February 25, 2024

The FBI’s takedown of the LockBit ransomware group last week came as LockBit was preparing to release sensitive data stolen from government computer systems in Fulton County, Ga. But LockBit is now regrouping, and the gang says it will publish the stolen Fulton County data on March 2 unless paid a ransom. LockBit claims the cache includes documents tied to the county’s ongoing criminal prosecution of former President Trump, but court watchers say teaser documents published by the crime gang suggest a total leak of the Fulton County data could put lives at risk and jeopardize a number of other criminal trials.

A new LockBit website listing a countdown timer until the promised release of data stolen from Fulton County, Ga.

In early February, Fulton County leaders acknowledged they were responding to an intrusion that caused disruptions to the county’s phone, email and billing systems, as well as a range of county services, including court systems.

On Feb. 13, the LockBit ransomware group posted on its victim shaming blog a new entry for Fulton County, featuring a countdown timer saying the group would publish the data on Feb. 16 unless county leaders agreed to negotiate a ransom.

“We will demonstrate how local structures negligently handled information protection,” LockBit warned. “We will reveal lists of individuals responsible for confidentiality. Documents marked as confidential will be made publicly available. We will show documents related to access to the state citizens’ personal data. We aim to give maximum publicity to this situation; the documents will be of interest to many. Conscientious residents will bring order.”

Yet on Feb. 16, the entry for Fulton County was removed from LockBit’s site without explanation. This usually only happens after the victim in question agrees to pay a ransom demand and/or enters into negotiations with their extortionists.

However, Fulton County Commission Chairman Robb Pitts said the board decided it “could not in good conscience use Fulton County taxpayer funds to make a payment.”

“We did not pay nor did anyone pay on our behalf,” Pitts said at an incident briefing on Feb. 20.

Just hours before that press conference, LockBit’s various websites were seized by the FBI and the U.K.’s National Crime Agency (NCA), which replaced the ransomware group’s homepage with a seizure notice and used the existing design of LockBit’s victim shaming blog to publish press releases about the law enforcement action.

The feds used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools.

Dubbed “Operation Cronos,” the effort involved the seizure of nearly three-dozen servers; the arrest of two alleged LockBit members; the release of a free LockBit decryption tool; and the freezing of more than 200 cryptocurrency accounts thought to be tied to the gang’s activities. The government says LockBit has claimed more than 2,000 victims worldwide and extorted over $120 million in payments.

UNFOLDING DISASTER

In a lengthy, rambling letter published on Feb. 24 and addressed to the FBI, the ransomware group’s leader LockBitSupp announced that their victim shaming websites were once again operational on the dark web, with fresh countdown timers for Fulton County and a half-dozen other recent victims.

“The FBI decided to hack now for one reason only, because they didn’t want to leak information fultoncountyga.gov,” LockBitSupp wrote. “The stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”

A screen shot released by LockBit showing various Fulton County file shares that were exposed.

LockBit has already released roughly two dozen files allegedly stolen from Fulton County government systems, although none of them involve Mr. Trump’s criminal trial. But the documents do appear to include court records that are sealed and shielded from public viewing.

George Chidi writes The Atlanta Objective, a Substack publication on crime in Georgia’s capital city. Chidi says the leaked data so far includes a sealed record related to a child abuse case, and a sealed motion in the murder trial of Juwuan Gaston demanding the state turn over confidential informant identities.

Chidi cites reports from a Fulton County employee who said the confidential material includes the identities of jurors serving on the trial of the rapper Jeffery “Young Thug” Williams, who is charged along with five other defendants in a racketeering and gang conspiracy.

“The screenshots suggest that hackers will be able to give any attorney defending a criminal case in the county a starting place to argue that evidence has been tainted or witnesses intimidated, and that the release of confidential information has compromised cases,” Chidi wrote. “Judge Ural Glanville has, I am told by staff, been working feverishly behind the scenes over the last two weeks to manage the unfolding disaster.”

LockBitSupp also denied assertions made by the U.K.’s NCA that LockBit did not delete stolen data as promised when victims agreed to pay a ransom. The accusation is an explosive one because nobody will pay a ransom if they don’t believe the ransomware group will hold up its end of the bargain.

The ransomware group leader also confirmed information first reported here last week, that federal investigators managed to hack LockBit by exploiting a known vulnerability in PHP, a scripting language that is widely used in Web development.

“Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time,” LockBitSupp wrote. “As a result of which access was gained to the two main servers where this version of PHP was installed.”

LockBitSupp’s FBI letter said the group kept copies of its stolen victim data on servers that did not run PHP, which is why it was able to retain the files taken from victims even after the seizure. The letter also listed links to multiple new instances of LockBit dark net websites, including the leak page listing Fulton County’s new countdown timer.

LockBit’s new data leak site promises to release stolen Fulton County data on March 2, 2024, unless paid a ransom demand.

“Even after the FBI hack, the stolen data will be published on the blog, there is no chance of destroying the stolen data without payment,” LockBitSupp wrote. “All FBI actions are aimed at destroying the reputation of my affiliate program, my demoralization, they want me to leave and quit my job, they want to scare me because they can not find and eliminate me, I can not be stopped, you can not even hope, as long as I am alive I will continue to do pentest with postpaid.”

DOX DODGING

In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadn’t offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head — offering $10 million to anyone who could discover his real name.

After the NCA and FBI seized LockBit’s site, the group’s homepage was retrofitted with a blog entry titled, “Who is LockBitSupp? The $10M question.” The teaser made use of LockBit’s own countdown timer, and suggested the real identity of LockBitSupp would soon be revealed.

However, after the countdown timer expired the page was replaced with a taunting message from the feds, but it included no new information about LockBitSupp’s identity.

On Feb. 21, the U.S. Department of State announced rewards totaling up to $15 million for information leading to the arrest and/or conviction of anyone participating in LockBit ransomware attacks. The State Department said $10 million of that is for information on LockBit’s leaders, and up to $5 million is offered for information on affiliates.

In an interview with the malware-focused Twitter/X account Vx-Underground, LockBit staff asserted that authorities had arrested a couple of small-time players in their operation, and that investigators still do not know the real-life identities of the core LockBit members, or that of their leader.

“They assert the FBI / NCA UK / EUROPOL do not know their information,” Vx-Underground wrote. “They state they are willing to double the bounty of $10,000,000. They state they will place a $20,000,000 bounty on their own head if anyone can dox them.”

TROUBLE ON THE HOMEFRONT?

In the weeks leading up to the FBI/NCA takedown, LockBitSupp became embroiled in a number of high-profile personal and business disputes on the Russian cybercrime forums.

Earlier this year, someone used LockBit ransomware to infect the networks of AN-Security, a venerated 30-year-old security and technology company based in St. Petersburg, Russia. This violated the golden rule for cybercriminals based in Russia and the former Soviet nations that make up the Commonwealth of Independent States: attacking your own citizens in those countries is the surest way to get arrested and prosecuted by local authorities.

LockBitSupp later claimed the attacker had used a publicly leaked, older version of LockBit to compromise systems at AN-Security, and said the attack was an attempt to smear their reputation by a rival ransomware group known as “Clop.” But the incident no doubt prompted closer inspection of LockBitSupp’s activities by Russian authorities.

Then in early February, the administrator of the Russian-language cybercrime forum XSS said LockBitSupp had threatened to have him killed after the ransomware group leader was banned by the community. LockBitSupp was excommunicated from XSS after he refused to pay an arbitration amount ordered by the forum administrator. That dispute related to a complaint from another forum member who said LockBitSupp recently stiffed him on his promised share of an unusually large ransomware payout.

A post by the XSS administrator saying LockBitSupp wanted him dead.

INTERVIEW WITH LOCKBITSUPP

KrebsOnSecurity sought comment from LockBitSupp at the Tox instant messenger ID listed in his letter to the FBI. LockBitSupp declined to elaborate on the unreleased documents from Fulton County, saying the files will be available for everyone to see in a few days.

LockBitSupp said his team was still negotiating with Fulton County when the FBI seized their servers, which is why the county has been granted a time extension. He also denied threatening to kill the XSS administrator.

“I have not threatened to kill the XSS administrator, he is blatantly lying, this is to cause self-pity and damage my reputation,” LockBitSupp told KrebsOnSecurity. “It is not necessary to kill him to punish him, there are more humane methods and he knows what they are.”

Asked why he was so certain the FBI doesn’t know his real-life identity, LockBitSupp was more precise.

“I’m not sure the FBI doesn’t know who I am,” he said. “I just believe they will never find me.”

