LockBit was, for most of 2022 and 2023, the dominant ransomware-as-a-service (RaaS) operation in the world — at one point responsible for roughly a quarter of all observed ransomware attacks globally. The crew is Russian-speaking, with operators believed to be located in Russia and CIS states, and its developer figurehead — known as LockBitSupp — was unusually media-engaged for an underground operator, granting interviews and offering bounties for vulnerabilities in the LockBit code.
LockBit operated a classic RaaS franchise: a core team developed the encryptor and managed the leak site (lockbitblog), while affiliates carried out intrusions and split ransom payments roughly 80/20 in the affiliate's favor. The model proved durable because the core team rarely touched victims directly, which allowed the operation to scale.
Operation Cronos
On 19–20 February 2024, a multi-agency operation led by the UK's National Crime Agency in partnership with the FBI, Europol, and ten national law-enforcement agencies seized LockBit's leak site, 34 servers, 200 cryptocurrency accounts, and over 1,000 decryption keys. The site was replaced with an NCA takeover page. The operation also unmasked LockBitSupp as a Russian national named Dmitry Khoroshev.
LockBit attempted to relaunch on new infrastructure, but the brand was permanently damaged: affiliates defected to rival operations (notably RansomHub and Akira), and observed activity dropped sharply through 2024.
Why it matters
LockBit is now the reference case for a successful disruption operation against a ransomware franchise. Its tooling, leak-site format, and affiliate model influenced every major RaaS operation that followed (BlackBasta, ALPHV, Cl0p, RansomHub). Indicators of compromise published by CISA (alert AA23-165A) remain operationally useful for defenders.