Ransomware Group’s War On Oakland Intensifies
Written by M.T. Agha
Nearly a month after the onset of a ransomware attack that prompted city officials to declare a local emergency, the city of Oakland is now dealing with the fallout from the hackers' release of several gigabytes of sensitive material, following weeks of threats.
Earlier today, the city posted an update regarding the ongoing cybercrime incident:
“We are aware that an unauthorized party has released some of the information acquired from our network. We take this very seriously and are doing an in-depth review with the assistance of a specialized third-party data mining firm. We are dedicated to a thorough analysis to determine what and whose information is potentially involved, which will take time to complete. We are also coordinating this effort with law enforcement, including the FBI.”
A ransomware attack occurs when an intruder encrypts a victim's files and demands a ransom in exchange for the key needed to decrypt them; until then the files are unusable. Many groups now also copy data out of the network before encrypting it and threaten to publish it, so that a victim who can restore from backups can still be extorted over the stolen data. This "double extortion" is the pattern playing out in Oakland.
The attack temporarily shut down most city services except for 911 emergency dispatch, fire emergency services, and the city’s financial systems.
The emergency order was issued on February 14 by interim city administrator G. Harold Duffey, almost a week after officials in Oakland became aware of the attack on February 8. The breach has since affected Oakland's phone and computer systems, leaving the city scrambling to recover its public services.
By February 20, IT specialists had restored library services, public computers, scanning, printing and wireless internet connectivity throughout Oakland's facilities. However, some city services remain down, including the non-emergency phone line (OAK311) and the business tax license service, while the online permit center has regained only limited functionality.
As a result of the breach, Oakland City Hall temporarily closed its doors, and all of the facility's computers were wiped before it reopened. In response to growing public unease, Oakland Mayor Sheng Thao assured residents that handling the breach is a priority for her: “My Administration takes this very seriously and has been working hard to restore systems and provide assistance to anyone impacted. Moving forward we will focus on strengthening the security of our information technology systems.”
The breach of Oakland's computer systems resulted in the theft of several years' worth of confidential files and sensitive data, including personal information that cybercriminals could use against city employees and others, exposing employees and residents to identity theft and financial fraud.
According to Kevin Powers, a Boston College law and business professor, the hackers intend to “release some personally identifiable information of those that they stole or else they’ll start releasing some compromising emails of city officials; really to extort them and put the pressure on to pay up in bitcoin that they’re requesting.” Powers added that the ordeal does not end there if the city of Oakland refuses to pay: “Now, what the criminals are doing is say[ing], ‘Oh yeah? Here’s what we’re gonna do. Here’s the information we have out there. So, if you don’t want to pay, we’re gonna put even more out there.’” Powers advised officials whose information has already been leaked to monitor their accounts for any suspicious activity, since that data is now exposed to criminal use whether or not Oakland agrees to pay the ransom.
So far, Oakland city officials have heeded the advice of law enforcement and cybersecurity experts and decided against paying the ransom.
While Oakland has not released further details about the attack, a ransomware gang known as PLAY has claimed responsibility for it. The group's leak site lists the stolen information it holds and may release, including personal and confidential data, city finances, government documents, city employee data, passports, and what the gang claims is evidence of human rights violations by the city.
PLAY's own description of the partial leak, as posted on its site, reads: “private and personal confidential data, financial information. IDs, passports, employee full info, human rights violation information. For now partially published compressed 10gb.”