In a concerning turn of events, the ransomware group Interlock declared that it has breached the city of St. Paul, Minnesota, claiming to have stolen 43 gigabytes of sensitive data. The attack has raised alarms regarding the vulnerability of municipal systems and the sensitivity of the data involved.
Interlock did not specify a ransom demand or deadline, but the stolen data appears to come predominantly from employee computers. “The data mostly includes files from employees’ computers, including documents they work with. The impact can be hard to estimate as the sensitivity of data depends on every breached user or employee,” stated Aras Nazarovas, a senior information security researcher at Cybernews.
Ransomware attacks, where malicious software restricts access to crucial files until a ransom is paid, have surged in recent years. The FBI had issued a warning just a week prior to the St. Paul incident, flagging Interlock as a threat to critical infrastructure throughout North America and Europe.

The group was previously implicated in other significant attacks this year, including a notable breach of DaVita, a dialysis treatment provider, and Kettering Health, from which they allegedly exfiltrated nearly a terabyte of data. The city's troubles began on July 25th when suspicious activity led it to shut down its IT systems as a precaution, confirming shortly thereafter that it was indeed a ransomware attack.
As the situation unfolded, St. Paul officials emphasized that they had not paid a ransom despite being contacted by the perpetrators. “We’ve been contacted by the threat actor with a specific demand for a specific ransom amount. To be clear, we have not paid that, and their threat was that they would release some data if they weren’t able to get paid,” explained Mayor Melvin Carter.

Approximately 3,500 city employees have begun the exhausting process of scrubbing their data, resetting passwords, and restoring their accounts manually, which has delayed the city's operations. “We are doing what I lovingly refer to as a grand control-alt-delete of all of our city systems. That’s our city servers; that’s all of our devices, putting upgraded cybersecurity software on them,” Carter added.
Despite the massive disruption, the availability of 911 and other emergency services has been maintained. However, the city's operational struggles are apparent and could last for some time. Cybersecurity expert Christopher Henderson, currently the chief information security officer at Huntress, observed, “Recovery from a large-scale cyberattack can be difficult given the complexities of their environments due to needing to support multiple municipal services such as police, clerical, fire, and emergency services.”
As the St. Paul government grapples with the aftermath of the attack, officials have alerted residents to the potential for phishing attacks, as hackers are allegedly targeting the community with fraudulent invoices. The city has advised individuals not to interact with suspicious links or email attachments to protect themselves from further scams.
The ongoing cyber incident in St. Paul serves as a stark reminder of the vulnerabilities faced by public sector entities and the critical need for robust cybersecurity measures. As municipal governments navigate the complexities of modern digital threats, the implications of such attacks for public trust and service delivery cannot be overstated.

