International effort leads to closure of LockBit ransomware operations
The LockBit ransomware group, notorious for causing disruptions worldwide, has been significantly disrupted by international law enforcement operations. The disruption followed Operation Cronos, led by the FBI in October 2024, which crippled LockBit's infrastructure and resulted in multiple arrests of its members.
According to the Department of Justice, two Russian nationals, Artur Sungatov and Ivan Kondratyev, were indicted for deploying LockBit ransomware. Sungatov allegedly began deploying ransomware as early as January 2021, targeting victims in various parts of the United States, including Minnesota, Indiana, Wisconsin, New Mexico, and Puerto Rico, as well as international companies in Singapore, Taiwan, and Lebanon. Kondratyev, on the other hand, allegedly deployed LockBit against municipal and private targets in Oregon, New York, and Puerto Rico.
LockBit has been a formidable force in the ransomware landscape, with over 2,000 ransomware victims, including large enterprises and small, local businesses. The group claimed responsibility for high-profile attacks, such as the January attack on trading platform EquiLend and the attack against the U.S. broker-dealer arm of the Industrial and Commercial Bank of China, which disrupted over $9 billion in assets backed by U.S. Treasuries.
The group has collected more than $120 million in ransom payments, according to the DOJ. However, the disruption has diminished its power and reach. In the current ransomware landscape, LockBit is no longer the most dominant threat group, with SafePay and other ransomware groups emerging and taking over a significant portion of the market.
The Cybersecurity and Infrastructure Security Agency, a new international law enforcement partner, was involved in disrupting the LockBit ransomware operation. The FBI and U.K. National Crime Agency, along with multiple partners, seized numerous public-facing websites and servers used by LockBit.
Researchers suggest that the capabilities of law enforcement are vital in the fight against ransomware. Rafe Pilling, director of threat intelligence at Secureworks, stated that law enforcement can take the fight further by conducting technical disruption, seizing illicit funds, and ultimately bringing people to justice, which is critical to the fight against ransomware.
Attorney General Merrick Garland announced that U.S. and U.K. law enforcement are taking away the keys to the LockBit criminal operation. While LockBit's core team has suffered arrests that lowered its operational strength, the group has not been entirely eliminated and remains active but less dominant. Key individuals charged have not been publicly named in the sources examined.
Meanwhile, LockBit’s technical innovations and code continue to influence newer ransomware operations, and affiliated actors disperse into other groups or new independent operations. The broader ransomware landscape in 2025 has seen over 60 active groups, with persistent targeting focused on sectors such as services, healthcare, and technology. Law enforcement and sanctions continue targeting entities linked to ransomware profiteering, including financial conduits associated with LockBit payments as recently as August 2025.
- The disruption of the LockBit ransomware group, which has been a significant threat to cybersecurity, was led by international law enforcement operations, including the FBI and the Cybersecurity and Infrastructure Security Agency.
- Despite the arrests of its key members, such as Artur Sungatov and Ivan Kondratyev, the LockBit ransomware group remains active, albeit less dominant in the current ransomware landscape.
- In the fight against ransomware, threat intelligence gathered from cybersecurity professionals is crucial, with Rafe Pilling of Secureworks stating that technical disruption, seizing illicit funds, and bringing criminals to justice are critical.
- While Operation Cronos significantly disrupted LockBit's infrastructure, the group's technical innovations and code continue to influence newer ransomware operations, making the ongoing fight against ransomware a pressing concern.