LockBit: The Ransomware Brand That Survived Operation Cronos — A Threat Actor Profile
A profile of LockBit, the ransomware-as-a-service operation that survived the 2024 international law-enforcement takedown and continues to extort European NIS2 and DORA entities. Affiliate model, recent campaigns, and what defenders should learn from its persistence.
LockBit: The Ransomware Brand That Survived Operation Cronos
In February 2024, the UK's National Crime Agency and the FBI announced the largest ransomware takedown in history. Operation Cronos seized LockBit's infrastructure, compromised its administration panel, publicly released internal affiliate data, offered decryption keys to past victims, and exposed — to the criminal underground that depended on the group's reputation — that LockBit had retained stolen data even after victims paid for its deletion. Eighteen months later, on the sixth anniversary of LockBit's original affiliate programme, the group's never-arrested administrator posted a new version on the RAMP underground forum. By Q1 2026, LockBit 5.0 had climbed back to the fourth most active ransomware operation globally.
That story — the rise, the takedown, and the return — is the most instructive ransomware narrative of the decade, and it is the central case study for what European NIS2 entities should understand about the ransomware ecosystem in 2026. For the broader regulatory context, start with the complete NIS2 and DORA guide.
What is known about LockBit
LockBit is a ransomware-as-a-service (RaaS) operation — the model where a core group develops and maintains the ransomware, and affiliates execute attacks in exchange for a share of the proceeds (typically 80/20 in affiliates' favour). The model is industrial in structure: development, support, negotiation, payment infrastructure, and underground brand-management are run as functions, and the affiliate base — at peak, in the high hundreds — operates against organisations across every sector.
The operation has been continuously active since 2019. Its administrator, known publicly only by the handle LockBitSupp, has never been apprehended. Multiple affiliates and lower-tier members have been arrested or sanctioned — including, before Operation Cronos, Mikhail Vasiliev (Canada, 2022), Ruslan Astamirov (United States, 2023), and others — but the core development and administrative function has remained out of reach of law enforcement. The group is generally assessed to be Russian-speaking and Russia-based, though attribution at that level is less precise than for state-aligned actors.
By the time of Operation Cronos, LockBit accounted for 20-30% of all data-leak-site published victims globally — the dominant brand in a fragmented criminal ecosystem. Trend Micro and others later estimated total victim counts in excess of 2,500 and total ransom payments above $500 million across the group's lifetime.
The rise (2019-2024)
LockBit's growth from launch in 2019 to dominance by 2023 reflected three structural choices that distinguished it from competing ransomware programmes.
Technical sophistication continuously upgraded. The group released and refined major versions — LockBit 1.0, 2.0, Black (3.0), and eventually 5.0 — each adding capabilities its competitors took longer to ship: faster encryption, cross-platform targeting (Windows, Linux, ESXi), anti-analysis and obfuscation techniques (dynamic API resolution via hashing, DLL reflection), and increasingly aggressive anti-forensics.
Affiliate-program discipline. LockBit operated its affiliate model with the structure of a commercial software company — clear documentation, support channels, payment infrastructure, brand management, even (notoriously) a public bug bounty programme. For affiliates choosing where to operate, this professionalism mattered. It is the difference between joining an organisation and joining a chaotic forum collective.
Double extortion as standard. LockBit was among the early ransomware operations to combine encryption with data theft and threatened publication — the model now universal across the field. The brand's reputation for actually publishing when ransoms were not paid was part of what gave it leverage in negotiations.
By 2023, LockBit was responsible for roughly 25-33% of all ransomware attacks globally, with healthcare, financial services, manufacturing, and technology among the most-affected sectors.
Operation Cronos (February 2024)
On 19-20 February 2024, a coordinated international law enforcement action codenamed Operation Cronos — led by the UK National Crime Agency and the FBI, with Europol, Eurojust, and agencies from 12 countries — targeted LockBit's infrastructure.
