Back from the dead: LockBit taunts cops, threatens to leak Trump docs
Officials have until March 2 to cough up or stolen data gets leaked
Updated: LockBit claims it's back in action just days after an international law enforcement effort seized the ransomware gang's servers and websites, and retrieved more than 1,000 decryption keys to assist victims.
The crew's latest leak site, which debuted on Saturday, listed more than a dozen alleged victims including the FBI itself, hospitals, and Georgia's Fulton County, which is still struggling to recover from the intrusion that disrupted its phone, email and other IT systems in late January.
LockBit claimed to be responsible for the Fulton County break-in before the UK's National Crime Agency (NCA) and US FBI took down its infrastructure last week. The Georgia county, however, has reappeared on the crew's Tor site, with a countdown clock set to expire on March 2 unless government officials pay the ransom demand.
The criminal gang claims to have a trove of Fulton confidential data such as the identities of jurors serving on a murder trial that "could put lives at risk and jeopardize a number of other criminal trials," according to Krebs on Security.
The crew also claimed the stolen Fulton collection includes documents related to Donald Trump's court cases, which will be released unless the ransom is paid. Fulton County did not immediately respond to The Register's request for comment.
I am very pleased that the FBI has cheered me up
After confiscating LockBit's infrastructure on February 20, arresting members of the ransomware gang and using its website to leak secrets about the crew's operations, law enforcement promised its big reveal would happen on Friday with the identity of LockBitSupp, the group's public spokesperson.
That turned out to be a big dud, and on Saturday LockBitSupp posted a long, rambling response to the FBI, later clarifying that by "FBI" they meant all law enforcement, and continuing to taunt the federal cops:
"I am very pleased that the FBI has cheered me up, energized me and made me get away from entertainment and spending money, it is very hard to sit at the computer with hundreds of millions of dollars, the only thing that motivates me to work is strong competitors and the FBI, there is a sporting interest and desire to compete," LockBitSupp opined.
The character also claimed that Operation Cronos hacked the gang's servers by exploiting a PHP vulnerability: "Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time."
The site admin also alleges that law enforcement took down LockBit specifically to prevent the release of stolen documents containing "a lot of interesting things and Donald Trump's court cases that could affect the upcoming US election."
Additionally, LockBitSupp claims the decryptors seized "are of little use," and says there were almost 20,000 on the hacked server, "most of which were protected and cannot be used by the FBI." ®
Updated to add
"The FBI and its partners anticipated Lockbit threat actors would attempt to regroup and rebuild, however, the opportunity to offer over a thousand victims the ability to decrypt their networks is our focus and we will continue to provide assistance to those who have been impacted," the agency told us.
"While a subject can stand up new infrastructure, we made it more difficult for them to operate, prevented countless new victims, and tarnished its reputation as the most prolific ransomware in existence. The FBI continues to maintain our disruptive activities against cyber actors threatening security for any organization or individual."