The FBI’s takedown of the LockBit ransomware group last week came as LockBit was preparing to release sensitive data stolen from government computer systems in Fulton County, Ga. But LockBit is now regrouping, and the gang says it will publish the stolen Fulton County data on March 2 unless paid a ransom. LockBit claims the cache includes documents tied to the county’s ongoing criminal prosecution of former President Trump, but court watchers say teaser documents published by the crime gang suggest a total leak of the Fulton County data could put lives at risk and jeopardize a number of other criminal trials.
In early February, Fulton County leaders acknowledged they were responding to an intrusion that caused disruptions for its phone, email and billing systems, as well as a range of county services, including court systems.
On Feb. 13, the LockBit ransomware group posted on its victim shaming blog a new entry for Fulton County, featuring a countdown timer saying the group would publish the data on Feb. 16 unless county leaders agreed to negotiate a ransom.
“We will demonstrate how local structures negligently handled information security,” LockBit warned. “We will reveal lists of individuals responsible for confidentiality. Documents marked as confidential will be made publicly available. We will show documents related to access to the state citizens’ personal data. We aim to give maximum publicity to this situation; the documents will be of interest to many. Conscientious residents will bring order.”
Yet on Feb. 16, the entry for Fulton County was removed from LockBit’s site without explanation. This usually only happens after the victim in question agrees to pay a ransom demand and/or enters into negotiations with their extortionists.
Nevertheless, Fulton County Commission Chairman Robb Pitts said the board decided it “could not in good conscience use Fulton County taxpayer funds to make a payment.”
“We did not pay nor did anyone pay on our behalf,” Pitts said at an incident briefing on Feb. 20.
Just hours before that press conference, LockBit’s various websites were seized by the FBI and the U.K.’s National Crime Agency (NCA), which replaced the ransomware group’s homepage with a seizure notice and used the existing design of LockBit’s victim shaming blog to publish press releases about the law enforcement action.
Dubbed “Operation Cronos,” the effort involved the seizure of nearly three-dozen servers; the arrest of two alleged LockBit members; the release of a free LockBit decryption tool; and the freezing of more than 200 cryptocurrency accounts thought to be tied to the gang’s activities. The government says LockBit has claimed more than 2,000 victims worldwide and extorted over $120 million in payments.
UNFOLDING DISASTER
In a lengthy, rambling letter published on Feb. 24 and addressed to the FBI, the ransomware group’s leader LockBitSupp announced that their victim shaming websites were once again operational on the dark web, with fresh countdown timers for Fulton County and a half-dozen other recent victims.
“The FBI decided to hack now for one reason only, because they didn’t want to leak information fultoncountyga.gov,” LockBitSupp wrote. “The stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”
LockBit has already released roughly two dozen files allegedly stolen from Fulton County government systems, although none of them involve Mr. Trump’s criminal trial. But the documents do appear to include court records that are sealed and shielded from public viewing.
George Chidi writes The Atlanta Objective, a Substack publication on crime in Georgia’s capital city. Chidi says the leaked data so far includes a sealed record related to a child abuse case, and a sealed motion in the murder trial of Juwuan Gaston demanding the state turn over confidential informant identities.
Chidi cites reports from a Fulton County employee who said the confidential material includes the identities of jurors serving on the trial of the rapper Jeffery “Young Thug” Williams, who is charged along with five other defendants in a racketeering and gang conspiracy.
“The screenshots suggest that hackers will be able to give any attorney defending a criminal case in the county a starting place to argue that evidence has been tainted or witnesses intimidated, and that the release of confidential information has compromised cases,” Chidi wrote. “Judge Ural Glanville has, I am told by staff, been working feverishly behind the scenes over the last two weeks to manage the unfolding disaster.”
LockBitSupp also denied assertions made by the U.K.’s NCA that LockBit did not delete stolen data as promised when victims agreed to pay a ransom. The accusation is an explosive one because nobody will pay a ransom if they don’t believe the ransomware group will hold up its end of the bargain.
The ransomware group leader also confirmed information first reported here last week, that federal investigators managed to hack LockBit by exploiting a known vulnerability in PHP, a scripting language that is widely used in Web development.
“Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time,” LockBitSupp wrote. “As a result of which access was gained to the two main servers where this version of PHP was installed.”
LockBitSupp’s FBI letter said the group kept copies of its stolen victim data on servers that did not use PHP, and that consequently it was able to retain copies of files stolen from victims. The letter also listed links to multiple new instances of LockBit dark web websites, including the leak page listing Fulton County’s new countdown timer.