The operation went well beyond a typical takedown. Specifically:
- LockBit's data-leak sites and Onion infrastructure were seized
- The group's administration panel was compromised by law enforcement and used to release internal data
- Decryption keys recovered from the seized infrastructure were offered to past victims through publicly-accessible portals
- The internal data release revealed — damagingly — that LockBit had retained stolen victim data even after ransoms had been paid for its deletion, breaking the implicit contract that ransomware operations depend on
- Several arrests followed (or had preceded the takedown), and US Treasury sanctions were applied to specific individuals
In the days immediately after the operation, LockBit-associated Onion sites showed 404 error messages and connection failures. Trend Micro's contemporaneous monitoring documented the rolling outages. The criminal underground reaction ranged from satisfaction (from competitor operations) to speculation about whether LockBit could recover.
The reputational damage was severe. The revelation about retained data specifically attacked the group's only durable asset — the reputation for delivering on the negotiation contract. Affiliates considering whether to remain with LockBit or migrate to RansomHub, Qilin, or other emerging brands had a concrete reason to leave.
The intermediate period (2024-2025) and the return
In the immediate aftermath, several things happened in parallel.
Successor groups attempted to absorb LockBit's affiliate base. RansomHub, then Qilin, briefly tried to inherit the dominant position. Qilin emerged as the most active group by 2025, eventually averaging around 75 victims per month and dominating the Q3 2025 ecosystem.
LockBit operated at reduced capacity through 2024. Activity continued but at substantially diminished volume, with documented patterns of reposting old victims to new leak sites — an effort to maintain the appearance of operational continuity.
LockBitSupp publicly hinted at a comeback. In May 2025, on the RAMP underground forum, the administrator posted that the group would "always rise up after being hacked." In August 2025, LockBitSupp returned to the forum claiming the group was "getting back to work."
LockBit 5.0 launched (3 September 2025). On the sixth anniversary of the original LockBit affiliate programme, LockBit 5.0 was advertised on RAMP. The new version delivered updated Windows, Linux, and ESXi variants; faster encryption and improved evasion; and unique negotiation portals per victim. Check Point Research identified roughly a dozen organisations targeted by the revived operation in September 2025 alone.
By Q1 2026, LockBit had climbed to the fourth most active ransomware operation globally, with 163 victims posted to its data-leak site — a 106% increase from Q4 2025. The Q1 2026 ransomware landscape, per Check Point, was dominated by Qilin (75+ victims/month), The Gentlemen (the breakout group of the quarter, third globally with 166 victims), and LockBit 5.0 — with the broader ecosystem showing 117% growth above the Q1 2024 baseline.
Recurring tradecraft
Across LockBit's lifetime, several technical and operational patterns recur.
- Initial access via brute-force, exposed services, and supplier compromise. LockBit affiliates typically gain initial access through exposed RDP, VPN credential compromise, exploitation of internet-facing vulnerabilities, or compromise of a supplier with access to the eventual victim.
- Privilege escalation and lateral movement using common tooling. Mimikatz, Cobalt Strike, and living-off-the-land techniques are typical.
- Data exfiltration before encryption. The double-extortion model requires data to be staged and exfiltrated prior to encryption.
- Cross-platform encryption. LockBit 5.0's Windows, Linux, and ESXi variants reflect the group's recognition that modern enterprise environments include all three, and that ESXi compromise in particular can encrypt entire virtualised estates rapidly.
- Negotiation portal management. LockBit's per-victim negotiation portals, with explicit data-publication countdowns, are the operational manifestation of the double-extortion model.
Why LockBit matters for NIS2 entities
The sectors LockBit targets — manufacturing, healthcare, financial services, technology, business services — overlap heavily with NIS2 Annex I and II. Manufacturing remained the most-affected sector by ransomware through 2025-2026; healthcare consistently around 8% of total victims. Both sectors are squarely inside NIS2 scope.
Three specific implications.
A ransomware incident is a NIS2 significant incident. For an NIS2 entity, an encryption event meeting the operational disruption threshold of Article 23(3) is a reportable significant incident — with the 24-hour early warning, 72-hour notification, and 30-day final report clocks running. See NIS2 Incident Reporting: The 24-72-30 Day Timeline. The compliance team needs the runbook before the encryption arrives.
The supply-chain dimension of Article 21(2)(d) is operationally critical. Many LockBit intrusions begin not at the eventual victim but at a supplier or service provider with access to it. The NIS2 supply chain measure — see NIS2 Supply Chain Security — is the regulatory expression of exactly this risk profile.
