LockBit Ransomware Operations Significantly Disrupted by Recent Law Enforcement Operations; Descriptor Tool Updated

An international law enforcement operation has arrested and indicted two members of the LockBit ransomware gang and seized significant portions of its internal infrastructure.

An international law enforcement operation led by Britain’s National Crime Agency and the United States Federal Bureau of Investigations has arrested and indicted two members of the LockBit ransomware gang and seized significant portions of its internal infrastructure.

Several components of LockBit services are still operational, including its data sharing component, which publishes data of victims who fail to pay.

Community Threat Assessment

While a significant portions of LockBit infrastructure remain offline as of writing, several components remain online and continue to expose sensitive data of private companies. This, along with LockBit’s ability to reestablish new infrastructure to resume ransomware operations, results in LockBit remaining a credible threat to any online organization. The RH-ISAC Intelligence Team assesses with medium confidence that LockBit presents a high threat for organizations if LockBit chooses to reestablish itself, either still under its LockBit name or under a new moniker.


LockBit first emerged at the end of 2019, first calling itself ABCD ransomware. Since 2019, LockBit has grown rapidly and in 2022 it became the most deployed ransomware variant across the world. The group is a ransomware-as-a-service (RaaS) operation, meaning that a core team creates its malware and runs its website, while licensing out its code to affiliates who launch attacks.

The ransomware group is infamous for experimenting with new methods for pressuring their victims into paying ransoms. Triple extortion is one such method which includes the traditional methods of encrypting the victim’s data and threatening to leak it, but also incorporates Distributed Denial-of-Service (DDoS) attacks as an additional layer of pressure.

The months-long operation to take down LockBit, designated Operation Cronos, has resulted in the compromise of LockBit’s primary platform and other critical infrastructure that enabled LockBit’s criminal enterprise. This includes the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom.

In addition, two LockBit actors have been arrested in Poland and Ukraine at the request of the French judicial authorities. Three international arrest warrants and five indictments have also been issued by the French and US judicial authorities. Authorities have frozen more than 200 cryptocurrency accounts linked to LockBit.

As a result of the operation, LockBit has released a statement, sent to all affiliates, prompting associates to reset their passwords and enable multi-factor, and apologized for the disruption.  

Decryption Tool

With Europol‘s support, the Japanese National Police Agency, the National Crime Agency and the Federal Bureau of Investigation have concentrated their technical expertise to develop decryption tools designed to recover files encrypted by the LockBit Ransomware. These solutions have been made available for free on the ‘No More Ransom’ portal, available in 37 languages, with a detailed guide included.

More Recent Blog Posts