
A landscape forever altered? The LockBit takedown one year on
www.computerweekly.com
Wednesday 19 February 2025 marked the first anniversary of Operation Cronos, a multinational cyber law enforcement action led by the UK's National Crime Agency (NCA) with support from global partners, which disrupted the activities of the notorious LockBit ransomware crew in a targeted operation that has had a lasting impact on the ransomware economy.

Looking back to 2023 and earlier, LockBit's effectiveness and influence cannot be understated. According to the Counter Threat Unit (CTU) at Secureworks, now part of Sophos, LockBit attacks accounted for 25% of all listed victims on ransomware leak sites in 2023, with its closest competitor at the time, ALPHV/BlackCat, managing just 12%.

LockBit targeted organisations across Britain and around the world, with its arguably most prominent UK victim the Royal Mail, which rejected an extortion attempt of more than £60m, described at the time as "absurd", after the crew's ransomware downed IT systems at its Heathrow Worldwide Distribution Centre in January 2023, paralysing international deliveries for weeks.

Reflecting on the success of Operation Cronos, Secureworks CTU senior researcher Tim Mitchell said: "When we coordinated our research alongside law enforcement's seizure of the LockBit leak site on February 19, 2024, we knew it was a significant moment in time in the fight against cyber criminals.

"It was the first step in a steady march of operations against ransomware, its enablers and cyber crime more broadly. And the most obvious result is the mark it's left on the landscape, with affiliates scattering to new schemes or turning to independent operations."

Paul Foster, head of the NCA's cyber crime unit, said that during the investigation leading up to Operation Cronos, he too had a distinct feeling that the agency was on the verge of a significant coup de grâce.

"We knew, in the context of ransomware, that we had a unique opportunity to have a significant impact on the threat," he told Computer Weekly. "How often do you get the opportunity to look at the threat landscape and say we can probably take out, if we do it well and right, 25% of that threat?"

Greg Linares, now principal threat analyst at US-based managed security platform provider Huntress but at the time working elsewhere, also remembers the events of 19 February clearly. "We had a feeling this was going to occur," he said. "We had FBI contacts that we worked with. But we didn't know how big it was going to be. And it was a massive operation, it was really well executed."

But of course the immediate headline action was only part of the story, and much hinged on delivering the right blows at the right time to maximise the hoped-for results; not to do so would risk things backfiring, or missing the opportunity altogether.

To get the best results, the NCA elected to significantly broaden the scope of its activity against the gang.

"We could have put everything into trying to find out who was behind LockBit and effectively take out the kingpin," said Foster.

"Similarly, we could have gone down a technical route and taken down the leak site, their splash pages, etcetera. Alternatively, we could have gone out and hoovered up lots of people and tried to make arrests all around the world, and indict people and sanction people.

"Actually, it was a combination of all of those things delivered in a sequenced way, combined with a very clear public articulation of what we'd done, and that together delivered a significant disruptive effect."

Foster also singles out the work of the NCA's partners, security researchers, the wider private sector industry, and even the technology and national media, whose reporters swarmed the story in short order, for amplifying the impact of Operation Cronos, and even building on it.

"All of that together said that good quality cyber crime operations in the future need to be multifaceted, not linear. I think it was the multifaceted nature of Operation Cronos that was one of the key reasons as to why it was so successful."

After the first flush of excitement had faded and the news stories started to drop off the top of Google searches, Operation Cronos kept on keeping on, with the NCA and others, particularly its US partners, keeping up a constant drumbeat of anti-ransomware law enforcement activity.

Over the course of 2024 further announcements, indictments, and even arrests, were made against LockBit and its affiliates. Significantly, the investigators named-and-shamed LockBit ringleader LockBitSupp as a Russian national named Dmitry Khoroshev.

The authorities also proved long-suspected links between the gang and the Russian government after demonstrating connections between LockBitSupp and Evil Corp's Maksim Yakubets, who likely had access to senior Kremlin officials through his father-in-law, an ex-intelligence man, and may even have received tasking from Russia's spy agencies.

Other operations also targeted leak site operators and the money launderers who helped the likes of LockBit wash its ill-gotten gains. Most recently, in February 2025 the British government announced sanctions against Russian infrastructure services provider Zservers and its UK representative, XHOST, the bulletproof hosting service that allegedly facilitated LockBit attacks against targets in the UK.

"The most obvious result is the mark it's left on the landscape, with affiliates scattering to new schemes or turning to independent operations," said Mitchell at Secureworks.

"With these disruptions to the status quo, it has added friction and increased the cost for the cyber criminals, which ultimately makes such operations more challenging to successfully execute. More collaboration across the industry and with law enforcement will make it harder for cyber criminals to succeed."

Foster added: "Our overall assessment of the threat landscape for ransomware is that it has plateaued, but not decreased. That's good news though, because it was accelerating at some rate. In the run up to our LockBit disruption, it was unequivocally true that the threat from ransomware was going up and up."

