Saturday, February 22, 2025

Has the Landscape Changed Forever? Reflecting on the LockBit Takedown One Year Later

On February 19, 2025, we hit a significant milestone: the one-year mark of Operation Cronos. This was a major cyber law enforcement initiative led by the UK’s National Crime Agency (NCA) and backed by global partners. It specifically targeted the infamous LockBit ransomware group, drastically altering the landscape of cybercrime.

Reflecting on the period prior to 2023, LockBit’s dominance was striking. Secureworks’ Counter Threat Unit revealed that LockBit was responsible for 25% of ransomware attacks that year, far outpacing ALPHV/BlackCat, which stood at 12%. LockBit’s reach extended globally, but one of its most notable victims in the UK was the Royal Mail. In early 2023, after severe disruptions at its Heathrow Worldwide Distribution Centre, the Royal Mail refused to pay an extortion demand exceeding £60 million.

The impact of Operation Cronos became evident when Tim Mitchell, a senior researcher at Secureworks, weighed in. He recalled the moment law enforcement seized the LockBit leak site, marking it as a pivotal point in the fight against cybercriminals. “It set in motion a series of operations that reshaped the ransomware environment,” he said, noting how many affiliates either adapted or moved to operate independently.

Paul Foster, head of the NCA’s cyber crime unit, described the lead-up to Cronos as an opportunity. “We saw a chance to significantly disrupt ransomware threats. In the right circumstances, we could tackle about 25% of this menace,” he argued. Greg Linares, now with Huntress, recalled that his team anticipated a major operation but didn’t realize the scale it would achieve: “It was extensive and executed perfectly.”

The strategy behind Operation Cronos was broad and multifaceted, rather than simply focusing on identifying key players or shutting down individual sites. Foster explained, “If we solely labored over locating LockBit’s leader or dismantling the leak site, we would have missed the bigger picture.” By diversifying their approach and clearly communicating their actions, they maximized their disruptive potential.

After the initial excitement, Operation Cronos continued its momentum. Throughout 2024, there were multiple updates, arrests, and public announcements regarding LockBit and its affiliates. A significant breakthrough involved identifying the group’s ringleader, LockBitSupp, as Dmitry Khoroshev, linked to Russia.

There were also revelations about LockBit’s ties to the Russian government, further complicating the threat landscape. The authorities targeted not just ransomware operators but also those who laundered their money. In February 2025, the British government even imposed sanctions on specific Russian services that facilitated LockBit’s attacks.

As the landscape shifted, Mitchell noted that affiliates of LockBit were forced to reconsider their strategies. “They’re scattering to find new avenues. The disruptions have made it harder and costlier for them to operate,” he said. The assessment revealed that while the volume of ransomware attacks may have plateaued, it did not necessarily decline.

Foster cautioned that despite the temporary stabilization, the threat of ransomware could surge again without continued collaboration and action. He underscored the importance of collective efforts among law enforcement, government, and the private sector.

While initial signs pointed to a decline in LockBit’s activity post-Cronos, reports indicated a resurfacing of attacks. LockBit’s resilience surprised many; the group quickly regrouped and continued targeting large organizations to reclaim lost profits. Linares noted that other gangs have learned from LockBit’s strategies, adopting its tactics to improve their own operational efficiency.

Mitchell emphasized that while the nature of the threat may have changed, ransomware still presents a significant danger. “Even if the consequences have shifted for victims, suffering a ransomware incident is still serious,” he warned.

Both Mitchell and Foster encouraged organizations to prioritize cyber resilience through measures like regular patching, robust multi-factor authentication, and comprehensive incident response planning. The takeaway remains clear: while the situation has evolved, the fight against ransomware is far from over.