Hackers Behind Oakland Ransomware Attack Dump Data On City Employees

The ransomware attack on the city of Oakland has gone from bad to worse: The hackers behind the assault also stole files from the city, and have begun leaking them online. 

This past weekend, the Play ransomware gang began dumping the stolen files, which span over 10GB of data, on the group’s site on the Dark Web. Play says the file dump includes “private and personal confidential data, financial information. IDs, passports, employee full info, human rights violation information.”

The gang is also warning it has more stolen data to dump, likely in an attempt to pressure the city to pay up to prevent more confidential information from leaking. “For now partially published compressed 10gb. If there no reaction full dump will be uploaded,” the Play gang wrote in their posting. 

The posting from the ransomware gang.



The San Francisco Chronicle downloaded the data, and confirmed it contains the social security numbers, drivers’ license numbers, birth dates and home addresses of city employees, information that other cybercriminals could abuse to conduct identity theft schemes. In addition, the data dump contains records covering police misconduct allegations, scanned bank statements from the city’s accounts, and private information on the current and past city mayors. (Oakland employs about 5,000 people.)

The city of Oakland didn’t immediately respond to a request for comment. But on Friday, the city said it was “aware” the hackers planned on dumping data allegedly stolen during the attack. 

“We are working with third-party specialists and law enforcement on this issue and are actively monitoring the unauthorized third party’s claims to investigate their validity. If we determine that any individual’s personal information is involved, we will notify those individuals in accordance with applicable law,” the city said in a statement posted on its website.

The ransomware attack initially caused an outage last month across the city’s IT systems, including online services. According to the city’s website, Oakland is still working to restore its remaining systems. 


As for the Play ransomware gang, the group is relatively new, emerging on the scene last year. The Play gang now seems to have successfully attacked at least 30 companies and organizations across the globe, including cloud computing provider Rackspace.

According to the security firm Avertium, Play has recently been exploiting “ProxyNotShell vulnerabilities in Microsoft Exchange” to infiltrate IT systems and run malicious computer code on them. “The group also has similar tactics and techniques to the ransomware groups Hive and Nokoyawa, leading researchers to believe Play is operated by the same people,” Avertium added.
