Glasgow conference delegates got an insight on Tuesday into an operation led by Britain’s National Crime Agency (NCA) to take down the world’s most prolific ransomware gang.
Attendees at Futurescot’s annual Cyber Security event for the public sector heard how the agency was able to penetrate the network of the feared LockBit gang during Operation Cronos, carried out in early 2024.
Paul Foster, deputy director of the NCA’s National Crime Unit, explained how there was a concerted effort to disrupt the Russian-speaking LockBit gang, which at the height of its global crime wave was responsible for around one in four ransomware attacks between 2021 and 2024.
“So, LockBit presented a unique opportunity to law enforcement to have an impact on the threat landscape,” said Foster. “Because in any threat area, how often do you reasonably get the chance to say we can take potentially a quarter of it.”
Foster characterised LockBit, whose UK victims included Royal Mail, the British Library, Capita and NHS suppliers, as a “slick” operation, akin to the “Rolls Royce” of ransomware gangs, which prided itself on its work and built a global cybercrime brand. During its three-year spree, LockBit was estimated to have extorted over $1 billion from victims globally across thousands of attacks before law-enforcement disruption efforts.
Dmitry Khoroshev, the gang’s mastermind, who went by the name of LockBitSupp, even encouraged people online to try and unmask him, offering people a million dollars if they could prove his real identity, Foster said.
Describing Khoroshev as a “megalomaniac” and LockBit as an “evil operation”, Foster went on to say that the human impact of ransomware is not talked about enough, and that the NCA – along with the FBI and Europol – had been involved in a joint effort over three years to try and disrupt and ultimately take down the gang.
He said the NCA was not initially the lead agency, and that the French had taken an early lead in trying to thwart LockBit. In the second year, the FBI gained an edge, gathering some “pivotal intelligence” on the gang. However, in the final 12 months of the operation, the NCA stepped forward and took a leading role with two critical advances.
Foster said: “One was we gained a unique technical insight that enabled us to effectively lock out LockBit. We were able to get into their infrastructure, get a really deep understanding of the back end, and then lock them out from their own site.
“But also, our senior investigator came up with a strategy to tackle the threat that was supported by every other organisation involved.”
Part of that strategy was to discredit the LockBit brand, to sow distrust among the cybercriminals using the infrastructure, and finally to reassure the gang’s victims – amplifying all of that activity as much as possible.
Finally, in February two years ago, all the technical work that NCA had done behind the scenes came to fruition. They were able to lock LockBit out of their own network. As a splash page went up informing people who visited the LockBit site that it had been seized by law enforcement, a coordinated press campaign was launched to inform the world.
At the same time, arrests were made in various locations around the world, including in Ukraine and Poland, and later in Canada.
Amid a flurry of international media attention, the law enforcement agencies were able to demonstrate publicly how they had managed to infiltrate the LockBit network, supported by a series of articles and social media posts.
A limitation of the operation, in common with many efforts to combat ransomware, was jurisdiction. There are no effective means of bringing Russian citizens to justice unless they travel to a country where international arrest warrants can be enforced. Dmitry Khoroshev remains at large, and even though ransomware continues to disrupt businesses worldwide, the operation illustrated a growing confidence among law enforcement agencies in their ability to degrade the capabilities of such gangs.
A new national cyber action plan for Scotland
Alan Gray, the Scottish Government’s head of national cyber security and resilience, announced the publication of a new Cyber Action Plan for 2025-30 at the conference. The document puts flesh on the bones of the Strategic Framework for a Cyber Resilient Scotland, which was published in November, and comes at a time when the Scottish Government has been ramping up its incident response and threat intelligence monitoring capabilities through the Scottish Cyber Coordination Centre (SC3) and the new Cyber Observatory.
Gray said: “They offer a range of services to the public sector. So that’s everything from vulnerability management, threat intelligence, exercising ... major incident coordination and various other services wrapped around those as well.
“SC3 is a really small unit, so they have a big scope. They have a lot of work, so they have to be very careful and very intelligent in how they direct and target the efforts and resources that we do have in order to best protect the public sector and maximise our effectiveness.”
“And what that means is we need to be really well informed. And all this comes down to situational awareness,” Gray added.
In that sense the data-driven approach embedded at the core of the Cyber Observatory is key, he said.
“It comes down to understanding our environment from threats to exposures, deriving actionable insights from that, and then ultimately finding the right data that’s out there about the public sector, about organisations within the public sector, and exploiting that as much as we can,” Gray added.
He said: “Data is how we are going to win.”
