The LockBit ransomware-as-a-service franchise was, for most of 2022 and 2023, the dominant ransomware operation in the world. At its peak, the operation was responsible for approximately 25% of all observed ransomware attacks globally. A coordinated international law-enforcement operation — Operation Cronos, led by the UK's National Crime Agency — disrupted LockBit's infrastructure in February 2024, unmasked the operation's developer and chief operator as Dmitry Khoroshev, and triggered a significant operational decline.
LockBit is the canonical case for state-of-the-art ransomware-as-a-service during the era when the model was at its operational peak.
The franchise model
LockBit ran the classic ransomware-as-a-service (RaaS) franchise:
- A core team (small — likely under 20 people at peak) developed and maintained the encryptor, the leak site (lockbitblog), the affiliate-management infrastructure, and the negotiation platform.
- Affiliates (estimated 100–200 at peak) carried out intrusions independently. They paid the core team a percentage (~20%) of any ransom payments; affiliates kept the remaining 80%.
- The core team rarely touched victims directly — the operational separation between development and intrusion was key to LockBit's longevity, allowing the franchise to scale without proportionally exposing operators.
Operational distinctives
- Speed of evolution: LockBit went through major version releases at a rapid pace — LockBit 1.0 (2019), LockBit 2.0 (2021), LockBit 3.0 / Black (2022), LockBit Green (2023). Each version improved encryption performance, anti-analysis features, and affiliate tooling.
- Public-facing operations: Developer LockBitSupp (Khoroshev) was unusually media-engaged for an underground operator — granting interviews to security press, running bug-bounty programs on the LockBit code, engaging publicly with researchers.
- Self-policing rules: LockBit had nominal "no critical infrastructure / no hospitals" rules. The rules were violated repeatedly by affiliates (Royal Mail, Indigo, multiple healthcare operators), but the existence of the rules was part of LockBit's public framing as a "professional" operation.
- StealBit data-exfiltration tool: a custom utility for exfiltrating data prior to encryption, supporting the double-extortion model.
Component incidents
- Royal Mail (2023): 6-week UK international postal outage. £65.7M ransom publicly refused.
- Indigo Books & Music (2023): Canadian retail. CEO Reisman publicly refused; employee data leaked.
- MGM Resorts (2023): attributed to Scattered Spider + ALPHV partnership but with LockBit affiliate involvement in earlier reconnaissance phases.
Many additional LockBit incidents are catalogued in the broader cyberattaque.org imports. Notable named victims not separately authored include: Boeing (October 2023, 43 GB exfiltrated), ICBC Financial Services (November 2023, U.S. Treasury market briefly disrupted), Continental tires (August 2022, 40 TB exfiltrated).
Operation Cronos (February 2024)
On 19–20 February 2024, a multi-agency operation led by the UK's National Crime Agency in partnership with the FBI, Europol, and ten national law-enforcement agencies seized:
- LockBit's leak site (replaced with NCA takeover content).
- 34 servers across multiple jurisdictions.
- 200 cryptocurrency accounts linked to operation revenue.
- 1,000+ decryption keys from operations stretching back years.
On 7 May 2024, the operation also unmasked LockBitSupp as Dmitry Khoroshev, a 31-year-old Russian national in Voronezh. Joint U.S./U.K./Australian sanctions and a $10M State Department reward followed the same day.
Post-Cronos operational decline
LockBit attempted to relaunch on new infrastructure in the weeks following Cronos. The brand survived but the operational scale collapsed:
- Affiliates defected to rival operations, primarily RansomHub, Akira, and the rebooted BlackBasta.
- Observed LockBit attacks declined sharply through 2024 (multiple threat-intelligence trackers report 80%+ reduction year-over-year).
- The published affiliate roster (leaked during Cronos) made some affiliates extractable by law enforcement.
The brand persists in 2025 but is operationally a shadow of its 2023 peak.
Why it matters
LockBit established or matured several patterns now standard in ransomware-as-a-service:
- Continuous version evolution as a competitive differentiator among RaaS operations.
- Public-facing developer personae as a credibility-and-affiliate-recruitment tool. The model has been imitated, with varying success, by ALPHV's developer persona and others.
- Custom exfiltration tooling (StealBit) as a polished affiliate amenity.
- The vulnerability of public-facing developer personae to detailed law-enforcement attribution. LockBitSupp's high-profile public engagement provided the operational signal that ultimately enabled the Cronos unmasking.
Operation Cronos is the canonical case for successful disruption of a ransomware franchise. The model — multi-agency, multi-jurisdiction, simultaneous infrastructure seizure plus public attribution plus sanctions and indictments — has been imitated in subsequent disruption operations including the 2023 Hive disruption by U.S. and German law enforcement and the 2024 Volcano Demon / Dispossessor disruption.