The FBI’s takedown of the LockBit ransomware group last week came as LockBit was preparing to release sensitive data stolen from government computer systems in Fulton County, Ga. But LockBit is now regrouping, and the gang says it will publish the stolen Fulton County data on March 2 unless paid a ransom. LockBit claims the cache includes documents tied to the county’s ongoing criminal prosecution of former President Trump, but court watchers say teaser documents published by the crime gang suggest a full leak of the Fulton County data could put lives at risk and jeopardize a number of other criminal trials.
In early February, Fulton County leaders acknowledged they were responding to an intrusion that caused disruptions for its phone, email and billing systems, as well as a range of county services, including court systems.
On Feb. 13, the LockBit ransomware group posted on its victim shaming blog a new entry for Fulton County, featuring a countdown timer saying the group would publish the data on Feb. 16 unless county leaders agreed to negotiate a ransom.
“We will demonstrate how local structures negligently handled information protection,” LockBit warned. “We will reveal lists of individuals responsible for confidentiality. Documents marked as confidential will be made publicly available. We will show documents related to access to the state citizens’ personal data. We aim to give maximum publicity to this case; the documents will be of interest to many. Conscientious residents will bring order.”
Yet on Feb. 16, the entry for Fulton County was removed from LockBit’s site without explanation. This usually only happens after the victim in question agrees to pay a ransom demand and/or enters into negotiations with their extortionists.
However, Fulton County Commission Chairman Robb Pitts said the board decided it “could not in good conscience use Fulton County taxpayer funds to make a payment.”
“We did not pay nor did anyone pay on our behalf,” Pitts said at an incident briefing on Feb. 20.
Just hours before that press conference, LockBit’s various websites were seized by the FBI and the U.K.’s National Crime Agency (NCA), which replaced the ransomware group’s homepage with a seizure notice and used the existing design of LockBit’s victim shaming blog to publish press releases about the law enforcement action.
Dubbed “Operation Cronos,” the effort involved the seizure of nearly three-dozen servers; the arrest of two alleged LockBit members; the release of a free LockBit decryption tool; and the freezing of more than 200 cryptocurrency accounts thought to be tied to the gang’s activities. The government says LockBit has claimed more than 2,000 victims worldwide and extorted over $120 million in payments.
UNFOLDING DISASTER
In a lengthy, rambling letter published on Feb. 24 and addressed to the FBI, the ransomware group’s leader LockBitSupp announced that their victim shaming websites were once again operational on the dark web, with fresh countdown timers for Fulton County and a half-dozen other recent victims.
“The FBI decided to hack now for one reason only, because they didn’t want to leak information fultoncountyga.gov,” LockBitSupp wrote. “The stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”
LockBit has already released roughly two dozen files allegedly stolen from Fulton County government systems, although none of them involve Mr. Trump’s criminal trial. But the documents do appear to include court records that are sealed and shielded from public viewing.
George Chidi writes The Atlanta Objective, a Substack publication on crime in Georgia’s capital city. Chidi says the leaked data so far includes a sealed record related to a child abuse case, and a sealed motion in the murder trial of Juwuan Gaston demanding the state turn over confidential informant identities.
Chidi cites reports from a Fulton County employee who said the confidential material includes the identities of jurors serving on the trial of the rapper Jeffery “Young Thug” Williams, who is charged along with five other defendants in a racketeering and gang conspiracy.
“The screenshots suggest that hackers will be able to give any attorney defending a criminal case in the county a starting place to argue that evidence has been tainted or witnesses intimidated, and that the release of confidential information has compromised cases,” Chidi wrote. “Judge Ural Glanville has, I’m told by staff, been working feverishly behind the scenes over the last two weeks to manage the unfolding disaster.”
LockBitSupp also denied assertions made by the U.K.’s NCA that LockBit did not delete stolen data as promised when victims agreed to pay a ransom. The accusation is an explosive one because nobody will pay a ransom if they don’t believe the ransomware group will hold up its end of the bargain.
The ransomware group leader also confirmed information first reported here last week, that federal investigators managed to hack LockBit by exploiting a known vulnerability in PHP, a scripting language that is widely used in Web development.
“Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time,” LockBitSupp wrote. “As a result of which access was gained to the two main servers where this version of PHP was installed.”
LockBitSupp’s FBI letter said the group stored copies of its stolen victim data on servers that did not use PHP, and that consequently it was able to retain copies of data stolen from victims. The letter also listed links to multiple new instances of LockBit dark web websites, including the leak page listing Fulton County’s new countdown timer.
