Headline
The Mysterious Case of the Missing Trump Trial Ransomware Leak
The notorious LockBit gang promised a Georgia court leak "that could affect the upcoming US election.” It didn’t materialize—but the story may not be over yet.
This week, the notorious ransomware gang known as LockBit threatened a kind of disruption that would have been a first even for a criminal industry that has crippled hospitals and triggered the shutdown of a gas pipeline: leaking documents from the criminal prosecution of a former president and presidential candidate.
Then, without explanation, that threat evaporated, leaving plenty of unanswered questions behind.
For the past five days, LockBit promised on its dark-web site to publish data stolen from the Fulton County, Georgia, government, which it listed as one of its extortion victims, unless the county paid an unspecified ransom. One administrator for the group went so far as to post the specific threat of releasing documents related to Fulton County’s high-profile prosecution of Donald Trump: the Superior Court of Fulton County is the venue where Trump, the Republican presidential front-runner, stands accused of a criminal conspiracy to interfere in the 2020 election.
Yet when the hacker group’s own deadline for that leak arrived, no documents appeared. Instead, LockBit mysteriously removed any mention of it from its website. Fulton County officials have denied paying a ransom—which leaves unanswered why the leak disappeared, and whether LockBit still holds any of the court’s documents or ever did in the first place.
“We’re not aware of any data having been released today so far,” Fulton County Commission Chairman Robb Pitts said in a Thursday afternoon press conference. “Now that being said, that does not mean the threat is over by any means, and they could release whatever data they have at any time, today, tomorrow or any time in the future. We have no control over that."
The ransomware crew’s threat, before it vanished, had been dramatically timed: It followed a coordinated law enforcement takedown operation targeting LockBit just last week. Known as Operation Chronos and led by the UK’s National Crime Agency, the operation took control of much of LockBit’s infrastructure, seized hundreds of its cryptocurrency wallets, tore down the dark-web sites it uses in its extortion campaigns, and even claimed to have compromised some of its members and partners. Just days later, however, LockBit managed to launch a new dark-web site, where it posted a list of victims along with countdown timers for each representing their deadline to pay a ransom before the hackers leaked their stolen data. The deadline for the Fulton County documents had been set for February 29 at 1:49 pm UTC.
On that relaunched site, one LockBit administrator also posted a lengthy screed accusing the FBI of timing the takedown specifically to prevent the release of the Trump-related Fulton County court documents—and promising to release them despite the bust if Fulton County didn’t pay.
“The FBI decided to hack now for one reason only, because they didn’t want to leak information from [the Fulton County government website],” the LockBit administrator wrote. “The stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”
The hacking-related paralysis of Fulton County’s government, at least, seems to be very real: By its own admission, the county government is facing a serious and ongoing network disruption that looks very much like a ransomware attack. The website for Fulton County’s government has noted in an alert on its homepage for nearly a week that it’s “experiencing an unexpected IT outage currently affecting multiple systems” and that systems related to everything from phone lines to tax collection to courts had been affected. An official who answered the phone at the county’s publicly listed phone line tells WIRED the outage had begun as early as late January. But a county government spokesperson declined WIRED’s request for more information on the attack.
The LockBit hackers also posted some convincing sample documents that appeared to have been stolen from the Fulton County court systems prior to the takedown last week, according to Georgia-based reporter George Chidi, who wrote about the incident earlier this month. Chidi reported seeing documents that included court files and even documents under seal in specific cases, though none appeared to be related to Trump’s prosecution.
Then, on Wednesday, just hours before LockBit’s deadline for the county to pay its ransom expired, the countdown timer for that leak on Lockbit’s website froze, with an added line of text that read, “Timer stopped.” At the promised time of 1:49 PM UTC Thursday, the leak failed to materialize. Instead, all mention of Fulton County was removed from LockBit’s extortion threat site.
In Thursday’s press conference, Fulton County Chairman Rob Pitts denied that the county had paid Lockbit’s extortion fee. “We have not paid any ransom, nor has any ransom been paid on our behalf,” Pitts said.
LockBit instead may well be bluffing—either it doesn’t have the goods it claims or isn’t ready to give up on its extortion demand. Robert McArdle, a researcher who leads a cybercrime-focused research team at security firm Trend Micro and was involved in the law enforcement operation against LockBit, says the group’s thus-far empty threat is a sign that it was likely more disrupted by the bust than it wants to admit.
“This appears to be further evidence of the difficulties facing LockBit ever since Op Chronos took place, and should be considered as a sign they are unable to reliably follow through on their statements,” says McArdle. He points out that the victims listed on the group’s new dark-web site were all compromised prior to Operation Chronos and that continuing to threaten them is the group’s attempt to “appear as if everything is normal when most evidence points very much to the contrary.”
There remain other theories, however, that Lockbit might still possess the court’s data but is seeking to use it in some other way. “They generally don’t lie about victims, because they’re so worried about their reputation,” says Jon DiMaggio, the ransomware-focused chief security strategist at cybersecurity firm Analyst1. He notes that the decision to take down the leak threat may have been the decision of the “affiliate” hackers who partner with LockBit to penetrate victims like Fulton County and may have different motivations from LockBit itself.
If Fulton County documents do remain in the hands of hackers, and if any of them relate to the Trump case, they could further complicate an already deeply messy trial. The state’s case has been rocked by allegations that the prosecutor in the case, Fulton County district attorney Fanni Willis, had an improper affair with another prosecutor involved in Trump’s prosecution, which the defense has argued should require Willis’ dismissal. The compromise of non-public documents in the case could make the proceedings—and the upcoming US presidential election—even more chaotic.
“We’re watching with interest to see how the Fulton leak develops,” Trend Micro’s McArdle says. So, no doubt, will the US political sphere—including a certain former president.
Additional reporting by Matt Burgess.
Updated 2/29/2024, 4:15 pm EST with a statement from Fulton County Commission Chairman Robb Pitts.