Hackers threaten to release Trump documents from Georgia case if they don't get a ransom by Thursday
Hackers set a ransom deadline of Thursday morning to release Fulton County court documents.
They claim the documents include files related to the criminal case against Donald Trump.
The hacking group was shut down by law enforcement earlier this month, but they appear to be back up.
The hacking group responsible for taking down Fulton County's websites in Georgia is threatening to publish documents from the state's court system — including ones related to the criminal case against Donald Trump — unless it gets paid a ransom.
In a message posted online Saturday, in both English and Russian, the hacking group called LockBit said the stolen documents "contain a lot of interesting things and Donald Trump's court cases that could affect the upcoming US election."
Initially, LockBit set a Saturday, March 2, deadline for the payment, according to the cybersecurity reporter Brian Krebs.
It has since moved up that deadline to 8:49 a.m. ET on Thursday, February 29, LockBit's restored website shows.
It's not clear how much money the group is demanding. The hacking group's demands are often negotiated in private, Dan Schiappa, the chief product officer at the cybersecurity firm Arctic Wolf, said.
The group — led by a hacker using the pseudonym LockBitSupp — appeared to become operational again over the weekend after a February 20 law-enforcement raid. A group of agencies, including the FBI and the United Kingdom's National Crime Agency, took down 34 of its servers and changed its website to a series of messages bragging about the law-enforcement operation. The same day, the US Department of Justice unsealed an indictment accusing two Russian nationals of being involved in the group's hacking operations.
By Saturday, LockBit was back.
On a new website, the group posted a message claiming it had backup copies of documents taken from the Fulton County government's website. It also renewed its ransom demands.
The post claimed that the FBI acted quickly because the leak of documents in Trump's criminal case could affect the 2024 presidential election — although court documents show that the FBI's investigation into LockBit and its coordination with international law-enforcement agencies have been ongoing for years. It characterized LockBit's relationship with the FBI as a sort of romantic rivalry and promised that the group would hack more government websites in the future.
"Personally I will vote for Trump because the situation on the border with Mexico is some kind of nightmare, Biden should retire, he is a puppet," the message said.
LockBit works with affiliates to hack companies and government agencies
LockBit's targets go far beyond just the Fulton County government.
As of Wednesday, it had ongoing ransom demands for 11 different companies on its website in addition to the one for Fulton County. Over the years, the hacking group has targeted over 2,000 victims and obtained over $120 million in ransom funds, according to the Justice Department. Its targets in recent years include Boeing, the UK's National Health Service and Royal Mail, and the state-owned Industrial and Commercial Bank of China.
The group doesn't always conduct hacks itself, according to law-enforcement agencies. It operates on a service model, in which it develops sophisticated ransomware hacking tools and leases them out to other hackers to deploy against targets, taking a cut of the ransom.
It's not clear which other organizations may be working with LockBit on the Fulton County hack. LockBit has claimed to be "completely apolitical" in the past, Oz Alashe, the CEO and founder of the cybersecurity firm CybSafe, said. But it is also deeply involved in the Russian cybercrime scene, Krebs said. Because it works with so many different affiliates, its motives are hard to discern, Alashe told Business Insider.
"Even if one could discern the organization's motives outside of the obvious financial one, the same cannot be said for all its partners and affiliates," Alashe said.
Alashe said that LockBit's more overt political messages — taking a shot at Biden and expressing support for Trump — shouldn't necessarily be taken literally.
"It's always difficult to discern the meaning of messages like the one published by LockBit on Saturday," he said. "Whether the declaration of support for Trump is genuine, posturing aimed at taunting what they see as 'strong competitors and the FBI,' or even an attempt to grab headlines, we don't know."
Authorities appeared to negotiate with hackers earlier
Fulton County's computer systems were taken down in a hack on January 27, leaving some of its services down for weeks. Its court website still isn't fully operational. Officials have put up a separate web page with filings in the case for the public to access in lieu of the official court docket.
The hack has resonated nationally because of the charges against Trump. Fulton County District Attorney Fani Willis has charged the former president and more than a dozen of his allies with racketeering in connection to the attempt to overturn the results of the 2020 federal election in Georgia. Trump has pleaded not guilty to the charges against him; several codefendants have pleaded guilty to their own charges.
It's not clear whether LockBit is in possession of any court documents in the Trump case that are not already part of the public record. George Chidi, an Atlanta-based independent journalist, reported earlier this month that a sampling of files published by LockBit includes sealed court records in other unrelated cases.
A Fulton County court administration spokesperson declined to comment.
The earlier countdown timer, which had been set for February 16, disappeared from LockBit's site that day without offering a link to download files from the hack. Such removals normally happen when extortion targets pay ransom or are in negotiations to pay it, Krebs said.
Schiappa, the Arctic Wolf executive, told Business Insider that there was nothing usual about the situation. LockBit might be attempting to maintain its credibility with its hacking affiliate organizations in the wake of the law-enforcement raid earlier this month, he said.
"LockBit built its image on being loud and garnering the attention of other groups that wanted assurance that they could conduct business with them unhindered," Schiappa told Business Insider. "The law-enforcement action presents a threat to that narrative. The more attention that the group can focus on anything other than the fact that their image was compromised by law enforcement, the more likely that they will be able to salvage their image with affiliates and continue operations."
At a press conference on February 20, Robb Pitts, the Fulton County commission chair, said no ransom was paid.
"We did not pay, nor did anyone pay on our behalf," Pitts said during the briefing.
In Saturday's message, LockBit said its "partner" was in "negotiations" over the ransom, but they had "stalled." Pitts didn't respond to requests for comment from Business Insider.
On Tuesday, county officials told the Atlanta Journal-Constitution that the county would not pay a ransom.
"Our focus remains on safely restoring services for our citizens and we continue to work in close coordination with law enforcement," a county spokesperson said in a statement.
An FBI representative declined to comment.
Although LockBit appeared to recover from the law-enforcement takedown earlier this month, its reputation has been severely damaged, Schiappa said. Its grandstanding messages about the FBI may be a way to shore that up.
"We expect that LockBit will suffer consequences from this law-enforcement action," Schiappa said. "Their attempts to establish new partnerships will be challenging with the cloud of this takedown looming over them and tarnishing their reputation."
The renewed ransom threat comes as Willis' investigation is beleaguered by a series of hearings playing out in a Fulton County courtroom.
A judge is hearing testimony from several of her associates — and Willis herself — over the question of whether the district attorney had an improper relationship with a prosecutor she hired to work on the Trump case.
The judge may decide to remove Willis from the case, which would be a significant setback for the prosecution.
This story has been updated.
Correction: February 28, 2024 — An earlier version of this story misidentified a cybersecurity reporter in the story. His name is Brian Krebs, not Christopher Krebs.