Number of Ransomware Operations Disrupted in 2024: Nearly Zero

Published on December 18, 2024

The war on ransomware escalated in 2024 as international law enforcement agencies ramped up their efforts, delivering key blows to some of the most notorious cybercriminal networks.  

From coordinated takedowns to high-profile arrests, authorities managed to dismantle infrastructure, disrupt operations, and hold critical players accountable. However, while these actions mark significant progress, the overall ransomware landscape continues to grow in both scale and impact.

Despite a small handful of high-profile arrests, ransomware operators remain as adaptive and resilient as ever, leveraging cutting-edge innovation to maintain their dominance.  

Attackers are increasingly sophisticated, employing advanced encryption techniques, exploiting zero-day vulnerabilities, and diversifying their extortion methods to maximize profits. As a result, ransomware attacks are not only rising in frequency but also causing greater harm to victim organizations, their customers, and the broader economy.

The ripple effects of these attacks extend far beyond the initial breach. Victim organizations face skyrocketing costs for incident response, legal fees, and regulatory compliance as governments worldwide impose stricter reporting requirements and penalties.  

Meanwhile, downstream organizations—those reliant on the impacted entities—suffer from supply chain disruptions, loss of revenue, and reputational damage. The economic toll is staggering, with recovery efforts often stretching into months and costing millions.

The following represent the only significant law enforcement actions against ransomware operators over the course of 2024, and when measured against the number and severity of reported attacks during the year, they don’t even represent a drop in the proverbial bucket:

LockBit Targeted in “Operation Cronos”

In February, a joint law enforcement operation known as “Operation Cronos” set its sights on the prolific LockBit ransomware group. Authorities in Ukraine, Poland, and the United States executed simultaneous actions, taking control of key darknet infrastructure and arresting several affiliates.  

Most notably, the operation resulted in the release of a decryptor for LockBit 3.0, providing a lifeline for victims to recover their encrypted data without succumbing to ransom demands.  

This marked a significant blow to one of the most dominant ransomware-as-a-service (RaaS) operations, which has been responsible for thousands of attacks globally.  

LockBit’s continued evolution—from LockBit 2.0 to 3.0—has made it one of the most aggressive and technically sophisticated ransomware families. While Operation Cronos disrupted LockBit’s momentum, its decentralized affiliate structure poses challenges for long-term suppression.  

Operation Endgame Disrupts Botnets Fueling Ransomware

By May, Europol escalated efforts further with “Operation Endgame” targeting the foundational infrastructure supporting ransomware campaigns.  

Four suspects were arrested across Ukraine and Armenia, and over 100 servers were seized or disrupted. The operation zeroed in on malware loaders and botnets—IcedID, Smokeloader, SystemBC, Pikabot, and Bumblebee—which have long served as the first stage in deploying ransomware payloads.  

This unprecedented takedown dealt a direct hit to the ransomware-as-a-service (RaaS) ecosystem, which fuels ransomware operations by facilitating initial compromise, lateral movement, and payload delivery. By crippling these platforms, Europol temporarily weakened ransomware groups' ability to scale attacks.  

Ransomware Cartel Leader Arrested in Spain

In August, Spanish authorities, working alongside global partners, apprehended the suspected leader of the Ransom Cartel in Estepona, Málaga.

The individual allegedly orchestrated a sprawling cybercrime operation specializing in ransomware and malvertising, with annual fraud estimates reaching $34 million. The Ransom Cartel is believed to share operational ties with former REvil/Sodinokibi affiliates, leveraging similar tools and tactics.  

This arrest highlights the enduring trend of threat actors pivoting and rebranding after major takedowns to continue operations under new banners.  

Phobos Ransomware Operator Indicted in the U.S.

In November, U.S. authorities indicted Evgenii Ptitsyn, a 42-year-old Russian national linked to the Phobos ransomware operation. Operating under pseudonyms like “derxan” and “zimmermanx”, Ptitsyn is accused of designing and distributing Phobos on darknet forums.  

Phobos primarily targets small-to-midsize businesses (SMBs), exploiting weaker cybersecurity defenses to maximize success. To date, Phobos operators have victimized over 1,000 entities globally, extorting more than $16 million.  

Despite Ptitsyn’s indictment, Phobos remains a persistent threat, with its affiliate-driven model ensuring continued proliferation.  

Takeaway: The ransomware economy continues to grow at a pace that far outstrips current mitigation efforts.  

Ransomware operators have gained significant momentum, weaponizing double extortion tactics by exfiltrating data before encryption. This strategy intensifies pressure on victims to pay ransoms under the dual threat of inaccessible systems and the public exposure of sensitive information. Such tactics highlight the operators’ adaptability and ability to refine their strategies for maximum profitability.

Global crackdowns, such as Operations Cronos and Endgame, have showcased the critical importance of cross-border collaboration to dismantle ransomware infrastructure and disrupt key players. Yet these actions, while necessary, have proven insufficient to stem the tide.  

Ransomware groups continuously innovate, reemerging under new aliases and brands, often with enhanced offensive capabilities. Many of these adversaries benefit from the backing of rogue nation-states, which provide resources, safe havens, and even direct operational support to further their agendas.

While governments have ramped up efforts to issue alerts, guidelines, and frameworks, these measures alone fall woefully short of addressing the enormity of the problem. It is increasingly untenable to leave individual organizations—many of which lack the resources or expertise—to fend for themselves against highly sophisticated adversaries.  

The growing complexity and impact of ransomware demand not only greater international cooperation but also a paradigm shift in how governments and the private sector share responsibility for combating this threat.

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
