Global LockBit Takedown Disrupted Operations and Exposed Its Leadership
An international law enforcement operation led by the UK's National Crime Agency and the FBI seized LockBit infrastructure on 19 February 2024, disrupting one of the world's most prolific ransomware-as-a-service groups. Follow-on actions publicly identified and sanctioned a senior LockBit leader, while officials said the campaign targeted the gang's administrators, infrastructure, and criminal affiliates. Subsequent reporting said the disruption sharply reduced LockBit's standing in ransomware rankings after years in which the group had claimed thousands of victims across more than 100 countries.
Threat research shows LockBit's reach was driven by a scalable affiliate model rather than malware alone, with intrusions commonly starting through abused VPN, Citrix, and RDP access or stolen credentials, followed by use of tools such as Impacket, Mimikatz, PsExec, Rclone, and StealBit. Affiliates increasingly targeted VMware ESXi environments to maximize operational impact, and some skipped encryption entirely in favor of data-theft extortion using LockBit-branded notes. The group's earlier attacks included a reported $80 million demand against CDW, but researchers and investigators warn that even as LockBit declines, its affiliates and copycats are likely to continue operating under other ransomware brands.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
State Department offers rewards for information on LockBit members
On 2026-04-09, the U.S. Department of State announced Rewards for Justice offers of up to $10 million for information identifying or locating key LockBit leaders and up to $5 million for information leading to the arrest or conviction of participants in LockBit activities. The notice described LockBit as responsible for more than 2,000 attacks since January 2020 and at least $144 million in bitcoin ransom payments.
DOJ charges alleged LockBit developer Rostislav Panev
U.S. prosecutors announced charges against Rostislav Panev, a dual Russian-Israeli national accused of serving as a LockBit developer and helping build and maintain the group's malware and infrastructure from around 2019 through February 2024. The DOJ said Panev had been arrested in Israel in August 2024 on a U.S. provisional arrest request and remained in custody pending extradition.
BlackSuit ransomware blamed for CDK Global outage
On 2024-06-22, reporting attributed the major CDK Global outage to a BlackSuit ransomware attack. This is a separate ransomware event included in the references but not part of the LockBit enforcement timeline.
Reports show LockBit's standing falls after the takedown
By 2024-05-22, reporting indicated the February disruption had significantly reduced LockBit's prominence among ransomware groups. The takedown was described as taking a measurable toll on the gang's activity and rankings.
DOJ unseals indictment against alleged LockBit administrator
On 2024-05-07, the U.S. Department of Justice unsealed a 26-count indictment against Dmitry Yuryevich Khoroshev, alleging he created, developed, and administered LockBit from 2019 through May 2024. The DOJ said the case followed the February infrastructure seizure and described LockBit as responsible for more than 2,500 victims worldwide and at least $500 million in ransom payments.
LockBit leader identified as Dmitry Khoroshev and sanctioned
On 2024-05-07, UK and US authorities publicly unmasked LockBit's alleged administrator, Dmitry Khoroshev, and imposed sanctions on him. The announcement marked a major attribution and enforcement escalation following the February takedown.
Global law-enforcement operation disrupts LockBit infrastructure
On 2024-02-19, a multinational operation led by the UK's National Crime Agency and the FBI seized LockBit infrastructure and disrupted the ransomware group's operations. The action also targeted individuals associated with the group.
LockBit reaches more than 2,350 named victims worldwide by end of 2023
Secureworks reported that LockBit had compromised thousands of organizations and accumulated more than 2,350 named victims across 112 countries by the end of 2023. The scale was driven by its ransomware-as-a-service affiliate model and strong criminal branding.
LockBit extorts CDW and demands $80 million ransom
By mid-October 2023, reports said the LockBit ransomware gang had attacked CDW and demanded an $80 million ransom. This reflects LockBit's continued high-profile activity before the 2024 law-enforcement disruption.
International LockBit investigation begins
Europol said the multinational investigation into LockBit began in April 2022, well before the public takedown. The long-running probe involved coordination among multiple law-enforcement agencies ahead of Operation Cronos.
Sources
12 references tracked.
Reward for Information: LockBit Ransomware as a Service (RaaS) - United States Department of State
state.gov
Unpicking LockBit - 22 Cases of Affiliate Tradecraft | SOPHOS
sophos.com
District of New Jersey | U.S. Charges Dual Russian And Israeli National As Developer Of Lockbit Ransomware Group | United States Department of Justice
justice.gov
CDK Global outage caused by BlackSuit ransomware attack
bleepingcomputer.com
Authorities disrupt LockBit ransomware, indict two RaaS affiliates
chainalysis.com
Six things we learned from the LockBit takedown | TechCrunch
techcrunch.com
LockBit ransomware disrupted by global police operation
bleepingcomputer.com
Lockbit ransomware gang demanded an 80 million ransom to CDW
securityaffairs.com


