Keypoints
- On Feb 19, 2024 Operation Cronos disrupted multiple LockBit Onion sites and the UK NCA replaced leak‑site content with law‑enforcement material and countdowns.
- Law enforcement published press releases, indictments, seized crypto details, and offered decryption support on the seized leak site to undermine the group’s business model.
- Trend Micro analyzed a LockBit in-development build (LockBit-NG-Dev) showing a shift to .NET compiled with CoreRT, removal of some prior features, and new anti-analysis guardrails.
- Leaked LockBit admin‑panel screenshots revealed affiliate lists, victim stats, chat logs (including decryptor distribution), a builder for multi‑platform binaries, and affiliate hierarchy metadata.
- Post‑disruption telemetry showed a significant drop in LockBit infections; most new leak‑site postings were reuploads or likely manipulated to simulate normal activity.
- A small post‑disruption cluster used ALZip attachments delivered by email to launch LockBit executables (example SHA256 provided), indicating limited affiliate activity persisted.
MITRE Techniques
- [T1486] Data Encrypted for Impact – Ransomware encrypted and renamed victim files as part of its impact; [‘it also still has the ability to rename encrypted files with random file names.’]
- [T1566.001] Phishing: Spearphishing Attachment – Delivery via email using ALZip archives to launch the LockBit executable; [‘ALZip is distributed to victims via email.’]
- [T1588.001] Develop Capabilities: Malware – Use of a builder to produce generational builds (Linux/ESXi) and different color‑tagged releases indicates in‑house development and capability management; [‘The builder tab confirmed that the group used the colors black, red, and green for the generational builds, as well as a Linux or an ESXi build.’]
- [T1078] Valid Accounts – Affiliates logged into the LockBit control panel (admin panel access used to manage victims and affiliates); [‘affiliates who logged into their LockBit control panel were greeted with a personalized message…’]
- [T1497.003] Anti-Analysis: Time-Based Evasion – The sample checks the current date and enforces a validity period to limit execution and hamper automated analysis; [‘The execution now has a validity period that can be seen by checking the current date, which is likely to help the operators assert control over affiliate use and make it harder for security systems to launch automated analysis.’]
Indicators of Compromise
- [SHA256] Ransomware sample – 1dab85cf02cf61de30fcda209c8daf15651d649f32996fb9293b71d2f9db46e1 (ransomnote/executable submitted to VirusTotal, linked to post‑disruption South Korea cluster).
- [File name] Malicious executable – “이력서14$$$$$입사지원서_240226$$$$$ 누구보다 열정적인 인재입니다.exe” (Korean‑named executable used in email attachments), and its translated filename as seen in screenshots.
- [File type] Distribution method – ALZip archive used as the delivery container for the LockBit executable (delivered via email attachments).
Operation Cronos targeted LockBit’s public-facing infrastructure: multiple Onion leak sites went offline on Feb 19, 2024 and were replaced with an NCA‑controlled landing page and countdowns through which law enforcement published coordinated press releases, indictments, seized crypto details, and decryption support. Law enforcement also published leaked admin‑panel screenshots showing the control panel’s stats, chat logs (including decryptor distribution options), the builder tab (multi‑platform build options including Linux/ESXi), the victim listing used for triage, and a full affiliate roster with hierarchy and referrer metadata, demonstrating both access to operational data and actionable intelligence for follow-up enforcement.
Trend Micro’s technical analysis of an in‑development sample tracked as LockBit‑NG‑Dev shows a rewrite to .NET compiled with CoreRT to enable platform‑agnostic binaries; the build lacks some prior self‑propagation and printing features but retains configuration flags (process/service termination lists, exclusion paths) and file renaming behavior. The sample implements execution guardrails by validating the current date (a time‑based evasion method) to restrict affiliate use and impede automated analysis, and the existence of a builder confirms continued capability development and potential for future feature additions.
Telemetry after the disruption recorded a marked drop in true LockBit infections; only a small cluster was observed in the three weeks following the operation, with a low‑volume campaign delivering ALZip attachments by email that launched LockBit executables (sample SHA256 above). Analysis of post‑seizure leak‑site postings found many reuploads, batch uploads, and manipulated timestamps—suggesting a single operator maintaining the site and efforts to simulate normal activity rather than a full operational recovery by affiliates.
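As an added illustration (not code from the Trend Micro report), the following mail-gateway triage helper applies the indicators above: it holds archive attachments that carry an executable, flags the ALZip container used by the post-disruption cluster, flags the `$$$$$`-padded resume-lure file name, and matches the published SHA256. The gateway record layout and the sample records are constructed assumptions.

```python
"""Attachment triage for the ALZip-delivered LockBit cluster described above.

Assumption: the mail gateway logs, per attachment, the archive type, the
file name inside the archive, and the SHA-256 of the extracted file.
"""
import hashlib
import re
from dataclasses import dataclass

# Indicator from the report: SHA-256 of the post-disruption LockBit sample.
KNOWN_SAMPLE_HASHES = {
    "1dab85cf02cf61de30fcda209c8daf15651d649f32996fb9293b71d2f9db46e1",
}
# Executable types that do not belong inside a job-application archive.
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|com|bat|cmd|js|vbs|lnk)$", re.IGNORECASE)
# Lure pattern from the campaign: file name padded with runs of '$'.
PADDED_LURE = re.compile(r"\${3,}")


@dataclass
class Attachment:
    container: str      # archive type as reported by the gateway, e.g. "alz"
    inner_name: str     # file name inside the archive
    inner_sha256: str   # SHA-256 of the extracted file


def sha256_hex(data: bytes) -> str:
    """Hash extracted file bytes the same way the gateway record stores them."""
    return hashlib.sha256(data).hexdigest()


def triage(att: Attachment) -> list[str]:
    """Return the reasons an attachment should be held for analyst review."""
    reasons = []
    if att.inner_sha256.lower() in KNOWN_SAMPLE_HASHES:
        reasons.append("known-lockbit-sample-hash")
    if EXECUTABLE_EXT.search(att.inner_name):
        reasons.append("executable-in-archive")
        if att.container.lower() == "alz":
            reasons.append("alzip-container-with-executable")
    if PADDED_LURE.search(att.inner_name):
        reasons.append("padded-filename-lure")
    return reasons


# Constructed sample records: the file name and hash from the report, plus a benign control.
SAMPLE_RECORDS = [
    Attachment("alz", "이력서14$$$$$입사지원서_240226$$$$$ 누구보다 열정적인 인재입니다.exe",
               "1dab85cf02cf61de30fcda209c8daf15651d649f32996fb9293b71d2f9db46e1"),
    Attachment("zip", "resume_2024.pdf", sha256_hex(b"constructed benign pdf bytes")),
]


def run_demo() -> dict[str, list[str]]:
    """Triage every constructed record and map inner file name to its findings."""
    return {att.inner_name: triage(att) for att in SAMPLE_RECORDS}
```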
Read more: https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.html