{
	"id": "edb502c0-69e7-4605-8285-f5e05a47040d",
	"created_at": "2026-04-06T00:14:01.01939Z",
	"updated_at": "2026-04-10T13:12:58.317347Z",
	"deleted_at": null,
	"sha1_hash": "92ef0a0ae8af1c02ea7dddaf4ced3266f7d044f5",
	"title": "Law enforcement disrupt world’s biggest ransomware operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 544804,
	"plain_text": "Law enforcement disrupt world’s biggest ransomware operation\r\nBy Europol\r\nPublished: 2024-02-20 · Archived: 2026-04-05 16:17:42 UTC\r\nIn a significant breakthrough in the fight against cybercrime, law enforcement from 10 countries have disrupted\r\nthe criminal operation of the LockBit ransomware group at every level, severely damaging their capability and\r\ncredibility.\r\nhttps://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation\r\nPage 1 of 4\n\nLockBit is widely recognised as the world’s most prolific and harmful ransomware, causing billions of euros\r\nworth of damage.\r\nThis international sweep follows a complex investigation led by the UK's National Crime Agency in the\r\nframework of an international taskforce known as ‘Operation Cronos’, coordinated at European level by Europol\r\nand Eurojust.\r\nThe months-long operation has resulted in the compromise of LockBit’s primary platform and other critical\r\ninfrastructure that enabled their criminal enterprise. This includes the takedown of 34 servers in the Netherlands,\r\nGermany, Finland, France, Switzerland, Australia, the United States and the United Kingdom.\r\nIn addition, two LockBit actors have been arrested in Poland and Ukraine at the request of the French judicial\r\nauthorities. 
Three international arrest warrants and five indictments have also been issued by the French and U.S.\r\njudicial authorities.\r\nAuthorities have frozen more than 200 cryptocurrency accounts linked to the criminal organisation, underscoring\r\nthe commitment to disrupt the economic incentives driving ransomware attacks.\r\nThe UK's National Crime Agency has now taken control of the technical infrastructure that allows all elements of\r\nthe LockBit service to operate, as well as their leak site on the dark web, on which they previously hosted the data\r\nstolen from victims in ransomware attacks.\r\nAt present, a vast amount of data gathered throughout the investigation is now in the possession of law\r\nenforcement. This data will be used to support ongoing international operational activities focused on targeting the\r\nleaders of this group, as well as developers, affiliates, infrastructure and criminal assets linked to these criminal\r\nactivities. \r\nThe world’s most harmful ransomware \r\nLockBit first emerged at the end of 2019, first calling itself ‘ABCD’ ransomware. Since then, it has grown rapidly\r\nand  in 2022 it became the most deployed ransomware variant across the world.\r\nThe group is a ‘ransomware-as-a-service’ operation, meaning that a core team creates its malware and runs its\r\nwebsite, while licensing out its code to affiliates who launch attacks.\r\nLockBit’s attack presence is seen globally, with hundreds of affiliates recruited to conduct ransomware operations\r\nusing LockBit tools and infrastructure. Ransom payments were divided between the LockBit core team and the\r\naffiliates, who received on average three-quarters of the ransom payments collected.\r\nThe ransomware group is also infamous for experimenting with new methods for pressuring their victims into\r\npaying ransoms. 
Triple extortion is one such method which includes the traditional methods of encrypting the\r\nvictim's data and threatening to leak it, but also incorporates Distributed Denial-of-Service (DDoS) attacks as an\r\nadditional layer of pressure.\r\nThe gang's move to triple extortion was partly influenced by a DDoS attack they themselves experienced, which\r\nimpeded their ability to publish stolen data. In response, LockBit enhanced their infrastructure to resist such\r\nattacks.\r\nThis infrastructure is now under law enforcement control, and more than 14 000 rogue accounts responsible for\r\nexfiltration or infrastructure have been identified and referred for removal by law enforcement.\r\nEuropol’s coordinating role \r\nWith countries involved on either side of the world, Europol – which hosts the world’s biggest network of liaison\r\nofficers from EU Member States – played a central role in coordinating the international activity.\r\nEuropol’s European Cybercrime Centre (EC3) organised 27 operational meetings, and four technical one-week\r\nsprints to develop the investigative leads in preparation of the final phase of the investigation.\r\nEuropol also provided analytical, crypto-tracing and forensic support to the investigation, and facilitated the\r\ninformation exchange in the framework of the Joint Cybercrime Action Taskforce (J-CAT) hosted at its\r\nheadquarters. In addition, three Europol experts were deployed to the command post in London during the action\r\nphase.\r\nIn total, over 1 000 operational messages have been exchanged on this case via Europol’s secure information\r\nchannel SIENA, making it one of EC3’s most active investigations.\r\nThe case was opened at Eurojust in April 2022 at the request of the French authorities. 
