Oakland suffers second ransomware attack in weeks at hands of LockBit

The California city is reeling from a second ransomware attack in a matter of weeks. It has until April to pay up, the hackers say.

By Claudia Glover

The city of Oakland in California has been posted to LockBit’s dark web victim blog following a ransomware attack last month that resulted in the leaking of information from its network. The gang has given Oakland’s city council until April 10 to start negotiations, otherwise more information from the city will be leaked.

Oakland has suffered two ransomware attacks in the space of a few weeks (photo by SnapASkyline/Shutterstock)

Though the city services website remains online, it is displaying a notice warning of a “network outage” that has affected “key services” such as the tax office and some non-emergency phone lines.

LockBit posted the city on its blog earlier today. “All available data will be published,” it says, alongside a brief history of the city. The deadline appears set at April 10.

Second Oakland ransomware attack in weeks

The alleged attack comes just weeks after Oakland’s city council revealed it suffered an attack in February at the hands of the Play ransomware gang.

“We are aware that an unauthorized party has released some of the information acquired from our network,” a council statement said.

“The findings to date indicate that an unauthorised actor accessed computer systems where certain individuals’ personal information was stored as part of their employment with the city,” the statement continued, describing the breach as a “ransomware incident”.

This information may have been used by LockBit to launch today’s attack. Cybercriminals often deploy stolen data as part of phishing attacks to convince victims to download hidden malware from what appears to be a trustworthy source.

It is also possible that both gangs carried out their attacks at the same time, says ransomware researcher Dominic Alvieri. “Play ransomware was the group that declared them first. Both groups may have attacked around the same timeframe. This is not unheard of and more prevalent lately,” he told Tech Monitor.

LockBit strikes again

LockBit is a Russian ransomware gang that has been active since 2019. Its current iteration, called LockBit 3.0 or LockBit Black, has been particularly aggressive, having hit over 850 companies in 2022 alone. US organisations have been most commonly targeted by the group over the last 12 months.

The FBI and CISA released a report last week explaining that the gang’s current malware is more modular and evasive than its previous versions and shares similarities with that used by two other ransomware gangs from Russia, Blackmatter and Blackcat.

Both US government organisations recommend that companies carry out several steps to secure themselves against LockBit 3.0. These include “storing passwords in hashed format using industry-recognized password managers” and “requiring administrator credentials to install software”.
