Connect with us

Hi, what are you looking for?



Georgia’s Largest County Is Still Repairing Damage From January Cyberattack

Georgia’s largest county is still repairing damage inflicted on its government offices by a cyberattack in January 2024.


Georgia’s largest county is still repairing damage inflicted on its government a month ago by hackers who shut down office phone lines, left clerks unable to issue vehicle registrations or marriage licenses and threatened to publicly release sensitive data they claimed to have stolen unless officials paid ransom.

The ransomware syndicate LockBit took credit for the cyberattack in late January that temporarily crippled government services in Fulton County, which includes most of Atlanta. The group demanded payment, threatening to dump data online, including residents’ personal information. It also claimed to have stolen records related to the county’s pending criminal case against former President Donald Trump.

To boost the odds of getting paid, ransomware groups routinely steal data before activating network-encrypting malware. Some cybersecurity analysts questioned whether the Fulton County hackers actually possessed Trump-related files.

The hackers’ deadline passed Thursday, less than two weeks after law enforcement agencies in Europe and the U.S. announced they had disrupted LockBit’s operations, seized the group’s systems and arrested two people overseas.

Soon after the takedown, LockBit resurfaced on the dark web and renewed its threat against Fulton County. But no stolen data was released after the deadline lapsed, and county officials refused to pay.

“We are not aware of any data having been released today so far,” Fulton County Commission Chairman Robb Pitts told reporters Thursday afternoon. “That does not mean the threat is over by any means. And they could release whatever data they have at any time — today, tomorrow or sometime in the future.”

Pitts said county officials are still working to restore phone service and online systems still down more than a month later, though all county offices have reopened and resumed serving residents to at least some degree.

“We have not paid any ransom nor has any ransom been paid on our behalf,” said Pitts, who declined to answer questions following his brief statement.

Advertisement. Scroll to continue reading.

A Fulton County spokesperson did not immediately respond to an email message Friday seeking further updates.

The cyberattack hit as Fulton County District Attorney Fani Willis is prosecuting a racketeering case against Trump and others for their efforts to overturn the results of Georgia’s presidential election in 2020.

While the hackers disrupted courthouse services, namely taking down its online system for filing legal documents, Willis said the case against Trump was unaffected.

“All material related to the election case is kept in a separate, highly secure system that was not hacked and is designed to make any unauthorized access extremely difficult if not impossible,” Willis’ office said in a statement Jan. 30.

LockBit had been among the world’s most prolific ransomware syndicates when it was badly disrupted in late February by an international law enforcement consortium that included the FBI. Following the takedown, which many cybersecurity experts think spells the end of LockBit, a group spokesman issued a rambling statement claiming not to have been as seriously affected as authorities had said.

The LockBit spokesman claimed the takedown was motivated by the FBI’s desire to prevent the leak of information stolen from Fulton County that included “a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”

One cybersecurity expert said that claim was likely unfounded and that LockBit, a Russian-speaking operation condoned by the Kremlin, may never have had any such documents.

“I think the claims are bogus,” said Yelisey Bohuslavskiy, chief research officer at the cybersecurity firm Red Sense.

He said LockBit had been faking and exaggerating data theft claims for the last three years, even publishing data that others had obtained as if it was their doing.

Another possibility is that LockBit lost access to stolen data in the disruption by law enforcement, ransomware analyst Brett Callow of the cybersecurity firm Emsisoft said in a post on X, formerly Twitter.

LockBit is believed to have extracted $120 million from thousands of victims since it began operating in 2019. It accounted for 23% of the nearly 4,000 attacks globally last year in which ransomware gangs posted stolen data to extort payment, according to cybersecurity firm Palo Alto Networks.

Cybersecurity experts believe LockBit as a brand may now be in its death throes — but could easily re-emerge rebranded under a new name with the same core members, as happened with previous ransomware groups that came under intense law enforcement pressure.

LockBit and other ransomware syndicates are compartmentalized operations. Outside the core group that rents out the malware and maintains the infection infrastructure are so-called affiliates who manage the hacking, malware activation and negotiations and get the bulk of the profits.

In Fulton County, officials reported widespread disruptions following the cyberattack the weekend of Jan. 27. County police couldn’t produce incident reports and the sheriff’s office had to fall back on paper forms to process jail detainees. Residents couldn’t pay county utility bills online or use the internet to access property records. Clerks were unable to issue marriage certificates and firearm permits.

“We are working to restore all Fulton County systems and making some progress,” Pitts, the county chairman, said Thursday.

County officials said last week that their online system for paying water bills had been restored, but not for property tax payments. County email systems were back online and more than half of the phone lines in county offices were working.

Written By


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


Alphv/BlackCat ransomware group files SEC complaint against MeridianLink over its failure to disclose an alleged data breach caused by the hackers.


Johnson Controls has confirmed being hit by a disruptive cyberattack, with a ransomware group claiming to have stolen 27Tb of information from the company.