Despite law enforcement efforts, ransomware groups like LockBit remain resilient, demonstrating the evolving challenge in the fight against cybercrime.
Months after the UK’s National Crime Agency (NCA) launched a major offensive against the notorious ransomware group LockBit, the cybercriminal gang appears to have resurfaced, continuing to carry out attacks.
In February 2024, the NCA, in co-ordination with nine other countries, launched Operation Cronos, a decisive strike on LockBit, a group that emerged around 2019.
This cybercrime group had gained infamy for its use of ransomware – a type of malicious software that locks victims’ data and demands a ransom for its release. It operates on a Ransomware-as-a-Service (RaaS) model, where it provides ransomware tools and infrastructure to affiliates who then carry out the attacks.
LockBit was also known for a tactic called ‘double extortion’, threatening not only to keep data locked but also leak sensitive information if the ransom wasn’t paid. Operating through the dark web, the group was built on anonymity and encryption, making it difficult for authorities to track.
An estimated $8 billion in financial damage
Since its emergence, LockBit has become one of the most active ransomware groups, targeting industries like finance, healthcare and critical infrastructure.
With an estimated 20-25% share of the ransomware market, LockBit’s attacks have caused billions of dollars in global damages. The group’s financial impact, exceeding $8 billion by some accounts, has drawn comparisons to other notorious ransomware actors like REvil and DarkSide.
But Operation Cronos changed that. The NCA’s operation infiltrated and disrupted LockBit’s criminal infrastructure, seizing control of their computing systems and even repurposing their dark web leak site – a publicly accessible website where cybercriminal groups publish stolen data.
Operation Cronos marked a bold new approach to combating cybercrime, proving to criminals that law enforcement agencies were ready to go on the offensive.
From Cronos to Endgame
In May 2024, global law enforcement agencies launched Operation Endgame, a co-ordinated strike aimed at dismantling the infrastructure used by multiple cybercrime groups.
While similar in its objectives to Operation Cronos, which focused on LockBit, Endgame had a broader scope: it targeted the malware infrastructures used by various ransomware and data-stealing groups, including those that likely collaborated with LockBit.
Malware, a type of software designed to infiltrate digital devices, is often used by cybercriminals to steal information or take control of systems. One particularly dangerous form of malware creates networks of infected computers, known as botnets, which can be remotely controlled without the owners’ knowledge.
These botnets are used for a range of criminal activities, from sending spam and stealing data to launching distributed denial-of-service (DDoS) attacks – overwhelming a system with fake requests so that it can’t process legitimate ones.
Operation Endgame specifically dismantled the infrastructure of ‘droppers’ and ‘loaders’ – programs used to stealthily install malware onto victims’ systems.
The operation marked another significant step in the global fight against cybercrime, highlighting the importance of international collaboration in taking down not only individual criminals but the tools and networks that enable them.
Endgame’s successes were notable: it disrupted over 100 infected servers and seized more than 2,000 domain names used to host malicious software, dealing a major blow to botnet networks that had caused hundreds of millions of dollars in damages worldwide.
The back-to-back operations, Cronos and Endgame, marked a pivotal shift in global cybersecurity tactics, directly targeting the rise of cybercrime-as-a-service (CaaS).
CaaS enables anyone, regardless of technical skill, to buy or lease tools and services to carry out cyberattacks. This model has lowered the barrier to entry for cybercrime, making it easier for individuals or groups to launch sophisticated attacks.
LockBit is a prime example: the group provides the infrastructure while affiliates execute the attacks, with affiliates getting the majority of the ransom and LockBit claiming a cut for providing the tools.
Cronos and Endgame underscored the increasing collaboration between law enforcement agencies across the globe, signalling a united front against the growing cybercrime threat.
Ransomware’s persistent threat
Despite these victories, LockBit’s return underscores a key challenge – cybercriminals are constantly adapting. The group’s re-emergence raises concerns about whether organisations are adequately prepared for future attacks. Many still lack essential cybersecurity measures, leaving them vulnerable to increasingly sophisticated ransomware groups.
As LockBit reasserts its influence, new ransomware groups are also gaining prominence. Analysts have identified at least 10 emerging ransomware actors in 2024, including Play Ransomware, RansomHub and Akira, all of which have adopted tactics similar to LockBit’s.
