Fulton County faces renewed ransomware threat

Fulton County released a statement Monday afternoon acknowledging the new countdown and renewed threat — and indicating that the county will not pay the unspecified ransom.

“Our focus remains on safely restoring services for our citizens and we continue to work in close coordination with law enforcement,” the statement says.

County commissioners met several times in closed session to discuss the ransom demand, but ultimately decided they “could not in good conscience” use taxpayer dollars for that purpose, Commission Chair Robb Pitts said Feb. 20.

The latest county statement says “we still don’t know” whether citizens’ personal data is included in the stolen documents. Figuring that out with cybersecurity experts “may take some time.”

“If we determine that peoples’ personal information was involved in this incident, we will make all legally required notifications and provide them with resources to help protect their personal information,” the county statement said.

The attack on Fulton County crippled many systems, including hundreds of phone lines. County services were unavailable for several days, and many offices are still using offline work-arounds. Officials have said about half of the county’s phones are working again, and early voting started Monday for the state’s March 12 presidential primary.

Before the takedown, LockBit posted on its dark web site images of several dozen Fulton County documents — many already publicly available, but some which appeared to contain internal system information or individuals’ personal data.

Police in 10 countries, including the FBI in the U.S. and the National Crime Agency in the United Kingdom, on Feb. 19 froze 200 cryptocurrency accounts tied to LockBit and the site on the dark web that it used to threaten victims and publish data. Europol announced the action took down 34 computer servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom.

The FBI has announced charges against five Russian nationals so far related to LockBit, with two of the suspects in custody. None of those suspects appears to have any connection with the Fulton County hack.

Separate from the charges in the U.S., Europol said two LockBit actors have been arrested in Poland and Ukraine at the request of the French judicial authorities.

LockBit released a rambling statement, apparently from one of the group’s leaders, blaming the international law enforcement action on the imminent Fulton County leak.

“The stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election,” it says.

The statement claims “negotiations stalled,” mistakenly identifying Fulton County as a city. It denounces the FBI and threatens more attacks on government entities.

LockBit’s tools to steal and encrypt data emerged from Russian-language hacking forums in 2020. By 2022, it became the most widely used ransomware, according to police.

“The group provided ransomware-as-a-service to a global network of hackers or ‘affiliates,’ supplying them with the tools and infrastructure required to carry out attacks,” the NCA said.

LockBit has targeted more than 2,000 victims worldwide, demanded hundreds of millions of dollars and received more than $120 million, according to the FBI. The group attacked more than 1,000 targets in the U.S. during 2023, FBI Deputy Director Paul Abbate said.

Europol said LockBit would normally take one-quarter of the ransom collected by affiliated hackers.

AJC staff writers Charles Minshew and Rahul Deshpande contributed to this report.

Credit: ArLuther Lee

Credit: ArLuther Lee