The Inc Ransom group claimed responsibility for an attack on Leicester City Hall in March that disrupted services, and the threat actors displayed details of the incident on their leak site.
This is Inc's second attack on a British public sector organization in a matter of weeks, having previously claimed responsibility for a breach at NHS Dumfries & Galloway.
Inc Ransom claimed the attack on Leicester City Council in a post on its leak site on April 1, saying it had stolen 3TB of sensitive data from the council's internal systems.
As with last month's NHS attack, the post was accompanied by an “evidence pack” of around 25 scanned documents, including passports, bank and rental statements, and applications to buy council housing, but the update was quickly removed.
This practice of briefly naming a target in public and then deleting the post is known as “flashing,” and attackers use it to put more pressure on victims who refuse to pay a ransom.
According to an update from Richard Sword, the council's strategic director of urban development and neighbourhoods, the attack was first discovered on March 7 and the council is still working to notify everyone affected.
“We are aware that this will cause anxiety to those affected and we would like to apologize for any distress caused. At this time we cannot say with certainty if any other documents have been removed from our systems, however, we believe it is very possible that this has been the case,” Sword explained.
“We continue to work with Leicestershire Police’s cybercrime team and the National Cyber Security Centre as part of this ongoing criminal investigation. As this is a live investigation, we cannot comment in further detail, but we will continue to provide updates when we have news to share.”
The update states that most of the council's systems and phone lines are now operating as normal following lockdown and that the public can freely access other council services as usual.
Busy start to 2024, but who is Inc Ransom?
The Inc Ransom collective first appeared on the scene in July 2023 and has since gained a reputation for attacking corporate networks, particularly public sector institutions in the healthcare, education, and government sectors.
So far in 2024, the group has published 20 victims on its leak site, of which 30% are healthcare organizations and another 20% come from the education sector.
Inc Ransom is known as a 'double extortion' ransomware specialist. Its methods of gaining initial access vary from campaign to campaign, but the group has been observed using phishing emails as well as targeting software vulnerabilities.
Muhammad Yahya Patel, a cybersecurity expert at Check Point Software, said the size and complexity of many public sector entities makes them more difficult to protect, and reduced investment in security postures makes them a prime target for groups like Inc.
“Public sector organizations manage vast, interconnected systems, which can be difficult to protect. These systems may include databases containing sensitive information, communication networks and various software applications,” said Yahya Patel.
“They are also under pressure to deliver services with reduced budgets and resources. This often means there is less investment in robust cybersecurity measures. This may include funding for advanced security tools, hiring cybersecurity experts, and implementing regular security audits and updates.”
Inc Ransom 'Flashing' Points to Stalled Talks
Commenting on the flashing technique employed by the group, Rebecca Moody, head of research and data at Comparitech, said it is likely that negotiations are stalling and that the group is trying to increase pressure on senior council leaders.
“Inc is known for its double extortion technique (system encryption and data theft). Therefore, if Inc is responsible for this attack, its recent publication suggests that negotiations with Leicester City have so far failed, so pressure is mounting to try to secure a payment. Otherwise, it will try to sell the data on the dark web.”
Oliver Spence, chief executive of security MSP Cybaverse, said the UK's strong position on refusing to pay ransoms is likely impeding negotiations between the council and the attackers, speculating that the group is aware of this and has ulterior motives.
“Given that the UK government has publicly expressed its commitment to never do business with ransomware actors, it is difficult to imagine INC expecting payment for these attacks. This could suggest that the gang is motivated by harm, rather than money, meaning more public bodies could be on their target list.”