Play Ransomware has been a persistent and growing threat, known for its large-scale attacks on municipalities and critical infrastructure. In 2024, it continued to execute high-profile breaches, including an attack on Swiss government vendors.
RansomHub has rapidly gained prominence in 2024, with its highly attractive affiliate program offering up to a 90% commission for attackers. RansomHub has targeted over 100 organisations globally, particularly focusing on business services and smaller companies that may be more vulnerable.
Akira has gained notoriety for its successful double-extortion attacks, focusing on industries like healthcare, education and technology.
These groups, along with others like Medusa and IncRansom, are part of a dynamic ransomware ecosystem where new groups emerge while established ones like LockBit struggle to maintain dominance.
Despite a brief drop in ransomware incidents from mid-2023 to 2024, there was a 20% uptick between the first and second quarters of 2024.
More global co-ordination needed
Operations Cronos and Endgame mark a turning point in the fight against cybercrime, shifting law enforcement’s focus from targeting individual hackers to dismantling the infrastructure that powers these attacks.
These efforts showed a new approach, going after the servers, networks, and tools that ransomware and malware groups rely on rather than just chasing high-profile criminals.
The operations also underscored unprecedented levels of international co-operation, with agencies like Europol, the FBI and Interpol working together for global takedowns across multiple jurisdictions – a feat previously hampered by legal and political challenges. This cross-border teamwork enabled simultaneous strikes on cybercrime networks, hitting them where it hurts the most: their operational backbone.
The operations also highlighted how far law enforcement has come in understanding the technical vulnerabilities of cybercrime infrastructure. Instead of waiting for attacks to happen, agencies exploited flaws in the cybercriminals’ systems, delivering decisive blows that crippled their ability to operate.
These operations signal a global push to crack down on cybercrime and the growing power of international law enforcement working together. But LockBit’s quick comeback is a stark reminder that the fight is far from over.
As cyberthreats get more sophisticated, so must the tactics to stop them. While Cronos and Endgame were key wins, they also emphasise the need for even more global co-ordination. One recent effort is the UN’s first treaty aimed at creating universal laws and protocols for investigations.
Beyond legal measures, the real battle is technical – governments, tech companies and civil groups must work together to not only hack the hackers but also slow down their ability to rebuild.
Law enforcement is also turning to psychological operations (psyops) to disrupt cybercrime. By taking over dark web forums and ransomware leak sites, it is undermining the criminals’ credibility and creating paranoia within these networks.
Cryptocurrency, the backbone of ransomware payments, is another focus. Authorities are increasingly freezing accounts linked to cybercriminals, cutting off their financial lifelines.
The message is clear: law enforcement must stay ahead of fast-evolving threats, and organisations need to ramp up their defences. The battle against cybercrime is ongoing, and it’s going to take both relentless vigilance and smart, coordinated strategies to win.
This article first appeared on The Conversation, and is republished under a Creative Commons Licence; you can read the original here.
Christine Abdalla Mikhaeil is an Assistant Professor in Information Systems at the IÉSEG School of Management; she has a PhD in Business Administration, Information Technology from the Paris Dauphine University in France, and from Georgia State University in the USA. Her research interests include artificial intelligence, collective action and use of social media, cybersecurity and privacy, and misinformation and disinformation.
Carin Venter is Senior Professor of Professional Practice at the IÉSEG School of Management; she has a PhD in Information Technology from North-West University in South Africa, where she went on to become an associate professor and senior researcher and lecturer for information technology degrees, before joining IÉSEG in 2022. She is also Academic Director of IÉSEG’s Data Management for Business apprenticeship programme.
Jennifer L. Ziegelmayer is an Associate Professor of Information Systems and Academic Director of the Master’s program on Cybersecurity Management at the IÉSEG School of Management. She earned her PhD in Management Information Systems from the University of Mississippi, and her research interests focus on information privacy, behavioural security, and self-presentation in social media. Her research has appeared in journals including European Journal of Information Systems, Information Technology and Management, Journal of Computer Information Systems, and Information Technology & People.
Picture © Golden Dayz / Shutterstock