On September 20, a relatively new ransomware gang called INC Ransomware added the Federal Labor Relations Authority to their leak site. As proof, they offered six images of files, two of which appear to contain personal information from cases or submissions involving care.
In response to a request from this site, INC also provided DataBreaches with a filetree of the server they claim to have compromised. That 31.5 MB text file, called “230931090.alldir,” began:
7-Zip (A) 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
Listing archive: confid.7z
--
Path = confid.7z
Type = 7z
Method = Delta LZMA2
Solid = +
Blocks = 6
Physical Size = 7359420307
Headers Size = 207451
Date Time Attr Size Compressed Name
------------------- ----- ------------ ------------ ------------------------
2023-08-26 17:17:40 D.... 0 0 confid
2023-08-26 16:52:01 D.... 0 0 confid\05-0014 confidential
2023-08-26 16:52:12 D.... 0 0 confid\1 DGC Confidential
2023-08-26 16:52:12 D.... 0 0 confid\1 DGC Confidential\checked in
2023-08-26 16:52:13 D.... 0 0 confid\1 DGC Confidential\Performance Standards
2023-08-26 17:17:40 D.... 0 0 confid\11-0160-USMint-Denver-Confidentiality-Statements
2023-08-26 17:17:40 D.... 0 0 confid\14-0006-WAPA-CU-confidential
2023-08-26 17:17:40 D.... 0 0 confid\14-0011-Army-COE-KC-CU-confidential
2023-08-26 16:52:03 D.... 0 0 confid\14-0019 BOP Florence Confid
2023-08-26 16:52:03 D.... 0 0 confid\14-0021 Steve Hollis Confid
2023-08-26 16:51:52 D.... 0 0 confid\7112b2 confidential
2023-08-26 17:06:04 D.... 0 0 confid\ADR Act Confidential Content
2023-08-26 16:52:20 D.... 0 0 confid\ADR Act Confidential Content\. from shared 073117
2023-08-26 16:52:20 D.... 0 0 confid\ADR Act Confidential Content\16-00x
2023-08-26 16:52:21 D.... 0 0 confid\ADR Act Confidential Content\3333 -40-
2023-08-26 16:52:22 D.... 0 0 confid\ADR Act Confidential Content\3334 -1-
2023-08-26 16:52:22 D.... 0 0 confid\ADR Act Confidential Content\3338 -13-
2023-08-26 16:52:23 D.... 0 0 confid\ADR Act Confidential Content\3343 -1-
2023-08-26 16:52:23 D.... 0 0 confid\ADR Act Confidential Content\3344 -5-
2023-08-26 16:52:24 D.... 0 0 confid\ADR Act Confidential Content\3344 -5-\NG
2023-08-26 16:52:24 D.... 0 0 confid\ADR Act Confidential Content\3346 -1-
2023-08-26 16:52:24 D.... 0 0 confid\ADR Act Confidential Content\3346 -1-\NG 3346
2023-08-26 16:52:24 D.... 0 0 confid\ADR Act Confidential Content\3348 -2-
There was a lot more.
DataBreaches reached out to FLRA twice via email — on September 24 and October 3 — to inquire about the claimed attack. In the emails, DataBreaches included the information above from the filetree. FLRA has not responded at all. INC Ransomware did respond, however, to some, but not all, questions DataBreaches put to them.
INC declined to reveal when they first gained access to FLRA or how they first gained access. They confirmed that the August 26 date in the file tree was the date exfiltration of data began and informed DataBreaches that they acquired 29 GB of files — all of the files listed in the filetree that they had provided DataBreaches.
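For anyone scoping a listing like the one excerpted above, this added example (not code from DataBreaches, FLRA or INC) parses whitespace-collapsed 7-Zip listing rows and reports entry counts, the timestamp window and per-folder totals. The rows are copied from the excerpt except the final file row, which is constructed; the names `ROW`, `SAMPLE` and `summarize` are chosen here.

```python
import re
from collections import Counter
from datetime import datetime

# One whitespace-collapsed row: date time, DRHSA attributes, size, optional
# packed size (7-Zip leaves it blank for most files in a solid block), name.
# Assumption: names do not start with "<digits><space>", true for rooted paths.
ROW = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+([D.][R.][H.][S.][A.])"
    r"\s+(\d+)\s+(?:(\d+)\s+)?(.+)$"
)

# Rows from the excerpt above; the final file row is constructed for illustration.
SAMPLE = r"""Listing archive: confid.7z
Physical Size = 7359420307
Date Time Attr Size Compressed Name
2023-08-26 17:17:40 D.... 0 0 confid
2023-08-26 16:52:01 D.... 0 0 confid\05-0014 confidential
2023-08-26 16:52:12 D.... 0 0 confid\1 DGC Confidential
2023-08-26 16:52:12 D.... 0 0 confid\1 DGC Confidential\checked in
2023-08-26 16:51:52 D.... 0 0 confid\7112b2 confidential
2023-08-26 17:06:04 D.... 0 0 confid\ADR Act Confidential Content
2023-08-26 16:52:21 D.... 0 0 confid\ADR Act Confidential Content\3333 -40-
2023-08-26 16:52:13 ....A 1024 confid\1 DGC Confidential\example.txt
"""

def summarize(listing: str) -> dict:
    """Return counts, byte total, timestamp window and per-folder entry counts."""
    rows = []
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue  # banner, archive properties, column header, separators
        stamp, attr, size, _packed, name = m.groups()
        rows.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), attr, int(size), name))
    if not rows:
        raise ValueError("no listing rows recognised")
    stamps = [r[0] for r in rows]
    dirs = sum(1 for r in rows if r[1].startswith("D"))
    # Group entries by the folder directly beneath the archive root.
    folders = Counter(r[3].split("\\")[1] for r in rows if "\\" in r[3])
    return {
        "entries": len(rows), "directories": dirs, "files": len(rows) - dirs,
        "total_bytes": sum(r[2] for r in rows),
        "first": min(stamps), "last": max(stamps),
        "window_seconds": int((max(stamps) - min(stamps)).total_seconds()),
        "by_folder": dict(folders),
    }
```

The window is computed from the modified times stored in the archive, so it describes when the listed folders and files were last written rather than when the archive itself was transferred.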
INC’s spokesperson also informed DataBreaches that they had sent FLRA a note to contact them and that they were demanding $700k. They state FLRA never responded to them at all.
They declined to show DataBreaches a copy of their ransom note, but did respond to an inquiry by saying that FLRA never detected them or kicked them out of the network while they were in it.
INC’s spokesperson declined to provide any information about their ransomware, but did say that they had locked all files and backups for what they hit.
Not much is known about INC Ransomware as yet. DataBreaches will continue to monitor the listing and will update this post if additional information becomes available, but notes that although a lot of data was provided that seems to support INC’s claims, there has been no confirmation from FLRA at this point.