Cybercriminals leak confidential data of Saint Paul, amounting to 43GB, following the city's decision not to pay ransom demand.

Minneapolis's capital has been revealed as the latest city exposed on Interlock's blog following the late-July cyber attack


Interlock Ransomware Attacks Saint Paul: City Undergoing System Reset, No Ransom Payments Planned

A ransomware attack carried out by the Interlock gang has targeted the city of Saint Paul, Minnesota, with allegations of stolen data including passports, employee records, and internal documents. The attack was first made public on July 25, 2024, and the city remains in control of all its systems.

Interlock, a relatively new ransomware gang that emerged in September 2024, is known for conducting double-extortion campaigns. This approach involves data theft in combination with encryption to increase pressure on victims. Unlike other well-known ransomware gangs, Interlock has not been formally linked to any now-defunct groups.

The FBI and CISA had flagged Interlock just a week before this latest caper, warning that the gang was targeting critical infrastructure in increasingly vicious double-extortion campaigns. True to form, Interlock has published a listing on their dark web leak site, claiming to have stolen more than 66,000 files from the city of Saint Paul.

The published files "appear to come largely from a single shared network drive" used by the Parks and Recreation Department in Saint Paul. Despite Interlock's claims, Mayor Melvin Carter stated that residents' personal and financial information has not been compromised.

In response to the attack, the city of Saint Paul is carrying out a full reset of servers, devices, and staff passwords. Residents' data, held in a cloud-based application, was not impacted by the attack. Mayor Carter has confirmed that the city has no intention of paying Interlock's ransom demand.

Interlock accused Saint Paul officials of being careless with the city's security, claiming that a large part of the infrastructure was damaged, causing significant losses. Meanwhile, city services, including payment portals, billing services, library networks, and municipal Wi-Fi, remain unavailable almost three weeks after the cyberattack.

Interlock's tactics bear striking similarities to those of legacy groups such as BlackCat/ALPHV and LockBit. The gang uses uncommon initial access methods, such as drive-by downloads, and social engineering tricks, such as the ClickFix technique. It also deploys custom remote access trojans (RATs) for persistence, along with a wide range of discovery, credential-access, and lateral-movement tools, to maximize network compromise before encrypting targets.

Although it shares the double-extortion model and the ability to encrypt both Windows and Linux systems with BlackCat/ALPHV and LockBit, Interlock sets itself apart with these initial access strategies and its current focus on targeting virtualized environments.

The Interlock ransomware gang's emergence and tactics are a reminder of the ongoing threats posed by cybercriminals and the importance of robust cybersecurity measures to protect critical infrastructure and personal data. City officials have not yet given a timeline for the full restoration of services.
