A Global LockBit Takedown | A Guide for CISOs

Our CISO, Todd Carroll, shares his thoughts on the significant Cronos takedown and what it means for law enforcement efforts to combat LockBit.

In the last 24 hours, a significant international law enforcement effort led by the National Crime Agency (NCA) in collaboration with the Federal Bureau of Investigation (FBI) and agencies from nine other countries has successfully disrupted the operations of the LockBit cybercrime group. LockBit, known for its malicious ransomware software that steals and encrypts victims’ data, has been one of the most harmful global criminal entities over the past year.

Interested in a full guide on LockBit’s reign and biggest moves so far? Check out our extensive LockBit guide here.

CybelAngel has attributed more than 725 ransomware attacks to LockBit since June 2023. These attacks have occurred in 76 countries, with nearly 40% of the victims located in the United States.

Todd Carroll, CISO at CybelAngel

Industries most affected by LockBit’s activities include construction, manufacturing, education, and logistics.

Operation Cronos: Explained

As part of Operation Cronos, global law enforcement teams collaborated to infiltrate LockBit’s network, gaining control of its primary administration environment as well as the dark web leak site. They also seized the group’s source code and obtained vast amounts of intelligence on their activities and affiliates.

The operation resulted in the seizure of 28 servers belonging to LockBit affiliates across three countries, the confiscation of over 200 cryptocurrency accounts, and the apprehension of two LockBit actors in Poland and Ukraine. Additionally, over 1,000 decryption keys were obtained, providing global assistance in recovering encrypted data for victims.

Fighting back against ransomware

This takedown is remarkable for the level of international cooperation involved and its significant impact on the LockBit operation, which held a considerable share of the ransomware market. Since June 2023, LockBit has been responsible for almost three times the number of attacks compared to the combined total of the next three active cybercrime groups.

While we should be pleased with these actions and the disruption of LockBit, it is crucial to remain vigilant as past actions of this nature have resulted in the formation of splinter groups. Many companies still have their data encrypted and potentially exposed.

Therefore, it is imperative to continue scaling up efforts to disrupt these groups swiftly in 2024, imposing meaningful punishments that will deter future attempts at ransomware attacks.

Interested in more ransomware threat insights?

Deep dive into more ransomware analysis in our new annual report, CybelAngel 2024 State of the External Attack Surface Report, also authored by Todd Carroll.

This report is filled with impactful metrics and insights that reveal the latest challenges in the EASM landscape.

Access the report here.