A notorious and prolific ransomware operation claimed on Monday to have stolen 76 gigabytes of data from the California Department of Finance.
In a statement posted on its website early Monday, LockBit — a group the U.S. Department of Justice describes as one of the “most active and destructive ransomware variants in the world” — announced that it targeted systems belonging to the California Department of Finance and gave the agency a Dec. 24 deadline, when the group threatens to publish the stolen files.
LockBit claims that its haul of stolen data includes “databases, confidential data, financial documents” and, curiously, “sexual proceedings in court.” The group posted seven screenshots of what appear to be mundane budget documents, an old contract, and a screenshot from a file directory showing multiple other document folders — dated Dec. 7 and Dec. 8 — totaling 75.7 gigabytes. The group’s ransom demands are not clear.
The California Governor’s Office of Emergency Services said in a statement that the California Cybersecurity Integration Center (Cal-CSIC) is “actively responding to a cybersecurity incident involving the California Department of Finance.” The statement noted that “no state funds have been compromised,” but did not address whether records were accessed and, if so, which ones.
LockBit’s claims regarding what it has stolen should be taken with a grain of salt. “It should be noted that not all of LockBit’s past claims have been true,” Brett Callow, a threat analyst at Emsisoft, tweeted Monday.
In June, LockBit claimed to have successfully breached cybersecurity firm Mandiant, only to later say it was trying to draw attention to a Mandiant analysis it disagreed with. Callow previously told CyberScoop that there have been cases “where information stolen from organization A included information about organization B, they claim to have hit both A and B.”
Canadian authorities arrested a dual Russian and Canadian national in October and accused him of participating in LockBit ransomware attacks. The man, Mikhail Vasiliev, 33, is awaiting extradition to the U.S. to face federal charges in a New Jersey court, according to the U.S. Department of Justice.
The agency noted that the LockBit ransomware variant has been deployed against at least 1,000 victims in the U.S. and around the world, earning its operators and their affiliates at least $100 million in ransomware payments since the group emerged in either late 2019 or early 2020.