It seems unlikely that the FBI’s seizure of LockBit’s infrastructure was somehow an effort to stave off the disclosure of Fulton County’s data, as LockBitSupp maintains. For one thing, Europol said the takedown was the result of a months-long infiltration of the ransomware group.

Also, in reporting on the attack’s disruption to the office of Fulton County District Attorney Fani Willis on Feb. 14, CNN reported that by then the intrusion by LockBit had persisted for nearly two and a half weeks.

Finally, if the NCA and FBI really believed that LockBit never deleted victim data, they had to assume LockBit would still have at least one copy of all their stolen data hidden somewhere safe.

Fulton County is still trying to recover systems and restore services affected by the ransomware attack. “Fulton County continues to make substantial progress in restoring its systems following the recent ransomware incident resulting in service outages,” reads the latest statement from the county on Feb. 22. “Since the start of this incident, our team has been working tirelessly to bring services back up.”

Update, Feb. 29, 3:22 p.m. ET: Just hours after this story ran, LockBit changed its countdown timer for Fulton County, saying the county had until the morning of Feb. 29 (today) to pay a ransom demand. When the official deadline neared today, Fulton County’s listing was removed from LockBit’s victim shaming website. Asked about the removal of the listing, LockBit’s leader “LockBitSupp” told KrebsOnSecurity that Fulton County paid a ransom demand. County officials have scheduled a press conference on the ransomware attack at 4:15 p.m. ET today.


53 thoughts on “FBI’s LockBit Takedown Postponed a Ticking Time Bomb in Fulton County, Ga.”

  1. justsayin

    Release every bit of it. Every file, every photo, everything.

    1. mealy

      How will you personally determine what of it is legit, versus added by xyz party?
      Or does the subreddit do the thinking.

  2. Professor Obvious

    Amazing how fast the FBI acted to try and stop the release of data from this particular county, yet gangs that target hospitals, veterans, or other places not involved in persecuting one candidate are still operating and thriving.

    Almost like the FBI is invested in the opposing candidate, ain’t it?

    1. Fred Blair

      Release it all. The American people deserve to know the truth, the whole truth.

      1. mealy

        There is a difference between being told the truth and putting people’s lives directly at risk.

    2. R.Cake

      Par-leaze.
      As Brian states above, it is super unlikely that there is any causality here (correlation yes, causality no).
      You cannot possibly believe that the FBI and Europol can just “decide” to take down a malware service more or less from one day to the other. If that were possible, this would mean either the authorities had effectively infinite hacking powers at their disposal, or the miscreants would have to be very easy to attack. Neither of the two is the case, as we are seeing from history.
      This is not about US politics. Also remember that neither LockBit (the malware service) is something that only relates to the US, nor are exclusively US authorities at work here.
      Of course you can always try and draw magical conclusions, and assert that “everything is related to everything”, but it does not help understand the real world. If you can really believe that LockBit was taken down “because of US elections in 2024” then you can also believe in the Evil Eye. Good luck then.

      1. Catwhisperer

        Though your argument is sound, it lacks the point of the known connectivity between entities of such nature in the ex-USSR and known Russian alphabet agencies, like the KGB and GRU. The idea of the trade-craft is, after all, plausible deniability, is it not? I say ex-USSR because nobody knows where the operators reside.

      2. Dr. Funk

        The FBI is more politicized now than it was during J. Edgar Hoover’s tenure.

      3. Nacker

        Very true. Lockbit had gotten cocky and was attacking so many targets that eventually they were leaving enough of a trail to follow. The takedown was obviously not related to U.S. politics. Some people will believe anything, as long as it fits the story they want to believe.

    3. STookey

      Yet, we still don’t know who killed Epstein or who’s cocaine was in the White House!

      1. Just ... stop

        It’s almost like those are two completely separate things.

      2. mealy

        Whose cocaine. Who’s cocaine = Who is cocaine, or Mr. Who’s personal stash.
        If you get busted for poor grammar don’t let them search.

    4. Stanley Bojangles

      Looks a lot more like Russia is particularly invested in disrupting the trials of their favored candidate.

        1. mealy

          vanityfair dot com/news/2022/03/john-bolton-donald-trump-ukraine-finland-russia

          John Bolton: Trump Is a Putin-Loving Moron Who Thought Finland Was Part of Russia
          ¯\_(ツ)_/¯

  3. Ashley Ott

    All of this sounds stupid. First off, why doesn’t Fulton County (every county) pay to upgrade online security? Surely cell phones can change with every passing moment. Upgrading citizens’ information should be just as important. Outdated computers, and still using inferior systems that need to be updated regularly. I say Fulton County reaps what it sows. The whole County is corrupt.

