Ransomware group threatens to post files stolen from Oakland, Calif.

As Oakland, California, recovers from a February ransomware attack, malicious actors claiming responsibility have threatened to post stolen city data.
Oakland, CA
A neighborhood in Oakland, California (Getty Images)

A ransomware group that claimed responsibility for an incident last month that upended government operations in Oakland, California, now says it intends to publish data stolen from city as soon as Saturday, according to a notice published on an extortion site this week.

The group, known as Play, announced its intentions Thursday, claiming that data stolen from the municipal network includes “private and personal confidential data, financial, gov, etc. IDs, passports, employee full info, human rights violation information,” according to a screenshot of the group’s leak site.

Oakland officials first observed a network disruption Feb. 8, shutting down numerous internal and external computer systems, causing many city bureaus to suspend services, including applications related to public information, collecting payments, issuing permits and processing reports. The incident is under investigation by state and federal law enforcement agencies, and the city has also brought in private investigative and recovery firms.

Several functions that had been knocked offline by the ransomware incident, including Oakland’s 311 line, permit applications and contracting opportunities, were brought back this week, but several others remain down, including online business tax filings, parking ticket payments and online permit payments. City officials’ latest update Friday also acknowledged the new threat to leak city data.


“While the investigation into the scope of the incident impacting the City of Oakland remains ongoing, we recently became aware that an unauthorized third party has acquired certain files from our network and intends to release the information publicly,” the city’s update reads. “If we determine that any individual’s personal information is involved, we will notify those individuals in accordance with applicable law.”

About 435,000 people reside in the Bay Area city, which declared a state of emergency Feb. 16 over the ransomware incident.

The Play group, which made public its involvement in the Oakland incident Thursday, emerged last June, leaving its victims with simple, one-word ransom notes bearing its name.

According to an analysis from the IT security firm Trend Micro, Play affiliates behave similarly to malicious actors who had been involved with Hive, a ransomware ring the FBI brought down in January. Like Hive, Play has been known to exploit a vulnerability in VPN services sold by Fortinet.

Ransomware actors’ publication of data stolen from victims has been getting more brazen. Last fall, cybercriminal associated with the Vice Society malware posted roughly 500 gigabytes of information stolen from the Los Angeles Unified School District, a trove that has since been revealed to have included employee files, tax forms and students’ mental health records.


The Play ransomware group’s threat about posting Oakland’s files does not specify how much data it plans to release.

Latest Podcasts