Article Details
Scrape Timestamp (UTC): 2025-08-13 06:19:03.262
Source: https://www.theregister.com/2025/08/13/ransomware_crew_spills_saint_pauls/
Original Article Text
Ransomware crew spills Saint Paul's 43GB of secrets after city refuses to cough up cash

Minnesota’s capital is the latest to feature on Interlock’s leak blog after late-July cyberattack

The Interlock ransomware gang has flaunted a 43GB haul of files allegedly stolen from the city of Saint Paul, following a late-July cyberattack that forced the Minnesota capital to declare a state of national emergency.

The listing on Interlock’s dark web leak site, seen by The Register, was published on August 11. It includes samples of what the gang claims are more than 66,000 files stolen from the city of Saint Paul, including scans of passports, employee records, and other internal documents.

Interlock used its leak site to accuse Saint Paul officials of being “extremely careless and irresponsible” with the city’s security, claiming that “a large part of the infrastructure was damaged” and the attack caused “a lot of losses and damage.” The group added that residents were “in the worst position” after their data was “compromised on the internet.”

In a public statement on Monday, Mayor Melvin Carter confirmed the Interlock ransomware crew was behind the attack. He said the published files “appear to come largely from a single shared network drive” used by the Parks and Recreation Department, and are “varied and unsystematic”.

Carter said that, despite Interlock’s claims, the residents' personal or financial information has not been compromised. “Resident data is held in a cloud-based application and was not impacted,” he told reporters, adding that the city “remains in control of all our systems” and is carrying out a full reset of servers, devices, and staff passwords.

Carter also confirmed the city had no intention of paying Interlock’s as-yet-unknown ransom demand — a stance which appears to have prompted the gang to follow through on its threat to spill the alleged haul online.

The cyberattack, news of which was first made public on July 25, forced the shutdown of multiple systems and prompted Governor Tim Walz to activate the Minnesota National Guard’s cyber unit. Payment portals, billing services, library networks, and municipal Wi-Fi were among the services disrupted, and at the time of writing, many of these services remain unavailable almost three weeks later. City officials have not yet given a timeline for the full restoration of services.

Double-extortion crew with form

Interlock has been active since at least September 2024, conducting double-extortion campaigns that combine data theft with encryption to increase pressure on victims.

On its leak site, the gang describes itself as “a relentless collective that exposes the recklessness of companies failing to protect their most critical assets” and claims its attacks are not financially motivated, but instead “send a message to those who hide behind weak defenses and half-measures”.

Security watchers say Interlock’s playbook, from its tooling to its fondness for wrecking recovery efforts, “bears striking similarities to legacy groups such as BlackCat/ALPHV and LockBit”. However, the Interlock crew has not been formally linked to any now-defunct ransomware gangs.

The FBI and CISA had flagged Interlock just a week before this latest caper, warning that the gang was targeting critical infrastructure in increasingly vicious double-extortion campaigns.
Daily Brief Summary
Interlock ransomware group claimed responsibility for a cyberattack on Saint Paul, Minnesota, leaking 43GB of files after ransom demands were refused.
The attack, which occurred in late July, led to a state of emergency declaration and involved the theft of over 66,000 files, including sensitive internal documents.
Mayor Melvin Carter confirmed that the compromised data mainly originated from a Parks and Recreation Department network drive, not impacting resident personal information.
Despite Interlock's claims of extensive damage, city officials maintain control over their systems and have initiated a comprehensive reset of servers and passwords.
The attack disrupted several city services, including payment portals and municipal Wi-Fi, with recovery timelines still uncertain weeks after the incident.
Interlock, known for its double-extortion tactics, combines data theft with encryption to pressure victims, mirroring methods used by groups like BlackCat and LockBit.
The FBI and CISA had recently warned of Interlock's escalating attacks on critical infrastructure, highlighting the ongoing threat to municipal entities.