“Even after the FBI hack, the stolen data will be published on the blog, there is no chance of destroying the stolen data without payment,” LockBitSupp wrote. “All FBI actions are aimed at destroying the reputation of my affiliate program, my demoralization, they want me to leave and quit my job, they want to scare me because they cannot find and eliminate me, I cannot be stopped, you cannot even hope, as long as I am alive I will continue to do pentest with postpaid.”
DOX DODGING
In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadn’t offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head — offering $10 million to anyone who could discover his real name.
After the NCA and FBI seized LockBit’s site, the group’s homepage was retrofitted with a blog entry titled, “Who is LockBitSupp? The $10M question.” The teaser made use of LockBit’s own countdown timer, and suggested the real identity of LockBitSupp would soon be revealed.
However, after the countdown timer expired the page was replaced with a taunting message from the feds, but it included no new information about LockBitSupp’s identity.
On Feb. 21, the U.S. Department of State announced rewards totaling up to $15 million for information leading to the arrest and/or conviction of anyone participating in LockBit ransomware attacks. The State Department said $10 million of that is for information on LockBit’s leaders, and up to $5 million is available for information on affiliates.
In an interview with the malware-focused Twitter/X account Vx-Underground, LockBit staff asserted that authorities had arrested a couple of small-time players in their operation, and that investigators still do not know the real-life identities of the core LockBit members, or that of their leader.
“They assert the FBI / NCA UK / EUROPOL do not know their information,” Vx-Underground wrote. “They state they are willing to double the bounty of $10,000,000. They state they will place a $20,000,000 bounty of their own head if anyone can dox them.”
TROUBLE ON THE HOMEFRONT?
In the weeks leading up to the FBI/NCA takedown, LockBitSupp became embroiled in a number of high-profile personal and business disputes on the Russian cybercrime forums.
Earlier this year, someone used LockBit ransomware to infect the networks of AN-Security, a venerated 30-year-old security and technology company based in St. Petersburg, Russia. This violated the golden rule for cybercriminals based in Russia and former Soviet nations that make up the Commonwealth of Independent States, which is that attacking your own citizens in those countries is the surest way to get arrested and prosecuted by local authorities.
LockBitSupp later claimed the attacker had used a publicly leaked, older version of LockBit to compromise systems at AN-Security, and said the attack was an attempt to smear their reputation by a rival ransomware group known as “Clop.” But the incident no doubt prompted closer inspection of LockBitSupp’s activities by Russian authorities.
Then in early February, the administrator of the Russian-language cybercrime forum XSS said LockBitSupp had threatened to have him killed after the ransomware group leader was banned by the community. LockBitSupp was excommunicated from XSS after he refused to pay an arbitration amount ordered by the forum administrator. That dispute related to a complaint from another forum member who said LockBitSupp recently stiffed him on his promised share of an unusually large ransomware payout.
INTERVIEW WITH LOCKBITSUPP
KrebsOnSecurity sought comment from LockBitSupp at the ToX instant messenger ID listed in his letter to the FBI. LockBitSupp declined to elaborate on the unreleased documents from Fulton County, saying the files will be available for everyone to see in a few days.
LockBitSupp said his team was still negotiating with Fulton County when the FBI seized their servers, which is why the county has been granted a time extension. He also denied threatening to kill the XSS administrator.
“I have not threatened to kill the XSS administrator, he is blatantly lying, this is to cause self-pity and damage my reputation,” LockBitSupp told KrebsOnSecurity. “It is not necessary to kill him to punish him, there are more humane methods and he knows what they are.”
Asked why he was so certain the FBI doesn’t know his real-life identity, LockBitSupp was more precise.
“I’m not sure the FBI doesn’t know who I am,” he said. “I just believe they will never find me.”
It seems unlikely that the FBI’s seizure of LockBit’s infrastructure was somehow an effort to stave off the disclosure of Fulton County’s data, as LockBitSupp maintains. For one thing, Europol said the takedown was the result of a months-long infiltration of the ransomware group.
Also, in reporting on the attack’s disruption to the office of Fulton County District Attorney Fanny Willis on Feb. 14, CNN reported that by then the intrusion by LockBit had persisted for nearly two and a half weeks.
Finally, if the NCA and FBI really believed that LockBit never deleted victim data, they had to assume LockBit would still have at least one copy of all their stolen data hidden somewhere safe.