Georgia’s largest county is still trying to repair the damage done to the government a month ago by hackers who cut off office phone lines, prevented clerks from issuing vehicle registrations or marriage licenses and threatened to publicly release sensitive data they claimed to have stolen unless officials paid a ransom.
The ransomware syndicate LockBit claimed credit in late January for the cyberattack that temporarily crippled government services in Fulton County, which includes most of Atlanta. The group demanded payment and threatened to dump data online, including personal details of residents. It also claimed to have stolen data related to the county’s ongoing criminal case against former President Donald Trump.
To increase the likelihood of payment, ransomware groups routinely steal data before activating network-encrypting malware. Some cybersecurity analysts wondered whether the Fulton County hackers actually had Trump-related files.
The hackers’ deadline expired Thursday, less than two weeks after law enforcement agencies in Europe and the U.S. announced they had disrupted LockBit’s operations, seized the group’s systems and arrested two people abroad.
Shortly after its takedown, LockBit resurfaced on the dark web and renewed its threat against Fulton County. But after the deadline passed, no stolen data was released and county officials refused to pay.
“We are not aware of any data being released today as of yet,” Fulton County Commission Chairman Robb Pitts told reporters Thursday afternoon. “That doesn’t mean the threat is over by any means. And they can release any data they have at any time. time – today, tomorrow or sometime in the future.”
Pitts said county officials are still working to restore phone service and online systems that are still not working more than a month later, although all county offices have reopened and resumed service to residents at least to some extent.
“We paid no ransom and no ransom was paid on our behalf,” said Pitts, who declined to answer questions after his brief statement.
A Fulton County spokesperson did not immediately respond to an email message Friday seeking further updates.
The cyberattack occurred as Fulton County District Attorney Fani Willis prosecuted a racketeering case against Trump and others for their efforts to overturn the results of Georgia’s 2020 presidential election.
While the hackers disrupted courthouse services by taking the online legal filing system offline, Willis said the case against Trump remained unaffected.
“All materials related to the election case are maintained in a separate, highly secure system that has not been compromised and is designed to make unauthorized access extremely difficult, if not impossible,” Willis’ office said in a statement on Jan. 30 .
LockBit was among the most prolific ransomware syndicates in the world when it was seriously disrupted in late February by an international law enforcement consortium that included the FBI. Following the takedown, which many cybersecurity experts believe marks the end of LockBit, a spokesperson for the group issued a lengthy statement claiming it had not been as seriously affected as authorities had said.
LockBit’s spokesperson claimed the takedown was motivated by the FBI’s desire to prevent the leak of information stolen from Fulton County, including “many interesting things and Donald Trump’s lawsuits that could impact the upcoming US elections .”
One cybersecurity expert said that claim was likely unfounded and that LockBit, a Russian-speaking operation tolerated by the Kremlin, may never have had such documents.
“I think the claims are fake,” said Yelisey Bohuslavskiy, chief research officer at cybersecurity firm Red Sense.
He said that over the past three years, LockBit has falsified and exaggerated claims of data theft, even publishing data obtained by others as if it was their work.
Another possibility is that LockBit lost access to stolen data due to the disruption by law enforcement, ransomware analyst Brett Callow of the cybersecurity firm Emsisoft said in a post on X, formerly Twitter.
LockBit is said to have extracted $120 million from thousands of victims since it launched in 2019. It was responsible for 23% of the nearly 4,000 attacks worldwide last year in which ransomware gangs posted stolen data to extort payment, according to cybersecurity firm Palo Alto Networks. .
Cybersecurity experts believe that LockBit as a brand may now be in its death throes, but could easily reemerge under a new name with the same core members, as happened with previous ransomware groups that came under heavy pressure from law enforcement.
LockBit and other ransomware syndicates are compartmentalized operations. Outside of the core group that rents out the malware and maintains the infection infrastructure, there are so-called affiliates that manage the hacking, malware activation, and negotiations and rake in the majority of the profits.
In Fulton County, officials reported widespread disruptions following the cyberattack over the weekend of January 27. County police were unable to file incident reports and the sheriff’s office had to rely on paper forms to process inmates. Residents were unable to pay county utility bills online or use the internet to access property records. Clerks could not issue marriage certificates and firearms permits.
“We are working to restore all of Fulton County’s systems and make some progress,” Pitts, the county chairman, said Thursday.
County officials said last week that their online system for paying water bills had been restored, but not for paying property taxes. County email systems were back online and more than half of the phone lines in county offices were working.
___ Bynum reported from Savannah, Georgia. Bajak reported from Boston.
