Analyst1 > Resources > Blog > Unfinished Business
Dark Mode
Unfinished Business

Unfinished Business

Written by Jon DiMaggio.


LET’S GET READY TO RUMBLE!!!

The rematch between the Cronos gang and the LockBit ransomware gang has officially begun! On Sunday, May 5th, near 3 p.m. EST, the previously seized LockBit data leak site returned online with a vengeance, continuing this larger-than-life rivalry! The last time the two organizations exchanged blows, in round one, was in February 2024, when Op Cronos which is comprised of the NCA, FBI and Europol, seized the LockBit data leak site as part of a law enforcement (LE) effort dubbed “Operation Cronos”, which you can read about here. Law enforcement executed the operation intending to disrupt the ransomware group and its criminal activities.

While law enforcement achieved its goal, the most damaging blow to LockBit came from the operation’s use of psychological tactics designed to diminish trust between LockBit and its criminal partners who support the operation. Law enforcement did not get the career-ending knockout punch it hoped for. LockBit was down but not out, but more significantly, Cronos significantly damaged LockBit’s reputation. After the fight, LockBit vowed to make a comeback, return to its former glory, and reclaim the title of the world’s most notorious ransomware gang.

Over the next two months, LockBit trained for this long-awaited rematch. The gang’s leader, who goes by the moniker “LockBitSupp” quickly rebuilt the data leak site using new infrastructure and began attacking and extorting victims. LockBit put on a good show to demonstrate business was continuing as usual, and in a way, it was, but not at the volume it had been prior to the law enforcement beatdown. One thing was clear, the disruption was effective.

The Rematch: Round One

Today, Cronos stepped into the ring representing law enforcement and delivered the first blow in this epic rematch. Both fighters stood in their corners, staring one another down. The fight card’s announcer yelled into the microphone:

Introducing your special guest referee for this bout, Bratva! The notorious, but fair, administrator from the world’s greatest underground hacking forum, XSS!”, the announcer said excitedly.

Bratva stepped between the fighters, telling both sides to touch gloves, AND THIS FIGHT WAS ON!!!

The crowd roared as the bell rang, signaling the start of the fight. The fighters circled the ring, sizing one another up. LockBit looked the Feds dead in the eye and stated, in a thick Russian accent, “I will break you“. But as Mike Tyson once said “Everybody has a plan until they get punched in the mouth”.

The NCA struck first, coming out swinging with a fast right hook, stunning LockBit, who clearly did not see the punch coming. As it turns out, it was the NCA who revived the old data leak site, not LockBit. LockBit stumbled from the punch, and Cronos moved in, hoping to finish its opponent off by creating a new victim leak site post for LockBitSupp himself. For the second time in two months, LockBit was now the latest victim on its own extortion site!

Millions of fans watching the fight could see LockBit was hurt and at this point, not even the bell could save him. LockBit began to show signs of exhaustion, and the fight’s commentators noticed LockBit looking up at the clock, hoping the round would end and prevent a shameful loss. Looking closer, LockBit suddenly realized the clock did not display the remaining time left in the round. Instead, the clock displayed the time remaining until Cronos told the entire world exactly who he was.

Figure 1: Tick Tock… Tick Tock…

Suddenly, LockBit realized that Cronos had created a countdown timer on the leak site post for its leader, LockBitsupp, similar to what the gang did to thousands of its victims during ransomware attacks. Seeing the hurt fighter’s championship dream slipping away, the crowd chanted “Time To Pay” ,”Time To Pay“!

As punches flew, LockBit felt time stand still. Everything was moving in slow motion, LockBit thought. It was torturous for LockBit, riddled with dread that he would be exposed to the world if he lost and the clock struck zero. Tick, tock… tick tock, was all LockBit could hear as the Cronos gang hit him so hard his mouthpiece flew out. The clocks ticks were deafening. LockBit’s mind drifted, filled with anxiety remembering a comment the FBI made at the fights weigh-in days earlier, warning him he would be the FBI’s next victim! No, LockBit thought, this couldn’t actually be happeningThis can’t be real. It must be a nightmare!

Beaten up and flashing in and out of consciousness, reality began to set in for LockBit. The real-world person who invented and created the LockBit ransomware operation realized for the first time that his ransomware career might be coming to an end. In desperation, he looked over at his corner men, Wazawaka and Bassterlord, for help to survive the round. However, instead of advice, all he heard was, “All your data is encrypted…” and everything went dark. LockBit hit the mat. LockBit could barely hear Bratva, the referee, over the screaming of the audience. As Bratva counted up towards ten, LockBit tried to stand up, but was “caught cold” falling back to the mat. This fight was over. LockBit had lost. Never underestimate your opponent, LockBit heard the commentator say.

Obviously, I had some creative fun with this post. But the events outside the ring involving the NCA, FBI, Europol, and LockBit, its data leak site, and the timer counting down as I write these words are actually happening. The FBI made this threat previously when they first took down LockBit’s infrastructure in Feb 2024 and decided not to reveal LockBitSupp’s identity, alleging he was cooperating with law enforcement. It would appear this relationship has soured, and based on today’s events, they likely do know who LockBitSupp really is and intend to make an announcement when the timer expires.

I do not believe the FBI would execute an empty threat at such a public level unless it really intended to out ransomware’s favorite villain. I can only imagine what LockBitSupp must be feeling and thinking. The stress of knowing the whole world will soon know who you are, where you live, and what you have done must be paralyzing. Especially when you have enemies around every corner, both law enforcement and criminals waiting to take you down. However, I can’t say I know what that is like as I don’t hide behind a mask or keyboard. Some people think I am crazy for doing the head-on research I have conducted into LockBit’s operation over the past several years, and maybe I am, but I have worked hard trying to stop LockBit. While I can’t stop him, I am glad someone or something, like Operation Cronos, might have a chance. Soon, I think we will all know exactly who the man behind the mask really is. I know I will be watching and waiting for the unmasking of my old friend, the infamous “Mr. Grumpypants” himself.

Until then, Прощай.

-JonBit3.0

Request a Demo Today
Request a Demo

Blog

Related Articles

Attribution Matters!? Eight Names of Ransomware Actors Revealed, So What?
Attribution Matters!? Eight Names of Ransomware Actors Revealed, So What?
Read Full Article
The Evolving Cyber Threat Landscape
The Evolving Cyber Threat Landscape
Read Full Article
LockBit Takedown & Operation Cronos: A Long-Awaited PsyOps Against Ransomware
LockBit Takedown & Operation Cronos: A Long-Awaited PsyOps Against Ransomware
Read Full Article