Full Report
The mayor of Saint Paul, Minnesota's capital city, has confirmed that the Interlock ransomware gang is responsible for a cyberattack that disrupted many of the city's systems and services in July. [...]
Analysis Summary
# Incident Report: Saint Paul City Ransomware Attack by Interlock Gang
## Executive Summary
The City of Saint Paul, Minnesota, suffered a ransomware attack in July that the mayor has attributed to the Interlock ransomware group, a threat actor known for targeting critical infrastructure, particularly healthcare organizations. The attack disrupted many city systems and services. Interlock later listed the city on its leak site, claimed the theft of over 43 GB of data (roughly 66,000 files) and published part of it. The group's further claims of significant damage to the city's infrastructure and to residents' data are the attackers' own statements and are not independently substantiated in the source. The city was already dealing with the July disruption when the group made its public claim.
## Incident Details
- **Discovery Date:** Not stated. The disruption to city systems was visible in July, before Interlock's leak-site post.
- **Incident Date:** July (month confirmed by the mayor; exact date not given).
- **Affected Organization:** City of Saint Paul
- **Sector:** Government/Municipal
- **Geography:** Saint Paul, Minnesota, USA
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown
- **Vector:** Not stated in the source.
- **Details:** The source frames the attack as part of Interlock's continuing activity against critical-infrastructure entities; it gives no detail on how access was obtained.
### Lateral Movement
- **Details:** Not specified. The volume taken (43 GB, about 66,000 files) implies access to file stores beyond a single endpoint, but the source describes no movement.
### Data Exfiltration/Impact
- **Details:** Interlock claims to have stolen over 66,000 files (about 43 GB) and has published a portion on its leak site. The group also claims significant damage to the city's infrastructure and to residents' data; these damage claims are the attackers' own and are not verified in the source.
### Detection & Response
- **Details:** The attack was visible as a disruption of city systems and services in July. Attribution became public when Interlock listed Saint Paul on its leak site and the mayor subsequently confirmed the group's responsibility. The source gives no detail on the city's containment or recovery actions.
## Attack Methodology
- **Initial Access:** Not stated in the source.
- **Persistence:** Unknown
- **Privilege Escalation:** Unknown
- **Defense Evasion:** Unknown
- **Credential Access:** Unknown
- **Discovery:** Unknown
- **Lateral Movement:** Not stated in the source.
- **Collection:** About 43 GB (roughly 66,000 files) gathered from city systems, per the attackers' claim.
- **Exfiltration:** Data was exfiltrated before it was published on the leak site; the source does not say whether the theft preceded or followed the July disruption.
- **Impact:** Data theft with extortion (double extortion) and service disruption; lasting infrastructure damage is the attackers' claim.
## Impact Assessment
- **Financial:** Not quantified. The attackers claim significant losses; remediation and recovery costs are implied but not stated.
- **Data Breach:** Over 43 GB of data (about 66,000 files) stolen, with a portion published; residents' data is reportedly included.
- **Operational:** Many city systems and services were disrupted in July; the attackers additionally claim lasting infrastructure damage.
- **Reputational:** Negative impact due to successful breach and data publication affecting residents.
## Indicators of Compromise
- **Network indicators:** *(None provided in the source material)*
- **File indicators:** *(None provided in the source material)*
- **Behavioral indicators:** None given in the source; the only evidence presented is Interlock's leak-site post and the mayor's confirmation. Tooling reported in earlier Interlock intrusions (for example the NodeSnake RAT) is not confirmed in this incident and should not be treated as an indicator here.
## Response Actions
- **Containment measures:** Not detailed in the source.
- **Eradication steps:** Not detailed in the source.
- **Recovery actions:** Not detailed. The July disruption implies restoration of affected systems and services; a review of how the exposed resident data was handled would be expected after the leak.
## Lessons Learned
- The attack occurred during a period in which CISA and the FBI had flagged increased Interlock activity against critical infrastructure. The source does not establish which controls, if any, were missing at the city, so no specific control failure can be inferred.
- The attack used double extortion: even if systems are restored quickly, stolen data remains exposed, so data protection and exfiltration detection matter as much as backups.
## Recommendations
- Review the security posture against the TTPs published for Interlock operations, with emphasis on perimeter defenses and on the initial-access and exfiltration techniques described in the joint CISA/FBI advisory.
- Implement robust segmentation and zero-trust principles to limit the impact of any successful initial access and to restrict lateral movement.
- Accelerate adoption of the mitigations in the CISA/FBI advisory on Interlock ransomware for critical infrastructure, including monitoring for bulk outbound data transfer so that a theft of this size is detected before it is announced on a leak site.
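The double-extortion lesson above turns on one control: noticing when a host is pushing tens of gigabytes out of the network. The script below is an added example written for this report; it is not code from the city, the source article or CISA. It reads a constructed firewall/proxy flow log (the whitespace-separated format, the 10.0.0.0/8 internal range, the hosts and the 2 GiB-per-hour threshold are all assumptions) and sums outbound bytes per internal source over a sliding one-hour window, so that a transfer split across many flows is judged in aggregate rather than flow by flow.

```python
"""Flag internal hosts sending unusually large volumes to external addresses.

Added example for this report; not code from the city, the source article
or CISA. The flow-log format, IP ranges, host names and thresholds are
assumptions for illustration only.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

GIB = 1024 ** 3

# Assumed internal address space for the monitored network (adjust per site).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow log (not real data). One record per line:
#   timestamp src_ip dst_ip dst_port bytes_out
# 10.20.5.17 pushes 6 x 512 MiB to one external host over ~27 minutes,
# plus a large internal transfer that must not count as egress;
# 10.20.7.8 shows ordinary browsing-sized traffic.
SAMPLE_LOGS = """\
2025-07-24T01:55:02Z 10.20.7.8 198.51.100.10 443 4194304
2025-07-24T02:00:10Z 10.20.5.17 203.0.113.45 443 536870912
2025-07-24T02:05:31Z 10.20.5.17 203.0.113.45 443 536870912
2025-07-24T02:06:02Z 10.20.7.8 198.51.100.22 443 2097152
2025-07-24T02:10:44Z 10.20.5.17 203.0.113.45 443 536870912
2025-07-24T02:12:00Z 10.20.5.17 10.20.9.1 445 5368709120
2025-07-24T02:16:09Z 10.20.5.17 203.0.113.45 443 536870912
2025-07-24T02:21:50Z 10.20.5.17 203.0.113.45 443 536870912
2025-07-24T02:27:13Z 10.20.5.17 203.0.113.45 443 536870912
2025-07-24T03:40:00Z 10.20.7.8 198.51.100.10 443 8388608
"""


def is_internal(ip):
    """True if the address falls in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the assumed whitespace-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes),
        })
    return flows


def bulk_egress_hosts(flows, window=timedelta(hours=1), threshold=2 * GIB):
    """Return one record per internal source whose bytes to external
    destinations within any window-long span reach the threshold.

    A per-source sliding window over time-sorted flows sums a burst that
    is spread across many connections; internal-to-internal traffic is
    ignored so that backups or file-server copies do not trigger it.
    """
    per_src = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            per_src[f["src"]].append(f)

    hits = []
    for src, fl in per_src.items():
        fl.sort(key=lambda f: f["ts"])
        start, total = 0, 0
        dst_bytes = defaultdict(int)
        best = None
        for f in fl:
            total += f["bytes"]
            dst_bytes[f["dst"]] += f["bytes"]
            # Evict flows that fell out of the window ending at f["ts"].
            while f["ts"] - fl[start]["ts"] > window:
                total -= fl[start]["bytes"]
                dst_bytes[fl[start]["dst"]] -= fl[start]["bytes"]
                start += 1
            if total >= threshold and (best is None or total > best["bytes"]):
                best = {
                    "src": src,
                    "window_start": fl[start]["ts"],
                    "window_end": f["ts"],
                    "bytes": total,
                    "top_dst": max(dst_bytes, key=dst_bytes.get),
                }
        if best:
            hits.append(best)
    return sorted(hits, key=lambda h: h["bytes"], reverse=True)


if __name__ == "__main__":
    for h in bulk_egress_hosts(parse_flows(SAMPLE_LOGS)):
        print(f"{h['src']}: {h['bytes'] / GIB:.1f} GiB to external hosts "
              f"between {h['window_start']:%H:%M} and {h['window_end']:%H:%M}, "
              f"mostly to {h['top_dst']}")
```

Run against the sample log it reports 10.20.5.17 (3.0 GiB to 203.0.113.45 in under half an hour) and stays quiet about 10.20.7.8. Two caveats for production use: the transfer here goes to port 443, so it looks like ordinary HTTPS and only the volume gives it away, which is why the aggregation is per host and per window rather than per flow; and the threshold has to be set per host role, since backup servers and cloud-sync appliances legitimately push large volumes and need either an allow-list of destinations or a much higher limit.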