  4. neoconartist

    Fulton Cty- corrupt
    Willis and Wade- corrupt
    FBI- corrupt
    White House- corrupt

    any questions?

  5. Jon H.

    The Alphabet agencies in America, have and have had their own ‘agenda’ and rule-of-law, for quite a while. Not always aligned with the interests of we, American citizens.

  6. Arlyn

    Praise the Lord for this data breach! I pray that the Lord will bless America by releasing every bit of information held by Fulton County that pertains to their illegal, unwarranted and un-American prosecution of the greatest president in American history.

    1. Niwand

      I love the thought process of the right, everything illegal and immoral is okay with you, so long as it serves the cult of Trump. There’s actual cults that are jealous of your followers.

  7. Gohan

    It’s all lame boring news until I read about a scammer being slow roasted to death.
    Please cook a ransomware group and put it on display.

  8. Catwhisperer

    Please, what more do we need to see that Russia is in cahoots with Trump and vice versa. May both countries be blessed to have an Erwin Rommel with better luck…

    1. Dr. Funk

      Seriously? You can’t be serious. That’s a good troll.

    2. Lotsa dummies round here today ...

      Correlation does not imply causation, does it?

      1. Catwhisperer

        No, correlation doesn’t imply causation taken alone. However, it would be foolish to take the one hack “alone”. What correlation does, as in statistics, is increase the weight of certain hypotheses. None can argue that the history is there of connection between certain criminal cyber-groups and Russian clandestine services. And who gains the most here if proceedings are disrupted in this jurisdiction? Do you think LockBit wins here? And all very plausibly deniable. After all, what rational government would want the release of records in CHMO cases?

        1. Big Al

          “Russia is in cahoots with Trump”
          lol There was an investigation. Conspiracies die hard with TDS victims.

          1. mealy

            Maybe you should actually read the findings of the investigation for the first time?
            washingtonpost.com/politics/2023/05/17/truth-about-russia-trump-2016-election/

            “Russia tried to swing the 2016 election to Trump”
            “The Trump campaign welcomed help from Russia”

            “The investigation established that the Russian government perceived it would benefit from a Trump presidency and worked to secure that outcome, and that the Campaign expected it would benefit electorally from information stolen and released through Russian efforts,” Mueller’s report said, even as it stated that it “did not establish that members of the Trump Campaign conspired or coordinated with the Russian government in its election interference activities.” (“Did not establish” is a lawyerly way of saying the claim could not be ruled out.)

            politico.eu/article/mueller-refutes-trumps-no-collusion-no-obstruction-line/

            “The president was not exculpated for the acts that he allegedly committed,” Mueller told the House judiciary committee, adding that Trump could theoretically be indicted after he leaves office.

            “We did not address ‘collusion,’ which is not a legal term,” Mueller added. “Rather, we focused on whether the evidence was sufficient to charge any member of the campaign with taking part in a criminal conspiracy. It was not.”

            Big Al, if you’re listening, I just need you to find 30,000 unused gray cells and read a bit:
            Trump was not at all exonerated for colluding with Russia. Praising Putin doesn’t help.
            (Take a break, cheerleading is thirsty work.)

  9. James Schumaker

    It’s amazing how many commenters on this blog would sooner climb into bed with the Putin regime than shut down a blog that is aimed at hurting innocent people and sowing chaos in the Trump trial. We may not know exactly where the operators of LockBit ransomware currently reside, but it is very likely that this group could not operate without the support of Russian intelligence agencies, like so many similar hacker groups. Those who would sell out their own country for a cult leader need to reevaluate their choices.

    1. JonnySize

      Has your President Joe Biden gone senile, and do you still support the Democrats? Look at the world from the outside, and Vladimir Putin is the best; your country is mired in hypocrisy.

  10. Charles Jacobs

    There is no proof whatsoever that this FBI takedown is just a coincidence.

    1. R.Cake

      There also is no proof that all “this” (you pick what you like) is not just caused by the Evil Eye. Correlation yes, causality no.

  11. R.Lowe

    If there was widespread voting fraud in the 2020 election, wouldn’t states that Trump won also have had voting fraud?

