Hackers Behind Oakland Ransomware Attack Dump Data on City Employees

The Play ransomware group publishes links to a 10GB database containing confidential information on numerous city employees.

By Michael Kan
March 6, 2023
(Photo By Paul Chinn/The San Francisco Chronicle via Getty Images)

The ransomware attack on the city of Oakland has gone from bad to worse: The hackers behind the assault also stole files from the city, and have begun leaking them online. 

This past weekend, the Play ransomware gang began dumping the stolen files—which comprise 10GB of data—on the group’s site on the Dark Web. Play says the file dump includes “private and personal confidential data, financial information, IDs, passports, employee full info, human rights violation information.”

The gang is also warning it has more stolen data to dump, likely in an attempt to pressure the city to pay up to prevent more confidential information from leaking. “For now partially published compressed 10gb. If there no reaction full dump will be uploaded,” the Play gang wrote. 

The posting from the ransomware gang.

The San Francisco Chronicle downloaded the data and confirmed it contains the Social Security numbers, driver’s license numbers, birth dates, and home addresses of city employees—information that other cybercriminals could abuse to conduct identity theft schemes. In addition, the data dump contains records covering police misconduct allegations, scanned bank statements from the city’s accounts, and private information on current and past city mayors. (Oakland employs about 5,000 people.)

The city of Oakland didn’t immediately respond to a request for comment. But on Friday, the city said it was “aware” the hackers planned on dumping data allegedly stolen during the attack. 

“We are working with third-party specialists and law enforcement on this issue and are actively monitoring the unauthorized third party’s claims to investigate their validity. If we determine that any individual’s personal information is involved, we will notify those individuals in accordance with applicable law,” the city said in a statement posted on its website. 

The ransomware attack initially caused an outage last month across the city’s IT systems, including online services. According to the city’s website, Oakland is still working to restore its remaining systems. 

As for the Play ransomware gang, the group is relatively new, emerging on the scene last year. The Play gang now seems to have successfully attacked at least 30 companies and organizations across the globe, including cloud computing provider Rackspace.

According to security firm Avertium, Play has recently been exploiting "ProxyNotShell vulnerabilities in Microsoft Exchange" to infiltrate and run malicious computer code on IT systems. "The group also has similar tactics and techniques to the ransomware groups Hive and Nokoyawa, leading researchers to believe Play is operated by the same people," Avertium says.

About Michael Kan

Senior Reporter

I've been with PCMag since October 2017, covering a wide range of topics, including consumer electronics, cybersecurity, social media, networking, and gaming. Prior to working at PCMag, I was a foreign correspondent in Beijing for over five years, covering the tech scene in Asia.