LockBit ransomware gang now also claims City of Oakland breach

City of Oakland

Another ransomware operation, the LockBit gang, now threatens to leak what it describes as files stolen from the City of Oakland’s systems.

However, the gang has yet to publish any proof that they’ve stolen any files from the West Coast port city’s network.

On the new entry added to the LockBit dark web data leak website, they’re only warning that all the data they have will be published in 19 days, on April 10.

LockBit has previously made claims that have proven to be false on at least one occasion.

In June 2022, the ransomware group said it hacked Mandiant’s systems and stole hundreds of thousands of files, which proved to be a publicity stunt after publishing a statement saying it had no ties with the Evil Corp cybercrime gang instead of leaking any stolen data.

The City of Oakland is yet to issue a statement regarding the claims made by the LockBit ransomware gang.

City of Oakland LockBit data leak warningCity of Oakland data leak warning (BleepingComputer)

This is the second ransomware gang claiming to have stolen data from the City of Oakland after Play ransomware took responsibility in early March for a mid-February cyberattack.

The Play gang later began leaking what it claimed to be the City of Oakland’s stolen data as 10GB multi-part RAR archives containing confidential documents, employee information, passports, and IDs.

​Employees’ personal information leaked online

The City issued a statement the day after the attack was claimed by the Play ransomware gang, confirming an investigation into what was leaked online and began sending data breach notification letters to affected individuals on March 15.

“On February 8, 2023, the City of Oakland experienced a cybersecurity incident involving malware, which encrypted some of our systems,” the City of Oakland said in the letters sent to affected employees.

“Through the investigation, the City determined that between February 6, 2023 and February 9, 2023, an unauthorized actor accessed and/or took certain files stored on City computer servers.”

Impacted employees were told that some of their personal information was stolen from the City’s compromised systems, including names, addresses, driver’s license numbers, and Social Security numbers.

The City of Oakland also declared a local state of emergency on the same day because of the impact of the ransomware attack that forced it to take all its IT systems offline on February 8 until the network was secured.

While this ransomware attack did not impact the City’s 911 and emergency services, other systems had to be taken offline, including phone service and systems used to process reports, collect payments, and issue permits and licenses.

City systems will likely be online next month

A page on the City’s official website tracking the latest developments and efforts to restore services after the February ransomware attack was last updated almost two weeks ago, on March 8.

In a press conference on Monday, Oakland Mayor Sheng Thao said the City is still working on restoring affected systems and that the FBI is also helping with the ongoing investigation into the incident.

When asked when all the City’s systems would be online again, Thao said, “we are optimistic we can get there in the next few weeks, or maybe the next month.”

The City of Oakland wouldn’t be the first ransomware victim breached multiple times within days or weeks.

As Sophos X-Ops incident responders revealed in an August 2022 report, an automotive supplier had its systems encrypted by three different ransomware gangs within two weeks, two of the attacks happening within just two hours.

Update March 22, 12:30 EDT: The City of Oakland says it’s investigating LockBit’s claims in a statement issued on Tuesday.

We are aware that another unauthorized actor claims to have access to data removed from the City of Oakland’s systems. Our investigation with cybersecurity professionals and federal law enforcement remains ongoing. Based on our investigation so far, we have no indication there was additional unauthorized access of our systems. We will continue to provide updates as appropriate.


Related posts

Mozilla Firefox gets built-in Firefox Relay controls

Sarah Henriquez

Massive cryptomining campaign abuses free-tier cloud dev resources

Sarah Henriquez

CircleCI warns of security breach — rotate your secrets!

Sarah Henriquez

Leave a Comment