The Operation Cronos lesson is operational, not reassuring. A historic law enforcement operation produced a year of reduced activity, and then the brand returned. NIS2 entities relying on "law enforcement will deal with it" as part of their threat model have miscalibrated. Disruption is real and consequential; elimination, historically, is not.
How you would actually watch this
Three concrete monitoring postures.
Exposed-service exposure management. RDP, VPN, and internet-facing service inventories — and the credentials authorised to reach them — are the single most consistent initial-access surface for LockBit affiliates and for the broader ransomware ecosystem. An accurate, current inventory plus MFA across the inventory shuts down a substantial fraction of attempts.
ESXi and virtualisation infrastructure as a priority target. LockBit 5.0's continued investment in ESXi variants reflects an ecosystem-wide pattern: ransomware operations that can encrypt the hypervisor encrypt the entire virtualised estate at once, with disproportionate impact relative to a single-host compromise. ESXi management plane protection, MFA, network segregation, and patch cadence are part of the ransomware defensive surface specifically.
Data-leak-site monitoring as an early-warning channel. Where an entity discovers it has been compromised by appearing on a ransomware data-leak site, the disclosure clock starts before the entity's own detection — and before any negotiation. Monitoring the data-leak ecosystem (including for supplier names appearing on LockBit's, Qilin's, or other operations' sites) is the same intelligence-derived awareness signal that compensates for slow internal detection against any sophisticated actor.
The honest framing
A note on what LockBit's persistence does and does not mean.
Operation Cronos was not a failure. A year of substantially reduced LockBit activity, a documented affiliate exodus, public reputational damage to the brand, several arrests, and material disruption to the ransomware-as-a-service ecosystem are not failure outcomes. They are real wins that nonetheless do not constitute elimination.
The return reflects structural features of the ecosystem. Ransomware-as-a-service operates as a software-and-services business with global distributed personnel, cryptocurrency-based payment infrastructure, and the ability to rebuild quickly when the core administration evades capture. LockBit's specific return depended on LockBitSupp remaining at large, which highlights why the harder law enforcement objective is the people, not the infrastructure.
The threat is durable but not stable. Q1 2026's data shows ransomware reconcentrating around a few dominant brands (Qilin, LockBit, The Gentlemen) after two years of fragmentation. The ecosystem's structure shifts; the overall threat volume continues to grow.
The takeaway
Three things follow.
- Ransomware is the most likely NIS2 significant-incident trigger for many in-scope entities. Manufacturing, healthcare, financial services, and technology — all heavily affected — are all in NIS2 scope.
- LockBit's persistence demonstrates the ecosystem's durability. A historic takedown produced reduced activity and a year-and-a-half delay; the brand returned. Defensive postures cannot rely on law enforcement as the primary mitigation.
- The defensive surface is mostly upstream of the encryption event. Exposed services, credential compromise, supplier compromise, and ESXi management plane exposure are where the work pays off. The 24-hour NIS2 clock starts after the work that could have prevented it.
For the regulatory mechanics, NIS2 Incident Reporting: The 24-72-30 Day Timeline and NIS2 Supply Chain Security.
Sources & further reading
- UK National Crime Agency — Operation Cronos announcement (February 2024) and post-operation updates
- US Federal Bureau of Investigation — Operation Cronos joint statement; LockBit indictments and sanctions
- Europol and Eurojust — Operation Cronos coordination
- Trend Micro — Unveiling the Fallout: Operation Cronos' Impact on LockBit
- Check Point Research — The State of Ransomware Q3 2025 and Q1 2026 reports
- Check Point Research — LockBit 5.0: Ransomware Gang Returns in Force (September 2025)
- Picus Security — The LockBit Comeback (December 2025)
- The Hacker News — LockBit-Qilin-DragonForce alliance reporting (October 2025)
- ReliaQuest — LockBit return analysis
- Chainalysis — 2025 and 2026 Crypto Crime Reports (ransomware payment flows)
- NCC Group — Annual Cyber Threat Monitor Report 2024
- Industrial Cyber — Q1 2026 ransomware sector analysis
Attribution note: LockBit's assessed Russian-speaking origin reflects industry consensus rather than a formal government attribution to a specific state. The named operations — Operation Cronos and follow-on actions — are official law enforcement operations of the named agencies.