Play Ransomware Partially Leaks Stolen City of Oakland DataGroup Threatens Full Data Dump If Its Extortion Demands Are Not Met
Ransomware hackers attempting to extort the San Francisco Bay Area city of Oakland dumped 10 gigabytes of stolen information over the weekend and threatened that more dumps may come.
Oakland detected the ransomware attack during the night of Feb. 8. The attack did not affect emergency systems, including 911 dispatch or the city's financial systems, but it delayed responses to nonemergency matters. The California city declared a state of emergency and on Feb. 28 announced the restoration of some systems, including a telephone service for reporting flooding or sewer overflows.
A ransomware group named Play, after the
.play extension it adds to maliciously encrypted files, claimed responsibility for the attack last week by listing Oakland on its data leak site.
"If there no reaction full dump will be uploaded. Each of the archives can be used independently," the Play leak site states. Leaked data includes financial and personal identifiable information including IDs and passports, according to the post on the Play site.
The city acknowledged that certain files had been stolen from its network during the attack and is working with third-party cybersecurity specialists and law enforcement to investigate the incident. "If we determine that any individual's personal information is involved, we will notify those individuals in accordance with applicable law," an online update from the city says.
The San Francisco Chronicle reported that interim City Administrator G. Harold Duffey sent an email to city employees advising them to check their financial accounts for suspicious activity. Barry Donelan, president of the Oakland Police Officers' Association, told the newspaper he assumes the hackers nabbed personnel files for all city employees and that anyone affiliated with the city could be at risk.
The city hasn't specified which files were affected by the attack. It also hasn't stated how much Play is asking for in extortion.
Play ransomware, also known as PlayCrypt, first came to light in June 2022. TrendMicro has noted similarities with the Hive and Nokoyawa ransomware groups, suggesting "a high probability of affiliation between these ransomware families."
Among Play's high-profile victims are Argentina's Judiciary of Córdoba and the German hotel chain H-Hotels.
The group's primary focus is on organizations in Latin America, especially Brazil, but it has also carried out extortion attacks in India, Hungary, Spain and the Netherlands.
In January, cloud computing provider Rackspace fingered Play as responsible for a prolonged outage of its hosted Microsoft Exchange service (see: Rackspace Blames Zero-Day Exploit for Ransomware Hit Success). Cybersecurity firm CrowdStrike described the underlying flaw as being "a previously undisclosed exploit method for Exchange."