Compromiseseverity: High2023-02-08
City of Oakland ransomware attack claimed by Play
published by BleepingComputer
Actor
Closed-group ransomware operation (no public affiliate program) active since mid-2022, named for the '.play' extension appended to encrypted files. Heavy exploitation of FortiOS SSL-VPN flaws and Mic…
Summary
The City of Oakland, California disclosed a ransomware attack on 10 February 2023 that took most non-emergency municipal systems offline and prompted a local state of emergency. The Play group listed Oakland on its extortion site on 1 March 2023 and subsequently leaked data including employee personal information; the city later settled litigation covering more than 13,000 affected current and former employees.
Tags
municipaldata-extortionus
Primary source
bleepingcomputer.comOther Play events
- 2025-06-04CISA documents Play ESXi variant and per-victim recompilation
- 2023-12-18Joint CISA/FBI/ASD advisory AA23-352A on Play ransomware
- 2023-01-23A10 Networks breached by Play ransomware affiliates
- 2022-12-23Arnold Clark customer data stolen in Play ransomware attack
- 2022-12-02Rackspace Hosted Exchange outage caused by Play ransomware