A Second Ransomware Crew Threatens to Publish City of Oakland Data

LockBit hackers have updated their data leak blog with an entry naming the City of Oakland as their latest victim, following similar claims from the Play ransomware gang.

The City of Oakland has been struggling to restore its IT systems for over a month now in the aftermath of a cyber-intrusion originally claimed by the Play ransomware crew.

Now, the infamous LockBit gang have updated their own name-and-shame blog to claim a stake in the data breach of Oakland’s systems.

A screenshot published by Bleeping Computer claims to showLockBit’s site threatening to publish “all available data” on oaklandca.gov. Unlike Play operators, who’ve leaked a 10 GB multi-part RAR archive said to contain troves of sensitive data, LockBit crew members seem to have nothing to show off.

Deadline April 10

The LockBit crew is threatening to leak their own pillage on April 10, although it’s not clear if they have made any demands of the City of Oakland.

Municipal officials have acknowledged that a second hacking crew has claimed responsibility for the breach, but they’re not entirely convinced those claims are true.

“We are aware that another unauthorized actor claims to have access to data removed from the City of Oakland’s systems,” reads the latest update to the City’s ongoing response to the incident.

“Our investigation with cybersecurity professionals and federal law enforcement remains ongoing,” the notice adds. “Based on our investigation so far, we have no indication there was additional unauthorized access of our systems. We will continue to provide updates as appropriate.”

In a press conference Monday, Oakland Mayor Sheng Thao said it could take  “up to one month” until city systems are fully operational again.

LockBit’s claims under question

This wouldn’t be the first time LockBit hackers lied about their activity. Last year in June, the gang falsely claimed responsibility for breaching cybersecurity vendor Mandiant in what seems to be nothing more than a publicity stunt.

And despite seeking to appease the public by stating that it avoids hitting the healthcare sector, LockBit affiliates have been observed breaching hospitals and healthcare centers as well. Following one such incident, LockBit bigwigs last year took a sympathetic approach and started offering free decryption keys to a distraught children’s hospital in Canada after one of the gang’s affiliates violated the hackers’ code of ethics.

The FBI this year released a security advisory analyzing LockBit’s ransomware operation as part of the #StopRansomware campaign. The documentation includes tactics, techniques and procedures (TTPs), indicators of compromise (IOCs), details of the ransomware’s capabilities, mitigation steps for IT administrators, and tips on sharing valuable information with the authorities.