Anatomy of a Breach: Operation Cronos — International Law Enforcement Dismantles LockBit

> series: anatomy_of_a_breach —— part: 182 —— event: operation_cronos —— target: lockbit —— led_by: uk_nca —— decryption_keys: 1,000+

Hedgehog Security | 28 February 2024 | 14 min read

The UK's NCA leads the takedown of the world's most prolific ransomware group.

On 19 February 2024, the UK's National Crime Agency (NCA), working with the FBI, Europol, and law enforcement agencies from 10 countries, executed Operation Cronos — a coordinated takedown of LockBit's ransomware infrastructure. The operation seized 34 servers across multiple countries, obtained over 1,000 decryption keys (which were made available to victims), froze cryptocurrency accounts, arrested affiliates in Poland and Ukraine, and indicted Russian nationals identified as key figures.

In a striking act of counter-messaging, law enforcement repurposed LockBit's own dark web leak site to publish details of the operation, mock the group's leader (identified as Russian national Dmitry Khoroshev), and release information about the group's operations, affiliates, and financial transactions. LockBit had been the world's most active ransomware operation — responsible for attacks against Royal Mail, ICBC, Boeing, and over 2,000 other victims worldwide, extracting more than $120 million in total ransom payments. While LockBit would attempt to rebuild, Operation Cronos significantly disrupted its operations and demonstrated that ransomware groups are not beyond the reach of law enforcement.


The NCA at the forefront of the global fight against ransomware.

Most Significant Ransomware Takedown

Operation Cronos was the most impactful law enforcement action against ransomware in history — disrupting the group that had attacked Royal Mail and ICBC. The NCA's leadership role demonstrated the UK's commitment to combating ransomware at the highest level. UK Cyber Defence works alongside law enforcement during ransomware investigations.

1,000+ Decryption Keys Released

Over 1,000 decryption keys were obtained and made available to victims — enabling recovery without paying ransom. This demonstrated the value of law enforcement engagement during ransomware incidents: seized infrastructure can yield decryption keys. UK Cyber Defence's incident response includes law enforcement liaison and decryption key coordination.

Counter-Messaging on LockBit's Own Site

Using LockBit's dark web site to publish takedown details was a psychological operation designed to undermine trust among ransomware affiliates — demonstrating that law enforcement could compromise their infrastructure and identify their operations. Dark web monitoring through SOC in a Box tracks ransomware group activity and takedown operations.

Disruption, Not Elimination

Operation Cronos significantly disrupted LockBit but did not eliminate ransomware. The group attempted to rebuild, and other groups (ALPHV/BlackCat, Cl0p, and others) continued operating. Ransomware defence remains essential: Cyber Essentials, penetration testing, SOC in a Box, and incident response capability.

Law enforcement is catching up. But prevention remains your responsibility.

Operation Cronos demonstrated that ransomware groups can be disrupted by determined, coordinated law enforcement action. But the operation also revealed the scale of the problem: 2,000+ victims and $120+ million in payments from a single group. Ransomware defence cannot depend on law enforcement alone — organisations must implement preventive controls. Cyber Essentials provides the baseline. Penetration testing validates defences. SOC in a Box detects ransomware deployment. And UK Cyber Defence provides the incident response capability that engages law enforcement effectively when ransomware strikes.