“Even after the FBI hack, the stolen data will be published on the blog, there is no chance of destroying the stolen data without payment,” LockBitSupp wrote. “All FBI actions are aimed at destroying the reputation of my affiliate program, my demoralization, they want me to leave and quit my job, they want to scare me because they can not find and eliminate me, I can not be stopped, you cannot even hope, as long as I am alive I will continue to do pentest with postpaid.”
DOX DODGING
In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadn’t offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head — offering $10 million to anyone who could discover his real name.
After the NCA and FBI seized LockBit’s site, the group’s homepage was retrofitted with a blog entry titled, “Who is LockBitSupp? The $10M question.” The teaser made use of LockBit’s own countdown timer, and suggested the real identity of LockBitSupp would soon be revealed.
However, after the countdown timer expired the page was replaced with a taunting message from the feds, but it included no new information about LockBitSupp’s identity.
On Feb. 21, the U.S. Department of State announced rewards totaling up to $15 million for information leading to the arrest and/or conviction of anyone participating in LockBit ransomware attacks. The State Department said $10 million of that is for information on LockBit’s leaders, and up to $5 million is available for information on affiliates.
In an interview with the malware-focused Twitter/X account Vx-Underground, LockBit staff asserted that authorities had arrested a couple of small-time players in their operation, and that investigators still do not know the real-life identities of the core LockBit members, or that of their leader.
“They assert the FBI / NCA UK / EUROPOL do not know their information,” Vx-Underground wrote. “They state they are willing to double the bounty of $10,000,000. They state they will place a $20,000,000 bounty of their own head if anyone can dox them.”
TROUBLE ON THE HOMEFRONT?
In the weeks leading up to the FBI/NCA takedown, LockBitSupp became embroiled in a number of high-profile personal and business disputes on the Russian cybercrime forums.
Earlier this year, someone used LockBit ransomware to infect the networks of AN-Security, a venerated 30-year-old security and technology company based in St. Petersburg, Russia. This violated the golden rule for cybercriminals based in Russia and the former Soviet nations that make up the Commonwealth of Independent States, which is that attacking your own citizens in those countries is the surest way to get arrested and prosecuted by local authorities.
LockBitSupp later claimed the attacker had used a publicly leaked, older version of LockBit to compromise systems at AN-Security, and said the attack was an attempt to smear their reputation by a rival ransomware group known as “Clop.” But the incident no doubt prompted closer inspection of LockBitSupp’s activities by Russian authorities.
Then in early February, the administrator of the Russian-language cybercrime forum XSS said LockBitSupp had threatened to have him killed after the ransomware group leader was banned by the community. LockBitSupp was excommunicated from XSS after he refused to pay an arbitration amount ordered by the forum administrator. That dispute related to a complaint from another forum member who said LockBitSupp recently stiffed him on his promised share of an unusually large ransomware payout.
INTERVIEW WITH LOCKBITSUPP
KrebsOnSecurity sought comment from LockBitSupp at the ToX instant messenger ID listed in his letter to the FBI. LockBitSupp declined to elaborate on the unreleased documents from Fulton County, saying the files will be available for everyone to see in a few days.
LockBitSupp said his team was still negotiating with Fulton County when the FBI seized their servers, which is why the county has been granted a time extension. He also denied threatening to kill the XSS administrator.
“I have not threatened to kill the XSS administrator, he is blatantly lying, this is to cause self-pity and damage my reputation,” LockBitSupp told KrebsOnSecurity. “It is not necessary to kill him to punish him, there are more humane methods and he knows what they are.”
Asked why he was so certain the FBI doesn’t know his real-life identity, LockBitSupp was more precise.
“I’m not sure the FBI doesn’t know who I am,” he said. “I just believe they will never find me.”
It seems unlikely that the FBI’s seizure of LockBit’s infrastructure was somehow an effort to stave off the disclosure of Fulton County’s data, as LockBitSupp maintains. For one thing, Europol said the takedown was the result of a months-long infiltration of the ransomware group.
Also, in reporting on the attack’s disruption to the office of Fulton County District Attorney Fani Willis on Feb. 14, CNN reported that by then the intrusion by LockBit had persisted for nearly two and a half weeks.
Finally, if the NCA and FBI really believed that LockBit never deleted victim data, they had to assume LockBit would still have at least one copy of all their stolen data hidden somewhere safe.
Fulton County is still trying to recover systems and restore services affected by the ransomware attack. “Fulton County continues to make substantial progress in restoring its systems following the recent ransomware incident resulting in service outages,” reads the latest statement from the county on Feb. 22. “Since the start of this incident, our team has been working tirelessly to bring services back up.”