April 15, 2024

The ransomware group LockBit advised officers with Fulton County, Ga. they might count on to see their inner paperwork revealed on-line this morning except the county paid a ransom demand. LockBit eliminated Fulton County’s itemizing from its sufferer shaming web site this morning, claiming the county had paid. However county officers mentioned they didn’t pay, nor did anybody make fee on their behalf. Safety consultants say LockBit was seemingly bluffing and doubtless misplaced many of the knowledge when the gang’s servers have been seized this month by U.S. and U.Okay. regulation enforcement.

The LockBit web site included a countdown timer till the promised launch of information stolen from Fulton County, Ga. LockBit would later transfer this deadline as much as Feb. 29, 2024.

LockBit listed Fulton County as a sufferer on Feb. 13, saying that except it was paid a ransom the group would publish information stolen in a breach on the county final month. That assault disrupted county telephones, Web entry and even their courtroom system. LockBit leaked a small variety of the county’s information as a teaser, which appeared to incorporate delicate and sealed courtroom information in present and previous legal trials.

On Feb. 16, Fulton County’s entry — together with a countdown timer till the information can be revealed — was faraway from the LockBit web site with out rationalization. The chief of LockBit advised KrebsOnSecurity this was as a result of Fulton County officers had engaged in last-minute negotiations with the group.

However on Feb. 19, investigators with the FBI and the U.Okay.’s Nationwide Crime Company (NCA) took over LockBit’s on-line infrastructure, changing the group’s homepage with a seizure discover and hyperlinks to LockBit ransomware decryption instruments.

In a press briefing on Feb. 20, Fulton County Fee Chairman Robb Pitts advised reporters the county didn’t pay a ransom demand, noting that the board “couldn’t in good conscience use Fulton County taxpayer funds to make a fee.”

Three days later, LockBit reemerged with new domains on the darkish net, and with Fulton County listed amongst a half-dozen different victims whose knowledge was about to be leaked in the event that they refused to pay. Because it does with all victims, LockBit assigned Fulton County a countdown timer, saying officers had till late within the night on March 1 till their knowledge was revealed.

LockBit revised its deadline for Fulton County to Feb. 29.

LockBit quickly moved up the deadline to the morning of Feb. 29. As Fulton County’s LockBit timer was counting right down to zero this morning, its itemizing disappeared from LockBit’s website. LockBit’s chief and spokesperson, who goes by the deal with “LockBitSupp,” advised KrebsOnSecurity as we speak that Fulton County’s knowledge disappeared from their website as a result of county officers paid a ransom.

“Fulton paid,” LockBitSupp mentioned. When requested for proof of fee, LockBitSupp claimed. “The proof is that we deleted their knowledge and didn’t publish it.”

However at a press convention as we speak, Fulton County Chairman Robb Pitts mentioned the county doesn’t know why its knowledge was faraway from LockBit’s website.

“As I stand right here at 4:08 p.m., we aren’t conscious of any knowledge being launched as we speak up to now,” Pitts mentioned. “That doesn’t imply the risk is over. They may launch no matter knowledge they’ve at any time. We now have no management over that. We now have not paid any ransom. Nor has any ransom been paid on our behalf.”

Brett Callow, a risk analyst with the safety agency Emsisoft, mentioned LockBit seemingly misplaced all the sufferer knowledge it stole earlier than the FBI/NCA seizure, and that it has been making an attempt madly since then to avoid wasting face throughout the cybercrime group.

“I believe it was a case of them making an attempt to persuade their associates that they have been nonetheless in good condition,” Callow mentioned of LockBit’s current actions. “I strongly suspect this would be the finish of the LockBit model.”

Others have come to an identical conclusion. The safety agency RedSense posted an evaluation to Twitter/X that after the takedown, LockBit revealed a number of “new” sufferer profiles for firms that it had listed weeks earlier on its sufferer shaming website. These sufferer companies — a healthcare supplier and main securities lending platform — additionally have been unceremoniously faraway from LockBit’s new shaming web site, regardless of LockBit claiming their knowledge can be leaked.

“We’re 99% positive the remainder of their ‘new victims’ are additionally pretend claims (outdated knowledge for brand spanking new breaches),” RedSense posted. “So the most effective factor for them to do can be to delete all different entries from their weblog and cease defrauding sincere individuals.”

Callow mentioned there actually have been loads of circumstances prior to now the place ransomware gangs exaggerated their plunder from a sufferer group. However this time feels totally different, he mentioned.

“It’s a bit uncommon,” Callow mentioned. “That is about making an attempt to nonetheless associates’ nerves, and saying, ‘All is effectively, we weren’t as badly compromised as regulation enforcement prompt.’ However I believe you’d must be a idiot to work with a company that has been so completely hacked as LockBit has.”