This week, the notorious ransomware gang known as LockBit threatened a kind of disruption that would have been a first even for a criminal industry that’s crippled hospitals and triggered the shutdown of a gas pipeline: leaking documents from the criminal prosecution of a former president and presidential candidate. Then, without explanation, that threat evaporated, leaving plenty of unanswered questions behind.

For the last five days, LockBit promised on its dark web site to publish data stolen from the Fulton County, Georgia, government, which it listed as one of its extortion victims, unless the county paid an unspecified ransom. One administrator for the group went so far as to post the specific threat of releasing documents related to Fulton County’s high-profile prosecution of Donald Trump: Fulton County’s Superior Court is the venue where Trump, the Republican presidential frontrunner, stands accused of a criminal conspiracy to interfere in the 2020 election.

Yet when the hacker group’s own deadline for that leak arrived, no documents appeared. Instead, LockBit mysteriously removed any mention of it from its website, leaving unanswered whether the Fulton County government paid its ransom, whether the group still holds any of the court’s documents—or whether it ever did in the first place. “This is an odd one,” says Jon DiMaggio, a ransomware-focused researcher and chief security strategist at cybersecurity firm Analyst1.

The ransomware crew’s threat, before it vanished, had been dramatically timed: It followed a coordinated law enforcement takedown operation targeting LockBit just last week. Known as Operation Cronos and led by the UK’s National Crime Agency, the operation took control of much of LockBit’s infrastructure, seized hundreds of its cryptocurrency wallets, tore down the dark web sites it uses in its extortion campaigns, and even claimed to have compromised some of its members and partners.

Just days later, however, LockBit managed to launch a new dark web site, where it posted a list of victims along with countdown timers for each, representing their deadline to pay a ransom before the hackers leaked their stolen data. The deadline for the Fulton County documents had been set for February 29 at 1:49 pm UTC.

On that relaunched site, one LockBit administrator also posted a lengthy screed accusing the FBI of timing the takedown specifically to prevent the release of the Trump-related Fulton County court documents—and promising to release them despite the bust if Fulton County didn’t pay. “The FBI decided to hack now for one reason only, because they didn’t want to leak information from [the Fulton County government website],” the LockBit administrator wrote. “The stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”

The hacking-related paralysis of Fulton County’s government, at least, seems to be very real: By its own admission, the county government is facing a serious and ongoing network disruption that looks very much like a ransomware attack. The website for Fulton County’s government has noted in an alert on its homepage for nearly a week that it’s “experiencing an unexpected IT outage currently affecting multiple systems,” and that systems related to everything from phone lines to tax collection to courts had been affected. An official who picked up the phone at the county’s publicly listed phone line tells WIRED the outage had begun as early as late January. But a county government spokesperson declined a request for more information on the attack.

The LockBit hackers also posted some convincing sample documents that appeared to have been stolen from the Fulton County court systems prior to the takedown last week, according to Georgia-based reporter George Chidi, who wrote about the incident earlier this month. Chidi reported seeing documents that included court files and even documents under seal in specific cases, though none appeared to be related to Donald Trump’s prosecution.

Then on Wednesday, just hours before LockBit’s deadline for the county to pay its ransom expired, the countdown timer for that leak on LockBit’s website froze, with an added line of text that read, “Timer stopped.” At the promised time of 1:49 pm UTC Thursday, the leak failed to materialize. Instead, all mention of Fulton County was removed from LockBit’s extortion threat site.

That mysterious disappearance leaves the looming question of whether Fulton County paid LockBit’s ransom. Fulton County officials didn’t respond to multiple inquiries from WIRED asking whether the county had paid the hackers, or how much.

Just as likely, however, is that LockBit is bluffing in some sense—that it either doesn’t have the goods it claims or isn’t yet ready to give up on its extortion demand. Robert McArdle, a researcher who leads a cybercrime-focused research team at security firm Trend Micro and was involved in the law enforcement operation against LockBit, says the group’s thus-far empty threat is a sign that it was likely more disrupted by the bust than it wants to admit. “This appears to be further evidence of the difficulties facing LockBit ever since Op Cronos took place, and should be considered as a sign they are unable to reliably follow through on their statements,” says McArdle. He points out that the victims listed on the group’s new dark web site were all compromised prior to Operation Cronos, and that continuing to threaten them is the group’s attempt to “appear as if everything is normal when most evidence points very much to the contrary.”

There remain other theories, however, that LockBit might still possess the court’s data but be seeking to use it in some other way. “They generally don’t lie about victims because they’re so worried about their reputation,” says Analyst1’s DiMaggio. He notes that the decision to take down the leak threat may have been made by the “affiliate” hackers who partner with LockBit to penetrate victims like Fulton County and who may have different motivations from LockBit itself.

If Fulton County documents do remain in the hands of hackers, and if any of them relate to the Trump case, they could further complicate an already deeply messy trial. The state’s case has already been rocked by allegations that the prosecutor in the case, Fulton County district attorney Fani Willis, had an improper affair with another prosecutor involved in Trump’s prosecution, which the defense has argued should require her dismissal. The compromise of non-public documents in the case could make the proceedings—and the upcoming US presidential election—even more chaotic.

“We’re watching with interest to see how the Fulton leak develops,” Trend Micro’s McArdle says. So, no doubt, will the US political sphere—including a certain former president.

Additional reporting by Matt Burgess.
Source: wired.com