Hackers threaten to release Trump documents from Georgia case if they don't get a ransom by Thursday
The group that hacked the Atlanta-area government websites claims it has Trump documents that could affect the 2024 presidential election.
- Hackers set a ransom deadline of Thursday morning to release Fulton County court documents.
- They claim the documents include a cache of files related to the criminal case against Donald Trump.
- An international law enforcement raid took them down earlier this month, but they appeared to quickly recover.
The hacking group responsible for taking down Fulton County's websites in Georgia is threatening to publish documents from the government's court system — including ones related to the criminal case against Donald Trump — unless it gets paid a ransom.
In a message posted online Saturday, in both English and Russian, the hacking group called LockBit 3.0 said the stolen documents "contain a lot of interesting things and Donald Trump's court cases that could affect the upcoming US election."
Initially, LockBit 3.0 set a Saturday, March 2 deadline for payment, according to the cybersecurity reporter Christopher Krebs.
It has since moved up that deadline to 8:49 a.m. Eastern time on Thursday, February 29, LockBit's 3.0's restored website shows.
It's not clear how much money the group is demanding. The hacking group's demands are often negotiated in private, according to Dan Schiappa, the chief product officer at the cybersecurity firm Arctic Wolf.
The group — led by a hacker using the pseudonym LockBitSupp — appeared to become operational again over the weekend after a February 20 law enforcement raid. A group of agencies, including the FBI and the United Kingdom's National Crime Agency, took down 34 of its servers and changed its website to a series of messages bragging about the law enforcement operation. The same day, the US Department of Justice unsealed an indictment accusing two Russian nationals of being involved in the group's hacking operations.
By Saturday, LockBit 3.0 was back.
On a new website, the group posted a new message claiming that it had backup copies of documents taken from the Fulton County government's website, and renewing ransom demands.
The post claimed that the FBI acted so quickly because the leak of documents in Trump's criminal case would affect the 2024 presidential election — although court documents show that the FBI's investigation into LockBit 3.0 and coordination with international law enforcement agencies has been ongoing for years. It characterized its relationship with the FBI as a sort of romantic rivalry, promising to hack more government websites in the future.
"Personally I will vote for Trump because the situation on the border with Mexico is some kind of nightmare, Biden should retire, he is a puppet," the message says.
LockBit works with affiliates to hack companies and government agencies
LockBit 3.0's targets go far beyond just the Fulton County government.
As of Wednesday, it had ongoing ransom demands for 11 different companies on its website in addition to the one for Fulton County. Over the years, the hacking group has targeted over 2,000 victims and obtained over $120 million in ransom funds, according to the Justice Department. Its targets in recent years include Boeing, the United Kingdom's mail service, Britain's nationalized healthcare system, and the state-owned Industrial and Commercial Bank of China.
The group doesn't always conduct hacks itself, according to law enforcement agencies. It operates on a service model, where it develops sophisticated ransomware hacking tools and leases them out to other hackers to deploy against targets, taking a cut of the ransom.
It's not clear which other affiliate organizations LockBit 3.0 is working with for the Fulton County hack. LockBit 3.0 has claimed to be "completely apolitical" in the past, according to Oz Alashe the CEO and founder of the cybersecurity firm CybSafe. But it is also deeply involved in the Russian cybercrime scene, according to Krebs on Security. Because it works with so many different affiliates, its own organization's motives are hard to discern, Alashe told Business Insider.
"Even if one could discern the organization's motives outside of the obvious financial one, the same cannot be said for all its partners and affiliates," Alashe said.
Alashe said that LockBit's more overt political messages — taking a shot at Biden and expressing support for Trump — shouldn't necessarily be taken literally.
"It's always difficult to discern the meaning of messages like the one published by LockBit on Saturday," he said. "Whether the declaration of support for Trump is genuine, posturing aimed at taunting what they see as 'strong competitors and the FBI,' or even an attempt to grab headlines, we don't know."
Authorities appeared to negotiate with hackers earlier
Fulton County's computer systems were taken down in a hack on January 27, leaving some of its services down for weeks. Its court website still isn't fully operational. Officials have put up a separate webpage with filings in the case for the public to access in lieu of the official court docket.
The hack has taken a national resonance in part because of the charges against Trump. Fulton County District Attorney Fani Willis has accused the former president of forming an illegal racketeering conspiracy with more than a dozen other allies to overturn the results of the 2020 election in Georgia. Trump has pleaded not guilty to the charges against him; several codefendants have pleaded guilty to their own charges.
It's not clear whether LockBit is in possession of any court documents in the Trump case that are not already part of the public record. George Chidi, an Atlanta-based independent journalist, reported earlier in February that a sampling of files published by LockBit includes sealed court records in other, unrelated cases.
A Fulton County court administration spokesperson declined to comment.
The earlier countdown timer, which had been set for February 16, disappeared from LockBit's site that day without offering a link to download files from the hack. Such removals normally happen when extortion targets pay ransom, or are in negotiations to pay it, according to Krebs.
Schiappa, the Arctic Wolf executive, told Business Insider that there was nothing usual about the situation. LockBit might be trying anything to keep its credibility with its hacking affiliate organizations in the wake of the law enforcement raid earlier this month, he said.
"Lockbit built its image on being loud and garnering the attention of other groups that wanted assurance that they could conduct business with them unhindered," Schiappa told Business Insider. "The law enforcement action presents a threat to that narrative. The more attention that the group can focus on anything other than the fact that their image was compromised by law enforcement, the more likely that they will be able to salvage their image with affiliates and continue operations."
At a press conference on February 20, Fulton County Commission Chair Robb Pitts said no ransom was paid.
"We did not pay, nor did anyone pay on our behalf," Pitts said during the briefing.
In Saturday's message, LockBit said its "partner" was in "negotiations" over the ransom, but that they had "stalled." Pitts didn't respond to Business Insider's requests for comment.
On Tuesday, county officials told the Atlanta Journal-Constitution that it would not pay a ransom.
"Our focus remains on safely restoring services for our citizens and we continue to work in close coordination with law enforcement," a county spokesperson said in a statement.
Representatives from the FBI did not respond to Business Insider's request for comment.
Although LockBit 3.0 appeared to recover from the law enforcement takedown earlier this month, its reputation has been severely damaged, Schiappa said. Its grandstanding messages about the FBI may be a way to shore that up.
"We expect that LockBit will suffer consequences from this law enforcement action," Schiappa said. "Their attempts to establish new partnerships will be challenging with the cloud of this takedown looming over them and tarnishing their reputation."
The renewed ransom threat comes as Willis's investigation is beleaguered by a series of heated hearings playing out in a Fulton County courtroom.
A judge is hearing testimony from several of her associates — and Willis herself — over the question of whether the district attorney had an improper relationship with a prosecutor she hired to work on the Trump case.
The judge may decide to remove Willis from the case, which would be a significant setback for the prosecution.
What's Your Reaction?