The LockBit ransomware group re-established a site on the dark web and is again threatening to release data, officials said.
FULTON COUNTY, Ga. — A cybercrime group is back on the web threatening to release data from Fulton County for a second time, according to a spokesperson for the county.
The spokesperson said that the county became aware over the weekend that the LockBit ransomware group re-established a site on the dark web.
Once it was up, it again listed Fulton County and re-threatened to release data that it claimed it stole during a January cyberattack that caused widespread outages, officials said. At this time, the exact deadline the group set is not clear, but some cybersecurity experts have said it looks to be on Thursday. 11Alive is working to get clarity about the timeline.
That said, this news comes after The National Crime Agency, which is an international agency in the United Kingdom, announced last week that LockBit 3.0’s services were disrupted as a result of law enforcement action. The group previously claimed to have been holding sensitive information from Fulton County hostage for $1.2 billion.
RELATED: Services disrupted for group claiming responsibility for Fulton County cyberattack, National Crime Agency says
Rajiv Garg, a professor of information systems and operations management at Emory University’s Goizueta Business School, said it is not surprising the group is asking for a ransom again but that it is shocking that they were able to get back online quickly.
“If there is a thief who is trying to steal from people, a lot of times, if they’re successful, they’re not going to stash all their loot in one place. And that is exactly what happened,” Garg hypothesized. “They still probably are decentralized and have a server somewhere in a different country, different city, maybe a basement . . . and they are now using those.”
The original deadline was earlier this month, on Friday, Feb. 16. There was speculation for days on whether the county decided to pay the ransom, as the county looked to have been removed from the website before law enforcement took control of it on Feb. 19.
However, Fulton County Commission Chairman Robb Pitts stated last week that no ransom was ever paid and that officials do not know why LockBit removed them.
“After careful consideration and weighing many factors last week, the board of commissioners decided we could not in good conscience use Fulton County taxpayer funds to make a payment,” Pitts said. “We did not pay, nor did anyone pay on our behalf.”
Fulton County officials said Monday that they still do not know the contents of the data the group is threatening to release and whether any citizens’ personal information was involved.
“Our teams are actively working with leading cybersecurity experts to determine what data may have been stolen and gain a better understanding of what information may be involved, which includes an extensive review process,” officials said over email.
RELATED: Fulton County government says no ransom was paid to group claiming responsibility for cyberattack
A county spokesperson also stated the review may take time and that the county will make all legally required notifications and provide resources if it is determined that people’s personal information was involved in the incident. Officials added they are collaborating with internal and external agencies, including law enforcement.
“The safety of our citizens is our highest concern, and we are taking this situation seriously as we continue our investigation,” the spokesperson said.
Previous reporting by 11Alive said cybersecurity experts who have seen some of the data leaked online said it goes beyond financial information or social security numbers. They said it includes sensitive health information for residents in the county who have cancer or who are living with HIV.
Cybersecurity expert Rick Hudson agreed with this sentiment to 11Alive on Tuesday, stating that the list of potentially sensitive information involved in the Fulton County data breach could include anything — ranging from residents’ addresses to county health department medical records.
“It could bring people out that have HIV who may not want to divulge that,” Hudson said. “It could be other health records, it could be arrest records, it could be trial records, anything in the world that Fulton County has, and they were able to get into every system that stored data at Fulton County.”
Hudson said he wants people to understand that what occurred in Fulton County is not just another hack but a serious situation.
“If LockBit doesn’t get paid, then they are going to publish it to the world. Once it is published, there is no closing that door, so it could affect and damage many people’s lives,” Huson said.
Hudson recommends those who have concerns about their data start using a two-factor authentication process for online accounts.
In general, Fulton County officials have also been making progress on bringing back online services that were knocked out due to widespread outages created by this cybersecurity incident. The county said that its focus remains on safely restoring services as it continues to work with law enforcement.