Hackers have dumped 3.3 million files on the dark web following the recent ransomware attack on West Lothian council’s schools network.
A cyber gang going by the name of ‘Interlock’ has been named as the group responsible for the ransomware incident, which locked teaching staff and pupils out of their IT systems on May 6.
Details of the cyberattack emerged this morning via the Ransom-DB X account, which claimed 2.6 terabytes of data, amounting to 3.349 million files spread among 580,783 folders, had been published by the gang.
Little is known about Interlock, which has been active since October 2024, according to cybersecurity threat intelligence firm, Kela.
Victoria Kivilevich, director of threat research, said: “Interlock is an actor active since at least October 2024, claiming around 30 victims during their activity. Interlock states that they expose the ‘recklessness of companies failing to protect their most critical assets: customer data and intellectual property.’
“This group targets various sectors, including healthcare and life sciences, manufacturing and industrial products, and financial services. Their activities have been observed in multiple geographies, notably the United States, Italy, and Mexico.”
The data dump on Ransom-DB’s X account includes screenshots of the stolen data – usually referred to as ‘proof packs’ that ransomware hackers send to extort victims – which appear to contain copies of passports, spreadsheets and a driving licence.
According to Talos Intelligence, Cisco’s threat intelligence research organisation, the gang operates a data leak site called “Worldwide Secrets Blog,” providing links to victims’ leaked data, chat support for victims’ communications, and the email address, “interlock@2mail.co”. The blog is not available on the surface web and can only be accessed by specialist browsing tools. Their targeting of organisations is described as ‘opportunistic’.
Technical analysis by Talos showed that the gang uses a ‘remote access tool’ (RAT) masquerading as a fake browser updater, PowerShell scripts, a credential stealer, and a keylogger before ‘deploying and enabling the ransomware encryptor binary’. That is essentially the end-to-end process: the precursor malware is run first, keystroke-logging tools record what users type so that passwords or data can be stolen and used to gain wider access to the network, and the ransomware is then launched to lock users out of their files.
Their experts further highlighted that there were similarities between the gang’s ‘tactics, techniques, and procedures’ (TTPs) and those of a better-known gang called Rhysida, albeit with ‘low confidence’ levels. Researchers believe that group is located in Russia or in the Commonwealth of Independent States (CIS), the group of nation-states formerly part of the Soviet Union.
Ian Thornton-Trump of threat intelligence firm Cyjax added that the group has claimed victims including Texas Tech University Health Sciences Center, a US-based education company, Legacy Treatment Services, a US-based healthcare company and Wayne County, a US-based public sector organisation. He said: “Revenues from these purported victims range from $80 million to $2.2 billion. The group has not publicly targeted any nations within the Commonwealth of Independent States (CIS).”
He also stated that the group is adept at concealing its presence on a victim’s network, employing tools that aid ‘self-deletion’ and which clear Windows event logs.
He said: “This assists in hiding communication among legitimate web traffic. The group also deletes local backups to add more pressure on the victim and potentially increase the chances of a ransom payment.”
He added: “During the group’s short tenure, it has conducted attacks fairly frequently. Two of its alleged victims are multi-billion-dollar companies, suggesting an ability to penetrate mature networks.”
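As an added illustration (not code from the article or from any of the researchers quoted), the following Python detection logic flags the two behaviours described above, clearing Windows event logs and deleting local backups, and raises the severity for a host showing both. The event IDs (1102, 104, 4688) and the command-line patterns are standard Windows ones; the sample event records and host names are constructed for the example.

```python
import json
import re

# Constructed sample Windows event records (JSON lines); illustrative only,
# not telemetry from the West Lothian incident.
SAMPLE_EVENTS = """
{"EventID": 4688, "Channel": "Security", "Host": "ws01", "CommandLine": "notepad.exe report.txt"}
{"EventID": 4688, "Channel": "Security", "Host": "ws01", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"EventID": 4688, "Channel": "Security", "Host": "ws02", "CommandLine": "wbadmin delete catalog -quiet"}
{"EventID": 1102, "Channel": "Security", "Host": "ws02", "CommandLine": ""}
{"EventID": 104, "Channel": "System", "Host": "ws03", "CommandLine": ""}
{"EventID": 4688, "Channel": "Security", "Host": "ws03", "CommandLine": "wevtutil.exe cl Security"}
"""

# Event IDs written when a log is cleared: 1102 (Security log), 104 (System/Application logs).
LOG_CLEAR_EVENT_IDS = {1102: "security_log_cleared", 104: "event_log_cleared"}

# Command-line patterns for the two behaviours: clearing logs and deleting local backups.
COMMAND_RULES = [
    ("log_clear_cmd", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("backup_delete_cmd", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup_delete_cmd", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_delete_cmd", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
]

def detect(jsonl: str) -> list:
    """Return one alert dict per matching event: {host, rule, evidence}."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        host, eid, cmd = ev["Host"], int(ev["EventID"]), ev.get("CommandLine", "")
        if eid in LOG_CLEAR_EVENT_IDS:
            alerts.append({"host": host, "rule": LOG_CLEAR_EVENT_IDS[eid],
                           "evidence": f"EventID {eid} in {ev['Channel']} log"})
        if eid == 4688:  # process creation: inspect the command line
            for rule, pattern in COMMAND_RULES:
                if pattern.search(cmd):
                    alerts.append({"host": host, "rule": rule, "evidence": cmd})
                    break
    return alerts

def correlate(alerts: list) -> dict:
    """Per host: 'high' if both log clearing and backup deletion were seen, else 'medium'."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["rule"])
    severity = {}
    for host, rules in by_host.items():
        cleared = bool(rules & {"security_log_cleared", "event_log_cleared", "log_clear_cmd"})
        severity[host] = "high" if cleared and "backup_delete_cmd" in rules else "medium"
    return severity
```

Running `correlate(detect(SAMPLE_EVENTS))` on the constructed records marks ws02 as high because it shows both a backup-catalog deletion and a cleared Security log.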
Jude McCorry, CEO of Cyber and Fraud Centre – Scotland, which works to protect Scottish organisations from cybercrime, said: “We are aware of the West Lothian Council data that has been published on the dark web, and we know this may be alarming and distressing for some people.
“We have seen ‘data dumps’ of this nature before and usually it is not data mined or shared. This data has been illegally obtained and it should not be shared on any social media platforms. If you share this information you are sharing stolen data.
“If anyone feels they are a victim in relation to any cyber data breach – please contact Police Scotland on 101 and if financially motivated please contact your bank.”
The organisation has shared further guidance on data breaches for victims, who can also call the free advice line of its Cyber and Fraud Hub, which has been set up to support individuals, on 0808 2813580.
A Police Scotland spokesperson added: “On Tuesday, 6 May, 2025, we received a report of a cyber incident in the West Lothian area. Enquiries are ongoing and we are providing support to those affected.”
West Lothian council confirmed that it had been the victim of a cyberattack earlier this month, which occurred as pupils were taking and preparing for National 5 and Higher exams. The council sent an internal memo titled ‘IT Services – Issue Affecting Education Network’ following the breach.
It advised all council staff to be ‘extra vigilant around cyber security’ and to ‘delete any suspicious emails not from trusted sources’, especially those with links or attachments.
The council initially said there was ‘no evidence that any personal or sensitive data has been accessed at this stage’. Officials later said it was not possible to say when network access would be restored and that ‘contingency arrangements’ would be in place until the end of term.
Today’s data leak has inevitably changed initial assessments, and the council is now understood to be working to inform all those affected by the breach. Even though the data amounts to over 3 million files, it is thought to be a fraction of the data stored by the council on the network.
A West Lothian council spokesperson said: “Investigation work has been ongoing into the impact of the council’s education network as a result of the criminal attack.
“The council’s education network was the victim of a sophisticated ransomware cyberattack on Tuesday 6 May. This remains a live criminal investigation, and we are working with all relevant external agencies, including Police Scotland and the Scottish Government.
“It has now (Wednesday 21 May) been confirmed that a small percentage of the overall data stored on the education network has been stolen. We are aware that some personal or sensitive data is among the information stolen by criminals.”
The spokesperson added: “We are contacting parents/carers at every school in West Lothian to advise them of the data theft, and provide advice on taking extra precautions, as well as education staff.
“We would like to offer our sincere apologies to anyone potentially affected by this criminal cyberattack.”
The council said most of the data on the schools network was for ‘operational issues for schools’, such as lesson plans, but it had carried out risk assessments on potential child protection issues, with appropriate action ‘already taken, if required’.
The education network remains removed from the rest of the council’s networks, and there has been a “significant amount of work undertaken by staff to ensure that disruption to education, including SQA exams, has been minimal,” the spokesperson added.
The Information Commissioner’s Office (ICO) also said it was investigating.
An ICO spokesperson said: “People have the right to expect that organisations will handle their personal information securely and responsibly. If an individual has concerns about how their data has been handled, they should raise it with the organisation first, then report them to us if they are not satisfied with the response. West Lothian Council has made us aware of an incident and we are making enquiries.”