Oakland finds no evidence of second ransomware attack despite LockBit claims

The City of Oakland denied that it was hit with a second ransomware attack after it was added to the LockBit group’s leak site on Tuesday.

Oakland’s government has struggled for weeks to recover from a devastating ransomware attack that knocked out nearly all computers used by a variety of agencies. That attack was claimed by the Play ransomware group, which eventually leaked troves of documents two weeks ago after a ransom was not paid.

In a statement to The Record, a spokesperson for the city government said Oakland officials are aware that a second ransomware group is claiming to have stolen data.

“Our investigation with cybersecurity professionals and federal law enforcement remains ongoing,” the spokesperson said. “Based on the investigation so far, we have no indication there was additional unauthorized access of our systems. We will continue to provide updates as appropriate."

The posting by LockBit — one of the most prolific ransomware groups currently operating — confused cybersecurity experts, who listed a range of possibilities for why the group would claim to have data from the city.

Cybersecurity analyst Dominic Alvieri — who publicized the LockBit posting — told The Record that in the past some groups have sold access to stolen data once they feel they can’t earn any money from it.

LockBit updated the Oakland post with the city’s logo, no evidence at this time.@Oakland @FBI https://t.co/wh8X008Qhg pic.twitter.com/Pov86D7NIG

— Dominic Alvieri (@AlvieriD) March 21, 2023

Or, he said, it’s possible that the group went after the city around the same time as the Play ransomware group, as they have done in previous attacks involving other gangs within the last six months.

In one case in 2022, the groups Snatch, REvil and AvosLocker each posted Stratford University as a victim on their leak sites, according to Sergey Shykevich, threat intelligence group manager at Check Point Research.

Emsisoft ransomware expert Brett Callow said one explanation may be that the city did not properly remediate the issue that allowed Play ransomware group actors a way in.

He theorized that the affiliate — effectively a freelancer that launches attacks on behalf of ransomware groups — responsible for the initial attack may have used the same backdoor for a second time, this time encrypting with LockBit rather than Play.

“It wouldn’t be the first time something like this had happened. But this is only one of many possibilities – including that LockBit’s claim is completely bogus,” he said.

Allan Liska, a senior security architect at Recorded Future, said there have been cases where different ransomware groups have listed the same victim on extortion sites, causing confusion among those tracking attacks. The Record is an editorially independent publication owned by Recorded Future.

At times, the groups may be cooperating with each other, Liska said, but he echoed Callow’s assessment that it could be a single affiliate working for different groups.

Check Point Research Field Chief Information Security Officer Pete Nicoletti said that hackers from different groups take advantage of the typically long windows — more than six months on average — when a company is unaware that it has been breached.

“There is no honor or coordination between most criminal groups,” he told The Record.

“In fact, up to 4% of breaches involve 4 or more attackers. There are sophisticated attacks occurring every few seconds, so any previously exploited vulnerability, or new one that comes along is going to be found and exploited.”

The LockBit listing is yet another salvo in Oakland’s battle to restore its systems.

The city began sending out breach notification letters to thousands of employees and citizens on March 15, writing that names, addresses, driver’s license numbers, Social Security numbers and more were taken when the Play ransomware group attacked the city between February 6 and February 9.

Any person who worked for the city between July 2010 to January 2022 had their sensitive information stolen, and the city warned people to be wary of scams.

The Play group leaked extensive troves of sensitive data from several city agencies and significant amounts of data stolen from Oakland’s police department that ranged from lawsuit settlement agreements and misconduct allegations to information about ongoing litigation against the city, wire transfer records, bond sale information, and contracting data.

In addition to the stolen data, critical city services have been crippled since the attack began. It was only in the last week and a half that the city was able to restore its 311 phone line, online permit center and city contract systems. Platforms for paying parking tickets and business taxes are still being restored.

Despite assistance from federal agencies and California’s National Guard, Oakland Mayor Sheng Thao said on Tuesday that it may take another month for all services to return to normal.

This article was updated on March 22 at 12:10 p.m. with information from Sergey Shykevich, threat intelligence group manager at Check Point Research.