
Ransomware group says it took files from French Ministry of Justice

Hackers claim to have nearly 10,000 files from the French government agency, but skepticism is warranted.
Screenshot from LockBit 2.0 leak site claiming to have taken French government documents.

A ransomware group claimed Thursday that it stole thousands of files from the French Ministry of Justice, threatening to post “all available data” if the ransom isn’t paid by Feb. 10.

The announcement appeared on the leak site of LockBit 2.0, a known ransomware-as-a-service operation that’s been active since at least September 2019, according to cybersecurity firm Emsisoft.

Neither the French Ministry of Justice nor the country’s main cybersecurity agency responded to a CyberScoop request for comment about the situation. A ministry spokesperson told Politico that the agency was “aware of the alert and immediately took steps to carry out the necessary checks,” but did not elaborate.

The post viewed by CyberScoop on the leak site — where victim files are publicized either to pressure payments or punish victims if ransoms aren’t paid — indicates that the group may have 9,856 files, but nothing has been posted yet.

Brett Callow, a threat analyst at Emsisoft, said Thursday that the group may not end up posting any files, “as some of their past claims have been bogus.” For example, he said, there have been cases “where information stolen from organization A included information about organization B, they claim to have hit both A and B.”

Originally known as ABCD ransomware based on the file extension of the files it would encrypt on a target’s system, the ransomware evolved to LockBit and then LockBit 2.0 by June 2021, racking up perhaps tens of thousands of victims globally, Emsisoft reported.

LockBit was reportedly used in the July 2021 ransomware attack on global IT consulting firm Accenture, which came with a $50 million ransom demand, CyberScoop reported at the time.

The site currently lists dozens of purported victims from around the world.

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).
