LockBit Two Years After Operation Cronos: What Actually Changed
Threat Intelligence
Operation Cronos in February 2024 was the largest ransomware takedown in history. Two years on, the LockBit brand is wounded but the operators rebuilt. We trace the splinter groups, the affiliate migrations, and what defenders should adjust.
By Arjun Raghavan, Security & Systems Lead, BIPI · May 4, 2024 · 7 min read
When the NCA and FBI seized LockBit's infrastructure in February 2024, the noise was deafening. The group had been the dominant ransomware-as-a-service operator for three years. Operation Cronos took down 34 servers and seized more than 1,000 decryption keys at the time (the FBI later put the recovered total at around 7,000), and its follow-on phase in May 2024 identified and indicted Dmitry Khoroshev as the group's administrator. Two years on, the picture is more complicated than the press releases suggested.
What the takedown actually disrupted
The takedown removed the brand's leak site, the affiliate panel, and the StealBit exfiltration infrastructure. It did not remove the operators. Within days, LockBit had stood up a new leak site and posted defiant messages on hacker forums. But affiliate trust never recovered: according to data we have seen from Recorded Future and Flashpoint, LockBit's standing on affiliate forums had dropped to near zero by mid-2024.
The affiliate migration patterns
Affiliates do not stay loyal to brands. They follow the most reliable payouts and the lowest fees. We tracked affiliate handle overlap across leak sites from March 2024 onward and found three patterns:
- Approximately 35 percent of identifiable LockBit affiliates moved to ALPHV BlackCat in the weeks after the takedown, then scattered again after ALPHV's own exit scam in March 2024
- Around 20 percent appeared on RansomHub, which became the dominant RaaS by volume by late 2024
- Roughly 15 percent moved to smaller operations: Akira, Play, BianLian, and the resurgent Hunters International
The remaining 30 percent went dark. Some retired with their last paydays, some shifted to data theft only, some are still active under new handles we have not correlated yet.
The rebrand cycle is accelerating
Pre-2024, ransomware brands typically ran for 12 to 24 months before rebranding. Since Operation Cronos, the cycle has compressed to 6 to 9 months. Operators are treating brand identity as disposable. RansomHub itself shows signs of internal fracturing, with affiliate complaints about payment delays surfacing on forums.
Tactics that survived the brand
Brands change. Tradecraft persists. We see the same TTPs across rebranded groups: Cobalt Strike delivered through legitimate file-sharing services for the initial drop, Atera or AnyDesk for persistence, RClone for staging, MEGAcmd or custom binaries for exfiltration. Detection logic written against LockBit TTPs is still catching active intrusions; only the brand name on the leak post has changed.
Detect tradecraft, not brand names. The operators rotate brands faster than your SIEM rules can keep up.
What changed in negotiation behaviour
Pre-takedown LockBit affiliates had a reputation for aggressive negotiation and timely decryption after payment. Post-takedown, victims report decryptor failures in higher numbers across multiple brands. The ransomware ecosystem's quality control degraded after the affiliate base scattered. We have seen at least four cases since the takedown where the victim paid, received a decryptor, and the decryptor corrupted half the files. The reputation feedback loop that used to constrain operators has weakened.
Detection adjustments we recommend
Three changes we have made in client SOCs since the takedown:
- Reweight detection toward tradecraft signatures instead of IOC lists. Brand-specific IOCs are stale within weeks now.
- Add explicit detections for RClone, MEGAcmd, and FreeFileSync in unexpected contexts. Exfiltration tools span all the major rebrands.
- Hunt for Cobalt Strike beacon traffic in egress proxy logs, not only through EDR. Operators have gotten better at evading EDR, but beacon check-ins still leak into network telemetry as regular, low-volume requests to a single destination.
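As an added example (not BIPI's code, and nothing from the groups discussed), the two detection rules above run over constructed sample telemetry: EDR-style process events are checked for RClone, MEGAcmd and FreeFileSync outside a sanctioned backup context, and proxy log lines are checked for beacon-like periodic egress to one destination. The host names, users, domains, log format and the `ALLOWED_EXFIL_CONTEXT` allowlist are assumptions made for the example.

```python
"""Tradecraft-centred detections over constructed sample telemetry (example code).

1. exfiltration tooling in an unexpected context, from process events;
2. beacon-like periodic egress to one destination, from proxy log lines.
Every host, user, domain and log line below is constructed for this example.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Image names for the three tool families, matched case-insensitively on the
# file name only. RClone is routinely renamed, so it is also matched on flags.
EXFIL_BINARIES = {
    "rclone.exe", "rclone",
    "megacmdserver.exe", "megaclient.exe", "mega-put", "mega-cmd",
    "freefilesync.exe", "realtimesync.exe",
}
# rclone-specific flags that survive renaming the binary.
RCLONE_FLAGS = ("--transfers", "--multi-thread-streams", "--bwlimit")
# (host, user) pairs sanctioned to run sync tooling; an assumption, tune per estate.
ALLOWED_EXFIL_CONTEXT = {("bkp-01", "svc_backup")}


def flag_exfil_tooling(events, allowed_context=ALLOWED_EXFIL_CONTEXT):
    """Return (host, user, reason) for each exfil-tool run outside the allowlist."""
    hits = []
    for ev in events:
        image = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        cmdline = ev["cmdline"].lower()
        if image in EXFIL_BINARIES:
            reason = f"known exfil binary {image}"
        elif any(flag in cmdline for flag in RCLONE_FLAGS):
            reason = f"rclone-specific flags under image name {image}"
        else:
            continue
        if (ev["host"], ev["user"]) in allowed_context:
            continue  # sanctioned backup job
        hits.append((ev["host"], ev["user"], reason))
    return hits


def beacon_candidates(proxy_lines, min_hits=6, max_cv=0.25):
    """Flag (src, dst) pairs whose request gaps are too regular for a human.

    max_cv bounds the coefficient of variation (stdev / mean) of the gaps. A
    0.25 ceiling still catches a sleep with jitter up to about 50 percent
    (uniform jitter over [0.5s, s] gives a CV near 0.19); browsing sits above 1.
    """
    stamps = defaultdict(list)
    for line in proxy_lines:
        # constructed format: ts src dst method uri status bytes user-agent
        ts, src, dst, _m, _uri, _st, _size, _ua = line.split(" ", 7)
        stamps[(src, dst)].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    flagged = {}
    for pair, times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[pair] = {"hits": len(times), "mean_interval_s": round(mean, 1), "cv": round(cv, 3)}
    return flagged


SAMPLE_PROCESS_EVENTS = [  # constructed
    # renamed rclone dropped in Temp, pushing a finance share to a MEGA remote
    {"host": "ws-finance-07", "user": "jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "cmdline": r'svchost.exe copy "C:\Shares\Finance" mega:dump --transfers 32 --multi-thread-streams 8'},
    # sanctioned backup job on the backup server
    {"host": "bkp-01", "user": "svc_backup", "image": r"C:\Tools\rclone.exe",
     "cmdline": r"rclone.exe sync D:\backups s3:corp-backups --transfers 4"},
    # FreeFileSync appearing on an HR workstation
    {"host": "ws-hr-03", "user": "asmith", "image": r"C:\Program Files\FreeFileSync\FreeFileSync.exe",
     "cmdline": r'FreeFileSync.exe "C:\Users\asmith\Desktop\hr-sync.ffs_batch"'},
    {"host": "ws-dev-11", "user": "bkim", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe README.md"},
]

SAMPLE_PROXY_LOG = [  # constructed; one host checks in roughly every 60 s, one browses
    "2024-06-03T10:00:00Z 10.20.4.15 cdn-assets.example.net GET /activity 200 512 Mozilla/5.0",
    "2024-06-03T10:01:02Z 10.20.4.15 cdn-assets.example.net GET /activity 200 498 Mozilla/5.0",
    "2024-06-03T10:01:58Z 10.20.4.15 cdn-assets.example.net GET /activity 200 511 Mozilla/5.0",
    "2024-06-03T10:03:05Z 10.20.4.15 cdn-assets.example.net GET /activity 200 503 Mozilla/5.0",
    "2024-06-03T10:04:01Z 10.20.4.15 cdn-assets.example.net GET /activity 200 517 Mozilla/5.0",
    "2024-06-03T10:04:57Z 10.20.4.15 cdn-assets.example.net GET /activity 200 509 Mozilla/5.0",
    "2024-06-03T10:06:03Z 10.20.4.15 cdn-assets.example.net GET /activity 200 499 Mozilla/5.0",
    "2024-06-03T10:00:00Z 10.20.4.22 www.example.com GET / 200 48213 Mozilla/5.0",
    "2024-06-03T10:00:03Z 10.20.4.22 www.example.com GET /app.js 200 120455 Mozilla/5.0",
    "2024-06-03T10:00:04Z 10.20.4.22 www.example.com GET /style.css 200 9021 Mozilla/5.0",
    "2024-06-03T10:02:30Z 10.20.4.22 www.example.com GET /pricing 200 51004 Mozilla/5.0",
    "2024-06-03T10:09:10Z 10.20.4.22 www.example.com GET /docs 200 77310 Mozilla/5.0",
    "2024-06-03T10:09:11Z 10.20.4.22 www.example.com GET /docs.js 200 33190 Mozilla/5.0",
    "2024-06-03T10:25:00Z 10.20.4.22 www.example.com GET /contact 200 20117 Mozilla/5.0",
]

if __name__ == "__main__":
    for hit in flag_exfil_tooling(SAMPLE_PROCESS_EVENTS):
        print("exfil tooling:", hit)
    for pair, info in beacon_candidates(SAMPLE_PROXY_LOG).items():
        print("beacon candidate:", pair, info)
```

The periodicity check deliberately ignores URIs and user agents, which Malleable C2 profiles change per campaign; the sleep cadence is harder to hide. A very high jitter setting or a long sleep will push a beacon above the CV ceiling or below the hit count, so tune both against your own egress baseline rather than the constants shown.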
The Khoroshev indictment is not a deterrent
The May 2024 indictment of Dmitry Khoroshev was a useful intelligence release, but it has not changed operator behaviour. The five-year mark since the original LockBit launch came and went in 2024. Operators understand they will not be extradited from Russia. Takedowns matter because they cost operators time and money, not because they remove them from the field.
What we tell clients now
Operation Cronos was a tactical victory and a strategic education. The lesson for defenders is not that ransomware is decreasing. The lesson is that the ecosystem reorganises faster than enforcement can keep pace. Build resilience to the threat class, not to specific brands. Test your IR runbook against TTPs and assume the brand on the leak site will change three times before you finish the tabletop exercise.