
Ransomware struggles continue for City of Oakland
The California city of Oakland was struck with a ransomware attack in early February. The city declared a state of emergency and notified the public that emergency services were operating but many systems were temporarily offline. While the mitigation efforts and the forensic investigation were underway, the Play ransomware gang threatened to publish the data stolen from the city. That data was said to include the personal information of city employees who were on the payroll between July 2010 and January 2022. Small business owners and other members of the public with data in the city network have also been affected.
The data breach
On March 4, the gang released a 10GB set of data they described as “Private and personal confidential data, financial information. IDs, passports, employee full info, human rights violation information. For now partially published compressed 10gb.” A screenshot of the announcement is available here. The “leaktivist collective” DDoSecrets (ddosecrets dot com) has confirmed some of the contents may be damaging to the city:

The city sent data breach notification letters to affected individuals on March 15.
The LockBit ransomware gang also claims to have stolen data from Oakland and is threatening to publish the lot on April 10. City officials report there is no evidence of a second attack, and LockBit has not published evidence that it has any of the city’s data. LockBit is also known to make false claims as publicity stunts to promote its ransomware-as-a-service operation.
Although there’s no evidence that this happened in Oakland, it is possible for ransomware attack victims to suffer from multiple attacks at the same time. Many high-profile targets are under continuous, automated attacks by multiple groups. When one threat actor finds a way into the network, another could be right behind. This is especially true when the attacker is an affiliate of more than one group.

The victims
Although thousands of city workers and small business owners may have had their sensitive data exposed, the city labor unions seem to be making the most noise. The Oakland Police Officers’ Association (OPOA) issued a press release accusing the city of ‘ignoring’ and ‘stonewalling’ employees about the fallout from the attack. OPOA President Barry Donelan reports that some OPOA members have already been victims of identity theft since the breach. Donelan has also told local news that some police systems are still offline, leaving some officers unable to file reports properly.
The Oakland Firefighters Local 55 (IAFF 55) has also been vocal with concerns for its members. President Zac Unger mentioned that in addition to worries about the data breach, some members were left without pay for almost two weeks. He also emphasized that the firefighters union had warned the city “for years” that they were vulnerable to an attack.
A spokesperson for the city responded to a press inquiry regarding the lack of transparency. The letter emphasizes that transparency must be balanced with the need to protect the integrity of the investigation and the security of the city’s systems. The city is still working with the FBI and officials say they cannot release all the information they have. Meanwhile, the labor unions have said they are considering legal action against the city.
Key takeaways
With ransomware and data breaches, there are always some common takeaways:
- Protect your credentials and defend yourself against phishing attacks
- Protect your applications with secure code and application security
- Back up your data in a safe system engineered to escape ransomware attacks
Although Oakland's cyberattack story is not yet complete, it offers some important lessons for other potential victims:
- Overcommunicate. Just like a natural disaster, a cybersecurity event that impacts the public must be over-communicated to the public. Oakland has been providing updates, but delivering a message isn’t enough when people are concerned about their bank accounts. Overcommunication in a time of crisis reinforces the key messages from leadership. It doesn’t have to include sensitive information, but the communication should be proactive, frequent, and demonstrate that leadership is genuine in its efforts to solve the problem.
- Be mindful of distractions and multiple attacks. As we mentioned in the KillNet post, one attack can be a distraction for another. While IT teams are busy responding to one incident, they might not notice a separate attack taking place in another system. Multiple attacks may be carried out by one group, or multiple groups could take advantage of a compromised system.
- Act on early warnings. A city audit in 2021 noted the poor conditions of Oakland’s IT infrastructure. The audit specifically warns, “the city is exposed to threats from ransomware attacks, cyberattacks, and other threats.” The audit also mentions staffing and resource constraints. Oakland also had technical problems in December 2021 that ‘brought the city’s systems to a standstill.’

Barracuda can help
State and local governments are favorite targets for ransomware gangs because their security posture is often defined by budgets that shrink and expand based on public opinion. These entities might not prioritize cybersecurity over other needs, but they may be willing to pay a ransom if critical services are taken hostage by ransomware. This is considered 'the sweet spot' for cybercrime gangs.
Ransomware is a national security issue. The United States has been getting more aggressive in fighting these gangs at the federal level and has allocated $1 billion in cybersecurity grant funds for local governments. We encourage eligible entities to prepare a cybersecurity strategy and apply for these funds when ready. Barracuda defends against ransomware attacks with comprehensive security solutions and hardened data protection. Visit our website for more information on how we can help.