  12. A M

    It would seem it’s time to up the game and place a bounty for their heads on a pike.
    Let’s say $ 5 million dollars for the heads of each of these disrupters…

  13. Hopium is a hell of a drug

    Given the cesspool of corruption that is now American justice, I wouldn’t doubt the CIA, DHS, NSA, WEF, etc. is the source of the extortion. Everyone knows Fulton Co. won’t pay because the WH has the most to lose if 2020 voting details are made public.

    Last act of a decaying empire is robbing the treasury and everyone wants their pallet of cash.

  14. Ronald Cross

    Trump want back down I pray for him but I never had faith in Cia are fbi I can’t say to much I have learned a lot

    1. R.Cake

      Grammar sometimes really helps.
      “Trump want back down” = you want Trump to back down?
      “I pray for him but I never had faith” = you know that he is fundamentally not worth your prayers, or you have a suspicion that the LOrd may not answer your prayer?
      “in CIA are FBI” = you claim that the FBI has infiltrated the CIA?
      “I can’t say to much” = here, I would agree. There is in fact such a thing as saying too much, assuming that is what you meant.
      All the best and have a good day. My recommendation: enjoy daylight, take a walk through nature if you have a chance. It really helps one wind down and look at things more calmly.

  15. NLMasterrace

    Being from outside of the USA, it really amazes me how easily the Trump people fall for Russian propaganda.
    There 100% will be fabricated documents in the leak that will support Trump one way or another, because Trump and Putin are buddy-buddy with each other.

    How can a big part of the USA slide off so easily to rat out their own for Russia, really says something about the average IQ of the Trump supporters.

    1. mealy

      thehill.com/homenews/3785645-sean-hannity-admits-in-deposition-he-didnt-believe-trump-voter-fraud-claims/

      It’s because their gatekeepers saw profit in pushing false narratives for money/power,
      or they’d be fired and ostracized for telling the real truth in public, the inverse version.
      Once you’ve lied for the mob it’s not a great idea to suddenly try to stop.

        1. mealy

          You linked a non-vetted and non-comprehensive website with a hit counter showing hardly any traffic as evidence of what exactly? “Startling Vote Spikes” is not anything but an unfounded claim with an op-ed headline tacked on. Entirely missing the point is entirely missing the point (and perhaps demonstrating the point ironically at the same time, sadly) that the majority of the GOP lives in an information-free bubble run by liars for profit, and (you?) seem to prefer it that way – over and over and over, to their collective mental deficit. Yes, Hannity was one of THOUSANDS of people pushing a known lie as hard as they possibly could to support a known criminal and fraud’s bogus claims, which they believed would lead to their personal enrichment or sustaining of a demographically waning influence. Other GOP information sources took the lies and ran with them even further, Italian satellites, deceased South American strongmen, the entire conspiracy theory gamut.

          Face it, you have so little comprehensive coverage “allowed” into your Republican news feed that you have literally become captive of any single new lie that comes along, basely plausible or not, foreign-invented or not, and have given up any basic common sense investigatory vetting gray matter over to known and admitted liars – and you prefer that. Why should anyone attempt to change your mind when you’ve already sold it so cheaply into such a life-long BS lease administrated by criminal enterprise? Give my regards to the space lasers, BTW.

  16. Red Fummoxed

    The only conspiracy here is Russia trying to affect the outcome of the election in order to win in Ukraine. Get your heads out of your asses and into the open air, Trumpies.

  17. Duane

    A few points, fellow trolls:
    1. “Fulton County should have upgraded IT.” IT budget competes for funding with many other priorities. No one has run for office by promising to upgrade IT.
    2. “All the data should be released.” Sure, let’s make the property tax records with home addresses of police officers available to violent criminals. Only one example of many.
    3. “Trump is responsible for the hack.” If you want a conspiracy theory, this is among the better ones. Probably not, but if it came to the attention of the Russian authorities, they might have smiled and demanded a cut of the ransom.
    4. “Hackers have to maintain their credibility.” Trolls, not so much. Thanks for reading and my Zelle account is….

  18. Lars

    “pentest with postpaid”? There’s a euphemism if I ever saw one.

  19. William Kazak

    People who want to hide truth have something to hide. Release it all. We will sort it out in the public forums. Truth or lies? Let the American people decide.

    1. mealy

      Please. That’s nonsense. “The American People” couldn’t collectively tie their shoes in forums.
      See Reddit / Twitter / Etc. They argue about blue/gold dresses and space laser vaccine lizards.