The FBI’s takedown of the LockBit ransomware group last week came as LockBit was preparing to release sensitive data stolen from government computer systems in Fulton County, Ga. But LockBit is now regrouping, and the gang says it will publish the stolen Fulton County data on March 2 unless paid a ransom. LockBit claims the cache includes documents tied to the county’s ongoing criminal prosecution of former President Trump, but court watchers say teaser documents published by the crime gang suggest a total leak of the Fulton County data could put lives at risk and jeopardize a number of other criminal trials.
In early February, Fulton County leaders acknowledged they were responding to an intrusion that caused disruptions for its phone, email and billing systems, as well as a range of county services, including court systems.
On Feb. 13, the LockBit ransomware group posted on its victim shaming blog a new entry for Fulton County, featuring a countdown timer saying the group would publish the data on Feb. 16 unless county leaders agreed to negotiate a ransom.
“We will demonstrate how local structures negligently handled information protection,” LockBit warned. “We will reveal lists of individuals responsible for confidentiality. Documents marked as confidential will be made publicly available. We will show documents related to access to the state citizens’ personal data. We aim to give maximum publicity to this situation; the documents will be of interest to many. Conscientious residents will bring order.”
Yet on Feb. 16, the entry for Fulton County was removed from LockBit’s site without explanation. This usually only happens after the victim in question agrees to pay a ransom demand and/or enters into negotiations with their extortionists.
However, Fulton County Commission Chairman Robb Pitts said the board decided it “could not in good conscience use Fulton County taxpayer funds to make a payment.”
“We did not pay nor did anyone pay on our behalf,” Pitts said at an incident briefing on Feb. 20.
Just hours before that press conference, LockBit’s various websites were seized by the FBI and the U.K.’s National Crime Agency (NCA), which replaced the ransomware group’s homepage with a seizure notice and used the existing design of LockBit’s victim shaming blog to publish press releases about the law enforcement action.
Dubbed “Operation Cronos,” the effort involved the seizure of nearly three dozen servers; the arrest of two alleged LockBit members; the release of a free LockBit decryption tool; and the freezing of more than 200 cryptocurrency accounts thought to be tied to the gang’s activities. The government says LockBit has claimed more than 2,000 victims worldwide and extorted over $120 million in payments.
UNFOLDING DISASTER
In a lengthy, rambling letter published on Feb. 24 and addressed to the FBI, the ransomware group’s leader LockBitSupp announced that their victim shaming websites were once again operational on the dark web, with fresh countdown timers for Fulton County and a half-dozen other recent victims.
“The FBI decided to hack now for one reason only, because they didn’t want to leak information fultoncountyga.gov,” LockBitSupp wrote. “The stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”
LockBit has already released roughly two dozen files allegedly stolen from Fulton County government systems, although none of them involve Mr. Trump’s criminal trial. But the documents do appear to include court records that are sealed and shielded from public viewing.
George Chidi writes The Atlanta Objective, a Substack publication on crime in Georgia’s capital city. Chidi says the leaked data so far includes a sealed record related to a child abuse case, and a sealed motion in the murder trial of Juwuan Gaston demanding the state turn over confidential informant identities.
Chidi cites reports from a Fulton County employee who said the confidential material includes the identities of jurors serving on the trial of the rapper Jeffery “Young Thug” Williams, who is charged along with five other defendants in a racketeering and gang conspiracy.
“The screenshots suggest that hackers will be able to give any attorney defending a criminal case in the county a starting point to argue that evidence has been tainted or witnesses intimidated, and that the release of confidential information has compromised cases,” Chidi wrote. “Judge Ural Glanville has, I’m told by staff, been working feverishly behind the scenes over the last two weeks to manage the unfolding disaster.”
LockBitSupp also denied assertions made by the U.K.’s NCA that LockBit did not delete stolen data as promised when victims agreed to pay a ransom. The accusation is an explosive one because nobody will pay a ransom if they don’t believe the ransomware group will hold up its end of the bargain.
The ransomware group leader also confirmed information first reported here last week, that federal investigators managed to hack LockBit by exploiting a known vulnerability in PHP, a scripting language that is widely used in Web development.
“Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time,” LockBitSupp wrote. “As a result of which access was gained to the two main servers where this version of PHP was installed.”
LockBitSupp’s FBI letter said the group stored copies of its stolen victim data on servers that did not use PHP, and that consequently it was able to retain copies of files stolen from victims. The letter also listed links to multiple new instances of LockBit dark web websites, including the leak page listing Fulton County’s new countdown timer.
