LockBit is still the story everyone watches, but the narrative is more complicated than ‘dead or alive’. Law enforcement actions earlier in 2024 dealt a major blow to LockBit’s infrastructure, but affiliates and copycats have kept the pressure on organizations worldwide. That disruption has reduced LockBit’s operational capacity and exposed parts of its toolset, yet the group and its variants continue to appear in fresh ransom claims and leak sites.
There are a few threads to follow in the LockBit story. First, international takedowns in February disrupted the gang’s central infrastructure and yielded material that investigators used to help victims. That action changed the economics and reputation of the operation, which matters for an affiliate-driven ransomware-as-a-service model. Second, naming and sanctioning of alleged leadership has increased operational pressure and public exposure of the group. At the same time, LockBit-branded postings continued to surface in mid-2024 claiming new victims — some of those claims are credible while others remain unverified — illustrating how a fractured ransomware ecosystem can persist after a structural disruption.
In early July, LockBit-linked claims targeted healthcare and industrial organizations in Europe and Southeast Asia. Croatian authorities and the national hospital system handled a disruptive incident at the University Hospital Centre Zagreb that was publicly discussed as possibly tied to LockBit 3.0, though investigators were still validating the extent of any data theft. This is a reminder that healthcare remains an attractive target because outages immediately affect patient care and force rapid, expensive responses. Treat public claims from leak sites as intelligence leads to be validated, not as definitive proof of compromise.
Closer to home for many US readers was the late June ransomware incident that shut down Patelco Credit Union’s customer-facing systems on June 29. Members experienced outages to online banking and payment functions while the institution engaged third-party forensic teams and law enforcement. Financial-sector incidents with broad customer impact expose two fault lines: dependence on legacy banking stacks and the downstream friction customers face when core services go offline. The immediate defensive priorities in that context are containment, alternate customer channels, and clear remediation timelines.
There was also welcome operational progress on the tools criminals use. A coordinated international operation known as MORPHEUS targeted the criminal abuse of older, unlicensed instances of the Cobalt Strike red teaming framework. Authorities flagged hundreds of IPs and took down the majority during a concentrated week of action, depriving attackers of turnkey command-and-control infrastructure. Disrupting tooling like Cobalt Strike raises the bar for would-be intruders and reduces the speed and scale at which ransomware campaigns can be assembled. It does not eliminate the threat, but it forces more bespoke and detectable tradecraft.
What this cluster of stories means for defenders
- Assume disruption, not cessation. Takedowns and arrests change adversary economics and logistics, but they do not instantly stop attacks. Expect copycats, splinter groups, and opportunistic affiliates to test the gap. Prioritize detection and resilience over relying on law enforcement to stop every campaign.
- Harden the post-exploitation phase. Because frameworks like Cobalt Strike are the common post-exploit workhorse, focus detection on lateral movement, credential harvesting, and abnormal beaconing. If you cannot block every exploit, make it hard to move and persist. The MORPHEUS action shows that taking away easy infrastructure buys defenders time.
- Segment, backup, and practice. Incidents that impact core banking or hospital systems are frequently aggravated by flat networks, single points of failure, and untested recovery plans. Immutable, offline backups and routine restore exercises matter more than reactive purchases after an incident.
- Treat leak-site claims as indicators, not conclusions. When a ransomware group posts a victim, use that intelligence to drive rapid validation: logs, EDR telemetry, authentication history, and data-centric forensics. Public leak posts can be false positives, staged, or recycled. Verify before you escalate or concede.
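The "abnormal beaconing" point above is easier to act on with a concrete heuristic. The script below is an added example, not code from the article or from any vendor product: it reads constructed, simplified proxy-style log lines (timestamp, source, destination, bytes), groups connections per source/destination pair, and flags pairs whose inter-arrival times are suspiciously regular. The log format, IP addresses and thresholds are assumptions chosen for illustration.

```python
"""Flag beacon-like outbound traffic by looking for regular connection intervals.

Added example, not from the article or any vendor tool. The log format below is
a constructed, simplified "timestamp src dst bytes" line; adapt parse_log() to
your proxy, firewall or EDR export. An implant that checks in on a fixed sleep
with little jitter produces inter-arrival times with a very low coefficient of
variation, which interactive human traffic almost never does.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real telemetry): one host checks in every
# ~60 s with small jitter, another browses irregularly, a third barely talks.
SAMPLE_LOG = """\
2024-07-02T10:00:00Z 10.0.5.23 203.0.113.7 512
2024-07-02T10:00:05Z 10.0.5.40 198.51.100.9 2048
2024-07-02T10:00:10Z 10.0.5.40 198.51.100.9 91400
2024-07-02T10:01:00Z 10.0.5.23 203.0.113.7 530
2024-07-02T10:01:58Z 10.0.5.23 203.0.113.7 498
2024-07-02T10:02:10Z 10.0.5.40 198.51.100.9 700
2024-07-02T10:02:27Z 10.0.5.40 198.51.100.9 15200
2024-07-02T10:03:01Z 10.0.5.23 203.0.113.7 512
2024-07-02T10:03:30Z 10.0.5.77 192.0.2.50 300
2024-07-02T10:03:31Z 10.0.5.77 192.0.2.50 300
2024-07-02T10:04:02Z 10.0.5.23 203.0.113.7 521
2024-07-02T10:05:01Z 10.0.5.23 203.0.113.7 509
2024-07-02T10:06:01Z 10.0.5.23 203.0.113.7 515
2024-07-02T10:09:07Z 10.0.5.40 198.51.100.9 4400
2024-07-02T10:09:10Z 10.0.5.40 198.51.100.9 1200
"""


def parse_log(text):
    """Return {(src, dst): [datetime, ...]} from the constructed log format."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        sessions[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return sessions


def find_beacons(text, min_events=5, max_cv=0.3):
    """Return (src, dst, event_count, mean_interval_s, cv) for regular talkers.

    cv = population stdev / mean of inter-arrival times. 0.0 is a perfect clock;
    max_cv=0.3 tolerates moderate jitter while still rejecting human traffic.
    Pairs with fewer than min_events connections are skipped: too few samples
    to say anything about regularity.
    """
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_events:
            continue
        times.sort()  # log export order is not guaranteed to be chronological
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(deltas)
        if avg <= 0:
            continue  # every event shares one timestamp; intervals say nothing
        cv = pstdev(deltas) / avg
        if cv <= max_cv:
            hits.append((src, dst, len(times), round(avg, 1), round(cv, 3)))
    return sorted(hits, key=lambda h: h[4])


if __name__ == "__main__":
    for src, dst, n, avg, cv in find_beacons(SAMPLE_LOG):
        print(f"beacon-like: {src} -> {dst}  events={n} mean={avg}s cv={cv}")
```

Run on the sample, only the 10.0.5.23 to 203.0.113.7 pair is flagged (seven events about 60 seconds apart); the irregular browsing pair has a coefficient of variation well above 1 and the two-event pair is ignored for lack of samples. Treat a hit as a lead to be corroborated with process, user and destination context, as the article says about leak-site claims: implants configured with wide jitter will blur this signal, and some legitimate agents (monitoring, update checks) are equally regular, so the output feeds triage rather than replacing it.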
Operational takeaways for teams with limited resources
1) Prioritize detection rules and playbooks that cover Cobalt Strike indicators, credential abuse, and lateral execution. These yield high defensive leverage.
2) Run weekly backup validation for business-critical systems and a quarterly tabletop for incident communications and customer-facing contingency processes. Patelco-style outages show how quickly customer trust and operations are strained.
3) Reduce blast radius: implement network segmentation where possible and require tighter controls on admin and service accounts. The fewer the lateral pathways, the more time you have to detect and isolate intrusions.
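"Weekly backup validation" and "routine restore exercises" are only meaningful if the restored data is actually checked against what was backed up. The following is an added example, not code from the article or from any backup product: it records a SHA-256 manifest of a backup tree, performs a simulated test restore into a scratch directory with two deliberately introduced defects, and reports which files came back intact, altered, or missing. The directory layout and file contents are constructed for the demonstration.

```python
"""Verify a test restore against a manifest taken at backup time.

Added example, not from the article. The directory layout and file contents
below are constructed; in practice build_manifest() runs when the backup is
written (storing the manifest somewhere the backup itself cannot overwrite),
and verify_restore() runs against the output of a scheduled restore exercise.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative, POSIX-style path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree with the manifest; report every discrepancy."""
    found = build_manifest(restored)
    report = {"ok": [], "corrupt": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in found:
            report["missing"].append(rel)
        elif found[rel] != digest:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    # Files present in the restore but absent from the manifest are worth a
    # look too: they may indicate the wrong snapshot was restored.
    report["unexpected"] = sorted(set(found) - set(manifest))
    return report


def restore_drill() -> dict:
    """Simulate a backup, a restore with two defects, and the verification."""
    files = {  # constructed sample content, not from any real system
        "config/app.yaml": b"listen: 443\n",
        "db/ledger.sql": b"CREATE TABLE accounts (id INT);\n",
        "notes.txt": b"runbook v3\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        backup, restored = Path(tmp, "backup"), Path(tmp, "restore-test")
        for root in (backup, restored):
            for rel, data in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        manifest = build_manifest(backup)
        # Defects the drill should catch: one file silently altered, one absent.
        (restored / "config/app.yaml").write_bytes(b"listen: 8080\n")
        (restored / "db/ledger.sql").unlink()
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    result = restore_drill()
    for status, paths in result.items():
        print(f"{status:10s} {paths}")
    # Non-zero exit lets a scheduler or ticketing hook treat a failed drill as an incident.
    raise SystemExit(0 if not (result["corrupt"] or result["missing"]) else 1)
```

The drill reports one intact file, one corrupt file and one missing file, and exits non-zero so a scheduled run fails loudly. For an immutable or offline backup the manifest should be written alongside the backup at creation time and kept where the production environment cannot modify it; otherwise an intruder who can alter the backup can alter the manifest as well.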
Looking ahead
Expect more law enforcement operations and more public claims from ransomware groups. Both are signals: takedowns increase scrutiny and degrade some criminal capabilities, while leak-site activity highlights opportunistic targeting and reputational attacks on victims. For practitioners the constant remains the same: invest in resilience, instrument your environment for early detection, and rehearse recovery so that when the next campaign hits you are not starting from zero.