Searchlight Cyber Analysts

A Timeline of Events: Operation Cronos and LockBit

In this blog, the Searchlight Cyber threat intelligence team explains how the events of Operation Cronos led up to the sanction and unmasking of LockBit’s leader.

LockBit Administrator and Developer Unmasked by Operation Cronos

Last week, the leader of what was the world’s most prolific cyber gang was unmasked and sanctioned by the UK, US, and Australia. Russian national Dmitry Khoroshev, who was the administrator and developer of the ransomware group LockBit, was named on Tuesday by the Foreign, Commonwealth & Development Office (FCDO) alongside the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs. With the unmasking of Khoroshev adding a new chapter to the story, this blog provides an overview of the National Crime Agency-led international disruption campaign “Operation Cronos”.

Where did LockBit Start?

In operation for four years (since September 2019) and known initially as ABCD, LockBit rose to become the most prolific ransomware group. Targeting organizations across the globe with its Ransomware-as-a-service (RaaS), when LockBit’s malicious software infected a victim’s network, their data was stolen, their systems encrypted, and a cryptocurrency ransom was demanded for the victim to decrypt their files and prevent their data from being published.

Over the years, LockBit has had several versions of its malware, including Red, Black, and Green. Its latest Tor leak site, LockBit 3.0, is where victims are led to pay or lose their organization’s data and the gang also actively engaged with its fans and detractors on dark web forums like XSS, promoting and gaining interest in its attacks and pushing brand awareness.

The most active ransomware group by the number of listed victims on its dark web leak site in 2022 and 2023, LockBit claimed over a thousand victims last year. Those victims included high-profile organizations such as Boeing, the UK Ministry of Defense, and TSMC, the world’s largest contract chipmaker.

Then, in February 2024, LockBit suffered significant disruption at the hands of the UK’s National Crime Agency (NCA), FBI, Europol, and other partners involved with Operation Cronos.

What is Operation Cronos?

Operation Cronos is a global law enforcement operation specifically targeting LockBit, with the aim of disrupting the group’s operation and exposing the members of the ransomware gang. The NCA and the FBI lead the operation but the taskforce includes multiple other agencies, including the South West Regional Organised Crime Unit (SWROCU) and Metropolitan Police Service in the UK; the Department of Justice in the US; Europol, Eurojust, and law enforcement partners in France (Gendarmerie), Germany (LKA and BKA), Switzerland (Fedpol and Zurich Cantonal Police), Japan (National Police Agency), Australia (Australian Federal Police), Sweden (Swedish Police Authority), Canada (RCMP), the Netherlands (National Police – Politie), and the the National Bureau of Investigation in Finland.

Infographics_Op Cronos - FINAL_Map (002).png

This image from Europol indicates the countries that have contributed to the law enforcement action dubbed “Operation Cronos”.

A Timeline of Operation Cronos

On February 20th, the first details of Operation Cronos came to light as international law enforcement agencies took control of LockBit’s servers, compromising its operation. This enabled the NCA to obtain the platform’s source code and a large amount of data, which led to intelligence about the cybercrime gang’s activity and the affiliates they work with to target organizations.

The technical infiltration and the disruption of the LockBit platform resulted in:

  • The NCA obtaining over 1,000 decryption keys.
  • Two indictments on Russian nationals (Artur Sungatov and Ivan Kondratyev).
  • The arrest of two LockBit actors in Poland and Ukraine.
  • Over 200 cryptocurrency accounts linked to the gang being frozen.

Infographics_Op Cronos - FINAL_Results (002).png

This image from Europol summaries some of the key figures around the disruption of LockBit achieved through Operation Cronos.

The NCA Director General Graeme Biggar commented, “This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cybercrime group. It shows that no criminal operation, wherever it is and no matter how advanced, is beyond the reach of the Agency and our partners. Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys to help victims decrypt their systems.

“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity. Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”

The evidence suggests that this initial phase of the operation did indeed succeed in majorly disrupting the ransomware group. Not only were there signs that LockBit’s operations were severely diminished by the seizure of its infrastructure – for example, with a notable decline in the number of new victims – but there was also evidence that the operation had succeeded in discrediting the group among the cybercriminal community, impacting its ability to recruit affiliates.

LockBit Responds

Four days after the NCA took hold of LockBit’s infrastructure, the criminal gang released a lengthy response to the law enforcement action. Among other things, the LockBit actor conceded that the group had been caught out by its own “personal negligence”, speculating that their infrastructure had been compromised through an unpatched vulnerability. The author(s) also claimed that they had been targeted so aggressively by the FBI because they were going to release sensitive data relating to the former president Donald Trump. While acknowledging the disruption law enforcement has inflicted, LockBit remained bullish on staying operational, even stating that they were looking to recruit more affiliates.

