LockBit Threatens to Release Fulton County Court Docs on Trump Case


February 29, 2024


LockBit, the ransomware operators who recently withstood a law enforcement disruption operation, is threatening to release exfiltrated documents that "contain a lot of interesting things and Donald Trump's court cases that could affect the upcoming US election" if a ransom demand is not met.

Officials from Fulton County, Georgia, disclosed in mid-February that “financially motivated” threat actors associated with the LockBit ransomware gang were behind a January ransomware attack that disrupted critical county services for several weeks.

Earlier this week, LockBit, the most prolific of all the Ransomware-as-a-Service (RaaS) gangs, announced it had restored operations just days after a highly publicized law enforcement takedown attempt.

Authorities disrupted LockBit’s infrastructure on February 19, but the group said they were back in action less than a week later, vowing to increase attacks against the public sector as retribution.

“On a new website, the group posted a message claiming it had backup copies of documents taken from the Fulton County government's website. It also renewed its ransom demands,” Business Insider reported.  

“The post claimed that the FBI acted quickly because the leak of documents in Trump's criminal case could affect the 2024 presidential election.”

Fulton County officials said they have no intention of paying the ransom demand.

Takeaway: Just how brazen can these ransomware operators get?  

In a matter of just a few weeks, LockBit has managed to carry out an attack that they claim could influence the upcoming U.S. presidential elections and could also have implications for the very serious legal case against the former President.

And if that’s not enough, they managed to do so while being aggressively targeted by an international coalition of law enforcement agencies led by the FBI, and were back in action in a matter of days.

Why would LockBit be so cocky while they are in the crosshairs of law enforcement? Because even after years of relentless attacks by ransomware operators, there has been little in the way of any real consequences.

There have been a handful of arrests of low-level affiliates, and law enforcement has managed to disrupt a few RaaS operations, but for the most part law enforcement actions have had zero impact on the scourge of ransomware attacks – in fact, 2023 was a banner year for the attackers.

The recent takedown attempt targeting LockBit is incredibly revealing about what law enforcement actions can and can’t do against these well-organized and well-funded ransomware operations.

And the fact that LockBit seems almost completely unfazed by law enforcement, doubling down on an attack threat that could have such serious implications, is further evidence that our collective response to ransomware attacks is completely inadequate.

Even more concerning is the dual nature of many of today's ransomware attacks: they make money for the attackers while also furthering the geopolitical interests of adversarial nations.

Ransomware operators try to elicit as much pain, frustration, and publicity as possible because it translates into revenue. But in attacks like those in Fulton County, there is another motivation beyond financial gain.

We cannot discount the dual nature of many of today’s ransomware attacks, where the attackers may be serving themselves from a financial perspective but are also furthering a larger geopolitical strategy that favors the interests of an adversarial nation.

The fact that ransomware attacks are only addressed as being cybercriminal acts provides convenient plausible deniability when those attacks also serve the larger geopolitical goals of rogue regimes like Russia, Iran and North Korea.

This is why it is imperative that the U.S. government and allied nations differentiate at least some of the attacks and classify them as threats to our national security – specifically those attacks that target healthcare, utilities, elections and other critical infrastructure functions.

It’s not just a name-game. Designating some of these attacks as terrorism or threats to national security brings a whole new set of options to the table that range from flexing our offensive cyber capabilities to more traditional kinetic military response options.

This would mean instead of just investigating attacks and indicting low level attackers, the government would have the option to take proportional actions against not just the ransomware operators, but against nation-states known to provide safe harbor and in many cases are actively influencing the attacker’s targeting choices.

There needs to be real consequences not just for those who are orchestrating the attacks and benefitting financially, but also for the nation-states who are benefitting geopolitically from these attacks.

Until there are real consequences on the table, we will see these attackers continue to brazenly act with impunity and the fallout from the attacks get ever more serious, and we will see adversaries continue to glean a geopolitical advantage while enjoying plausible deniability.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.