From Lamborghinis to Ladas: Empirical Analysis of LockBit’s Business Operations

Journal Article (2025)
Author(s)

K. Oosthoek (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Ian Gray (New York University)

Dalyapraz Manatova (Indiana University)

Damon McCoy (New York University)

Research Group
Cyber Security
DOI related publication
https://doi.org/10.1109/eCrime66972.2025.11327913 Final published version
Publication Year
2025
Language
English
Journal title
Proceedings of the 2025 APWG Symposium on Electronic Crime Research (eCrime)
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

Since 2020, LockBit has operated as a ransomware-as-a-service (RaaS) platform, leasing their malware to affiliates who conducted attacks on their behalf. LockBit emerged as one of the most prolific ransomware groups globally. However, the operation faced significant law enforcement disruptions on February 20, 2024, and May 7, 2024, during Operation Cronos. On May 7, 2025, an affiliate panel database from LockBit 4.0 leaked, providing an opportunity to better understand the latest iteration of the ransomware operation. The leak occurred one year after the second phase of the law enforcement disruption, Operation Cronos, which included a seizure of servers and infrastructure from LockBit 3.0. In this paper, we present an empirical analysis of LockBit 4.0 business operations observed through the compromised affiliate panel data. Based on the leaked data, we construct an operational workflow of LockBit 4.0. Our financial analysis found that post-Cronos interventions LockBit 4.0 was operating in a degraded state. LockBit 3.0 affiliates achieved a 54% compromise-to-payment rate while LockBit 4.0 had an 11.5% rate, which represents a 4.7-fold decline. The leaked LockBit 4.0 affiliate panel offers empirical insights into a major ransomware operation’s post-disruption phase, highlighting both the effectiveness of coordinated law enforcement action and the challenges facing cybercriminal groups attempting to rebuild after takedown operations. Our analysis reveals that while LockBit appeared to resume their operations unabated, it was severely hampered by Operation Cronos. Given their downscaled operation, LockBit 4.0’s affiliate recruitment slogan, "Want a Lamborghini" is more appropriately "Want a Lada," a cheaper Russian brand of Soviet-era automobiles.

Files

Taverne

File under embargo until 13-07-2026