
Attack on Oakland City attributed to Play Ransomware

Oakland recently became the victim of a ransomware attack that disrupted the city's services and led the city to declare a state of emergency. Cyberattacks are a real-world problem with real-world consequences, and the recent attack on Oakland is a clear demonstration of that.

As shared on Twitter by security researcher Dominic Alvieri, the attack appears to have been the work of the Play ransomware gang.

The Play ransomware operation, also known as PlayCrypt, launched in June 2022. The malware appends the .play extension to the files it encrypts and drops a ransom note explaining how to contact the operators by email.

As one of the most populous cities in the San Francisco Bay Area, Oakland has a population of over 440,000 people. It is located on the east side of the county. There is a great deal of economic and trade activity happening in this city, which is also the regional commercial center. 

The city’s authorities informed the public that it had been targeted by a ransomware attack on February 10, 2023. It impacted all network systems except 911 dispatch, fire and emergency services, and city financial systems. 

On February 14, 2023, the City of Oakland declared a local state of emergency to expedite restoration of the impacted systems and bring all of its services back online as quickly as possible. All business tax obligations received a 45-day extension because the city could not accept online payments. Parking citation services were also impacted, as they could not take calls or payments.

By February 20, 2023, IT specialists helped restore access to public computers, scanning, printing, library services, and wireless internet connectivity throughout the city’s facilities. However, the city’s non-emergency phone services (OAK311) and business tax licenses remained unavailable, while the online permit center returned to partial service.

The latest update on the City of Oakland website came on February 28, 2023, two weeks after the ransomware attack. The service status remains mostly unchanged. 

Play Claims Responsibility for the Attack 

The Play ransomware gang has now claimed responsibility for the attack on Oakland, listing the city as a victim on its extortion site on March 1, 2023. This was first spotted by security researcher Dominic Alvieri.

Threat actors claim to have stolen documents containing private, confidential data, financial and government papers, identity documents, passports, personal employee data, and even information allegedly proving human rights violations. 

These documents were allegedly stolen during the intrusion into the City of Oakland's networks. They are now being used as leverage to pressure the city's administration into meeting the gang's demands and paying the ransom.

Play ransomware targets diverse sectors and regions, including economic, manufacturing, technology, real estate, transportation, education, healthcare, and government organizations, among many others.

Ransom demands vary with the size and importance of the victim organization. Some victims have paid thousands or even millions of dollars to recover their data, depending on the extent of the loss.

The threat actors gave Oakland 72 hours to respond to their extortion demand and have threatened to publish the documents described above by the end of tomorrow. None of the status updates on the City of Oakland's portal mentions data exfiltration, so, based on what the city has published so far, its authorities have not yet confirmed that any data was stolen.

Other victims of this ransomware operation include the Belgian city of Antwerp, H-Hotels, Rackspace, Arnold Clark, and A10 Networks.