“Even after the FBI hack, the stolen data will be published on the blog, there is no chance of destroying the stolen data without payment,” LockBitSupp wrote. “All FBI actions are aimed at destroying the reputation of my affiliate program, my demoralization, they want me to leave and quit my job, they want to scare me because they cannot find and eliminate me, I cannot be stopped, you cannot even hope, as long as I am alive I will continue to do pentest with postpaid.”
DOX DODGING
In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadn’t offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head: $10 million to anyone who could discover his real name.
After the NCA and FBI seized LockBit’s website, the group’s homepage was retrofitted with a blog entry titled, “Who is LockBitSupp? The $10M question.” The teaser made use of LockBit’s own countdown timer, and suggested the real identity of LockBitSupp would soon be revealed.
However, after the countdown timer expired the page was replaced with a taunting message from the feds, but it included no new information about LockBitSupp’s identity.
On Feb. 21, the U.S. Department of State announced rewards totaling up to $15 million for information leading to the arrest and/or conviction of anyone participating in LockBit ransomware attacks. The State Department said $10 million of that is for information on LockBit’s leaders, and up to $5 million is available for information on affiliates.
In an interview with the malware-focused Twitter/X account Vx-Underground, LockBit staff asserted that authorities had arrested a couple of small-time players in their operation, and that investigators still do not know the real-life identities of the core LockBit members, or that of their leader.
“They assert the FBI / NCA UK / EUROPOL do not know their information,” Vx-Underground wrote. “They state they are willing to double the bounty of $10,000,000. They state they will place a $20,000,000 bounty on their own head if anyone can dox them.”
TROUBLE ON THE HOMEFRONT?
In the weeks leading up to the FBI/NCA takedown, LockBitSupp became embroiled in a number of high-profile personal and business disputes on the Russian cybercrime forums.
Earlier this year, someone used LockBit ransomware to infect the networks of AN-Security, a venerated 30-year-old security and technology company based in St. Petersburg, Russia. This violated the golden rule for cybercriminals based in Russia and the former Soviet nations that make up the Commonwealth of Independent States, which is that attacking your own citizens in those countries is the surest way to get arrested and prosecuted by local authorities.
LockBitSupp later claimed the attacker had used a publicly leaked, older version of LockBit to compromise systems at AN-Security, and said the attack was an attempt to smear their reputation by a rival ransomware group known as “Clop.” But the incident no doubt prompted closer inspection of LockBitSupp’s activities by Russian authorities.
Then in early February, the administrator of the Russian-language cybercrime forum XSS said LockBitSupp had threatened to have him killed after the ransomware group leader was banned by the community. LockBitSupp was excommunicated from XSS after he refused to pay an arbitration amount ordered by the forum administrator. That dispute related to a complaint from another forum member who said LockBitSupp recently stiffed him on his promised share of an unusually large ransomware payout.
INTERVIEW WITH LOCKBITSUPP
KrebsOnSecurity sought comment from LockBitSupp at the ToX instant messenger ID listed in his letter to the FBI. LockBitSupp declined to elaborate on the unreleased documents from Fulton County, saying the files will be available for everyone to see in a few days.
LockBitSupp said his team was still negotiating with Fulton County when the FBI seized their servers, which is why the county has been granted a time extension. He also denied threatening to kill the XSS administrator.
“I have not threatened to kill the XSS administrator, he is blatantly lying, this is to cause self-pity and damage my reputation,” LockBitSupp told KrebsOnSecurity. “It is not necessary to kill him to punish him, there are more humane methods and he knows what they are.”
Asked why he was so certain the FBI doesn’t know his real-life identity, LockBitSupp was more precise.
“I’m not sure the FBI doesn’t know who I am,” he said. “I just believe they will never find me.”
It seems unlikely that the FBI’s seizure of LockBit’s infrastructure was somehow an effort to stave off the disclosure of Fulton County’s data, as LockBitSupp maintains. For one thing, Europol said the takedown was the result of a months-long infiltration of the ransomware group.
Also, in reporting on the attack’s disruption to the office of Fulton County District Attorney Fani Willis on Feb. 14, CNN reported that by then the intrusion by LockBit had persisted for nearly two and a half weeks.
Finally, if the NCA and FBI really believed that LockBit never deleted victim data, they had to assume LockBit would still have at least one copy of all their stolen data hidden somewhere safe.