Ransomware gang did steal residents' confidential data, UK city council admits

INC Ransom emerges as a growing threat as some ex-LockBit/ALPHV affiliates get new gigs


Leicester City Council is finally admitting its "cyber incident" was carried out by a ransomware gang and that data was stolen, hours after the criminals forced its hand.

The attack began nearly a month ago on March 7 and since then, the English city council has continually refused to say whether ransomware was involved or if data was compromised.

That all changed yesterday when INC Ransom, which mentioned the council attack earlier in the week, hinting at its role in the incident, leaked a cache of documents that appeared to be sourced from council servers.

"We have downloaded about 3 TB of private information," the gang's website claims, alongside what it calls a "proof pack" – a 32-file snippet of the data it claims to have stolen. 

The leaked files include scans of residents' identification documents such as passports and driving licenses, bank statements, and various official council forms for matters regarding rent, social housing, and more.

Within hours of the leak, Richard Sword, Leicester City Council's strategic director of city developments and neighborhoods, released an updated statement acknowledging that fact.

"We have today been made aware that a small number of documents held on our servers have been published by a known ransomware group," said Sword. 

"This group is known to have attacked a number of government, education, and healthcare organizations.

"The breach of confidential information is a very serious matter and its publication is a criminal act. We are in the process of trying to contact all of those affected by this breach, and have also notified the Information Commissioner.

"We realize this will cause anxiety for those affected, and want to apologize for any distress caused."

Sword went on to say that the council, at this current stage, couldn't say if any other files had been stolen, but "it is very possible" that the criminals do indeed have more.

The UK's National Cyber Security Centre (NCSC) and the cybercrime team at Leicestershire Police are working together on the criminal case, the nature of which was cited as the reason for so few details coming to light thus far.

Residents have been urged to remain vigilant for any attempts to access their accounts, and to be wary of people claiming to have data relating to them. They've also been reassured that engaging with the council and carrying out normal functions like paying council tax bills is safe.

The council has largely recovered from the incident, it confirmed last week, with most of its systems, email access, and phone lines back up and running as normal. Council-run services such as recreation centers and public internet at libraries are also now operational once again.

The attack on Leicester City Council was carried out by the same criminals at INC Ransom who were behind the recent attack at NHS Dumfries and Galloway, a regional healthcare organization in Scotland.

INC Ransom is believed to be one of the beneficiaries of the recent law enforcement efforts to disrupt LockBit and ALPHV/BlackCat, which were until recently the two heavy hitters of the ransomware industry.

Cybersecurity analyst and researcher Dominic Alvieri said three ransomware groups appear to have benefited the most, picking up the affiliates who left LockBit and ALPHV after law enforcement's intervention efforts.

INC Ransom registered 23 new victims in the past month, whereas the other beneficiaries – Medusa and Hunters International – have registered 24 and 18 respectively.

For INC and Medusa, these numbers aren't far off LockBit's when it was arguably at its peak last year. According to the US authorities, LockBit carried out at least 340 attacks in 2023 – an average of around 28 per month. ®
