LockBit stands out as one of the most prolific and harmful ransomware strains, inflicting billions of euros in damages worldwide. A recent international operation, known as ‘Operation Cronos’, spearheaded by the UK's National Crime Agency (NCA) within the framework of Europol and Eurojust, has made significant strides in combating this cyber threat.


The Crackdown on LockBit's Infrastructure

  1. Server Takedown: The operation led to the compromise of LockBit’s primary platform and critical infrastructure. Authorities dismantled 34 servers across multiple countries including the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom.

  2. Arrests and Warrants: Two LockBit actors were apprehended in Poland and Ukraine, following requests from French judicial authorities. Moreover, three international arrest warrants and five indictments were issued by French and U.S. authorities.

  3. Cryptocurrency Freeze: Law enforcement agencies froze over 200 cryptocurrency accounts associated with the criminal organization, disrupting the economic incentives behind ransomware attacks.

Disruption of LockBit's Operations

  • The NCA has taken control of LockBit's technical infrastructure, including their dark web leak site, which previously hosted data stolen from ransomware victims.

  • With a wealth of gathered data, law enforcement is actively targeting the leaders, developers, affiliates, and assets linked to LockBit's criminal activities.

Understanding LockBit: A Ransomware Menace

LockBit, which initially appeared as ‘ABCD’ ransomware in late 2019, rapidly ascended to become the most deployed ransomware variant globally by 2022.

Modus Operandi of LockBit

  1. Ransomware-as-a-Service (RaaS): LockBit operates on a RaaS model, with a core team creating malware and licensing its code to affiliates who execute attacks.

  2. Global Reach: Its presence spans the globe, with hundreds of affiliates leveraging LockBit tools and infrastructure to conduct ransomware operations.

  3. Triple Extortion: LockBit employs triple extortion tactics, combining data encryption, data leakage threats, and Distributed Denial-of-Service (DDoS) attacks to pressure victims.

Europol's Crucial Role in the Operation

Europol played a pivotal role in coordinating the international efforts to combat LockBit ransomware.

Key Contributions of Europol

  • Operational Meetings: Europol’s European Cybercrime Centre (EC3) organized 27 operational meetings and provided analytical support throughout the investigation.

  • Technical Expertise: Europol facilitated the development of decryption tools by collaborating with Japanese Police, the NCA, and the FBI.

Reporting Cybercrime and Prevention

Victim and private sector engagement are crucial in combating cyber threats. Reporting cybercrime promptly and adopting robust cybersecurity measures are paramount.

Europol's Recommendations

  • Reporting Procedures: Europol provides guidance on reporting cybercrime through designated websites across EU Member States.

  • Cybersecurity Measures: Europol offers tips and advice to prevent ransomware infections on electronic devices.

Operation Cronos: International Taskforce

Operation Cronos brings together a coalition of law enforcement agencies from around the world to tackle LockBit ransomware.

Read More

Participating Authorities

  • France, Germany, the Netherlands, Sweden, Australia, Canada, Japan, the United Kingdom, the United States, Switzerland, Finland, Poland, New Zealand, and Ukraine collaborated to make this operation successful.

This collaborative effort underscores the commitment of international law enforcement in combating cyber threats and safeguarding global cybersecurity.