Did Fulton County pay in the ransomware attack?

Russian hackers launch major cyberattack

Did hackers get a ransom payment to refrain from releasing data they stole from Fulton County?

Ever since Fulton County data disappeared from a hackers’ site on the dark web early Friday morning, county officials have remained silent on whether cyberattackers were paid a ransom.

But outside cybersecurity experts tell The Atlanta Journal-Constitution that, while it is not known if a ransom was paid, it looks likely that the attackers were paid off, probably through the county’s security insurance.

Fulton’s External Affairs department did not respond to questions about the possible ransom payment Friday. On Monday, county offices were closed for Presidents’ Day.

Public announcements of such ransom payments are rare and often low-key, but that doesn’t mean they’re uncommon, said Doug Milburn, founder and president of Canadian security software firm 45Drives.

“Paying up is what happens,” he said. “It’s really the only option.”

A payment through cybersecurity insurance doesn’t require further formal action by the government, since it involves no appropriation of funds beyond the regular insurance premium, Milburn said.

Payments in Bitcoin are now the standard for ransomware attacks, he said.

Notorious hacking group LockBit claimed responsibility for the attack, which took down many county systems the weekend of Jan. 27.

In a posting on the dark web, LockBit hackers set a deadline of 12:47 a.m. Friday for the county to prevent release of sensitive data. No ransom was specified, but county officials confirmed last week that the attack was ransomware, meaning a demand may have been sent privately to the county.

The hackers posted more than two dozen screenshots of apparently stolen data; some of it was of documents available to the public, but other posts seemed to be from the inner workings of county computer systems.

As the deadline passed Friday, the countdown clock disappeared, followed by the screenshots. Yet LockBit hackers posted deadlines for new targets, and expired posts on other previous victims remained up.

Jack Danahy, vice president of Strategy & Innovation for Vermont-based cybersecurity firm NuHarbor Security, said it looks to him like “some agreement” was reached with the attackers, judging by county officials’ vague but shifting descriptions of the situation over the past three weeks. Commissioners twice went into closed-door executive sessions recently, only to come out without taking any official action or answering questions.

“Given that the LockBit group’s threat to reveal information has been taken down, and that there has been no broad publication of stolen data, to me it seems more probable that the ransom has been paid,” he said. “Since the attack, the county has struggled to bring services back to residents, and given the vital nature of county government, it could be argued that drastic measures were called for.

“The coming weeks will show whether that’s the case and will also show the county’s plan for ensuring that it won’t happen this way again.”

The payment could have been made through insurance coverage, and so would not represent a direct county expenditure, Danahy said.

Fulton County is far from alone in being victimized by hackers. Cybersecurity experts say local governments are often targets of ransomware attacks, as holders of substantial personal information and suppliers of vital public services.

The city of Atlanta suffered a major ransomware attack in 2018 that cost taxpayers millions of dollars. Two Iranian citizens were eventually charged for that crime.

“I feel for Fulton,” Atlanta Mayor Andre Dickens said Friday.

“It’s important to have that (insurance) and we found that out,” he said of the 2018 attack. “We were able to buy things quickly that are very expensive. You have to make a decision: are you going to pay these folks (hackers) or rebuild the systems. It is very expensive to rebuild the systems.”

The week before Fulton County was attacked, hackers took down many government systems in Washington County, Pennsylvania, near Pittsburgh. Commissioners there paid nearly $350,000 in cryptocurrency to Russian hackers, according to local media. Officials agreed to the ransom Feb. 6 and publicly ratified their decision in a 2-1 vote Thursday.

Washington County’s population is about one-fifth of Fulton County’s.

LockBit’s ransomware tools emerged in Russian-language hacking forums in January 2020, according to the U.S. Cybersecurity & Infrastructure Security Agency. Since then, affiliates have used those tools to attack infrastructure worldwide.

Between January 2020 and June 2023, LockBit software was used in about 1,700 U.S. ransomware attacks, with victims paying a combined $91 million, according to CISA. In 2022, LockBit made up 16% of ransomware attacks in this country.

Fulton County Commission Chair Robb Pitts confirmed Wednesday that the hack was a ransomware attack and that some personal information may have been leaked. Until that afternoon’s brief news conference, he had maintained there was no evidence of a personal data breach.

If personal information is exposed, the county will notify anyone affected and offer services to help protect them, Pitts said.

State and federal law enforcement agencies are involved in the investigation, and county officials have cited that process in limiting details released about the cyberattack.

All county offices have reopened but many continue to use work-arounds to compensate for computer systems that are still down. The attack took down the county’s phone system, which runs over the internet; the internal financial system; online court and law enforcement systems; tax offices; and public-use computers at libraries.

It’s likely that experts have now “closed all the holes” to prevent further leaks from the same attack, but that doesn’t mean the risk is gone, Milburn said.

“The game here is about the data that the bad guys already have,” he said.

Atlanta Journal-Constitution editors Dan Klepal and Charles Minshew contributed to this report.