A countdown timer for the threatened release of Trump court documents disappeared from hacker website before it ticked down to zero
- The ransom countdown timer for Fulton County disappeared from a hacking group's website.
- It was set to expire Thursday morning.
The countdown timer hackers used to threaten the release of Fulton County government documents — including what they claimed were documents from former President Donald Trump's criminal case in Georgia — disappeared from the group's website before it expired.
The hacking group, LockBit 3.0, had a timer set for 8:49 a.m. ET Thursday to publish the documents on its website — a deadline it had jumped forward, after previously setting a March 2 deadline.
Sometime on Wednesday afternoon, the timer disappeared.
LockBit 3.0's website still lists ransom timers for its other hacks. As of Thursday morning, it had 12 other timers counting down simultaneously. The timer for Fulton County was no longer among them.
Rob Pitts, the chairman of Fulton County's board of commissioners, acknowledged the passed deadline during a press conference in Atlanta Thursday afternoon.
"We are not aware of any data having been released today — so far," Pitts said.
But he warned that the hacking group could wreak chaos at any moment by publishing the "purportedly stolen data."
"That does not mean the threat is over, by any means," Pitts said. "And they can still release the data they have at any time. Today, tomorrow, or sometime in the future. We simply have no control over that."
Lockbit 3.0 took down Fulton County services in a ransomware attack in January. It threatened to release sensitive files from multiple government services, including its court system.
But the group was disrupted on February 20 as part of a series of coordinated raids involving law enforcement agencies from more than 10 different countries. The FBI took over LockBit's website and bragged about taking them down. The same day, the Justice Department unsealed indictments against two Russian nationals it alleges worked for the group.
On Saturday, LockBit 3.0 returned. It posted a new countdown timer for the Fulton County documents initially set for March 2. It later jumped the timer forward, leaving it to expire on Thursday.
In a message trumpeting its return, the group claimed the FBI snapped into action because "the stolen documents contain a lot of interesting things and Donald Trump's court cases that could affect the upcoming US election."
Court filings show that the FBI's investigation into LockBit — a notorious and long-running hacking group — and coordination with international law-enforcement agencies has been ongoing for years.
Before the raid, the group claimed, they had been in negotiations over a ransom for the Fulton County documents.
"Personally I will vote for Trump because the situation on the border with Mexico is some kind of nightmare, Biden should retire, he is a puppet," the group said in the message.
LockBit 3.0's website does not show any new messages since then.
The disappearance may signal ransom negotiations
Although the February 20 raid disrupted the group, many of Fulton County's services still aren't fully operational, including its court website.
The hack has taken national significance because of Fulton County District Attorney Fani Willis's criminal case against Trump. In a grand jury indictment, prosecutors accused Trump and more than a dozen of his allies of illegally conspiring to overturn the results of the 2020 presidential election in Georgia. Trump, the frontrunner for the Republican nomination in the 2024 presidential election, has pleaded not guilty. Several of his co-defendants have already entered guilty pleas and are expected to testify against him at trial.
LockBit 3.0 works on a leasing model, where it develops sophisticated hacking tools and then allows other hacking groups to use it in exchange for a cut of the ransom. It has been fantastically successful in the hacking world, garnering over 2,000 victims and $120 million in ransom funds over the past several years, according to the Department of Justice. It's not clear which group it's working with for the Fulton County hack and ransom.
The timer for Fulton County had previously disappeared from LockBit 3.0's site ahead of the February 20 raid. Such removals normally happen when extortion targets pay a ransom or are in negotiations to pay it, according to cybersecurity journalist Brian Krebs.
But Pitts said at a February 20 press conference that no ransom was paid. And on Thursday afternoon, he reiterated that message.
"Again, we have not paid any ransom, nor has any ransom been paid on our behalf," Pitts said at Thursday's press conference.
It's also possible that LockBit 3.0 may just be blustering about ransom negotiations to shore up credibility with its affiliates, according to Dan Schiappa, the chief product officer of cybersecurity firm Arctic Wolf."Lockbit built its image on being loud and garnering the attention of other groups that wanted assurance that they could conduct business with them unhindered," Schiappa said. "The law enforcement action presents a threat to that narrative."It's not clear if LockBit 3.0 is in possession of any court records in the Trump case that have not already been made public. Atlanta-based independent journalist George Chidi reported that sealed records in unrelated cases were included in a sampling of files published by LockBit.It's also not clear how much money — or what else — LockBit 3.0's affiliate in the hack wants. The amounts are often negotiated in private, Schiappa told Business Insider.
This story has been updated.