Five coordination meetings\r\nwere hosted by the Agency to facilitate judicial cooperation and to prepare for the joint action.\r\nDecryption tools available on No More Ransom \r\nWith Europol’s support, the Japanese Police, the National Crime Agency and the Federal Bureau of Investigation\r\nhave concentrated their technical expertise to develop decryption tools designed to recover files encrypted by the\r\nLockBit Ransomware.\r\nThese solutions have been made available for free on the ‘No More Ransom’ portal, available in 37 languages. So\r\nfar, more than 6 million victims across the globe have benefitted from No More Ransom which contains over 120\r\nsolutions capable of decrypting more than 150 different types of ransomware.  \r\nReport it to the police\r\nThis investigation shows that law enforcement has the capabilities to disrupt high harm cybercriminals and reduce\r\nthe ransomware threat. However, continued victim and private sector engagement is key to us continuing this\r\nwork.\r\nThe first step to putting cybercriminals behind bars is to report cybercrime when it happens. The earlier people\r\nreport, the quicker law enforcement is able to assess new methodologies and limit the damage they can cause.\r\nReporting cybercrime can be as simple as clicking a button on a web browser. Europol has compiled a list of the\r\nreporting websites in EU Member States.\r\nRobust cybersecurity measures are also key. Europol has put together some tips and advice on how to prevent\r\nransomware from infecting your electronic devices. \r\nTaskforce Operation Cronos\r\nThis activity forms part of an ongoing, concerted campaign by the international Operation Cronos taskforce to\r\ntarget and disrupt LockBit ransomware. 
The following authorities are part of this taskforce: \r\nFrance: National Gendarmerie (Gendarmerie Nationale – Unité nationale cyber C3N)\r\nGermany: State Bureau of Criminal Investigation Schleswig-Holstein (LKA Schleswig-Holstein), Federal\r\nCriminal Police Office (Bundeskriminalamt)\r\nThe Netherlands: National Police (Team Cybercrime Zeeland-West-Brabant, Team Cybercrime Oost-Brabant, Team High Tech Crime) \u0026 Public Prosecutor’s Office Zeeland-West-Brabant\r\nSweden: Swedish Police Authority\r\nAustralia: Australian Federal Police (AFP)\r\nCanada: Royal Canadian Mounted Police (RCMP)\r\nJapan: National Police Agency (警察庁)\r\nUnited Kingdom: National Crime Agency (NCA), South West Regional Organised Crime Unit (South\r\nWest ROCU)\r\nUnited States: U.S. Department of Justice (DOJ), Federal Bureau of Investigation (FBI) Newark\r\nSwitzerland: Swiss Federal Office of Police (fedpol), Public Prosecutor's Office of the canton of Zurich,\r\nZurich Cantonal Police\r\nThe successful action was made possible thanks to the support of the following countries:\r\nFinland: National Police (Poliisi)\r\nPoland: Central Cybercrime Bureau Cracow (Centralne Biuro Zwalczania Cyberprzestępczości - Zarząd w\r\nKrakowie)\r\nNew Zealand: New Zealand Police (Nga Pirihimana O Aotearoa)\r\nUkraine: Prosecutor General's office of Ukraine (Офіс Генерального прокурора України),\r\nCybersecurity Department of the Security Service of Ukraine (Служба безпеки України), National Police\r\nof Ukraine (Національна поліція України)\r\nSource: https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation"
	],
	"report_names": [
		"law-enforcement-disrupt-worlds-biggest-ransomware-operation"
	],
	"threat_actors": [
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434441,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/92ef0a0ae8af1c02ea7dddaf4ced3266f7d044f5.pdf",
		"text": "https://archive.orkl.eu/92ef0a0ae8af1c02ea7dddaf4ced3266f7d044f5.txt",
		"img": "https://archive.orkl.eu/92ef0a0ae8af1c02ea7dddaf4ced3266f7d044f5.jpg"
	}
}