In a technical sense, the Cyber Observatory, which went live at the end of 2025, ingests and processes data that provides early indicators of potential vulnerabilities to public sector bodies in Scotland. It can be used concurrently with other threat intelligence services to “triangulate” threat analysis, and provides real-time reports that allow cyber security teams to take action.
“So by using this data intelligently, by algorithmically identifying and tracking maturity and risk levels, what we can do is we can drive up public sector resilience in a way that just would not have been possible before,” said Gray.
Gray shared some key metrics to show how the public sector is keeping up-to-date with cybersecurity best practice.
The latest figures, from January, show that 98% of public sector organisations have completed the annual cyber resilience assessment, which is conducted via the Cyber Observatory. According to Gray, cyber risk has now been inserted as a “defined” board-level responsibility across 100% of public sector organisations, which he said was a useful secondary indicator of culture and governance within organisations.
A further 98% of organisations are signed up to SC3 threat bulletins, and 70% have access to a cybersecurity incident response provider, up by 50% from the previous year. And 41% of organisations are registered on the MISP threat intelligence platform.
In terms of areas for improvement, Gray pointed out that 36% of organisations are yet to test or ‘exercise’ their cybersecurity response plans, a figure that has remained broadly “static”, according to Gray, and is “not where it should be”.
“There’s no credible reason for any organisation not exercising their incident response plans, including ones that involve a total loss of IT,” Gray said. Related to that, 22% of organisations need to improve their incident response plans, and Gray encouraged leaders to regularly review the plans they have in place. And 46% of organisations need to improve their supply chain approach, which Gray said was one of the hardest aspects of cybersecurity.
However, the Scottish Government is now working with Supply25, a CivTech winner, on securing public sector procurement. Going forward, Gray encouraged delegates to sign up for Cyber Essentials training and to adopt multi-factor authentication (MFA). A previous statistic shared at the conference by a senior representative from the National Cyber Security Centre (NCSC) illustrated that 60% of cyberattacks could be prevented if MFA is switched on.
The rise of AI agents
Professor Bill Buchanan, a cybersecurity expert from Edinburgh Napier University, warned in a later session that agentic AI poses a significant threat to society if not addressed.
“I’m so scared, unbelievably scared for the biggest tsunami that’s actually going to happen to our lives,” said Professor Buchanan. “We’ve talked about very traditional security point of views, but all that needs to change.”
Describing the emergence of the OpenClaw agentic AI tool as the “most powerful tool” he has ever seen in his entire career, Professor Buchanan said people need to prepare for huge disruption, especially in the knowledge-based economy. But in a more dystopian vision, he characterised the problem of AI agents starting to talk to each other – and operate independently of human oversight – as a potential “nightmare” for society.
In terms of keeping a lid on that, and especially in a cybersecurity context, Professor Buchanan recommended that people start thinking now about how they deploy agentic AI: for instance, he said that AI agents should have a certificate of autonomy before they are allowed to act in place of a human, and that organisations have to be clear-eyed about the risk of giving AI agents access to credentials, including passwords and encryption keys.
He said OpenClaw, in that sense, is the “elephant in the room”. “So it’s here now, and it’s the most downloaded program ever,” Professor Buchanan said. “If you’ve not tried it, please try it honestly, and then within a single evening you will be able to control your whole life without requiring anyone else.”
Professor Buchanan quoted researchers from Cisco who described OpenClaw as an urgent “security nightmare”.
So, what can you do?
In a cybersecurity context, Professor Buchanan recommended implementing digital identity properly across society, including for access to the NHS, and that extends to agentic AI personas, ensuring they have an email address and HR records, and so on.
“If you can think you can get away with not giving your agents digital IDs, then you’re kidding yourself on,” he said.
“You’ll be run amok by these agents doing things that you have no idea [about]. You really need a zero trust architecture properly for not only humans, but your agents too. And then what you need, and this is the coolest job brand, you need a kill switch engineer,” he added. “Be patient, know how to unplug things, and if you can throw buckets of water over the server, just in case, then that’s good.”
He added: “We’re at the cusp of something that is going to be so intelligent that it will be able to communicate with itself. These bots will create new cryptographic methods that we’ve never come across, new communication methods and so on. So what? So what? What we need is a new way of doing security.”
And finally, he said, always ensure that a human is in the loop.
“Agentic AI needs digital ID and a proper access control structure with zero trust,” he added. “Get your HR systems to start adding in agentic AI agents as part of your infrastructure, and we need a completely different approach to security testing.”