Georgia’s largest county is still repairing damage from January cyberattack

Georgia’s largest county is still repairing damage inflicted on its government a month ago by hackers who shut down office phone lines, left clerks unable to issue vehicle registrations or marriage licenses and threatened to publicly release sensitive data they claimed to have stolen unless officials paid ransom.

The ransomware syndicate LockBit took credit for the cyberattack in late January that temporarily crippled government services in Fulton County, which includes most of Atlanta. The group demanded payment, threatening to dump data online, including residents’ personal information. It also claimed to have stolen records related to the county’s pending criminal case against former President Donald Trump.

To boost the odds of getting paid, ransomware groups routinely steal data before activating network-encrypting malware. Some cybersecurity analysts questioned whether the Fulton County hackers actually possessed Trump-related files.

The hackers’ deadline passed Thursday, less than two weeks after law enforcement agencies in Europe and the U.S. announced they had disrupted LockBit’s operations, seized the group’s systems and arrested two people overseas.

READ MORE The Chinese government carefully watches those it deems a threat. Here’s a glimpse into how Biden is boosting cybersecurity at US ports, where online attacks can be more ravaging than storms Cyberattacks on hospitals are likely to increase, putting lives at risk, experts warn

Soon after the takedown, LockBit resurfaced on the dark web and renewed its threat against Fulton County. But no stolen data was released after the deadline lapsed, and county officials refused to pay.

“We are not aware of any data having been released today so far,” Fulton County Commission Chairman Robb Pitts told reporters Thursday afternoon. “That does not mean the threat is over by any means. And they could release whatever data they have at any time — today, tomorrow or sometime in the future.”

Pitts said county officials are still working to restore phone service and online systems still down more than a month later, though all county offices have reopened and resumed serving residents to at least some degree.

“We have not paid any ransom nor has any ransom been paid on our behalf,” said Pitts, who declined to answer questions following his brief statement.

A Fulton County spokesperson did not immediately respond to an email message Friday seeking further updates.

The cyberattack hit as Fulton County District Attorney Fani Willis is prosecuting a racketeering case against Trump and others for their efforts to overturn the results of Georgia’s presidential election in 2020.

While the hackers disrupted courthouse services, namely taking down its online system for filing legal documents, Willis said the case against Trump was unaffected.

“All material related to the election case is kept in a separate, highly secure system that was not hacked and is designed to make any unauthorized access extremely difficult if not impossible,” Willis’ office said in a statement Jan. 30.

LockBit had been among the world’s most prolific ransomware syndicates when it was badly disrupted in late February by an international law enforcement consortium that included the FBI. Following the takedown, which many cybersecurity experts think spells the end of LockBit, a group spokesman issued a rambling statement claiming not to have been as seriously affected as authorities had said.

The LockBit spokesman claimed the takedown was motivated by the FBI’s desire to prevent the leak of information stolen from Fulton County that included “a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”

One cybersecurity expert said that claim was likely unfounded and that LockBit, a Russian-speaking operation condoned by the Kremlin, may never have had any such documents.

“I think the claims are bogus,” said Yelisey Bohuslavskiy, chief research officer at the cybersecurity firm Red Sense.

He said LockBit had been faking and exaggerating data theft claims for the last three years, even publishing data that others had obtained as if it was their doing.

Another possibility is that LockBit lost access to stolen data in the disruption by law enforcement, ransomware analyst Brett Callow of the cybersecurity firm Emsisoft said in a post on X, formerly Twitter.

LockBit is believed to have extracted $120 million from thousands of victims since it began operating in 2019. It accounted for 23% of the nearly 4,000 attacks globally last year in which ransomware gangs posted stolen data to extort payment, according to cybersecurity firm Palo Alto Networks.

Cybersecurity experts believe LockBit as a brand may now be in its death throes -- but could easily re-emerge rebranded under a new name with the same core members, as happened with previous ransomware groups that came under intense law enforcement pressure.

LockBit and other ransomware syndicates are compartmentalized operations. Outside the core group that rents out the malware and maintains the infection infrastructure are so-called affiliates who manage the hacking, malware activation and negotiations and get the bulk of the profits.

In Fulton County, officials reported widespread disruptions following the cyberattack the weekend of Jan. 27. County police couldn’t produce incident reports and the sheriff’s office had to fall back on paper forms to process jail detainees. Residents couldn’t pay county utility bills online or use the internet to access property records. Clerks were unable to issue marriage certificates and firearm permits.

“We are working to restore all Fulton County systems and making some progress,” Pitts, the county chairman, said Thursday.

County officials said last week that their online system for paying water bills had been restored, but not for property tax payments. County email systems were back online and more than half of the phone lines in county offices were working.

___ Bynum reported from Savannah, Georgia. Bajak reported from Boston.