Inc Ransom group claims latest UK victim with Leicester City Council, but who are the new kids on the digital extortion block?

The Inc Ransom group has claimed responsibility for an attack on Leicester City Council in March that disrupted services, with the threat actors flashing details of the incident on their leak site.

This marks the second attack by Inc on a British public sector organization within a matter of weeks, having previously claimed responsibility for a breach at NHS Dumfries & Galloway.

Inc Ransom said it was behind the attack on Leicester City Council in a post to its leak site on 1 April, claiming to have stolen 3TB of sensitive data from the council’s internal systems.

Similar to the NHS attack last month, the post was paired with a ‘proof pack’ consisting of around 25 scanned documents including passports, rent and bank statements, and applications to purchase council housing, but the update was quickly deleted. 

This process of briefly identifying a target publicly and then deleting the post is known as ‘flashing’, a tactic attackers use to exert more pressure on victims who are refusing to pay a ransom.

According to an update from Richard Sword, the council’s strategic director of city developments and neighborhoods, the attack was first discovered on 7 March and the council is still working to notify all those who have been affected.

“We realize this will cause anxiety for those affected, and want to apologize for any distress caused. At this stage we are not able to say with certainty whether other documents have been extracted from our systems, however we believe it is very possible that they have,” Sword explained.

“We are continuing to work with the cyber crime team at Leicestershire Police and the National Cyber Security Centre as part of this ongoing criminal investigation. As this is a live investigation we are not able to comment in further detail, but will continue to give updates when we have news to share.”

The update stated that most of the council’s systems and phone lines are now operating as normal following the shutdown, and that the public can freely access other council services as usual.

A busy start to 2024, but who is Inc Ransom?

The Inc Ransom collective first appeared on the scene in July 2023, and since then it has gained a reputation for targeting corporate networks - particularly public sector institutions in the healthcare, education, and governmental sectors.

So far in 2024, the group has posted 20 victims on its leak site, with 30% of those being healthcare organizations and a further 20% coming from the education sector.

Known as a ‘double extortion’ ransomware specialist, Inc Ransom’s methods of gaining initial access vary from one attack campaign to the next, but the group has been observed using spear-phishing emails, as well as targeting software vulnerabilities.

Muhammad Yahya Patel, cyber security expert at Check Point Software, said the size and complexity of many public sector entities make them harder to secure, and reduced investment in security postures makes them a prime target for groups such as Inc.

“Public sector organizations manage vast and interconnected systems, which can be difficult to secure. These systems may include databases containing sensitive information, communication networks, and various software applications,” Yahya Patel noted.

“They are also under pressure to deliver services with reduced budgets and resources. This often means there is less investment in robust cyber security measures. This can include funding for advanced security tools, hiring cyber security experts, and implementing regular security audits and updates.”

Inc Ransom ‘flashing’ points toward stalled talks

Commenting on the flashing technique employed by the group, Rebecca Moody, head of research and data at Comparitech, said it is likely negotiations are stalling and the group is trying to ratchet up pressure on senior leaders at the council.

“Inc is known for its double-extortion technique (encrypting systems and stealing data). Therefore, if Inc is responsible for this attack, its recent posting suggests negotiations with Leicester City have so far failed so it's increasing the pressure to try and secure a payment. Failing that, it'll look to sell the data on the dark web.”

Oliver Spence, CEO at security MSP Cybaverse, said the UK’s strong position on refusing to pay ransoms is probably impeding negotiations between the council and the attackers, speculating the group is aware of this and has ulterior motives.

“Given the UK government has very publicly voiced its commitment to never do business with ransomware actors, it’s hard to imagine INC would be expecting a payout from these attacks. This could suggest the gang is motivated by damage, rather than money, which means more public bodies could be on its target list.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.