Ransomware group Interlock has claimed responsibility for a cyberattack on West Lothian Council, adding the Scottish local authority to its data leak site earlier today.
The gang alleges it exfiltrated a staggering 2.63 terabytes of data, comprising more than 3.3 million files and over half a million folders. A sample of the stolen data (known as a proof pack) reportedly includes images of passports, driver’s licenses, and a range of other sensitive documents.
The council had previously confirmed it fell victim to a ransomware attack on 6 May, with local schools bearing the brunt of the disruption. In a public update issued on 12 May, West Lothian Council stated that its education network had been isolated to prevent further spread.
“The education network has been isolated from the rest of the council’s networks, with no evidence that the council’s corporate and public access networks have been affected. There has been a significant amount of work undertaken by staff to ensure that disruption to education, including SQA exams, was minimal,” the council confirmed in a statement.
The council added that: “Work is ongoing with external organisations and agencies continuing to investigate the full impact of the attack and restore systems. While good progress is being made, it is not possible to say when the education network will be restored at this time.
No additional updates have been released since, and the council has yet to confirm Interlock’s claims or clarify whether a ransom has been demanded or paid. Comparitech has reached out to the council for further details, including the potential number of individuals impacted by the breach.
Who is Interlock?
Interlock is a relatively new but increasingly active ransomware gang, rearing its ugly head for the first time in October 2024. Like most modern ransomware operators, the group uses a double extortion model (demanding payment not only to decrypt compromised systems but also to delete exfiltrated data).
Since its emergence, Interlock has been linked to at least 16 confirmed ransomware attacks, with an additional 17 suspected cases not yet verified by the targeted organizations.
Rebecca Moody, Head of Data Research at Comparitech, comments: “Interlock first began adding victims to its data leak site in October 2024. As with most ransomware gangs today, it seeks a ransom payment for the decryption of systems and the deletion of stolen data. Since October 2024, we’ve tracked 16 confirmed attacks via this group and a further 17 unconfirmed attacks that haven’t been acknowledged by the organizations in question.”
Interlock has shown a particular focus on government and educational institutions. Confirmed victims include:
- Texas Tech University Health Sciences Center, US – Attacked in September 2024, with nearly 1.5 million records compromised
- Wayne County, US – Hit in October 2024
- Winnebago Public Schools, US – Also targeted in October 2024
- City of Noblesville, US – Attacked in October 2024, affecting 1,841 records
- Aztec Municipal School District, US – Breached in February 2025, forcing school closures for nearly a week
- Cherokee County School District, US – Suffered a ransomware incident in March 2025
Public Sector in the Crosshairs
Ransomware attacks on government bodies continue to rise globally. In 2025 alone, 60 confirmed attacks on government entities have been recorded, with an additional 94 under investigation.
The attack on West Lothian Council marks the second confirmed ransomware incident targeting a UK government entity this year. The first occurred in January, when Gateshead Council was hit by the Medusa ransomware group, which demanded a $600,000 ransom.
Elsewhere in Europe, the City of Pisa, Italy, was recently targeted in an attack attributed to ransomware gang Nova (formerly RALord), which claims to have stolen 2 TB of data.
Across the UK, there have been 13 confirmed ransomware incidents this year, impacting both public and private sectors. These include high-profile attacks on Marks & Spencer, Harrods, and The Co-op, as well as a recently revealed breach at logistics firm Peter Green Chilled. Authorities are also monitoring 92 unconfirmed incidents in the UK, including five involving education providers and two targeting government bodies.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.