Ransomware gang did steal residents' confidential data, UK city council admits
INC Ransom emerges as a growing threat as some ex-LockBit/ALPHV affiliates get new gigs
Leicester City Council is finally admitting its "cyber incident" was carried out by a ransomware gang and that data was stolen, hours after the criminals forced its hand.
The attack began nearly a month ago on March 7 and since then, the English city council has continually refused to say whether ransomware was involved or if data was compromised.
That all changed yesterday when INC Ransom, which mentioned the council attack earlier in the week, hinting at its role in the incident, leaked a cache of documents that appeared to be sourced from council servers.
"We have downloaded about 3 TB of private information," the gang's website claims, alongside what it calls a "proof pack" – a 32-file snippet of the data it claims to have stolen.
The leaked files include scans of residents' identification documents such as passports and driving licenses, bank statements, and various official council forms for matters regarding rent, social housing, and more.
Within hours of the leak, Richard Sword, Leicester City Council's strategic director of city developments and neighborhoods, released an updated statement acknowledging that fact.
"We have today been made aware that a small number of documents held on our servers have been published by a known ransomware group," said Sword.
"This group is known to have attacked a number of government, education, and healthcare organizations.
"The breach of confidential information is a very serious matter and its publication is a criminal act. We are in the process of trying to contact all of those affected by this breach, and have also notified the Information Commissioner.
"We realize this will cause anxiety for those affected, and want to apologize for any distress caused."
Sword went on to say that the council, at this current stage, couldn't say if any other files had been stolen, but "it is very possible" that the criminals do indeed have more.
The UK's National Cyber Security Centre (NCSC) and the cybercrime team at Leicestershire Police are working together on the criminal case, the nature of which was cited as the reason for so few details coming to light thus far.
Residents have been urged to remain vigilant about any attempts to access their accounts, and of people claiming to have data relating to them. They've also been reassured that engaging with the council and carrying out normal functions like paying council tax bills is safe.
The council has largely recovered from the incident, it confirmed last week, with most of its systems, email access, and phone lines back up, running as normal. Council-run services such as recreation centers and public internet at libraries are also now operational once again.
The attack on Leicester City Council was carried out by the same criminals at INC Ransom who were behind the recent attack at NHS Dumfries and Galloway, a regional healthcare organization in Scotland.
- Nearly 1M medical records feared stolen from City of Hope cancer centers
- Cyberattack hits Omni Hotels systems, taking out bookings, payments, door locks
- INC Ransom claims to be behind 'cyber incident' at UK city council
- JetBrains keeps mum on 26 'security problems' fixed after Rapid7 spat
INC Ransom is believed to be one of the beneficiaries of the recent law enforcement efforts to disrupt LockBit and ALPHV/BlackCat, which were until recently the two heavy hitters of the ransomware industry.
Cybersecurity analyst and researcher Dominic Alvieri said three ransomware groups appear to have benefited the most, picking up the affiliates who left LockBit and ALPHV after law enforcement's intervention efforts.
INC Ransom registered 23 new victims in the past month, whereas the other beneficiaries – Medusa and Hunters International – have registered 24 and 18 respectively.
For INC and Medusa, these numbers aren't far off LockBit's when it was arguably at its peak last year. According to the US authorities, LockBit carried out at least 340 attacks in 2023 – an average of around 28 per month. ®