Is INC ransomware group’s Leicester attack motivated by damage rather than money? 

The UK’s Leicester City Council has finally confirmed that a cyber incident on 7 March that caused the closure of the council’s IT systems was, indeed, a ransomware attack. And the INC ransomware group has claimed that it is responsible.

This raises three important questions. Why did it take so long to confirm the nature of the attack? Who is the INC ransomware group? And what was its true motive, given that the UK government has made it clear it would never do business with such criminals?

Leicester City Council confirms ransomware attack

In a 3 April incident update, Richard Sword, the Strategic Director of City Developments and Neighbourhoods at Leicester City Council, confirmed that “a small number of documents held on our servers have been published by a known ransomware group”. The confidential documents so identified include rent statements, applications to purchase council housing and “identification documents such as passport information”.

Despite now admitting that a ransomware group was behind the March attack, the council remains cagey about the extent of the breach. “At this stage we are not able to say with certainty whether other documents have been extracted from our systems,” Sword said, “however we believe it is very possible that they have.”

No shit Sherlock. In an official council FAQ relating to the ransomware attack, the council continues the guarded language: “At this point in time it is not possible to say with certainty whether data has been extracted or just viewed.”

Rebecca Moody, Head of Research and Data at Comparitech, says that the INC ransomware leak site claims to have stolen 3TB of data, and it is just the “proof pack of various sensitive documents, including passports and bank statements” that has been confirmed by the council.


Why the delayed ransomware confirmation?

Although the council is working with Leicestershire Police and the National Cyber Security Agency – and has informed the Information Commissioner – we still don’t know why it took so long to disclose the ransomware nature of the incident when confidential residents’ data is concerned.

“Given it is a public service, they should be more forthcoming with this information,” says Muhammad Yahya Patel, Cyber Security Expert at Check Point Software.

“It puts them on the back foot now if INC is claiming to have a large volume of data,” he adds. “We know that transparency and knowledge sharing is key in these situations to better understand how these groups operate and to ultimately prevent attacks in the future.”

Who is INC and why target local government?

Since its emergence in July 2023, INC has focused on both corporate and organisational networks. “The group has posted 20 victims on its site since January 2024,” says Patel, “and their victimology is different from the average ransomware enterprise, with a focus on healthcare (30%) and education (20%).”

Indeed, in the last few weeks alone, INC has been behind the attack on NHS Dumfries and Galloway. You might think that the “why” is obvious: financial gain from payment of a ransom. But it’s not quite that simple.

Over to Oliver Spence, CEO of Cybaverse. “Given the UK government has very publicly voiced its commitment to never do business with ransomware actors, it’s hard to imagine INC would be expecting a payout from these attacks. This could suggest the gang is motivated by damage, rather than money, which means more public bodies could be on its target list.”

Of course, it isn’t beyond the realms of fantasy that a ransom could be paid. “This attack joins 36 other attacks on government organisations around the world so far this year,” Moody says. “According to our data, the average ransom demand on government entities this year is $2.1 million.”

The plain truth is that INC will profit one way or another, regardless of whether a ransom is paid. “Its recent posting suggests negotiations with Leicester City have so far failed so it’s increasing the pressure to try and secure a payment,” says Moody. “Failing that, it’ll look to sell the data on the dark web.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.