Ransomware Group: INTERLOCK

VICTIM NAME: Box Elder County

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the INTERLOCK Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

Box Elder County, a public sector organization, is identified as the victim on the leak page attributed to the Interlock group. The post is dated August 13, 2025, and the page situates Box Elder County within the victim roster in what appears to be a ransomware leak publication. The content references a web-based file manager built with PHP, specifically noting Tiny File Manager, which suggests the page is framing or illustrating a tool associated with file management in the context of the incident. A body excerpt indicates an interface element that invites a user to “Search file in folder and subfolders,” implying the page includes a demonstration or description of file navigation capabilities rather than a straightforward encryption status. The page lists a single external link to a file labeled OWNERSHIP[.]csv hosted on a Tor onion service, and there are no screenshots or images present on the page. The metadata indicates downloadable content is available, but no image assets are shown in the excerpt.

The entry signals a data-leak style post common to extortion-focused campaigns, with the inclusion of a lone link to a CSV file named OWNERSHIP[.]csv on a Tor onion address, suggesting the attackers seek to publish or provide access to compromised data. There is no explicit ransom demand or encryption status described in the captured content, and the stated post date is used as the timeline reference since no separate compromise date is provided. The absence of images and the minimal media footprint imply a lean leak page that emphasizes textual content and a single data artifact rather than extensive media. The page centers on the victim’s identity and sector (public sector) while deferring further details about the attack’s scope in the available excerpt.