INC Ransom claims to be behind 'cyber incident' at UK city council
This follows attack on NHS services in Scotland last week
The cyber skids at INC Ransom are claiming responsibility for the ongoing cybersecurity incident at Leicester City Council, according to a post caught by eagle-eyed infosec watchers.
A post made to INC Ransom's leak blog in the late hours of April 1 mentioned Leicester City Council as a victim of the ransomware group – the first indication that the local authority's IT incident involves an established cybercrime gang.
The note also mentioned that the attackers claimed to have stolen 3 TB worth of council data, before it was deleted soon after going live.
Posting a victim to a leak site and swiftly removing it is a process known as "flashing," and is commonly used to get a response out of leadership teams that may have gone silent during the ransom negotiation phase.
Leicester City Council's most recent incident update came on March 28, the last working day before the UK's long bank holiday weekend. Based on how its recovery efforts are going, it's likely that it won't have paid a ransom, and the latest flashing by INC Ransom is a last-gasp attempt to extort the council.
The Register approached the local authority and INC Ransom for more details but neither immediately responded.
Nearly a month after the council's widespread system shutdown on March 7, which was only supposed to last for a few days, it said most systems and service portals are back online.
Residents' online services for waste and recycling, schooling, birth registrations, social housing, planning, and parking were reinstated late last week.
Council-run recreation centers are now back open as usual, and computer and Wi-Fi services at public libraries were also brought back online. Council staff have regained access to emails and phone lines too.
"We're pleased that most of our online service portals and customer service lines are now up and running again," said Andrew Shilliam, director of corporate services at Leicester City Council.
"Next week, I hope to report that the remaining phone lines have been restored and that we're making progress on dealing with a backlog of emails and requests.
"We're very sorry for the inconvenience caused by the cyber incident and want to thank people for their patience while we restore our systems. I'd also like to thank all of our partners in the city who have supported us as we deal with this incident."
The council still refuses to comment on whether any data was compromised during the episode, citing ongoing criminal investigations.
INC Ransom is known for operating on a double extortion model, so if it was indeed behind the attack, it's likely that at least some data was stolen before affiliates deployed the locker.
Looking at recent attacks claimed by the group, the nature of the data it targets can be highly sensitive.
INC stain on the UK
INC Ransom also recently claimed responsibility for an attack on NHS Dumfries and Galloway, one of the 14 regional health boards of NHS Scotland.
After the gang posted "NHS Scotland" on its leak site last week, El Reg confirmed the attack was actually confined to the Dumfries and Galloway board, which had reported a cybersecurity incident weeks prior.
The criminals also allegedly stole 3 TB worth of data from the healthcare organization. A quick browse of the taster data dump it posted revealed sensitive data throughout, including medical test results tied to patients' real names and home addresses.
If the attackers had access to information typically assumed to be held only by official sources, such as Leicester City Council itself, the potential for attackers to use that data in convincing phishing attacks is high.
Most UK residents would assume that their unique council tax reference number, for example, is known only to the council. Councils usually include the number in official correspondence to show the communication was meant for the intended recipient.
If attackers had access to this information, as well as full names, email addresses, and other data types, they could feasibly target residents with convincing campaigns that fraudulently request urgent "council tax" payments. ®