That ransomware attacks have levelled off in their volume is not just a consequence of Operation Cronos, said Foster, but also a reflection of other operations conducted last year, and significantly increased awareness of the ransomware threat in relevant stakeholder communities, which is to say, among CISOs and others empowered to take steps to address the threat.

However, said Foster: "I am concerned that it [the ransomware threat] will continue to rise in the future, and I think we would reasonably expect it to unless we can continue to maintain our disruptive impact and disruptive effect, which means more of these operations, fundamentally based on more joint collaboration and information sharing across law enforcement, with government partners [and] between the public and the private sector.

"This is never a one organisation mission, without a doubt. It's everybody's challenge. And I think if we can keep that up, hopefully we can continue to suppress the threat."

Evidence gleaned through Secureworks' telemetry at first glance supports the plateauing of ransomware attack volumes, but it also reveals that even though LockBit's demise did cause a slowdown in the wider landscape, December and January bucked the trend, with a 61% year-on-year increase in the number of victims listed on leak sites in December, and an 80% increase in January.

Also noteworthy is a significant increase in the number of operational gangs, said Mitchell. So, what is going on here?

The first months of the year invariably see the publication of multiple annual threat and ransomware reports from security suppliers, "which usually say exactly the same thing", Mitchell explained, and in early 2025, most of them pointed to a fragmentation of the ecosystem, which tracks with the idea that many individuals associated with LockBit have scattered to the four winds.

"The increase through the year in the number of schemes operating is indicative of that fragmentation in the landscape. And it's important to remember that a victim is named on a leak site when they haven't paid a ransom, so an increase in victim numbers could mean that the number of victims paying is actually decreasing," he said.

On the flipside, Linares at Huntress said that, unfortunately, LockBit also proved more defiant and resilient than many had hoped.

"It's interesting how LockBit has handled this takedown. It [Operation Cronos] was very successful but as we all know, LockBit hasn't gone away," he said. "They have put themselves back together again. They have reformed and stayed vigilant and persistent.

"That's a testament to how well they're able to perform their activities. Unlike many other groups, they are well organised and this is not their first rodeo."

He said other gangs, such as RansomHub, Play, and even Cl0p, have all incorporated elements of LockBit's playbook into their own, and learned lessons from its downfall. One notable effect of this is likely a widely observed decrease in dwell times, the amount of time between when ransomware gangs first access a future victim's network and when they execute their attack.

"We've [also] seen groups even skip out of ransomware entirely now and just go for straight extortion, because they find out that they're getting caught at the level when they drop ransomware. LockBit has absolutely fuelled some of these trends," said Linares.

Foster at the NCA is sanguine on the fact that the LockBit gang, or people claiming to be associated with them, still pop up regularly, often trying to counter the NCA's narrative with their own viewpoints, and recently teasing a return to business and a new locker malware, LockBit 4.0.

"When we did this we knew we would never be able to obliterate LockBit completely because of course, there's legacy code, once something's online it is, to a degree, permanently so, and it's very easy for people to adopt the brand or try to find new things they could put out there. We accept the fact there will always be a bit of a legacy of LockBit floating around the system," he said.

"I think what's clear though is that whatever it is that's left of LockBit, through a cyber criminal lens, has got very little credibility if any. That plays out in what we're seeing in the victim reporting, certainly in the UK.

"I understand LockBit recently launched its new version a couple of weeks ago. We're not seeing any effect from that. There hasn't been a known, reported LockBit attack in the UK for over four months now and our international partners are seeing similar trends," he added.

This is not to say no LockBit ransomware attacks are taking place. Linares said that while the NCA operation damaged the credibility of LockBit and LockBitSupp, even now there's still some gang activity.

"We have seen them in government and hospitals, mostly," he said. "One thing that has happened post-their takedown is they started only going after targets that were much larger to help their credibility and also to help them recoup money and lost income."

A couple of weeks ago, he said, Huntress started to see evidence of the previously-trailed version of LockBit 4.0, now dubbed LockBit Green (a LockBit 4.0 Black version may also be available, according to some sources), being used in the wild.

"We're starting to see some activity there. So, I believe while [Operation Cronos] helped discredit LockBitSupp, unfortunately they're still ransoming people," said Linares.

The jury is still out on whether or not LockBit 4.0 is a severe threat, but Secureworks' Mitchell said we must remember the wider ransomware threat has not gone away.

"Far from it," he said. "Although the impact of such attacks on individual victims might be reduced, experiencing a ransomware incident is still a very bad day in the office.

"Organisations should be prioritising the basics, including regularly patching internet-facing devices, implementing phishing-resistant multi-factor authentication [MFA] as part of a conditional access policy, and monitoring the network and endpoints for malicious activity.

"Organisations should also have an incident response plan in place, battle-tested regularly to ensure they're prepared to respond to a cyber attack with speed and precision," he said.

Foster also urges defenders to prioritise their own cyber resilience and ransomware response plans, describing law enforcement as merely one weapon in the fightback, albeit a very important one.

"We will never not keep an eye on LockBit, that would be naïve, but there are other ransomware strains that my team and I are far more concerned about at the moment," he concludes.