Play Ransomware Gang Claims Responsibility For Pwning The City Of Oakland

In a Tweet last night, security researcher Dominic Alvieri posted a copy of the Play ransomware gang’s dark web posting threatening to publish the City Of Oakland’s data of 3/4/23, which is today. The posting was listed as of March 1st. So they got just three days’ notice to pay the ransom.

The city of Oakland first experienced the ransom attack in on Feb 14th and according to their latest status report on February 28th, city services remain primarily unchanged.

The gang claims to have stolen documents contain private data including financial and government papers, identity documents, passports, employee data and information regarding human rights violations. They’re attempting to use this data to get the administration to meet their demands and pay the ransom.

Ted Miracco, CEO of Approov Mobile Security had this to say:

The recent ransomware attack on the city of Oakland is a concerning issue, and we expect to see more attacks like this on Government offices, as they are quite vulnerable. The potential implications of giving in to these demands could encourage more cyberattacks on other cities and organizations, as hackers may see it as a profitable way to extort money. The fact that the gang claims to have access to sensitive information such as financial and government papers, identity documents, passports, and employee data is alarming.  However, the city of Oakland and other organizations must prioritize the security of their computer systems and data to prevent future attacks. Hopefully, the authorities can track down and bring the hackers to justice while also ensuring the safety of the stolen data.

David Mitchell, Chief Technical Officer of HYAS followed up with this comment:

   “This ransomware group likes to start by using remote code execution (RCE) attacks on Exchange servers to gain access and then deploy their ransomware. If that was the case with Oakland, not only do they need a protective DNS solution to prevent the outbound communications from the malware but they may have failed to update vulnerable software on internet facing systems, making this even easier than using email as the initial infection vector. If this was an RCE on Exchange, a protective DNS solution would have quickly identified and blocked the malicious DNS transactions and contained the problem to the initial infection vector.”

Morten Gammelgaard, EMEA, co-founder of BullWall had this comment:  

   “The ransom attack on the City of Oakland not only disrupted city services, but as is always the case in such events, the attackers have obtained private data, including financial and government papers, identity documents, passports, employee data, and information regarding human rights violations. Data breaches and identity theft resulting from such attacks cause significant harm to individuals and organizations alike. In this case, the attackers are using the stolen data as leverage to demand a ransom payment from the city, which could result in further financial loss and reputational damage.

   “In addition to the city services being out for a week prior to IT restoring access, the potential long-term impact of the attack on the city’s infrastructure and security cannot be ignored. For some companies, a week of downtime would be significant loss of revenue or worse yet, imagine if that was a hospital that was down for 6 days!

   “This incident underscores the importance of implementing robust cybersecurity defenses, including response and containment measures to safeguard against such attacks, as there is no end in sight to these sorts of attacks.”

I for one will be interested to see if this gang gets anything out of this, and if they follow through with their threat to release the data. Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages ransomware gangs to target more victims and offers an incentive for others to get involved in this type of illegal activity. So this will be interesting to watch.

UPDATE: Darren Williams, CEO and Founder, BlackFog added this comment:

     “As cyber adversaries continue to focus on making the biggest impact by affecting the most people, it’s unsurprising that the public sector and government remains a compelling target. In 2022 for example, our State of Ransomware report observed a 17% increase in reported governmental cyber-attacks.

City councils and governments need to re-prioritize their cybersecurity as clearly, this isn’t an issue that will just go away. The effect of the attack on the City of Oakland last month appears to only now be setting in, as the stolen personal data of city workers have begun to be leaked by the attackers. 

Moreover, hackers often favor weekends and holidays to launch attacks, when the majority of employees are out of office, so newer technologies that focus on automated prevention 24/7 must be added to the security stack.”

Leave a Reply

%d bloggers like this: