- Fulton County's ransom countdown timer has disappeared from the hacking group's website.
- The expiration date was set for Thursday morning.
- The ransom documents included court records from Trump's criminal case in Georgia.
The countdown timer with which hackers were threatening to release Fulton County government documents, including documents they claimed were from former President Donald Trump's criminal case in Georgia, disappeared from the group's website before it expired.
The hacking group LockBit 3.0 had set a timer on its website for the publication of the documents at 8:49 a.m. ET Thursday. The deadline, previously set for March 2, had been moved up.
Sometime Wednesday afternoon, the timer disappeared.
The LockBit 3.0 website still lists ransom timers for other hacks. As of Thursday morning, 12 other timers were counting down simultaneously. The Fulton County timer was no longer among them.
Fulton County Commission Chairman Rob Pitts acknowledged the deadline had passed at a news conference in Atlanta Thursday afternoon.
“To date, there is no information that data has been released,” Pitts said.
But he warned that hacker groups could cause chaos at any time by releasing “allegedly stolen data.”
“That doesn't mean the threat is over by any means,” Pitts said. “And they can release the data they have at any time. Today, tomorrow, or sometime in the future. We have no control over that.”
LockBit 3.0 disrupted services in Fulton County in a ransomware attack in January. It threatened to release confidential files from multiple government services, including the court system.
However, the group was suspended on February 20 as part of a series of coordinated raids involving law enforcement agencies from more than 10 countries. The FBI bragged about taking over and deleting LockBit's website. On the same day, the Justice Department unsealed charges against two Russian nationals who allegedly worked for the group.
On Saturday, LockBit 3.0 was back. A new countdown timer for the release of Fulton County's documents was originally set for March 2, but the timer was later moved up and set to expire on Thursday.
In a message promoting its return, the group said, “The stolen documents contain many interesting details and lawsuits against Donald Trump that could affect the next U.S. presidential election,” and claimed that the FBI took immediate action.
According to court filings, the FBI's investigation into the notorious hacker group LockBit and its collaboration with international law enforcement agencies have continued for years.
The group claimed to have been negotiating for a ransom for Fulton County documents before the attack.
“Personally, I'm voting for Trump. The situation at the Mexican border is some kind of nightmare. Biden should retire. He's a puppet,” the group said in a message.
Since then, no new messages have appeared on the LockBit 3.0 website.
Disappearance could be a sign of ransom negotiation
The Feb. 20 raid threw the group into disarray, but many Fulton County services, including the courthouse website, are still not fully operational.
The hack took on national significance after Fulton County District Attorney Fani Willis filed criminal charges against Trump. In a grand jury indictment, prosecutors accused President Trump and more than a dozen of his allies of illegally conspiring to overturn the results of Georgia's 2020 presidential election. Trump, a front-runner for the Republican nomination for the 2024 presidential election, has maintained his innocence. Several of his co-defendants have already entered guilty pleas and are expected to testify against him at trial.
LockBit 3.0 operates on a leasing model, developing advanced hacking tools and making them available to other hacking groups in exchange for a portion of the ransom. According to the Department of Justice, it has been incredibly successful in the world of hacking, racking up more than 2,000 victims and $120 million in ransoms over the past few years. It's unclear which groups are involved in the Fulton County hack and ransom demands.
The Fulton County timer had previously disappeared from LockBit 3.0's site prior to the Feb. 20 law enforcement raid. Cybersecurity journalist Brian Krebs said such removals typically occur when the extortion victim has paid a ransom or is in the process of negotiating a ransom payment.
However, Pitts said in a press conference on February 20 that no ransom was paid. And on Thursday afternoon, he reiterated that message.
“Again, we have not paid the ransom and no ransom has been paid on our behalf,” Pitts said at a press conference Thursday.
Dan Schiappa, chief product officer at cybersecurity firm Arctic Wolf, said it's also possible that LockBit 3.0 is just being loud about ransom negotiations to improve its credibility with its affiliates.
“LockBit has built an image where it advertises loudly and attracts the attention of other groups looking for assurance that they can trade without hindrance,” Schiappa said. “This law enforcement action threatens that narrative.”
It is unclear whether LockBit 3.0 has court records from the Trump case that have not yet been made public. George Chidi, an independent journalist based in Atlanta, reported that the sample of files released by LockBit included sealed records in unrelated cases.
It's also not clear how much money, or what else, the LockBit 3.0 affiliates involved in the hack might want. Schiappa told Business Insider that the amount is often negotiated privately.
This story has been updated.