In our recent report, 2025 Cyber Incident Insights Report, we showed that the growth of ransomware incidents had begun to slow amidst a fragmentation of larger criminal groups and a diminishing willingness among victims to pay ransoms. In this article, Tom Crooke explores the role played by law enforcement operations and the merits of a more holistic approach to combatting the ransomware threat.
On 20 February 2024, visitors to the dark web leak site for LockBit, one of the most prolific ransomware gangs of all time, were greeted with a surprising message: “THIS SITE IS NOW UNDER CONTROL OF LAW ENFORCEMENT”.
Any fears this was an elaborate prank were allayed when the UK’s National Crime Agency issued a statement that it had taken control of LockBit’s site as part of a multi-agency taskforce dubbed ‘Operation Cronos’. The NCA claimed not only to have compromised LockBit’s entire backend infrastructure but also unmasked members of the gang’s leadership and seized cryptocurrency and decryption keys for LockBit ransomware.
The LockBit takedown, coming hard on the heels of similarly successful operations against Hive, RagnarLocker and AlphV at the end of 2023, raised hopes that law enforcement agencies might finally be turning the tide in the global battle against organised ‘Ransomware-as-a-Service’ (RaaS) operators.
Measuring success
Yet over a year on, it is easy to wonder if high-profile actions such as Cronos have had a significant impact. Rates of ransomware attacks have continued to tick steadily upwards, with new RaaS actors – Akira, PLAY, RansomHub – quickly gobbling up LockBit’s market share.
But the benefits of law enforcement takedowns shouldn’t be underestimated, even if they are principally felt only in the short term. They force cybercriminals to reconstitute their infrastructure and reputation at significant cost, sparing many potential victims from attacks during the forced downtime. They also seed friction within cybercriminal communities, who rely on assured anonymity to conduct their operations. Compromising their backend infrastructure sows distrust between RaaS groups and the affiliates they rely on to penetrate networks and extract payments.
Nonetheless, Operation Cronos and the 2023 compromises of Hive, AlphV, RagnarLocker and others show that the ransomware ecosystem has its own circle of life: groups emerge, professionalise, and accumulate success and notoriety before being cut down by law enforcement actions. Their technical capabilities – affiliates, administrators, negotiators – are reassimilated into the cybercriminal underground and the cycle repeats anew.
A broader approach
There are signs that the NCA, FBI and others have recognised this pattern and are shifting towards a more multifaceted approach, targeting the wider criminal networks that support ransomware gangs: developers of hacking tools, money launderers and the gang leaders themselves.
In May 2024, Europol announced Operation Endgame, a multiagency effort targeting the developers and distributors of ‘malware droppers’, malicious tools commonly used by threat actors in the early phases of ransomware attacks. Endgame resulted in the takedown of 100 servers and over 2,000 domains linked to the illicit dropper market. Four individuals were also arrested, one of whom was discovered to have earned at least USD 70 million through renting out infrastructure for ransomware attacks.
In early December 2024, the NCA and the US Office of Foreign Assets Control (OFAC) announced Operation Destabilise, a sweeping investigation that exposed an international money laundering network facilitating a cash-for-crypto trading scheme between Western organised crime groups and cybercriminals. Law enforcement agencies arrested 84 individuals at the heart of the scheme and seized over USD 25 million in illicit funds. Officials claimed that over several years the network had been responsible for laundering profits from ransomware attacks, including for the notorious RaaS outfit Ryuk in 2021.
In recent months law enforcement agencies have arrested or sanctioned individual gang members associated with RaaS operations. In mid-November the US Justice Department oversaw the extradition of Evgenii Ptitsyn, a Russian national alleged to have been a senior figure within the Phobos ransomware gang.
[Figure: 2024 – Key law enforcement actions]
OFAC also sanctioned a number of individuals associated with RaaS groups, including Dmitry Khoroshev – aka ‘LockBitSupp’ – a senior LockBit administrator unmasked as part of Operation Cronos. Sanctions remain an important tool for US law enforcement agencies to target criminal activities that fall outside their jurisdiction, even if they tend to have little impact on limiting ransom payments themselves.
Perhaps more surprisingly, the latter half of 2024 saw a spate of crackdowns by Russian authorities. In October, four members of the now-defunct REvil gang were sentenced to several years in prison. In late November, Russian law enforcement arrested Mikhail Matveev, wanted by the FBI since 2023 for his involvement in the Hive and LockBit RaaS operations. Both events were important reminders that the relationship between Russia and cybercriminals – often assumed to be mutually supportive – is not always straightforward.
The bottom line
Headline-grabbing takedowns of major RaaS players should be celebrated. Through public exposure they sow distrust and discord amongst criminal syndicates that trade on their reputation for security and anonymity.
Better still, these operations may be squeezing ransomware revenues. The number of threat actors almost doubled compared to 2023, likely a direct consequence of law enforcement takedowns. But leak site postings and blockchain payment data showed ransom payments actually slowed. Other factors may play a role – better backups, less concern over data leaks on dark web infrastructure already hosting hundreds of victims – but the cumulative impact of law enforcement operations should not be underestimated.
Nonetheless, takedown operations alone will not put an end to the ransomware threat. Doing so will require a broader toolkit. Periodic takedowns targeting the larger RaaS operators have a place, but they belong alongside wider operations targeting the support systems ransomware gangs rely on to perpetuate and fund their operations. The new approach requires persistence and patience to fully pay off. But the longer law enforcement agencies can stay the course, the greater the chance of putting a serious dent in the global ransomware market.
2025 might not bring a decisive victory in the battle against ransomware. But if law enforcement agencies can stay the course, they may yet win the war.