Fulton County, Safety Consultants Name LockBit’s Bluff – Krebs on Safety

The ransomware group LockBit informed officers with Fulton County, Ga. they may count on to see their inside paperwork revealed on-line this morning except the county paid a ransom demand. LockBit eliminated Fulton County’s itemizing from its sufferer shaming web site this morning, claiming the county had paid. However county officers mentioned they didn’t pay, nor did anybody make cost on their behalf. Safety specialists say LockBit was probably bluffing and possibly misplaced many of the information when the gang’s servers had been seized this month by U.S. and U.Okay. legislation enforcement.

LockBit listed Fulton County as a sufferer on Feb. 13, saying that except it was paid a ransom the group would publish recordsdata stolen in a breach on the county final month. That assault disrupted county telephones, Web entry and even their court docket system. LockBit leaked a small variety of the county’s recordsdata as a teaser, which appeared to incorporate delicate and sealed court docket information in present and previous legal trials.

On Feb. 16, Fulton County’s entry — together with a countdown timer till the info could be revealed — was faraway from the LockBit web site with out clarification. The chief of LockBit informed KrebsOnSecurity this was as a result of Fulton County officers had engaged in last-minute negotiations with the group.

However on Feb. 19, investigators with the FBI and the U.Okay.’s Nationwide Crime Company (NCA) took over LockBit’s on-line infrastructure, changing the group’s homepage with a seizure discover and hyperlinks to LockBit ransomware decryption instruments.

In a press briefing on Feb. 20, Fulton County Fee Chairman Robb Pitts informed reporters the county didn’t pay a ransom demand, noting that the board “couldn’t in good conscience use Fulton County taxpayer funds to make a cost.”

Three days later, LockBit reemerged with new domains on the darkish net, and with Fulton County listed amongst a half-dozen different victims whose information was about to be leaked in the event that they refused to pay. Because it does with all victims, LockBit assigned Fulton County a countdown timer, saying officers had till late within the night on March 1 till their information was revealed.

LockBit quickly moved up the deadline to the morning of Feb. 29. As Fulton County’s LockBit timer was counting all the way down to zero this morning, its itemizing disappeared from LockBit’s web site. LockBit’s chief and spokesperson, who goes by the deal with “LockBitSupp,” informed KrebsOnSecurity as we speak that Fulton County’s information disappeared from their web site as a result of county officers paid a ransom.

“Fulton paid,” LockBitSupp mentioned. When requested for proof of cost, LockBitSupp claimed. “The proof is that we deleted their information and didn’t publish it.”

However at a press convention as we speak, Fulton County Chairman Robb Pitts mentioned the county doesn’t know why its information was faraway from LockBit’s web site.

“As I stand right here at 4:08 p.m., we aren’t conscious of any information being launched as we speak thus far,” Pitts mentioned. “That doesn’t imply the risk is over. They may launch no matter information they’ve at any time. We’ve no management over that. We’ve not paid any ransom. Nor has any ransom been paid on our behalf.”

Brett Callow, a risk analyst with the safety agency Emsisoft, mentioned LockBit probably misplaced all the sufferer information it stole earlier than the FBI/NCA seizure, and that it has been attempting madly since then to save lots of face throughout the cybercrime group.

“I feel it was a case of them attempting to persuade their associates that they had been nonetheless in fine condition,” Callow mentioned of LockBit’s latest actions. “I strongly suspect this would be the finish of the LockBit model.”

Others have come to the same conclusion. The safety agency RedSense posted an evaluation to Twitter/X that after the takedown, LockBit revealed a number of “new” sufferer profiles for firms that it had listed weeks earlier on its sufferer shaming web site. These sufferer corporations — a healthcare supplier and main securities lending platform — additionally had been unceremoniously faraway from LockBit’s new shaming web site, regardless of LockBit claiming their information could be leaked.

“We’re 99% positive the remainder of their ‘new victims’ are additionally pretend claims (previous information for brand spanking new breaches),” RedSense posted. “So the very best factor for them to do could be to delete all different entries from their weblog and cease defrauding trustworthy individuals.”

Callow mentioned there definitely have been loads of instances up to now the place ransomware gangs exaggerated their plunder from a sufferer group. However this time feels totally different, he mentioned.

“It’s a bit uncommon,” Callow mentioned. “That is about attempting to nonetheless associates’ nerves, and saying, ‘All is properly, we weren’t as badly compromised as legislation enforcement steered.’ However I feel you’d need to be a idiot to work with a corporation that has been so completely hacked as LockBit has.”