groups |
| Temporary attack reduction | Brief overall decrease |
Long-term implications
| Implication | Assessment |
|---|---|
| Deterrence value | Demonstrates law enforcement capability |
| RaaS trust | Affiliates now question operator security |
| Investment in takedowns | Justified by Cronos success |
| Collaboration model | Template for future operations |
Context
Operation Cronos demonstrated that even the most sophisticated ransomware operations can be dismantled through coordinated international law enforcement action. The creative approach—using LockBit’s own infrastructure against them and publicly mocking the criminal operation—added psychological impact to the technical disruption.
However, the operation also illustrated the limitations of enforcement against ransomware:
| Limitation | Reality |
|---|---|
| Safe havens | Russian operators remain beyond reach |
| Ecosystem resilience | Other groups absorbed displaced affiliates |
| Business model | Ransomware-as-a-service continues |
| Recovery challenges | Many victims still unrecoverable |
Two years later, ransomware remains a significant threat, but Operation Cronos established a template for future international cooperation against cybercriminal infrastructure. The $10 million reward for Khoroshev’s arrest remains outstanding, a reminder that the most consequential actors in the ransomware ecosystem continue to operate with impunity from jurisdictions that refuse to cooperate with Western law enforcement.
For organizations, the takedown reinforces that prevention remains more reliable than hoping for law enforcement intervention. While operations like Cronos help, they cannot eliminate the ransomware threat. Robust backups, network segmentation, and incident response capabilities remain essential.