Flash Briefing | high | Healthcare | Legal & Professional | Government

LockBit Resurgence: Affiliate Network Active Across UK Healthcare and Professional Services

The February 2024 Operation Cronos law enforcement action — coordinated by the UK National Crime Agency with FBI, Europol, and partners across ten countries — seized LockBit’s infrastructure, published decryption keys, and arrested several affiliates. The criminal indictment of LockBit’s administrator, Dmitry Khoroshev, followed in May 2024.

Despite this, LockBit-affiliated activity did not stop. The core RaaS infrastructure was rebuilt within weeks, and affiliates continued operating under the LockBit brand through 2025 and into 2026. LockBit remains, by victim count, one of the most active ransomware brands — a demonstration of the structural resilience that the RaaS model confers on criminal operations even when law enforcement achieves significant disruptions.

Current Activity Profile

LockBit 3.0 (also called LockBit Black) continues to be used in active deployments. Observed victim sectors in UK-linked incidents over the past six months include NHS-adjacent healthcare providers, mid-market law firms, local government bodies, and manufacturing firms.

The operational profile is consistent with affiliate activity rather than a centralised campaign — different affiliates use different initial access techniques, different negotiation approaches, and different extortion timelines. What they share is the LockBit encryptor and the leak site infrastructure.

Initial access vectors in recent UK incidents:

  • VPN credential compromise via credential stuffing and brute force against unpatched SSL-VPN devices
  • Phishing delivering Phorpiex loader → LockBit deployment
  • Exploited internet-facing RDP instances (particularly on legacy infrastructure in healthcare and local government)

Double extortion model: LockBit affiliates exfiltrate data before encrypting. Victims refusing to pay face both operational disruption and the public release of sensitive data on the LockBit leak site.

NHS and Healthcare Targeting

Healthcare remains a priority target sector for LockBit affiliates. The combination of time-sensitive operational dependency (patient care cannot pause for an extended recovery), large volumes of sensitive personal data, and historically underfunded IT security creates high leverage for attackers.

Following the 2024 NHS Synnovis attack — attributed to a different group but demonstrating the catastrophic operational impact of healthcare ransomware — LockBit affiliates have continued to probe NHS-adjacent organisations. Independent healthcare providers, dental networks, and care home chains are particularly targeted given their smaller security teams.

The Resilience Problem

LockBit’s survival after Operation Cronos is consistent with the broader pattern described in our ransomware ecosystem analysis: law enforcement actions against RaaS operations are significant but rarely terminal. The administrator is indicted but operating from Russia; the affiliates are distributed globally and individually replaceable; the encryptor source code, once leaked, can be rebuilt.

For defenders, the lesson is that LockBit is not a problem that will be solved by a law enforcement action. It is a persistent threat requiring a persistent defensive posture.

  • Patch internet-facing VPN and RDP. A disproportionate share of LockBit initial access comes through known vulnerabilities in Fortinet, Citrix, and legacy RDP configurations. These are not novel techniques — they succeed because patching is incomplete.
  • Enable MFA on all remote access. Credential stuffing against VPN endpoints is only viable without MFA. This is a basic control that eliminates a primary initial access vector.
  • Test backup integrity and recovery time. Many organisations discover during a ransomware incident that their backups are either encrypted alongside production data, out of date, or recoverable only on a timescale that makes paying the ransom rational. Test recovery now.
  • Healthcare organisations: implement network segmentation between clinical and administrative systems. LockBit affiliates targeting NHS-adjacent organisations actively attempt to reach systems with patient data. Segmentation limits lateral movement and data exfiltration scope.
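
A detection example for the VPN credential attacks named in this briefing, added here and not taken from the briefing's author: it separates credential stuffing (one source, many usernames) from brute force (one source, one username, many tries) and flags a successful login that follows either. The log format, field names, addresses and thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in a made-up VPN auth log format (not any vendor's format).
SAMPLE_LOG = """\
2026-01-10T02:00:01Z vpn-auth src=203.0.113.7 user=asmith result=fail mfa=none
2026-01-10T02:00:02Z vpn-auth src=203.0.113.7 user=bjones result=fail mfa=none
2026-01-10T02:00:03Z vpn-auth src=203.0.113.7 user=cpatel result=fail mfa=none
2026-01-10T02:00:04Z vpn-auth src=203.0.113.7 user=dkhan result=fail mfa=none
2026-01-10T02:00:05Z vpn-auth src=203.0.113.7 user=ewong result=ok mfa=none
2026-01-10T02:10:01Z vpn-auth src=198.51.100.23 user=admin result=fail mfa=none
2026-01-10T02:10:02Z vpn-auth src=198.51.100.23 user=admin result=fail mfa=none
2026-01-10T02:10:03Z vpn-auth src=198.51.100.23 user=admin result=fail mfa=none
2026-01-10T02:10:04Z vpn-auth src=198.51.100.23 user=admin result=fail mfa=none
2026-01-10T02:10:05Z vpn-auth src=198.51.100.23 user=admin result=fail mfa=none
2026-01-10T08:30:00Z vpn-auth src=192.0.2.50 user=fgreen result=fail mfa=none
2026-01-10T08:30:20Z vpn-auth src=192.0.2.50 user=fgreen result=ok mfa=totp
"""

LINE_RE = re.compile(r"^(\S+) vpn-auth src=(\S+) user=(\S+) result=(ok|fail) mfa=(\S+)$")

def analyse(log_text, stuffing_users=4, brute_tries=5):
    """Return (kind, source, user, detail) findings; counts span the whole input."""
    fails = defaultdict(lambda: defaultdict(int))  # source -> user -> failed tries
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not auth events
        _ts, src, user, result, mfa = m.groups()
        if result == "fail":
            fails[src][user] += 1
            continue
        seen = fails.get(src, {})
        # A success only matters if this source already looks like an attacker;
        # a single mistyped password followed by a login is not flagged.
        if len(seen) >= stuffing_users or seen.get(user, 0) >= brute_tries:
            findings.append(("login_after_attack", src, user, mfa))
    for src, per_user in fails.items():
        if len(per_user) >= stuffing_users:  # one source, many usernames
            findings.append(("credential_stuffing", src, None, len(per_user)))
        for user, tries in per_user.items():
            if tries >= brute_tries:  # one source hammering one username
                findings.append(("brute_force", src, user, tries))
    return findings
```

A `login_after_attack` finding whose detail is `none` marks a session established without a second factor, which is the case the MFA recommendation above is meant to close.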