Interlock claims cyberattack on St. Paul, employees forced to scrub data


In what could be called a completely expected development, ransomware gang Interlock said it has stolen 43 gigabytes of data from the Minnesota city of St. Paul and added it to its leak site.

Interlock hasn’t listed any payment deadline or ransom demand, but the data batch seems genuine, even though resident data is held in a cloud-based application and thus is not presumed to have been impacted by the attack.

“The data mostly includes files from employees’ computers, including documents they work with. The impact can be hard to estimate as the sensitivity of data depends on every breached user or employee,” Aras Nazarovas, Cybernews Senior Information Security Researcher, said.


Ransomware is a type of malware that restricts access to files and computer operation unless the attacker is paid a specified cash amount.

The gang itself was mentioned in an FBI advisory just a week before the St. Paul attack. The warning said that Interlock has been targeting critical infrastructure and businesses across North America and Europe.

The gang was also behind this year’s hit on the dialysis treatment company DaVita. In June, Interlock claimed the ransomware attack on Kettering Health, along with the nearly 1TB of data it alleges to have exfiltrated from the healthcare conglomerate.

The city of St. Paul – which had already shut down its IT systems on July 28th to isolate local infrastructure from potential damage after suspicious activity was detected – soon confirmed this was indeed a ransomware attack but said it has not paid a ransom. The city has maintained a local state of emergency.


Instead, around 3,500 city employees are now beginning the process of scrubbing their data, resetting their passwords, and reestablishing their accounts. The reset needs to be done manually.

“We’ve been contacted by the threat actor with a specific demand for a specific ransom amount. To be clear, we have not paid that, and their threat was that they would release some data if they weren’t able to get paid,” St. Paul’s mayor Melvin Carter told reporters.


“We’ve maintained access to all of our data the entire time and control of all of our systems the entire time. We are doing what I lovingly refer to as a grand control-alt-delete of all of our city systems. That’s our city servers; that’s all of our devices, putting upgraded cybersecurity software on them.”

The initial security breach occurred on July 25th, crippling the city’s online services and internal systems, shutting down internet access in government buildings, and making online payments for garbage and water services unavailable.

911 and other emergency services are still available, but the city government has clearly struggled to function for weeks now.

Christopher Henderson, a cybersecurity expert currently serving as chief information security officer at cyber firm Huntress, isn’t surprised.

“Recovery from a large-scale cyberattack can be difficult given the complexities of their environments due to needing to support multiple municipal services such as police, clerical, fire, and emergency services,” said Henderson.


“Defending against these adversaries requires a layered approach, monitoring both identities used to log into systems as well as their endpoints.”

St. Paul officials already said last week that hackers were targeting the city’s more than 300,000 residents with fake government invoices. They urged people not to click on any links or email attachments if their origin isn’t clear.
