Play Ransomware Partially Leaks Stolen City of Oakland Data

Group Threatens Full Data Dump If Its Extortion Demands Are Not Met
Downtown Oakland, with San Francisco across the bay (Image: Daniel Parks/CC BY-NC 2.0)

Ransomware hackers attempting to extort the San Francisco Bay Area city of Oakland dumped 10 gigabytes of stolen information over the weekend and threatened that more dumps may come.

Oakland detected the ransomware attack during the night of Feb. 8. The attack did not affect emergency systems, including 911 dispatch or the city's financial systems, but it delayed responses to nonemergency matters. The California city declared a state of emergency and on Feb. 28 announced the restoration of some systems, including a telephone service for reporting flooding or sewer overflows.

A ransomware group named Play, after the .play extension it adds to maliciously encrypted files, claimed responsibility for the attack last week by listing Oakland on its data leak site.

"If there no reaction full dump will be uploaded. Each of the archives can be used independently," the Play leak site states. According to the post on the Play site, the leaked data includes financial records and personally identifiable information, including IDs and passports.

The city acknowledged that certain files had been stolen from its network during the attack and is working with third-party cybersecurity specialists and law enforcement to investigate the incident. "If we determine that any individual's personal information is involved, we will notify those individuals in accordance with applicable law," an online update from the city says.

The San Francisco Chronicle reported that interim City Administrator G. Harold Duffey sent an email to city employees advising them to check their financial accounts for suspicious activity. Barry Donelan, president of the Oakland Police Officers' Association, told the newspaper he assumes the hackers nabbed personnel files for all city employees and that anyone affiliated with the city could be at risk.

The city hasn't specified which files were affected by the attack. It also hasn't stated how much Play is asking for in extortion.

Play ransomware, also known as PlayCrypt, first came to light in June 2022. Trend Micro has noted similarities with the Hive and Nokoyawa ransomware groups, suggesting "a high probability of affiliation between these ransomware families."

Among Play's high-profile victims are Argentina's Judiciary of Córdoba and the German hotel chain H-Hotels.

The group's primary focus is on organizations in Latin America, especially Brazil, but it has also carried out extortion attacks in India, Hungary, Spain and the Netherlands.

In January, cloud computing provider Rackspace fingered Play as responsible for a prolonged outage of its hosted Microsoft Exchange service (see: Rackspace Blames Zero-Day Exploit for Ransomware Hit Success). Cybersecurity firm CrowdStrike described the underlying flaw as being "a previously undisclosed exploit method for Exchange."

About the Author

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.