{
	"id": "a86a9c71-7886-4d3d-9a00-d1d93167d0b1",
	"created_at": "2026-04-06T00:15:11.249243Z",
	"updated_at": "2026-04-10T03:29:39.979119Z",
	"deleted_at": null,
	"sha1_hash": "9d46c6444f89f5778ceaadbcdc3206413b1a3005",
	"title": "Unveiling the Fallout: Operation Cronos' Impact on LockBit Following Landmark Disruption",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6455958,
	"plain_text": "Unveiling the Fallout: Operation Cronos' Impact on LockBit Following Landmark Disruption\r\nBy: Christopher Boyton, Apr 03, 2024. Read time: 21 min (5757 words)\r\nPublished: 2024-04-03 · Archived: 2026-04-02 11:10:12 UTC\r\nSummary:\r\nOn Feb. 19, 2024, Operation Cronos, a targeted law enforcement action, caused outages on LockBit-affiliated platforms, significantly disrupting the notorious ransomware group's operations.\r\nLockBit’s downtime was quickly followed by a takeover of its leak site by the UK’s National Crime Agency (NCA), spotlighting the concerted international effort against cybercrime.\r\nAuthorities leveraged the compromised LockBit leak site to distribute information about the group and its operations, announce arrests, sanctions, cryptocurrency seizure, and more. This demonstrated support for affected businesses and cast doubt on LockBit's promises regarding data deletion post-ransom payment — emphasizing that paying ransoms is not the best course of action.\r\nTrend Micro analyzed LockBit-NG-Dev, an in-development version of the ransomware. Key findings indicated a shift to a .NET core, which allows it to be more platform-agnostic and emphasizes the need for new security detection techniques.\r\nThe leak of LockBit's back-end information offered a glimpse into its internal workings and disclosed affiliate identities and victim data, potentially leading to a drop in trust and collaboration within the cybercriminal network.\r\nThe sentiments of the cybercrime community toward LockBit's disruption ranged from satisfaction to speculation about the group’s future, hinting at the significant impact of the incident on the ransomware-as-a-service (RaaS) industry. 
Businesses can expect shifts in RaaS tactics and should enhance preparedness against potential reformations of the disrupted group and its affiliates.\r\nContrary to what the group themselves have stated, activities observed post-disruption would indicate that Operation Cronos has had a significant impact on the group’s activities.\r\nOverview of Operation Cronos\r\nThe RaaS group LockBit, which has been in operation since early 2020, grew to become one of the largest RaaS groups in the ransomware ecosphere and was responsible for 25% to 33% of all ransomware attacks in 2023. The group has claimed thousands of victims and was, by far, the biggest financial threat actor group in 2023.\r\nThe LockBit group operated using an affiliate model, whereby the group claimed 20% of ransom payments with the remainder going to affiliates responsible for the ransomware attacks. This report outlines how LockBit operated, and most importantly, the subsequent activity we observed following the disruption of its operations.\r\nhttps://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.html\r\nPage 1 of 26\n\nOn Feb. 19, 2024, at around 8 p.m. Greenwich Mean Time (GMT), we observed that several of the Onion sites associated with the LockBit operation were showing a 404 error message.\r\nAfter we determined that the various Onion sites refused any connection, it became clear that Operation Cronos was underway.\r\nFigure 2. Unable to connect message on a LockBit-associated Onion site\r\nAt 9 p.m. GMT, the sites were back online but with a law enforcement agency (LEA) splash page announcing that the sites were now under the control of the UK’s NCA.\r\nFigure 3. LEA splash page on a LockBit Onion site\r\nOn Feb. 
20, 2024, the leak site was modified to keep the traditional look of the LockBit website, but instead of its usual content, the site showed a countdown timer — one that has been heavily associated with LockBit — counting down to the release of several press releases, indictments, arrests, and blog articles.\r\nFigure 4. LockBit’s leak site showing countdown timers to Operation-Cronos-related articles being published\r\nPress releases housed on LockBit’s leak site\r\nPress releases from the NCA, the FBI, and Europol were made available on the seized leak site, showing the combined efforts of the different agencies in tackling the biggest threats in cybersecurity.\r\nAn emphasis was also placed on the use of the word “disruption” rather than “takedown,” which has become synonymous with previous law enforcement actions against criminal organizations. It was clear from the information released throughout the operation that this was not an opportunistic attempt to gain a win against a major cybercrime group. Instead, this was a meticulously planned, well-executed operation that shows how law enforcement agencies have the appetite to go after hard targets — indeed, even groups perceived to be beyond law enforcement’s reach could still be taken on with tangible results.\r\nFigure 5. Law enforcement press release page\r\nLockBitSupp banned from cybercrime forums\r\nAs part of the information released on the leak site, there was a reference to LockBitSupp’s recent status change in Exploit and XSS, two of the most prominent and long-standing cybercrime forums today. 
LockBitSupp’s recent negative behavior in the criminal community and its resultant ban from these two prominent underground criminal forums also left a negative impact in the cybercrime ecosystem when the operation was publicly announced.\r\nLockBitSupp’s ban also limited its ability to communicate its message in the aftermath of Operation Cronos. Had LockBitSupp maintained access to the forums, the entire LockBit group could have been in a better position to respond to the ongoing commentary and offer reassurance to its affiliates.\r\nFigure 6. LockBit leak site showing that LockBitSupp was banned from Exploit.in, XSS.is, and now the LockBit leak site\r\nOperation Cronos offers LockBit decryption keys\r\nAnother key element that sets Operation Cronos apart from traditional site seizures was the announcement that decryption keys would be made available. This offer of support also highlights that ransom payments are not the best course of action. This is further demonstrated by the fact that, contrary to what LockBit claimed in negotiations, victim data was not deleted upon ransom payment.\r\nFigure 7. Operation Cronos made LockBit decryption details available on LockBit’s leak site.\r\nTrend's analysis of LockBit-NG-Dev\r\nTrend analyzed a sample that is believed to be an in-development version of a platform-agnostic build that we track as LockBit-NG-Dev (where “NG” stands for “next generation”). Our analysis was published on the seized leak site along with findings from other trusted partners.\r\nThe key findings of the analysis revealed that:\r\nLockBit-NG-Dev is now written in .NET and compiled using CoreRT. 
When deployed alongside the .NET environment, this allows the code to be more platform-agnostic.\r\nThe code base is completely new as a result of the move to this new language, which means that new security patterns will likely be needed to detect it.\r\nWhile it has fewer capabilities compared to LockBit 2.0 (Red) and LockBit 3.0 (Black), these additional features are likely to be added as development continues. However, it’s important to note that, as it is, it’s still a functional and powerful piece of ransomware.\r\nIt has removed the self-propagating capabilities and the ability to print ransom notes via the user’s printers.\r\nExecution is now restricted to a validity period, enforced by checking the current date, which is likely to help the operators assert control over affiliate use and make it harder for security systems to launch automated analysis.\r\nSimilar to LockBit Black, this version still has a configuration that contains flags for routines, a list of processes and service names to terminate, and files and directories to avoid.\r\nIt also still has the ability to rename encrypted files with random file names.\r\nAside from the technical analysis of the in-development build, our report also outlined the technical issues the group has experienced as well as the apparent decline of LockBit’s reputation.\r\nLockBit back-end leaks reveal victim, affiliate information\r\nIf onlookers had any doubt as to whether law enforcement had simply defaced the leak site, this was quickly dispelled when LockBit’s admin panel details were leaked. This leak has made it blatantly obvious to any affiliate that LockBit would no longer be able to operate normally.\r\nFigure 8. 
Screenshots of LockBit’s admin panel\r\nThe succeeding parts of this section discuss some of the interesting takeaways from the leaked panel screenshots.\r\nThe stats page shows the number of viewers and which victims visited the site and/or decrypted a test file. This was probably used to forecast the likelihood of a victim paying based on their type of engagement with the leak site. It might have also been used to assess if a victim was attracting significant interest, as this is something that could be leveraged in negotiations.\r\nFigure 9. Leaked stats page from LockBit’s admin panel\r\nThe chats tab revealed that law enforcement had access to conversations between affiliates and victims. This would have helped identify victims and also gauge the true scope of LockBit’s victims. The chat window also had an option for victims to download the decryptor. Any open negotiations or current victims might have been provided this option.\r\nFigure 10. Chat tab that features a “Download decryptor” option for victims\r\nThe builder tab confirmed that the group used the colors black, red, and green for the generational builds, as well as a Linux or an ESXi build. The lack of a differently named build suggests the sample we analyzed was definitely not yet in active use.\r\nFigure 11. Builder tab that features build information for LockBit’s publicly released versions\r\nThe listing tab shows a table of victims’ names, number of files, revenue, and file size. These pieces of information were likely used for triaging purposes to focus on higher-revenue targets. 
The number 1912 at the bottom of the page suggests that this was the number of LockBit’s victims at the time the screenshot was taken.\r\nFigure 12. The listing tab possibly shows the number of LockBit’s victims at the time when the screenshot was taken.\r\nThe admin page contains a list of affiliates along with a window showing the information gathered when registering a user. Although affiliate names were believed to be randomly generated, the presence of the username field suggests that usernames can be manually generated in some cases.\r\nThere’s also a dropdown for “parent adv”, which suggests that LockBit actors kept a record of whether a prospective affiliate was referred by an existing affiliate. This was likely used as a way of keeping an audit trail should there be any security issues.\r\nAnother interesting item that can be noted in the admin page is the level. LockBit was at Level 4, while its affiliates were at Level 1. The user Kelton was listed at Level 3 even though they had far fewer active chats than some of the other affiliates. This suggests that a member at Level 3 was either a LockBit operator working directly for LockBitSupp or a very prominent threat actor who was trusted by LockBitSupp.\r\nFigure 13. LockBit admin page showing a list of affiliates, referrer information, and hierarchy level\r\nLockBit affiliates exposed\r\nThe “Lockbit’s Hackers exposed” section that was published on the leak site revealed that affiliates who logged into their LockBit control panel were greeted with a personalized message informing them that law enforcement had taken control and might be in touch with them.\r\nFigure 14. 
A screenshot of the “Lockbit’s Hackers exposed” page showing law enforcement’s personalized message for affiliates\r\nAn examination of the list of affiliates shows that, excluding the admin account, there were a total of 193 affiliate accounts. There were also several “testing” accounts seen. We observed that the majority of the usernames used are popular first names; this is not at all unique and doesn’t give us much to go on. This also indicates that these usernames are not handles that would typically be reused on forums.\r\nFigure 15. List of LockBit affiliates’ usernames\r\nHowever, there are several interesting usernames that stand out, as well as some that overlap with handles observed to have been used by members of the Conti group:\r\nId:5 Finn. This is an alias that was also used by the threat actor Buza (later revealed to be Maksim Rudenskiy following announced sanctions), who was a key member of the TrickBot group and a team lead for coders. This might be a coincidence, but the join time occurred one month after Conti shut down its operations.\r\nId:36 JohnRembo. This isn’t your typical first name, so it stands out from the list of affiliates. However, we were not able to find any other notable activity for this moniker.\r\nId:46 BillieOLDDDDD. This is another unusual username, but we found no other related activity in our investigations.\r\nId:52 Stanton. This is also a handle used by a former crypter for the Conti team.\r\nId:112 to 113 and 117 to 120 – teststealergate*. These accounts were probably for internal testing for the Stealc malware.\r\nId:126 federalvstavaiskolen. There could be different meanings or translations for this username. 
One possibility is that if you break it up into separate words (“fed eral vstavai skolen”), it translates to “fed raise from your knees” or “Federal get educated,” depending on the language. This might have been a test account.\r\nId:129 AlphaKiller. This is also a peculiar username, but we found no other related activity in our investigations.\r\nId: 130, 132, and 140. The accounts dududu, pentestululu, and uluulu are not capitalized like the other names. It’s possible that these are test accounts used by the operators.\r\nId: 193 Sailor. “Sailor” is another username that isn’t typical. It’s possible that it’s related to the threat actor that uses the monikers “SailorMorgan” and “cipherpunk”, who has experience working with RaaS groups as a former member of the FiveHands and Yanluowang ransomware groups.\r\nAnother notable observation is the large number of affiliates who joined in December 2023. There were 20 affiliates registered in December, which is a significant amount when compared with the other 173 affiliates that joined over the previous 18 months. It is probably not a coincidence that this spike in registrations coincided with the ALPHV (aka AlphaV or BlackCat) outage as a result of law enforcement action. LockBitSupp actively advertised that ALPHV affiliates would be welcome to join.\r\nLockBit indictments and arrests\r\nThe announcement of indictments against Ivan Kondratyev (Bassterlord) and Artur Sungatov further demonstrated the extent to which law enforcement had gathered information on the LockBit group. In our previous blog entry, we described how we suspected Bassterlord to be the leader of the National Hazard Agency, which is believed to be a major subgroup of LockBit. 
This indictment targets one of the key members affiliated with LockBit and a prominent member of the cybercrime community.\r\nFigure 16. A post about Ivan Kondratyev (aka Bassterlord) and Artur Sungatov on the LockBit leak site\r\nFigure 17. Unsealed indictment document against Ivan Kondratyev (aka Bassterlord) and Artur Sungatov\r\nUnderground perspective on LockBit’s disruption\r\nThe overall sentiment over LockBit’s disruption seems to fall into one of two groups: The first involves actors who seemed to take some pleasure in the news; this was probably amplified by LockBitSupp’s recent ban from the XSS and Exploit forums, as well as the events surrounding it. Meanwhile, the second group includes actors who felt that LockBit would inevitably recover and reform or rebrand.\r\nWe monitored underground activity to assess the response to Operation Cronos and identify anyone who might have been involved with the LockBit group. It was expected that, given LockBit’s high-profile nature, there would be many online discussions following its disruption. These posts on underground forums might also have caused a few to inadvertently reveal themselves as potential affiliates. There was also plenty of speculation as to whether LockBit would continue as normal. 
Threat actors were also eager to point out what they would have done differently, which was an added bonus when considering the tactics, techniques, and procedures (TTPs) of actors.\r\nThe first 24 hours after LockBit’s disruption\r\nAs with any major disruption to a service, there was an immediate reaction from both affiliates and other underground threat actors who were casual observers in the hours immediately following the operation.\r\nTwo actors in particular published posts on the XSS forum that, judging by their exchanges, indicate that they were LockBit affiliates. An actor using the handle “Desconocido” complained that three ongoing campaigns were affected by the disruption. This comment was also made before the disruption was widely talked about, which gives more weight to the likelihood that the actor was an affiliate. Another actor using the handle “IT-user” announced that LockBit’s Tox account had been seized, which might indicate that prior to that, they were in communication with the actor LockBitSupp. Desconocido revealed that LockBitSupp was already using a secondary account, again implying that they had reason to be in contact with LockBitSupp. In addition, the actor “carnaval”, who is known to be either a current or a former affiliate, was also active on XSS in the conversation regarding the disruption.\r\nA prominent threat actor known as “Bratva” began to highlight to other RaaS groups that CVE-2023-3284 might have been used on both ALPHV and LockBit infrastructures, although this is not mentioned in any law enforcement publications. On the Exploit forum, suspicion was also raised by the fact that LockBit operators lured affiliates away from ALPHV prior to being infiltrated themselves.\r\nMeanwhile, on the ramp_v2 forum, LockBitSupp, using the “Lockbit” moniker, provided a new Tox ID and announced that the LockBit infrastructure would be rebuilt. 
LockBitSupp also sought to reassure affiliates that it still had the data intact.\r\nInterestingly, a post on X (formerly Twitter) by a user with the handle “Loxbit” claimed that they had worked as an affiliate and had been cheated by LockBitSupp. In Figure 18, we can see that this same LockBit affiliate uses the handle “Chuck Norris”. We believe it’s possible that this actor also uses the monikers “chak Norris” and “sarg0n”.\r\nFigure 18. The user “Loxbit” published a post on X claiming to be a LockBit affiliate who had been cheated by LockBitSupp. Source: https://x.com/loxbit60511/status/1759960443861258365?s=20\r\nThe first 72 hours after LockBit’s disruption\r\nIn the days following the disruption, the topic was still being widely discussed across underground forums. Members of the forums seemed to appreciate the NCA’s sense of humor, commenting that the law enforcement agency was trying to be “lulzy” (internet slang for comical or amusing) in its actions on LockBit’s leak site. The release of information regarding the arrests also instigated further conversation. There was also a consensus that LockBit would simply rebrand and return, similar to what happened with Conti, Royal, Black Basta, and Hive, although as the rest of the week went by, LockBit’s reputation was further damaged.\r\nOn one Breachforums thread that discussed the disruption, one member was of the opinion that LockBit deserved the disruption due to the group targeting hospitals. In the initial days following the disruption, the Exploit and XSS forums seemed to be unusually constrained in their discussion of the topic. The discussion about LockBitSupp’s ban status was active, but the overall discussion pertaining to LockBit’s disruption seemed to be less active than in other forums. 
One reason for this could have been that, as two of the more mature forums in operation, the members of Exploit and XSS might have been under instruction to be wary of researchers and law enforcement monitoring their activity following such a high-profile action.\r\nAn interesting observation when looking at the fallout from the disruption is that it sparked some self-reflection among other active RaaS groups. Notably, competitor RaaS groups expressed much interest in learning about how LockBit was infiltrated. A Snatch RaaS operator also pointed out on their Telegram channel that they were all at risk. This is a subtle bonus stemming from the disruption operation: the spread of paranoia in the cybercriminal ecosystem. Other groups are now taking a closer look at what they need to do to reduce the risk of infiltration. Anything that makes operating more difficult is a good thing in the fight against ransomware actors.\r\nIn a period that fostered paranoia and introspection, it’s no surprise that members of the criminal underground started to question whether LockBitSupp had collaborated with law enforcement or otherwise. Although there were several mentions of LockBitSupp cooperating with the Federal Security Service (FSB), it’s important to note that this is just speculation and not something we can confirm. The claims were probably bolstered by a Chainalysis report that the LockBit group sent donations to a certain “Colonel Cassad” in Donetsk.\r\nAlthough LockBitSupp was guarded when it came to public communication efforts, which is partly due to its being banned on XSS and Exploit, LockBitSupp attempted to preserve the appearance of being in control of the situation. 
For example, LockBitSupp responded to the law enforcement countdown that would release information about its identity by doubling the reward to US$20 million. This was a clever move on LockBitSupp’s part, as it seemed to garner support in the criminal underground. The apparent defiance might have also been part of a strategic plan to try to persuade affiliates that the operation was not under threat. In some ways, LockBitSupp appears to have resorted to a PR tactic that many of its own victims were forced to enact following ransomware attacks: LockBitSupp publicly projected a position of strength to its customer base while also internally trying to rebuild and get back to business.\r\nIn the first 72 hours, many speculated about the extent of the information to be released about LockBitSupp. There was a lot of build-up leading up to it, which was heightened by the NCA using the infamous LockBit countdown to make the announcement. There was also some confusion in the first few days, with people looking for the official LockBitSupp Telegram channel. This was a result of several accounts masquerading as LockBitSupp.\r\nGiven the curiosity and media attention generated by the disruption, some actors sought to capitalize on the confusion and take advantage of unwitting victims. For example, a Telegram user with the handle “Lockbit 3.0” claimed to be a LockBit operator and offered positions for affiliates to join the group for a small fee of US$150.\r\nThe first week post-LockBit disruption\r\nThe much-anticipated leak of information about the threat actor LockBitSupp seemed to have been perceived as anti-climactic in the underground community. Law enforcement’s use of the “Tox Cat” emoji in its announcement, to imply some level of access that it had to LockBit’s operations, was also seen as further trolling from law enforcement. 
In addition, some felt that the lack of details showed that LockBitSupp had called its bluff. However, it was clear that the vague reference to LockBitSupp’s communication with law enforcement did have the desired effect of seeding doubt among some members. Less than an hour after the release of the message pertaining to LockBitSupp talking with law enforcement, some messages on Telegram mentioned that “There’s chatter that Lockbit is a snitch.”\r\nThere was also speculation that other groups could now become the market leader, with ALPHV being touted to rise to the top. We now know, following the events surrounding ALPHV, that this would not be the case.\r\nThere was also a discussion about how victim data wasn’t deleted following a payment. It was pointed out that this was no surprise when you consider the value such data would still hold.\r\nAs the dust settled following the first few days, there were still a few actors who were focused on how the disruption came about and what its implications were. Some members of the criminal underground undertook their own investigation and began trawling through old posts and dissecting what was said in the past. This further demonstrates the state of paranoia that the disruption instilled.\r\nIn a rebuttal to law enforcement’s press release, LockBitSupp announced that it would return with new Onion sites on Feb. 24, 2024 and added fbi.gov as the first victim on the new leak site.\r\nFigure 19. A post identifying “fbi.gov” as LockBit’s first victim on its new leak site\r\nWhen the countdown reached zero, a lengthy statement was released by LockBitSupp. Instead of sensitive FBI data, the new leak site showed a lengthy statement outlining the events and a declaration that it would continue to operate. 
\r\nLockBitSupp also posted a shoutbox message on the ramp_v2 forum seeking out anyone selling access to .gov, .edu, and .org top-level domains (TLDs), which seemed to signal its intent to attack government organizations as a reprisal.\r\nThe revival of the leak site appeared to have brought more scrutiny on the LockBit operation. LockBitSupp claimed that its infrastructure had been compromised by law enforcement via a PHP vulnerability, an assertion that many threat actors discussed and echoed in forums. However, this also led to these actors pointing out that the alleged PHP vulnerability was over six months old, calling into question the ability of LockBit operators to secure their environment. This also prompted a closer inspection of the new leak site, after which some were quick to point out that it was still using PHP.\r\nAnother forum member using an account that mimicked the FBI recalled how LockBitSupp was looking for an experienced system administrator a year and a half ago.\r\nFigure 20. A post by a user in a cybercrime forum questioning LockBitSupp’s use of PHP for its new site\r\nAnother commentator posted a screenshot that suggested LockBitSupp was having authentication issues with one of the new Onion sites.\r\nFigure 21. A screenshot posted on a cybercrime forum showing an Onion site with authentication issues\r\nSimilar to the law enforcement leak, there was a lot of interest surrounding the public statement by LockBitSupp on its new leak site. 
While some saw it as a sign that LockBit operators were back in action, others were a bit more skeptical, with some chat messages discussing how the new leak site was a continuation of the law enforcement operation due to the lack of anything substantial from the FBI leak.\r\nThe first two weeks post-LockBit disruption\r\nThe return of the LockBit leak site might have been a sign to some that LockBit was back. However, for others, the commotion surrounding the new site didn’t take away from the fact that LockBitSupp got banned from Exploit and XSS. One access broker using the handle “dealfixer” advertised access but specifically mentioned that they did not want to work with anybody from LockBit. There are two possible reasons for this: They were either apprehensive about having any association with a group possibly compromised by law enforcement, or they did not have the desire to work with LockBit following a public complaint by the actor “michon”, who alleges that they did not get properly compensated by LockBitSupp.\r\nIn the two weeks following Operation Cronos, we observed another arbitration thread against LockBitSupp. This time, another initial access broker going by the moniker “n30n” opened a claim on the ramp_v2 forum due to a loss of payment surrounding the disruption.\r\nAnother actor named “SDA” also emerged as a partner and made claims pertaining to LockBitSupp’s existing bans on other cybercrime forums. While the claims were dismissed as an unfortunate side effect of the LockBit disruption, the claims did reveal some chat logs that transpired between the threat actors to confirm their LockBit affiliation. 
While addressing the claims, LockBitSupp also revealed that it went through all affiliate activity to identify possible infiltrators and removed affiliates who didn’t have ransomware payments from the admin panel. There was also a new deposit requirement in order to become a LockBit affiliate.\r\nWhile there was a lot of commentary about how LockBit was back and that the group would come back stronger, evidence to the contrary continued to mount. Interestingly, one user on a Telegram channel belonging to ransomware developers pointed out that LockBit was reposting old victims. We discuss the victims that were posted on the new leak site in a succeeding section that discusses LockBit’s post-disruption activities.\r\nA review of LockBit activity post-Operation Cronos\r\nWhile the disruption operation was ongoing, we continued to monitor our internal telemetry to gauge the impact it had on LockBit infections. Based on our data, there was a clear drop in the number of actual LockBit infections. We excluded threat emulation data and any infections that were a result of the leaked LockBit build. We also used the new Onion sites to track any newly posted attacks, and only one small cluster was observed in the three weeks that followed the disruption.\r\nFigure 22. LockBit infections post-Operation Cronos\r\nThis small cluster occurred on Feb. 27, 2024, when we observed the first indication of possible LockBit affiliate activity following Operation Cronos. We observed what appeared to be a low-volume campaign targeting South Korea.\r\nWe observed a ransom note containing links to the new LockBit Onion sites (SHA256: 1dab85cf02cf61de30fcda209c8daf15651d649f32996fb9293b71d2f9db46e1).\r\nFigure 23. 
LockBit ransom note that points to a new Onion site\r\nFigure 24. LockBit desktop background image\r\nThe infection chain uses a less common compressed file type, ALZip, which contains the LockBit executable; the ALZip archive is distributed to victims via email and the executable is launched once the archive is extracted.\r\nBoth the ransom note and the executable were submitted to VirusTotal by users in South Korea and are believed to come from two separate attacks. On further investigation, we identified a blocked detection of the executable at a customer based in Singapore. Although the customer was in Singapore, the extracted attachment’s file name was in Korean:\r\n이력서14\\$$$$$입사지원서_240226$$$$$ 누구보다 열정적인 인재입니다.exe\r\nFigure 25. A LockBit executable file’s file name in Korean (left) and its English translation (right) via Google Translate\r\nThe path translates roughly as “Resume14\\$$$$$Job application_240226$$$$$ I am a more passionate talent than anyone.exe”, a job-application lure with the executable extension pushed to the end of a long document-like name.\r\nOne of the victim conversations from the LockBit chat page shows that the ransom demand was only US$2,800, significantly lower than what we would expect in a LockBit negotiation. This could be a minor affiliate desperate to keep some cash flowing. If it were LockBitSupp operating alone to maintain the facade that everything is operating normally, we would expect the ransom amount to be higher, especially since LockBitSupp could post victim information to the leak site.\r\nFigure 26. LockBit chat page showing a ransom amount of US$2,800\r\nLockBit breaches post-Operation Cronos\r\nFollowing the disruption operation, there was much discussion about whether LockBit would be able to weather the storm and continue to operate. On the surface, LockBit appears to be operating as it did before the disruption, but an examination of the leak site victims and the associated data paints a very different picture. 
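The delivery chain described above (an ALZip archive sent by email, carrying an executable named like a résumé, and a ransom note pointing at fresh Onion sites) is something a mail gateway or SOC can check for directly. The following is an added example written for this page; it is not Trend Micro’s tooling and not anything recovered from the affiliate. It recognizes an ALZip archive by its file signature, scores an extracted member name for the executable-disguised-as-document pattern, and pulls Tor v3 onion addresses out of a note for pivoting. The attachment bytes, the ransom note and its onion addresses are constructed placeholders; the member name is the one reported above; the lure-word list and the filler-run heuristic are assumptions tuned to this one campaign.

```python
import re

# ALZip (.alz) archive signature: ASCII 'ALZ' followed by 0x01, the file header
# magic used by the unalz reference implementation.
ALZ_MAGIC = bytes([0x41, 0x4C, 0x5A, 0x01])

EXECUTABLE_EXTENSIONS = ('.exe', '.scr', '.com', '.pif', '.lnk', '.bat', '.cmd')

# Lure vocabulary (assumption): the Korean words for resume and job application
# seen in this campaign plus English equivalents. Widen for other lures.
LURE_WORDS = ('이력서', '입사지원서', 'resume', 'job application')

# Tor v3 onion service address: 56 base32 characters followed by .onion
ONION_RE = re.compile('[a-z2-7]{56}[.]onion')

# A run of four or more filler characters ($, _ or space) in a file name; an
# assumed padding trick that pushes the real extension out of narrow listings.
FILLER_RE = re.compile('[$]{4,}|_{4,}| {4,}')

# Constructed sample: a fake attachment consisting only of the ALZ header, the
# member name reported in this article, and a made-up ransom note whose onion
# addresses are placeholders, not real LockBit sites.
SAMPLE_ATTACHMENT = ALZ_MAGIC + bytes(60)
SAMPLE_MEMBER = '이력서14' + chr(92) + '$$$$$입사지원서_240226$$$$$ 누구보다 열정적인 인재입니다.exe'
SAMPLE_NOTE = (
    'Your data is stolen and encrypted. Tor Browser links: '
    'http://' + 'a' * 56 + '.onion/ '
    'Mirror: http://' + 'b2c3' * 14 + '.onion'
)


def is_alz(data):
    '''True when the blob starts with the ALZip archive signature.'''
    return data[:4] == ALZ_MAGIC


def filename_indicators(name):
    '''Return the labels of executable-disguised-as-document tricks that a
    member name (as listed inside the archive) matches.'''
    base = name
    for sep in ('/', chr(92)):          # keep only the final path component
        base = base.split(sep)[-1]
    lowered = base.lower()
    hits = []
    if lowered.endswith(EXECUTABLE_EXTENSIONS):
        hits.append('executable_extension')
    if any(word in lowered for word in LURE_WORDS):
        hits.append('document_lure_name')
    if FILLER_RE.search(base):
        hits.append('filler_padding')
    if base.count('.') > 1:
        hits.append('multiple_extensions')
    return hits


def onion_links(note_text):
    '''Extract v3 onion addresses from a ransom note for pivoting.'''
    return sorted(set(ONION_RE.findall(note_text.lower())))


def triage(attachment, member_name, note_text):
    '''Combine the checks into one verdict for an email-delivered sample.'''
    indicators = filename_indicators(member_name)
    verdict = {
        'alz_archive': is_alz(attachment),
        'filename_indicators': indicators,
        'onion_addresses': onion_links(note_text),
    }
    # An archive that carries an executable, or a name hitting two tricks at
    # once, is enough to pull the message for analyst review.
    verdict['suspicious'] = (
        verdict['alz_archive'] and 'executable_extension' in indicators
    ) or len(indicators) >= 2
    return verdict


if __name__ == '__main__':
    print(triage(SAMPLE_ATTACHMENT, SAMPLE_MEMBER, SAMPLE_NOTE))
```

Run as a script it prints the verdict for the constructed sample; in a pipeline, feed it the raw attachment bytes and the member names listed in the archive. Listing the archive contents is left to an ALZ-aware unpacker, since only the header check is done here.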
As of this writing, 95 victims were posted to the leak site after Operation Cronos.\r\nBy checking previous LockBit posts and the timestamps on leaked data, we uncovered the following highlights in our investigation:\r\nOver two-thirds of the victims were re-uploads, and the attacks on these victims occurred prior to Operation Cronos.\r\nIn the middle of March 2024, we observed that victims being posted to the LockBit leak site had recently been posted by other groups; the majority were ALPHV victims, while one was a RansomHub victim.\r\nSeven victims were removed before we could confirm when the attacks were likely to have been carried out.\r\nFor 14 victims, the data had still not been published, and we found no public data other than the LockBit posts themselves to verify the actual attack dates.\r\nFigure 27. LockBit leak site victim information post-Operation Cronos\r\nAnother interesting observation is the distribution of victim countries after the disruption compared with normal LockBit operations. Following the operation, LockBitSupp appears to be attempting to inflate the apparent victim count while also focusing on posting victims from countries whose law enforcement agencies participated in the disruption. This is possibly an attempt to reinforce the narrative that the group would come back stronger and target those responsible for its disruption.\r\nFigure 28. A comparative view of LockBit’s pre- and post-Operation Cronos victimology\r\nFurther bolstering the hypothesis that the leak site is being manipulated to give an appearance of normalcy is the addition of victims in batches, which indicates that one person is maintaining it. 
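The checks behind these highlights, matching each new entry against the pre-Cronos victim list and against other groups’ postings, counting entries whose data never appeared, and looking at how closely spaced the upload timestamps are, can be scripted over a scraped victim list. The following is an added example written for this page rather than Trend Micro’s own tooling; every victim name, group and timestamp in it is constructed for illustration and corresponds to no real organization or leak-site entry.

```python
from datetime import datetime

# Constructed records for illustration only; none of these victims, dates or
# groups are taken from the article or from any real leak site.
PRE_CRONOS_LOCKBIT = {'Alpha Logistics GmbH', 'Beta Dental Group', 'Gamma Plastics Ltd'}

OTHER_GROUP_POSTS = {
    'alphv': {'Delta Marine Services', 'Epsilon Hospitality'},
    'ransomhub': {'Zeta Engineering Co'},
}

# (victim as written on the site, time the entry appeared, data published yet?)
POST_CRONOS_POSTS = [
    ('ALPHA LOGISTICS GMBH', '2024-03-02T09:00:00', True),
    ('Beta Dental Group', '2024-03-02T09:04:00', True),
    ('Gamma Plastics Ltd.', '2024-03-02T09:07:00', True),
    ('Theta Consulting', '2024-03-10T14:30:00', False),
    ('Delta Marine Services', '2024-03-15T11:00:00', True),
    ('Epsilon Hospitality', '2024-03-15T11:03:00', True),
    ('Zeta Engineering Co', '2024-03-15T11:05:00', True),
    ('Iota Freight', '2024-03-15T11:06:00', False),
]


def normalize(name):
    '''Loose matching key: case-insensitive, punctuation stripped, spaces
    collapsed, because operators re-enter victim names inconsistently.'''
    cleaned = ''.join(ch if ch.isalnum() or ch == ' ' else ' ' for ch in name.lower())
    return ' '.join(cleaned.split())


def classify_posts(posts, prior_lockbit, other_groups):
    '''Label each post-disruption entry by where the victim was seen before.'''
    prior = {normalize(v) for v in prior_lockbit}
    seen_elsewhere = {}
    for group, victims in other_groups.items():
        for v in victims:
            seen_elsewhere[normalize(v)] = group
    labels = {}
    for victim, _, _ in posts:
        key = normalize(victim)
        if key in prior:
            labels[victim] = 'repost_pre_cronos'
        elif key in seen_elsewhere:
            labels[victim] = 'reposted_from_' + seen_elsewhere[key]
        else:
            labels[victim] = 'unverified_new'
    return labels


def batch_clusters(posts, max_gap_minutes=15):
    '''Group entries whose timestamps fall within max_gap_minutes of the
    previous one. Cluster sizes above 1 are batches: a single operator
    uploading in bulk rather than affiliates posting as they finish.'''
    times = sorted(datetime.fromisoformat(t) for _, t, _ in posts)
    clusters = []
    for t in times:
        if clusters and (t - clusters[-1][-1]).total_seconds() <= max_gap_minutes * 60:
            clusters[-1].append(t)
        else:
            clusters.append([t])
    return [len(c) for c in clusters]


def summarize(posts, prior_lockbit, other_groups):
    '''Counts an analyst would put in a report: origin of each entry, how many
    never had data published, and the batch sizes of uploads.'''
    labels = classify_posts(posts, prior_lockbit, other_groups)
    counts = {}
    for label in labels.values():
        counts[label] = counts.get(label, 0) + 1
    unpublished = sum(1 for _, _, published in posts if not published)
    return {
        'total': len(posts),
        'by_origin': counts,
        'unpublished': unpublished,
        'batch_sizes': batch_clusters(posts),
    }


if __name__ == '__main__':
    print(summarize(POST_CRONOS_POSTS, PRE_CRONOS_LOCKBIT, OTHER_GROUP_POSTS))
```

Tighten normalize() if loose matching produces false hits on your data, and adjust the 15-minute gap to the scrape interval actually used. In the constructed sample, three entries land within seven minutes on one day and four within six minutes on another, which is the batch pattern discussed here.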
Such batch uploads are far from how normal affiliates would typically behave.\r\nFigure 29. LockBit victims are uploaded to the leak site in batches.\r\nThere is also the removal of some victims just as the countdown timer is about to end. It could be argued that this is the result of victim payment. However, taking everything into account, it could also be another method of inflating the numbers, as without leaked data there is no proof that an attack took place.\r\nWhen examining the leaked data for victims that had not previously been posted on the old leak site, it was evident that the file tree had been modified to make it look recently updated. However, the rest of the dates in the tree might still reflect the true date of the attack.\r\nFigure 30. A screenshot showing leaked data with modified file tree data\r\nForecasting the future of LockBit\r\nWith Operation Cronos, we saw a new approach to combating ransomware. Disrupting and undermining the business model seems to have had a far more cumulative effect than a technical takedown would. And while LockBitSupp was not among those arrested, affiliates will likely weigh all the publicly available information and opt to work for other groups; or, better yet, they might reconsider whether ransomware is too high-risk a venture.\r\nThere is a valuable lesson to be gained from Operation Cronos. This modern approach to tackling cybercrime shows how powerful collaboration among multiple law enforcement agencies, cooperation between trusted partners in the industry, and arguably the most important factor, patience, can be in thwarting high-profile cybercrime groups. Had law enforcement gone for the traditional takedown approach, we would likely have seen a rapid recovery by the group. 
In spearheading this new multilayered disruption approach, the NCA and its partners have set a new standard for how such operations can be carried out in the future.\r\nBefore we declare that LockBit is completely gone, we should look back on previous law enforcement operations and consider whether a month is enough time to make that assessment. Other high-profile operations, such as the Emotet and Qakbot takedowns, were also very successful in the short term. However, after a few months those threats re-emerged. It is important to note that comparing botnets and loaders with RaaS groups is not quite like for like. With botnets and loaders, the product speaks for itself; if it stands out as something that will deliver, threat actors will flock back to buy it. With RaaS groups, there is more at stake when attempting to rebuild. Reputation and trust are key to attracting affiliates, and once these are lost, it is harder to get people to return. That is probably why we see groups rebranding rather than re-emerging under the same name. Another factor is the sheer number of other groups available to join.\r\nWhile it is true that at its inception LockBit led the way and proved innovative compared with its peers, Operation Cronos succeeded in striking at the element of its business that mattered most: its brand.\r\nThe playing field is a lot more level now, and with the stagnation of the LockBit brand last year, followed by the further reputational damage caused by this operation, affiliates must be seriously asking themselves whether it would be worth the risk to return to a previously compromised operation.\r\nSource: https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.html"
	],
	"report_names": [
		"operation-cronos-aftermath.html"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434511,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d46c6444f89f5778ceaadbcdc3206413b1a3005.pdf",
		"text": "https://archive.orkl.eu/9d46c6444f89f5778ceaadbcdc3206413b1a3005.txt",
		"img": "https://archive.orkl.eu/9d46c6444f89f5778ceaadbcdc3206413b1a3005.jpg"
	}
}