For about four years, if you were tracking ransomware, you were mostly tracking LockBit. By the time of its dismantling in February 2024, the gang had claimed more victims, on more leak-site listings, than any other operator in history. Its core team had professionalised RaaS to a degree no rival quite matched. Its takedown, Operation Cronos, was a case study in how to fight back.
Origins
LockBit first appeared in September 2019 under the unimaginative name "ABCD ransomware," after the .abcd extension it appended to encrypted files. By early 2020 it had rebranded as LockBit and was actively recruiting affiliates on Russian-language criminal forums. The brand’s identity was set early: technical credibility, fast iteration, public swagger. The core operator, who used the handle LockBitSupp, was unusually willing to engage publicly, giving interviews to researchers and journalists, later paying bounties for bugs found in the locker and its infrastructure, and making regular forum appearances.
Three generations of locker
LockBit’s locker went through three numbered major versions, each a meaningful step forward, plus one side variant built from someone else’s code:
- LockBit 1.0 (2019–2021). A capable but unremarkable Windows locker.
- LockBit 2.0 / Red (2021–2022). Marketed as "the fastest ransomware in the world," with benchmarks the operators ran themselves and published. Introduced a Linux/ESXi variant and the StealBit data-exfiltration tool.
- LockBit 3.0 / Black (June 2022 onward). A substantial rewrite that borrowed code from BlackMatter (itself a DarkSide successor), added anti-analysis features such as a password-protected payload, and launched a bug bounty program, a first for a ransomware brand.
- LockBit Green (early 2023). A separate variant repurposing leaked Conti source code, primarily aimed at affiliates already familiar with Conti tooling.
The "fastest encryptor" claim was not just marketing. Independent benchmarks broadly confirmed it, in part because LockBit aggressively used multi-threading and intermittent ("partial") encryption, encrypting only blocks of each file rather than the whole thing.
The affiliate program
LockBit’s RaaS was the gold standard of the criminal underground. Affiliates received roughly 70–80% of ransom payments; the operators kept the rest. The affiliate panel offered build customisation, victim management, negotiation chat, and revenue tracking. Crucially, LockBit pioneered a payment model in which the affiliate received the ransom directly and paid the operator’s cut, rather than the more common reverse arrangement, a design intended to demonstrate trustworthiness to a paranoid affiliate base.
The brand emphasised stability and uptime. Where rival operations went offline for days or weeks under pressure, LockBit prided itself on always being reachable. When the original LockBit data-leak site was seized in 2024, the operator stood up a backup within days.
Notable victims
The list of LockBit victims runs to thousands of organisations and includes:
- Accenture (2021), one of the world’s largest consultancies.
- The UK Royal Mail (2023), causing an extended international shipping disruption.
- Boeing (2023), with more than 40GB of data eventually published after the company refused to pay.
- Industrial and Commercial Bank of China (ICBC) Financial Services (2023), reportedly disrupting US Treasury market trading.
- Continental (2022), with 40+ TB allegedly stolen.
- The UK’s NHS indirectly via several supplier compromises.
- Many municipalities, hospitals, and school districts, despite the operator’s nominal "no critical infrastructure" rules.
The operation was so prolific that, on some quarterly reports, LockBit alone accounted for a quarter or more of all observed ransomware activity globally.
Operation Cronos
In February 2024 a law-enforcement coalition led by the UK’s National Crime Agency, working with the FBI and Europol and partners from Australia, Canada, France, Germany, Japan, the Netherlands, Sweden, Switzerland, and Ukraine, seized LockBit’s infrastructure in a coordinated action branded Operation Cronos. The defaced leak site became a marketing channel for law enforcement: the victim countdown timers were replaced by a series of timed disclosures about the operation, indictments, sanctions, and a decryptor.
The technical entry point was reportedly an unpatched PHP vulnerability on LockBit’s own servers (CVE-2023-3824), a detail LockBitSupp himself conceded afterwards. The seizure took in the affiliate panel, source code, more than a thousand decryption keys, and negotiation chat logs that showed how victims had actually been handled, including cases where paying did not result in data being deleted.
Two Russian nationals, Artur Sungatov and Ivan Kondratyev, were indicted in the US as LockBit affiliates, and two further affiliates were arrested in Poland and Ukraine. In May 2024 the NCA publicly identified LockBitSupp as Dmitry Yuryevich Khoroshev; he was sanctioned under UK, US, and Australian regimes and the US offered a $10 million reward for information leading to his arrest.
The aftermath
LockBit attempted to reconstitute. New leak sites appeared. New victim listings were posted, though many turned out to be recycled or fabricated. The brand’s credibility, the most valuable asset a RaaS operator owns, was permanently dented. Affiliates voted with their feet, migrating to RansomHub, Akira, Play, and other emerging programs. By late 2024 LockBit’s victim count had dropped to a fraction of its peak.
Why it mattered
LockBit’s significance is not just scale. It was the operation that proved the RaaS model could be run with the discipline and reliability of a real software business. It set the template for how affiliates were recruited, how lockers were marketed, how brands were defended in public. Even successor groups owe their playbook to LockBit’s example.
Its takedown was equally important. Operation Cronos demonstrated that even the most professionalised, jurisdictionally protected RaaS could be hollowed out from the inside if law enforcement combined patient infrastructure work, intelligence sharing, and a willingness to use the operator’s own platform for counter-messaging. The LockBit chapter is closed. Whether the lessons stick depends on what defenders and law enforcement do with them next.