BlackCat Retires

Less than two weeks after the NCA took down LockBit, the BlackCat ransomware group – the second most prolific ransomware gang of 2023shut down its dark web site and uploaded a fake law enforcement seizure banner, in what was more likely an exit scam. The NCA told news outlets that it had no connection to BlackCat going offline and the issues it was facing with its infrastructure.

While it is impossible to say for certain, it could be speculated that the extremely-public law enforcement action against LockBit may have spooked the group, influencing its decision to “take the money and run”, so to speak. Whether that is the case or not, the fact is that – within a space of a month – two of the most infamous ransomware gangs were severely diminished.

LockBit Operations Slow

While BlackCat has not re-emerged, LockBit has continued to bubble away with activity since the initial law enforcement action in February. The group has attempted to rebuild over the past few months and has continued to post victims to its leak site.

However, the NCA and other researchers have published evidence that LockBit is currently running at a limited capacity and that global threat has been significantly reduced by Operation Cronos.

Data shows that the average number of monthly LockBit attacks in the UK has been reduced by 73 percent since the technical infiltration in February. Any attacks appear to have been much less sophisticated than those LockBit conducted in the past and have had a lower impact on their victims.

There is also evidence that LockBit resorted to re-posting old victims on its leak site to inflate its victim numbers and give the impression of normal operations. Trend Micro researchers noted in April that two-thirds of its victims post-Operation Cronos were re-posed victims.

Operation Cronos: Phase Two

The next step in Operation Chronos came to a head on Tuesday May 7, 2024 when the U.S. Justice Department revealed charges against a Russian national for his alleged involvement as the creator, developer, and administrator of LockBit. Dimitry Khoroshev, also known as LockBitSupp, LockBit, and putinkrab, 31 of Voronezh, Russia, was charged in a 26-count indictment returned by a grand jury in the District of New Jersey.

Alongside the U.S. Justice Department, the FCDO placed sanctions against the gang’s leader, who will now be subject to asset freezes and travel bans. The U.S. Justice Department is offering a reward of up to $10m for information leading to his arrest and/or conviction.

Reward poster issued by the FBI for Dmitry Khoroshev, believed to be the administrator and developer behind LockBit.

“Today’s indictment of LockBit developer and operator Dimitry Yuryevich Khoroshev continues the FBI’s ongoing disruption of the LockBit criminal ecosystem,” said FBI Director Christopher Wray in a statement. “The LockBit ransomware group represented one of the most prolific ransomware variants across the globe, causing billions of dollars in losses and wreaking havoc on critical infrastructure, including schools and hospitals. Today’s charges reflect the FBI’s unyielding commitment to disrupting ransomware organizations and holding the perpetrators accountable.”

The True Impact of LockBit

The true impact of LockBit’s criminality had been previously unknown, but data obtained from their systems shows that between June 2022 and February 2024, more than 7,000 attacks took place using their RaaS. The top five countries that were victims of LockBit’s ransomware were:

  • US.
  • UK.
  • France.
  • Germany.
  • China.

The group’s ransomware targeted over 1,000 hospitals and healthcare companies, and cybercriminals forced more than 2,000 victims into negotiations.

As well as looking at the victims of LockBit, the Operation Cronos investigation has also given the NCA and FBI an insight into their gang’s network and affiliates. There have been 194 affiliates identified as using LockBit’s services up until February of this year, which resulted in:

  • 148 built attacks.
  • 119 engaged in negotiations with victims, meaning they deployed attacks.
  • 39 who appear to have never received a ransom payment.
  • 75 who did not engage in any talks, so may not have received ransom payments.

By taking on LockBit – once the most prolific ransomware-as-a-service group – Operation Cronos has sent a clear message to the cybercriminal community that operating on the dark web does not mean that you can commit crimes with impunity. It has required major, global coordination but demonstrates even the biggest perpetrators can be unmasked and undermined.

LockBit is only one of dozens of ransomware groups, meaning any gap left by it will likely be filled by one or several of its competitors. It is possible that we will see its affiliates defect to other ransomware groups. However, there is no doubt that this operation has been a major win for law enforcement, effectively exposing and disrupting one of the major culprits.

You can find more intelligence on LockBit and the other ransomware gangs we track on our DARK WEB HUB.