Officials in Georgia’s Fulton County, which includes parts of Atlanta, said Wednesday that “financially motivated” hackers appeared to be behind a ransomware attack that has disrupted key county services for weeks.
“Early today, we became aware that cybercriminals claiming responsibility for this incident listed Fulton County as a victim on their dark website and posted screen shots of information claimed to have been accessed,” Fulton County Board of Commissioners Chairman Robb Pitts said at a press conference.
The revelation comes nearly two and a half weeks after the county first acknowledged a “cybersecurity incident” was causing disruptions throughout county systems. Hours before Pitts’ comments, a notorious, multinational cybercrime group claimed responsibility for the hack and posted online what appeared to be internal Fulton County documents, including a police report and a retirement statement.
Cybercriminal groups often publicly list victims in an attempt to pressure them into paying a ransom to recover their data. The leak will only up the stakes for Fulton County to get a handle on a cyberattack that has hobbled services for weeks.
The group that claimed Fulton County as a victim is a prolific group known as LockBit. Their malware was used in ransomware attacks on hundreds of victims in the first half of last year alone — more than any other group, according to cybersecurity researchers.
Pitts said the county is working with law enforcement and cybersecurity experts on the investigation and to assess the validity of the hackers’ claims. It’s unclear if there has been any communication between Fulton County and the hackers. Pitts declined to take questions, citing the ongoing investigation.
The ransomware attack has been an ongoing headache for Fulton County, where District Attorney Fani Willis is pursuing a case against former President Donald Trump and 18 co-defendants for allegedly trying to subvert the 2020 election.
Willis’s office previously lost access to its phones, internet and the court system website because of the hack, CNN has reported. But county officials have stressed that there is “no evidence or reason to believe that this incident is related to the election process or other current events.”
About two-thirds of the county phone lines are still down, and county officials still can’t process property tax and water bill payments electronically, Pitts said on Wednesday.
There was progress in other areas of the recovery. Phones and IT systems would come back online “on a rolling basis,” Pitts said. He acknowledged that thousands of county residents have been affected by the hack.
All election offices are open and the county is prepared to start early voting in 36 locations on Monday, ahead of next month’s primary elections, the commission chairman said.
Fulton County joins a list of high-profile victims claimed by LockBit. In November, someone associated with LockBit claimed responsibility for a ransomware attack on the US unit of the powerful Industrial and Commercial Bank of China.
LockBit has Russian-speaking members, according to experts, but it also has “affiliates,” or criminal partners, in multiple countries who rent the ransomware and use it in attacks.
Fulton County’s ransomware attack comes amid a years-long effort by the US government to limit the damage of ransomware attacks on local governments, hospitals and other critical infrastructure. While there have been notable arrests and law enforcement seizures of millions of dollars’ worth of ransom payments, the ransomware economy continues to thrive.
Cybercriminals extorted a record $1.1 billion in ransom payments from victim organizations around the world last year despite US government efforts to cut off their money flows, crypto-tracking firm Chainalysis estimated.
“The ransomware attack on Fulton County, Georgia underscores the importance of framing cybercrime as a national security issue,” Alexander Leslie, a Russian-speaking analyst with cybersecurity firm Recorded Future, told CNN. “Financially motivated groups like LockBit possess the capabilities to disrupt critical services at a local, state, and federal level.”