Operation Cronos February 2024 — How NCA-Led International Action Took Down LockBit (Twice): Inside the Most Significant Ransomware Takedown

Manish Garg, Associate of (ISC)² · RingSafe
Apr 22, 2026
On 19 February 2024, the UK National Crime Agency (NCA) — leading a coalition of 11 nations including FBI, Europol, France’s Gendarmerie Nationale, Germany’s BKA, and Australian Federal Police — executed Operation Cronos, the most significant ransomware-disruption operation in history up to that date. The operation seized LockBit’s primary infrastructure including their data-leak site, affiliate-management panel, and approximately 1,000 decryption keys. Most strikingly, NCA replaced the LockBit leak site with a mocking takedown notice that included a countdown timer to additional revelations: identities of affiliates, identification of LockBitSupp (the group’s public-facing administrator), and details of FBI investigative findings. The countdown landed on revelations including the indictment of Dmitry Khoroshev — alleged to be LockBitSupp — and additional sanctions and arrests. LockBit attempted to relaunch within weeks, but the disruption damaged the group’s reputation among affiliates, exposed operational details, and provided defenders with hundreds of decryption tools previously unavailable. Operation Cronos became the new template for how international law enforcement engages with ransomware criminal infrastructure.

Operation Cronos is the rare cybersecurity story that ends in defensive victory. After years of observing ransomware groups operate with apparent impunity from non-cooperating jurisdictions, an NCA-led coalition demonstrated that determined international law enforcement could seize infrastructure, recover decryption keys, and identify operators. The operation’s long-term impact is still playing out, but its strategic importance for ransomware response policy is hard to overstate. This post reconstructs the operation, contextualises it within the multi-year campaign against LockBit, and identifies what defenders should learn from a rare law-enforcement win.

What happened — the seizure operation in detail

On the night of 19 February 2024, NCA officers in the UK and partner agencies in 10 other jurisdictions executed coordinated technical and physical operations against LockBit infrastructure. The technical seizure: NCA gained access to LockBit’s primary administrative servers (apparently through a combination of vulnerability exploitation in the LockBit infrastructure itself — reportedly a PHP vulnerability — and intelligence developed over months of operational work). The agency then: (1) seized the LockBit leak site domain and replaced it with a takedown notice; (2) exfiltrated the LockBit affiliate panel including affiliate identifiers, victim lists, transaction records, and decryption keys; (3) recovered approximately 1,000 decryption keys for past LockBit victims; (4) seized communication infrastructure including chats between LockBit operators and affiliates. Physical operations: arrests of suspected LockBit affiliates in Poland and Ukraine; freezing of cryptocurrency wallets associated with the group; sanctions designations against named individuals. The novel aspect: rather than simply taking down infrastructure quietly, NCA chose to dramatically signal the disruption — using the LockBit leak site itself as the platform for a multi-day reveal of operational details, a countdown timer to additional revelations, and direct messaging to remaining affiliates that they were exposed and at risk. This communication strategy was designed specifically to damage trust within the LockBit affiliate ecosystem, encouraging affiliates to leave the group rather than wait for arrests.

Why LockBit was the priority target

LockBit had become, by 2023-2024, the most prolific ransomware-as-a-service operation in the world. Documented victim count exceeded 2,000 organisations across 100+ countries; estimated total ransoms paid exceeded $1 billion (reported by US Treasury and other sources, with significant uncertainty given the unobservable nature of payments to criminal groups). LockBit affiliates ranged from sophisticated operators capable of high-value enterprise compromises (CDK Global, Boeing, ICBC, Royal Mail, the City of Oakland) to less-skilled operators targeting smaller organisations at higher volume. The group’s technical sophistication included: (1) LockBit Black (LockBit 3.0). Polished ransomware encryption with anti-analysis features, configurable encryption modes, and selective targeting capabilities. (2) StealBit. Custom data-exfiltration tool optimised for speed against large datasets. (3) Bug bounty program. LockBit famously offered bug bounties for vulnerabilities in their own ransomware — an unusually mature threat-actor practice. (4) Affiliate panel. Sophisticated web infrastructure for managing dozens of affiliates simultaneously, tracking ransom negotiations, and distributing decryption tools. (5) Public branding. LockBit operated as a brand — recruiting affiliates publicly, taunting victims publicly, and using press-release-style communication to maximise extortion pressure. For law enforcement: the group’s prominence, public communication, and breadth of victims made it the rational priority target. Successful disruption of LockBit signals capability against any ransomware group; failed disruption would signal that even the highest-priority targets were unreachable.

Khoroshev unmasking and the LockBitSupp identity

A core element of Operation Cronos was the alleged identification of LockBitSupp — the public face of LockBit, who managed press communications, recruited affiliates, and engaged in public taunting of victims and law enforcement. On 7 May 2024, US, UK, and Australian authorities jointly named Dmitry Yuryevich Khoroshev, a 31-year-old Russian national, as LockBitSupp. The agencies released photographs, sanctions designations, and a $10 million reward for information leading to his arrest. The unmasking included: (1) US Treasury OFAC designation placing Khoroshev under US sanctions, freezing any US-controlled assets, and prohibiting US persons from transactions with him. (2) UK Foreign, Commonwealth and Development Office sanctions imposing comparable UK restrictions. (3) Australian Department of Foreign Affairs and Trade sanctions aligning with UK and US designations. (4) US federal indictment charging Khoroshev with multiple counts of computer fraud, ransomware-related offenses, and conspiracy. (5) Detailed personal identification including name, photographs, date of birth, and addresses associated with him. The strategic effect: while Khoroshev remains in Russia and unlikely to face arrest in the foreseeable future, the unmasking damages LockBit’s reputation, exposes him to financial pressure (sanctions limit his cryptocurrency mobility), creates pressure for cooperation, and signals to other ransomware operators that anonymity is no longer guaranteed. The unanswered question: some independent analysts disputed the LockBitSupp = Khoroshev attribution, suggesting that LockBit operations involved multiple personas and Khoroshev may have been one of several. Public evidence is incomplete.

Timeline — from years of work to a multi-day reveal

2020-2023: LockBit operates increasingly prominently; international law-enforcement coordination begins; intelligence gathering against group operations and infrastructure.

2022-2023: NCA UK, FBI US, and partner agencies develop technical and intelligence capabilities specifically targeting LockBit.

Late 2023: Operational planning for Operation Cronos finalises; technical exploitation paths into LockBit infrastructure identified.

19 February 2024: Operation Cronos executes. Infrastructure seized. Leak site replaced with takedown notice. Initial countdown begins.

20-25 February 2024: Daily revelations from NCA via the seized leak site — affiliate identifiers, operational details, decryption tools released to victims.

Late February – March 2024: LockBit attempts to relaunch with new infrastructure. Significant affiliate departures. Ransomware-as-a-service operations continue but reduced.

7 May 2024: US, UK, Australia formally name Dmitry Khoroshev as LockBitSupp; sanctions and indictments announced; $10M reward offered.

May – October 2024: Continued operations against LockBit affiliates and infrastructure; additional arrests in Spain, France, and elsewhere; related ransomware groups (ALPHV/BlackCat) experience similar disruption (Operation Cronos II / additional FBI operations).

2024-2025: LockBit continues partial operations but significantly reduced from peak; affiliates migrate to other RaaS programs; ransomware ecosystem reshapes around the disruption.

The decryption-key recovery — operational impact for victims

A specific tangible outcome of Operation Cronos was the recovery of approximately 1,000 decryption keys for past LockBit victims. NCA, in coordination with FBI and partner agencies, made these decryption tools available to affected organisations through national CERT and law-enforcement channels. For victims: organisations that had been encrypted by LockBit but had not paid ransom (or had paid but not received working decryption tools) could now recover their data without further payment. The practical impact varied: many victims had already moved on (rebuilt from backups, accepted the loss); some had been waiting for exactly this outcome; some discovered through this channel that they had been LockBit victims when they had previously suspected other groups. The legal complications: using law-enforcement-provided decryption tools generally does not raise legal issues, but using them on systems already restored may raise data-integrity questions. Some organisations declined to use the tools to avoid forensic complications in ongoing class-action litigation. The strategic message: the recovery underscored that the value of a victim's encrypted data extends beyond the immediate ransom decision; even months or years later, decryption capability may emerge through law-enforcement action. This complicates the pure ransom-payment economic calculation in interesting ways.

What this means for ransomware response strategy

Operation Cronos changed the calculation around ransomware response in several specific ways. (1) Decryption-key emergence. The possibility that decryption tools may be recovered through law enforcement action (months or years later) makes “do not pay, hold the encrypted data” a more viable strategy than it was previously. Organisations with affected systems should preserve encrypted artifacts (rather than deleting them) in case decryption keys later become available. (2) Investigation and prosecution viability. The arrests in Poland, Ukraine, and elsewhere — and the indictment and sanctions of Khoroshev — demonstrate that ransomware operations are not entirely beyond law enforcement reach. This shifts the economics of ransomware operations on the criminal side and provides a more credible “law enforcement is engaged” promise from defenders’ perspective. (3) Affiliate ecosystem instability. The exposure of LockBit affiliates may have damaged the broader trust ecosystem within RaaS — affiliates may be more cautious about which groups they work with, what operational security they maintain, and how they handle their own communications. This increases friction in ransomware operations even when specific groups remain active. (4) Sanctions tooling. The naming and sanctioning of Khoroshev demonstrates that coordinated multi-jurisdiction sanctions can be deployed against ransomware operators despite the geographic challenges of physical arrest. Sanctions create real friction for criminal financial operations. (5) Public attribution practice. The detailed public identification of LockBitSupp / Khoroshev — with photographs, biographical details, sanctions, indictments — sets a precedent for how seriously law enforcement is willing to engage publicly. Future ransomware operators must factor in higher probabilities of public unmasking.

Limitations of the operation — what didn't change

A clear-eyed assessment requires acknowledging what Operation Cronos did not achieve. (1) LockBit operations continued. Despite the disruption, LockBit was not permanently shut down. The group attempted relaunch within weeks, and ransomware operations continue from LockBit and affiliates, albeit at reduced volume. (2) Khoroshev remains free. Russian nationals operating from Russia are not subject to extradition to US/UK jurisdictions; sanctions and indictments do not lead to arrest. The unmasking creates pressure but does not produce custody. (3) Affiliate migration. LockBit affiliates have largely migrated to other RaaS programs (Akira, Play, BlackBasta, others). The total ransomware ecosystem has not contracted; the market share has reshuffled. (4) Underlying economics. The fundamental economics of ransomware — high payouts, low arrest risk for operators in non-cooperating jurisdictions — remain intact. The operation increases friction but does not change the fundamental cost-benefit calculation for would-be ransomware operators. (5) Defensive imperative unchanged. The operation does not reduce the need for defensive investment. Organisations remain on the hook for backup architecture, identity controls, network segmentation, incident response planning. Law enforcement disruption is a useful supplement to defensive practice, not a substitute. The honest takeaway: Operation Cronos is a defensive win and a precedent for future operations, but it is not a turning point that has fundamentally changed the ransomware threat landscape. Continued investment in defensive practice remains essential.

India context — implications for Indian ransomware response

Indian organisations have been LockBit victims (multiple disclosed and undisclosed cases through 2022-2024) and Indian law enforcement participated to some extent in the international coordination around Operation Cronos. The implications for Indian organisations: (1) Decryption-key access. Indian victims of LockBit attacks have access to recovered decryption keys through CERT-In coordination with international partners; affected organisations should engage with CERT-In to determine availability for their specific cases. (2) International coordination demonstration. The operation demonstrates the value of formal international cybersecurity coordination — useful precedent for India’s own engagement with international law enforcement on cyber matters. India’s participation in Quad cyber coordination, BRICS cyber working groups, and bilateral arrangements with US, UK, EU all become more valuable in the wake of demonstrated success. (3) Domestic capability development. The technical capability to disrupt sophisticated criminal infrastructure represents a category of state capability that India is in the process of developing. Domestic equivalents of NCA’s technical operations against LockBit are an aspirational target for I4C, CERT-In, and related Indian agencies. (4) Threat actor diversification. Indian organisations should expect that the LockBit-displaced affiliate population will operate under other brands. The specific group identifiers change; the threat patterns and defensive priorities do not. (5) Public-private intelligence sharing. Operation Cronos’s success depended on years of intelligence development. Indian organisations contributing to threat intelligence sharing through DSCI, NASSCOM, sector-specific ISACs, and CERT-In contribute to the long-term capability that enables future similar operations.

Lessons learned — five durable takeaways

(1) Ransomware operators are reachable. The persistent assumption that ransomware operators in non-cooperating jurisdictions are entirely beyond law enforcement is incorrect. Sustained intelligence work, technical operations, and international coordination can reach even sophisticated criminal infrastructure. This shifts the long-term equilibrium of the ransomware ecosystem. (2) Patience pays. Operation Cronos was the result of years of intelligence and operational work. The visible operation in February 2024 was the public face of a much longer campaign. Defensive strategy should similarly invest in long-horizon capabilities — threat intelligence, relationships with law enforcement, slow-build forensics capabilities. (3) Public communication is a tool. NCA’s decision to dramatically signal the takedown — using the LockBit leak site for the takedown announcement, the countdown timer, daily reveals — was strategic communication. This sets a precedent for offensive law-enforcement communication that other agencies will emulate. (4) Affiliate ecosystems are fragile. Trust within criminal affiliate ecosystems is a structural vulnerability. Operations that expose affiliates damage these ecosystems for years. Future law enforcement operations may target affiliate trust as much as core infrastructure. (5) Defenders should preserve evidence. Encrypted data from past ransomware incidents may be recoverable through later law-enforcement action. Organisations that delete encrypted artifacts after declining to pay foreclose this possibility. Preserve forensic evidence for at least several years after ransomware incidents.

What CISOs and security teams should do this quarter

A practical 90-day plan informed by Operation Cronos.

Month 1 — Inventory and engagement. Inventory past ransomware incidents (your own and your sector); identify any unrecovered encrypted data that might be recoverable through new decryption tools. Engage CERT-In and your sectoral ISAC for current threat intelligence on active ransomware groups.

Month 2 — Capability uplift. Review your incident response capability against the post-LockBit threat landscape. Are you prepared for affiliate-migration patterns where the same operators work under new brand names? Are your detection capabilities tuned to current TTPs rather than 2022 patterns? Is your forensic-evidence preservation aligned with the new reality that decryption keys may emerge later?

Month 3 — Strategic positioning. Brief executive leadership on the implications of the changing ransomware landscape. Review cyber insurance terms in light of new realities. Confirm relationships with law enforcement (FBI, NCA, CERT-In, state-level agencies) and incident response vendors. Update tabletop exercises with current ransomware patterns.

Beyond 90 days: sustained engagement with the changing threat landscape, regular review of detection capabilities, ongoing investment in identity controls and backup architecture as the dominant defensive investments.
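The "preserve encrypted artifacts" advice in the response-strategy section, lesson (5) above, and the Month 1 inventory step all come down to the same operational task: keep byte-exact copies of the ciphertext and ransom notes, and be able to prove years later that they are unchanged so a recovered decryptor can be applied to them. The script below is an added example written for this post, not NCA, LockBit or any vendor's tooling. It builds a preservation manifest (path, size, timestamp, SHA-256) over an evidence tree and re-verifies it later. The `.locked` extension, the `RESTORE-FILES.txt` note name, the incident ID and the sample files are constructed placeholders; a real deployment substitutes the extension and note name the IR team actually observed on its hosts.

```python
"""
Added example (not from the original post): build and verify a preservation
manifest for encrypted artifacts left behind by a ransomware incident, so they
can be retained for years and later matched against a recovered decryption tool.
All file names, extensions and incident IDs below are constructed placeholders.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed placeholders: a real incident uses the extension and ransom-note
# name observed on its own hosts, as recorded by the IR team.
ENCRYPTED_SUFFIXES = (".locked",)
RANSOM_NOTE_NAMES = ("RESTORE-FILES.txt",)


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream-hash a file so multi-GB artifacts never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path, incident_id: str) -> dict:
    """Walk an evidence tree and record every encrypted file and ransom note
    with its size, modification time and SHA-256, so integrity can be proven."""
    entries = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        is_encrypted = path.suffix in ENCRYPTED_SUFFIXES
        is_note = path.name in RANSOM_NOTE_NAMES
        if not (is_encrypted or is_note):
            continue  # untouched files are not evidence for decryption purposes
        st = path.stat()
        entries.append({
            "relpath": path.relative_to(root).as_posix(),
            "kind": "ransom_note" if is_note else "encrypted",
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(path),
        })
    return {
        "incident_id": incident_id,
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "artifact_count": len(entries),
        "artifacts": entries,
    }


def verify_manifest(root: Path, manifest: dict) -> list:
    """Return a list of problems: files missing or whose hash no longer matches."""
    problems = []
    for entry in manifest["artifacts"]:
        path = root / entry["relpath"]
        if not path.exists():
            problems.append(f"missing: {entry['relpath']}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['relpath']}")
    return problems


def make_sample_incident(root: Path) -> None:
    """Constructed sample evidence tree standing in for a copied file share."""
    (root / "finance").mkdir(parents=True)
    (root / "finance" / "q3-ledger.xlsx.locked").write_bytes(b"\x00ciphertext-1")
    (root / "finance" / "RESTORE-FILES.txt").write_text("constructed ransom note")
    (root / "finance" / "readme.md").write_text("plain file, left untouched")
    (root / "hr").mkdir()
    (root / "hr" / "payroll.db.locked").write_bytes(b"\x00ciphertext-2")


def demo() -> dict:
    """Build a manifest, verify it, tamper one artifact, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_incident(root)
        manifest = build_manifest(root, incident_id="INC-PLACEHOLDER-0001")
        (root / "manifest.json").write_text(json.dumps(manifest, indent=2))
        clean = verify_manifest(root, manifest)
        # Simulate a well-meaning cleanup that overwrites an artifact: the manifest
        # must catch it, because a decryptor needs byte-exact ciphertext.
        (root / "hr" / "payroll.db.locked").write_bytes(b"\x00tampered")
        tampered = verify_manifest(root, manifest)
    return {
        "artifact_count": manifest["artifact_count"],
        "kinds": sorted(e["kind"] for e in manifest["artifacts"]),
        "clean_problems": clean,
        "tampered_problems": tampered,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a read-only copy of the affected share, store `manifest.json` alongside the artifacts (and a second copy with the incident record), and re-run `verify_manifest` before handing anything to a decryptor. The manifest is also what you hand to counsel or an insurer to show the evidence was not altered between the incident and the later recovery attempt.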

Wider implications — the ransomware ecosystem in 2025-2026

Operation Cronos and parallel operations against ALPHV/BlackCat reshape the ransomware threat landscape in ways that are still unfolding. (1) Affiliate consolidation. Displaced LockBit affiliates have migrated to other groups (Akira, Play, BlackBasta, Cl0p, RansomHub, and emerging brands). Some affiliates have also begun operating independently rather than within affiliate programs, increasing fragmentation. (2) Reduced public branding. Some surviving ransomware groups are operating with lower public profiles — fewer leak-site dramatic reveals, less press-release-style communication, more direct extortion-only operations. The “ransomware-as-brand” model is partially in retreat. (3) Increased operational security. Surviving operators have increased operational security — better infrastructure compartmentalisation, more careful affiliate vetting, more cautious communication. This makes future law-enforcement operations technically harder but also makes operations more friction-laden for criminals. (4) Diversification of threat models. The ransomware-encryption model continues but data-exfiltration-only extortion (Cl0p’s preferred model) is gaining share. Defenders need to plan for both encryption-and-exfiltration and exfiltration-only patterns. (5) Continued international coordination. The success of Operation Cronos provides political and operational support for further international coordination. Expect additional disruption operations through 2025-2026 against current top-tier ransomware groups. (6) Long-term equilibrium. The ransomware ecosystem will not disappear but its operating economics are tilting somewhat against operators. Defensive maturity continues to be the primary determinant of organisational risk; law enforcement disruption is a useful but secondary factor.
Operation Cronos will be cited in cybersecurity discourse for years as the proof that determined defensive coordination can produce real strategic effects against sophisticated criminal operations.

FAQ

Did Operation Cronos kill LockBit?

No — LockBit attempted to relaunch within weeks and continues partial operations. But the operation significantly damaged LockBit’s capability, reputation, and affiliate base. The group is materially diminished from its 2022-2023 peak.

Will Khoroshev ever be arrested?

Unlikely while he remains in Russia, given the absence of US-Russia extradition cooperation on cyber matters. The sanctions and indictment create financial and travel restrictions that materially affect his operational freedom even without physical custody.

Can I get a decryption tool if my organisation was attacked by LockBit?

Possibly. Approximately 1,000 decryption keys were recovered. Engage CERT-In, FBI, NCA, or the equivalent national agency in your jurisdiction; they can determine if a key is available for your specific incident.

Did LockBit really pay people to find vulnerabilities in their own ransomware?

Yes. LockBit famously offered a public bug bounty program for vulnerabilities in their ransomware tooling — an unusually mature operational practice for criminal groups. The program created some friction with security researchers around participation ethics.

What was the bigger ransomware story of 2024 — LockBit takedown or ALPHV exit-scam?

Different stories with different significance. LockBit takedown was a defensive win demonstrating law-enforcement capability. ALPHV exit-scam (March 2024 — operators apparently absconded with affiliate funds after the Change Healthcare ransom) demonstrated criminal-ecosystem fragility. Both reshaped the ransomware landscape. Together they marked 2024 as a turning point in ransomware operator economics.

Should I pay ransom if attacked now?

Even more questionable than before. Operation Cronos demonstrated that decryption keys may be recoverable later through law enforcement; ALPHV exit-scam demonstrated that paying provides no guarantee of decryption. Backup architecture and incident response planning are more rational investments than payment-readiness.


📰 Note: This analysis is compiled from public reporting (Reuters, Bloomberg, court filings, threat-intel firm publications) and is intended for security education. Some technical details remain disputed in ongoing legal proceedings; we have attributed claims where the source is established and noted where matters remain contested.
