
LockBit, 2 years after Operation Cronos: where are they now?

By Ransomnews Research Team, May 11, 2026

Published May 2026, by the Ransomnews Research Team.

In February 2024 a multinational coalition led by the UK’s National Crime Agency, the FBI, and Europol seized the public-facing infrastructure of LockBit, at the time the most prolific ransomware operation in the world. The action, branded Operation Cronos, captured the leak site, control panels, affiliate dashboards, and a sizeable cache of decryption keys for past victims. It was the largest operational disruption against a single ransomware brand in the genre’s history.

Two years on, the question is no longer “did Cronos work” but “what did it actually do, and what didn’t it touch.” This is a retrospective on that question, written from the leak-site monitoring perspective.

What Cronos changed

  • The LockBit brand became damaged goods. Pre-Cronos, LockBit was the most-recognised RaaS brand in the underground economy. The seizure flipped that: for an affiliate, signing up under a brand whose admin dashboards had just been mirrored by Western law enforcement was now a counter-intelligence risk. New affiliate signups under the LockBit name collapsed almost immediately.
  • The myth of operator anonymity took a public hit. The coalition not only seized infrastructure but published material identifying the lead administrator. Whether or not that identification translates into custody is secondary to its signalling effect: the people running ransomware brands could be named, in public, by their real identities.
  • Past victims received decryptors. The publicly-released decryptor for LockBit Black covered a meaningful share of historical victims and gave defenders a concrete recovery tool months or years after the original incident.
  • Affiliate trust in centralised RaaS infrastructure declined. The Cronos action followed within months of a similar exit-scam from ALPHV/BlackCat. The combined impact made affiliates more wary of staking their operational dependencies on a single brand’s centrally-administered platform.

What Cronos didn’t change

  • The affiliate workforce was not arrested. The seizure focused on infrastructure and core operators. The wider affiliate population, the actual people running campaigns against named victims, was largely untouched, and free to migrate.
  • The technical artefacts remained in circulation. The LockBit Black builder, leaked back in September 2022, continues to be reused by unrelated crews. DragonForce, several minor brands, and various lone operators still deploy LockBit-derived encryptors in 2026.
  • The leak-site economic model survived intact. No single law-enforcement action has yet broken the underlying business: leak-site-driven double extortion still works as a pressure mechanism, still extracts payments, still operates under the same affiliate-revenue-share economics that preceded Cronos.
  • The “LockBit” brand itself didn’t die. Within months a successor administrator was announcing LockBit 4 and later LockBit 5, on rebuilt Tor infrastructure, claiming continuity. The 2026 LockBit 5 listings are modest in volume relative to the pre-Cronos brand but the name endures.

Where did the affiliate base go?

This is the most operationally consequential question. Pre-Cronos, LockBit ran one of the largest affiliate rosters in the genre. Most of those operators did not exit the criminal economy after the takedown; they migrated. Tracking that migration through 2024 and 2025, three patterns dominate:

  • Qilin absorbed a meaningful share. Several former LockBit affiliates, identifiable by signature TTPs, target-selection patterns, and forum-account overlaps, appeared running Qilin campaigns in the second half of 2024. Qilin’s emergence as the top-volume operator of 2025–2026 (now leading our Ransomtracker dashboard) is partly explained by that absorbed affiliate capacity.
  • RansomHub picked up another tranche. RansomHub appeared in early 2024 as a new RaaS brand with an aggressive affiliate-recruitment policy and a high payout share. It absorbed not only former LockBit operators but a sizeable share of the disbanded ALPHV/BlackCat affiliate pool. RansomHub itself ran extremely hot through 2024 before its own quieter periods in 2025, illustrating that the affiliate market remains liquid even at the operator-tier level.
  • A smaller set went freelance. Some affiliates moved away from the RaaS-brand model entirely, running data-extortion-only campaigns under no published banner, monetising through direct contact rather than leak-site pressure. This tier is the hardest to track because it doesn’t produce leak-site listings.

The net effect: the displaced affiliate capacity recombined elsewhere in the ecosystem within roughly six months. Total visible activity dipped briefly in Q2 2024 and recovered to pre-Cronos levels by Q4 2024.

The strategic lessons for the next coordinated action

If a similar coalition prepares to disrupt Qilin or another current top-tier operator in the near future, three lessons from Cronos are worth pre-baking into the planning:

  • Infrastructure seizure alone moves the needle for months, not years. If the goal is durable disruption, the affiliate workforce has to be at least partially targeted alongside the brand. That’s a far harder operational problem because affiliates are decentralised, often in jurisdictions that don’t cooperate, and individually less visible than the brand operator.
  • Damaging the brand is a real lever. Cronos’s public-information component, the named operator, the published material, the deliberately humiliating tone of the seized leak site, did measurable work to discourage affiliate signups. The signalling matters.
  • Plan for the migration pattern. Anticipate where the displaced affiliate base will move. Targeting Qilin without simultaneously preparing for RansomHub or a fresh brand to absorb the displaced capacity just shifts the volume without reducing it. The 2024 Cronos / 2024 ALPHV scrambles produced exactly that effect.

What it means for defenders in 2026

Three practical conclusions:

  • Don’t read the LockBit decline as a ransomware decline. The volume migrated. The threat to your organisation isn’t materially lower in 2026 than it was in early 2024; it just comes from different named operators. Update your threat-group profile tracking to match the current tier-1 set (Qilin, The Gentlemen, Akira) rather than the LockBit-centric narrative of two years ago.
  • The 2022 LockBit Black builder leak still matters. Encryptors built from that leak continue to appear in unrelated campaigns. A YARA hit on “LockBit Black” in a 2026 incident does not necessarily mean LockBit-the-operator was involved. See our attribution methodology piece for the distinction between strain and operator.
  • Affiliate-pattern detection holds up across brand changes. The same affiliate often persists across multiple RaaS brands using the same TTPs (same initial-access vector, same lateral-movement tools, same exfiltration choices). Building your detection around affiliate TTP patterns rather than brand-specific indicators makes your controls more durable across the kind of disruption Cronos delivered.
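
As an illustration of the last point, the sketch below groups incident records by overlap in observed ATT&CK techniques and reports clusters that span more than one brand label. It is an added example, not Ransomnews tooling; the incident records, the `Brand-A`/`Brand-B`/`Brand-C` labels, the `UBIQUITOUS` exclusion set and the 0.6 threshold are all constructed assumptions.

```python
from itertools import combinations

# Constructed sample incidents: brand labels and ATT&CK technique sets are
# illustrative only, not observations about any real group.
INCIDENTS = [
    {"id": "IR-01", "brand": "Brand-A", "ttps": {"T1133", "T1078", "T1021.001", "T1567.002", "T1486"}},
    {"id": "IR-02", "brand": "Brand-B", "ttps": {"T1133", "T1078", "T1021.001", "T1003", "T1567.002", "T1486"}},
    {"id": "IR-03", "brand": "Brand-A", "ttps": {"T1566.001", "T1021.002", "T1048", "T1486"}},
    {"id": "IR-04", "brand": "Brand-C", "ttps": {"T1133", "T1078", "T1021.001", "T1567.002", "T1486"}},
    {"id": "IR-05", "brand": "Brand-B", "ttps": {"T1190", "T1021.002", "T1048", "T1486", "T1490"}},
]

# Techniques present in almost every ransomware intrusion carry no affiliate signal.
UBIQUITOUS = {"T1486", "T1490"}

def jaccard(a, b):
    """Set overlap of two technique sets after dropping ubiquitous techniques."""
    a, b = a - UBIQUITOUS, b - UBIQUITOUS
    return len(a & b) / len(a | b) if a | b else 0.0

def cluster_by_ttp(incidents, threshold=0.6):
    """Single-link clustering: incidents join a cluster if any pair meets the threshold."""
    parent = {i["id"]: i["id"] for i in incidents}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for a, b in combinations(incidents, 2):
        if jaccard(a["ttps"], b["ttps"]) >= threshold:
            parent[find(a["id"])] = find(b["id"])
    clusters = {}
    for i in incidents:
        clusters.setdefault(find(i["id"]), []).append(i)
    return list(clusters.values())

def cross_brand_clusters(incidents, threshold=0.6):
    """Clusters whose members carry more than one brand label: candidate shared affiliates."""
    out = []
    for c in cluster_by_ttp(incidents, threshold):
        brands = {i["brand"] for i in c}
        if len(c) > 1 and len(brands) > 1:
            out.append((sorted(i["id"] for i in c), sorted(brands)))
    return sorted(out)
```

On the constructed data, IR-01, IR-02 and IR-04 fall into one cluster despite three different brand labels, while the two Brand-A incidents do not cluster with each other. A cluster like this is a lead for analyst review, not an attribution.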

The takeaway

Operation Cronos was the most consequential takedown action in ransomware’s modern history, and on two-year inspection its impact is best described as “real, partial, and largely re-absorbed.” It demonstrated that a coordinated international coalition can dismantle a top-tier brand. It also demonstrated that the ecosystem itself, the affiliate workforce, the leak-site model, the economic incentives, survives that kind of disruption with surprising elasticity.

For defenders, that means the operational threat landscape stays roughly constant under brand-level disruption. For policy, it means the next round of similar actions needs a broader theory of change: pair brand seizures with affiliate targeting, plan for migration patterns, and accept that any single action is a chapter in a longer campaign rather than a finishing move.

The LockBit name is a footnote to its former self. The people who ran campaigns under it are still working, just under different banners. Track the banners on our Ransomtracker dashboard; treat the affiliates as the actual unit of analysis.
