CyberSecurity SEE

Fulton County and Security Experts Dispute LockBit’s Claims – Krebs on Security

LockBit, a notorious ransomware group, issued a warning to officials in Fulton County, Ga., threatening to release their internal documents online unless a ransom was paid. The county was listed as a victim on LockBit’s website on Feb. 13, with the group claiming to have stolen files during a breach the previous month. The attack caused disruptions to the county’s phones, Internet access, and court system.

In a bid to pressure the county into paying the ransom, LockBit leaked a small number of sensitive files as a teaser, including sealed court records from criminal trials. However, on Feb. 16, Fulton County’s listing and the countdown timer for data publication were suddenly removed from LockBit’s website without explanation. The leader of LockBit later claimed that this was due to last-minute negotiations with county officials.

Despite LockBit’s claims of receiving payment from Fulton County, the county’s officials vehemently denied making any payments. The FBI and the U.K.’s National Crime Agency then took over LockBit’s online infrastructure on Feb. 19, replacing their homepage with a seizure notice and decryption tools for victims.

Following this seizure, LockBit resurfaced with new domains on the dark web, listing Fulton County and several other victims whose data it threatened to leak if no ransom was paid. The group set a deadline for Fulton County’s data to be published, moving it forward to the morning of Feb. 29. However, as the countdown reached zero, Fulton County’s listing vanished from LockBit’s website.

LockBit’s spokesperson, known as “LockBitSupp,” claimed that Fulton County had paid the ransom, citing the deletion of the county’s data as proof. County officials refuted these claims, stating that they were not aware of any data being released. Security experts, including threat analyst Brett Callow from Emsisoft, believe that LockBit likely lost the victim data before the seizure and has been attempting to save face within the cybercrime community.

RedSense, another security firm, pointed out inconsistencies in LockBit’s recent activities, including the removal of previously listed victim profiles and the publication of new ones. They expressed skepticism about the authenticity of these claims and urged LockBit to stop defrauding victims.

Despite the attempts by LockBit to maintain credibility among its affiliates, experts like Callow remain skeptical. They caution against working with a group that has been compromised to such a significant extent. The saga involving Fulton County and LockBit serves as a reminder of the high-stakes game played by ransomware groups and the potential consequences for their victims.
