Get all your news in one place.
100’s of premium titles.
One app.
Start reading
The Conversation
The Conversation
Christine Abdalla Mikhaeil, Assistant professor in information systems, IÉSEG School of Management

Major cybercrime crackdowns signal shift in global cybersecurity strategies

Months after the UK’s National Crime Agency (NCA) launched a major offensive against the notorious ransomware group LockBit, the cybercriminal gang appears to have resurfaced, continuing to carry out attacks. Despite law enforcement efforts, ransomware groups like LockBit remain resilient, demonstrating the evolving challenge in the fight against cybercrime.

In February 2024, the NCA, in coordination with nine other countries, launched Operation Cronos, a decisive strike on LockBit, a group that emerged around 2019. This cybercrime group had gained infamy for its use of ransomware – a type of malicious software that locks victims’ data and demands a ransom for its release. It operates on a Ransomware-as-a-Service (RaaS) model, where it provides ransomware tools and infrastructure to affiliates who then carry out the attacks. LockBit was also known for a tactic called “double extortion,” threatening not only to keep data locked but also leak sensitive information if the ransom wasn’t paid. Operating through the dark web, the group was built on anonymity and encryption, making it difficult for authorities to track.

An estimated $8 billion in financial damage

Since its emergence, LockBit has become one of the most active ransomware groups, targeting industries like finance, healthcare and critical infrastructure. With an estimated 20-25% share of the ransomware market, LockBit’s attacks have caused billions of dollars in global damages. The group’s financial impact, exceeding $8 billion by some accounts, has drawn comparisons to other notorious ransomware actors like REvil and DarkSide.

But Operation Cronos changed that. The NCA’s operation infiltrated and disrupted Lockbit’s criminal infrastructure, seizing control of their computing systems and even repurposing their dark web leak site – a publicly accessible website where cybercriminal groups publish stolen data. Operation Cronos marked a bold new approach to combating cybercrime, proving to criminals that law enforcement agencies were ready to go on the offensive.

From Cronos to Endgame

In May 2024, global law enforcement agencies launched Operation Endgame, a coordinated strike aimed at dismantling the infrastructure used by multiple cybercrime groups. While similar in its objectives to Operation Cronos, which focused on LockBit, Endgame had a broader scope: it targeted the malware infrastructures used by various ransomware and data-stealing groups, including those that likely collaborated with LockBit.

Malware, a type of software designed to infiltrate digital devices, is often used by cybercriminals to steal information or take control of systems. One particularly dangerous form of malware creates networks of infected computers, known as botnets, which can be remotely controlled without the owners’ knowledge. These botnets are used for a range of criminal activities, from sending spam and stealing data to launching distributed denial-of-service (DDoS) attacks – overwhelming a system with fake requests so that it can’t process legitimate ones.

Operation Endgame specifically dismantled the infrastructure of “droppers” and “loaders” – programs used to stealthily install malware onto victims’ systems. The operation marked another significant step in the global fight against cybercrime, highlighting the importance of international collaboration in taking down not only individual criminals but the tools and networks that enable them.

Endgame’s successes were notable: it disrupted over 100 infected servers and seized more than 2,000 domain names used to host malicious software, dealing a major blow to botnet networks that had caused hundreds of millions of dollars in damages worldwide.

The back-to-back operations, Cronos and Endgame, marked a pivotal shift in global cybersecurity tactics, directly targeting the rise of cybercrime-as-a-service (CaaS). CaaS enables anyone, regardless of technical skill, to buy or lease tools and services to carry out cyberattacks. This model has lowered the barrier to entry for cybercrime, making it easier for individuals or groups to launch sophisticated attacks. LockBit is a prime example: the group provides the infrastructure while affiliates execute the attacks, with affiliates getting the majority of the ransom and LockBit claiming a cut for providing the tools. Cronos and Endgame underscored the increasing collaboration between law enforcement agencies across the globe, signalling a united front against the growing cybercrime threat.

Ransomware’s persistent threat

Despite these victories, LockBit’s return underscores a key challenge – cybercriminals are constantly adapting. The group’s re-emergence raises concerns about whether organisations are adequately prepared for future attacks. Many still lack essential cybersecurity measures, leaving them vulnerable to increasingly sophisticated ransomware groups.

As LockBit reasserts its influence, new ransomware groups are also gaining prominence. Analysts have identified at least 10 emerging ransomware actors in 2024, including Play Ransomware, RansomHub and Akira, all of which have adopted tactics similar to LockBit’s. Play Ransomware has been a persistent and growing threat, known for its large-scale attacks on municipalities and critical infrastructure. In 2024, it continued to execute high-profile breaches, including an attack on Swiss government vendors. RansomHub has rapidly gained prominence in 2024, with its highly attractive affiliate program offering up to a 90% commission for attackers. RansomHub has targeted over 100 organisations globally, particularly focusing on business services and smaller companies that may be more vulnerable. Akira has gained notoriety for its successful double-extortion attacks, focusing on industries like healthcare, education and technology.

These groups, along with others like Medusa and IncRansom, are part of a dynamic ransomware ecosystem where new groups emerge while established ones like LockBit struggle to maintain dominance. Despite a brief drop in ransomware incidents from mid-2023 to 2024, there was a 20% uptick between the first and second quarters of 2024.

More global coordination needed

Operations Cronos and Endgame mark a turning point in the fight against cybercrime, shifting law enforcement’s focus from targeting individual hackers to dismantling the infrastructure that powers these attacks. These efforts showed a new approach, going after the servers, networks, and tools that ransomware and malware groups rely on rather than just chasing high-profile criminals.

The operations also underscored unprecedented levels of international cooperation, with agencies like Europol, the FBI and Interpol working together for global takedowns across multiple jurisdictions – a feat previously hampered by legal and political challenges. This cross-border teamwork enabled simultaneous strikes on cybercrime networks, hitting them where it hurts the most: their operational backbone.

The operations also highlighted how far law enforcement has come in understanding the technical vulnerabilities of cybercrime infrastructure. Instead of waiting for attacks to happen, agencies exploited flaws in the cybercriminals’ systems, delivering decisive blows that crippled their ability to operate.

These operations signal a global push to crack down on cybercrime and the growing power of international law enforcement working together. But LockBit’s quick comeback is a stark reminder that the fight is far from over. As cyberthreats get more sophisticated, so must the tactics to stop them. While Cronos and Endgame were key wins, they also emphasise the need for even more global coordination. One recent effort is the UN’s first treaty aimed at creating universal laws and protocols for investigations. Beyond legal measures, the real battle is technical – governments, tech companies and civil groups must work together to not only hack the hackers but also slow down their ability to rebuild.

Law enforcement is also turning to psychological operations (psyops) to disrupt cybercrime. By taking over dark web forums and ransomware leak sites, it is undermining the criminals’ credibility and creating paranoia within these networks. Cryptocurrency, the backbone of ransomware payments, is another focus. Authorities are increasingly freezing accounts linked to cybercriminals, cutting off their financial lifelines.

The message is clear: law enforcement must stay ahead of fast-evolving threats, and organisations need to ramp up their defences. The battle against cybercrime is ongoing, and it’s going to take both relentless vigilance and smart, coordinated strategies to win.

The Conversation

Christine Abdalla Mikhaeil is a member of the Association for Information Systems (AIS).

Carin Venter est membre de Association for Information Systems (AIS).

Jennifer L. Ziegelmayer is a member of the Association for Information Systems (AIS) and the Decision Sciences Institute (DSI).

This article was originally published on The Conversation. Read the original article.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.