The **City of Oakland** is one of the named victims of the **Play ransomware group**, a threat actor that runs a **double extortion model**: data is stolen, systems are encrypted, and the stolen data is threatened with publication if the ransom (demanded in cryptocurrency) is not paid. Based on the group's documented tradecraft, initial access most likely came through **stolen credentials** or **exploitation of external-facing services (RDP, VPNs, FortiOS, Microsoft Exchange, or the SimpleHelp flaw CVE-2024-57727)**. Once inside, Play operators use **AdFind and Grixba** for Active Directory and host reconnaissance, **Mimikatz** to harvest credentials and escalate privileges, **Cobalt Strike** for command and control and lateral movement, and PowerShell scripts to disable security software such as **Microsoft Defender**. The group also fields an **ESXi variant** that **shuts down virtual machines before encrypting their files, using a unique key per file**, which is especially disruptive for virtualised municipal workloads. Because the city depends on digital infrastructure for **public services, emergency response, and administrative functions**, an attack of this kind implies **operational outages, recovery costs, and possible exposure of sensitive resident or employee data**, and Play's practice of **exfiltrating data and threatening to leak it** adds reputational and legal risk. Recovery involves **rebuilding encrypted systems, forensic investigation, and a decision on whether to negotiate**, with longer-term effects on trust in municipal cybersecurity.
TPRM report: https://www.rankiteo.com/company/oakland
"id": "oak825090225",
"linkid": "oakland",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'public administration',
                        'location': 'Oakland, California, USA',
                        'name': 'City of Oakland',
                        'type': 'government'},
                       {'industry': 'cloud services',
                        'location': 'USA',
                        'name': 'Rackspace',
                        'type': 'private'},
                       {'industry': 'maritime logistics',
                        'location': 'Netherlands',
                        'name': 'Royal Dirkzwager',
                        'type': 'private'}],
 'attack_vector': ['stolen credentials',
                   'exploitation of known vulnerabilities (FortiOS, Microsoft Exchange, CVE-2024-57727 in SimpleHelp)',
                   'external-facing services (RDP, VPNs)',
                   'phishing (implied via credential theft)'],
 'data_breach': {'data_encryption': True, 'data_exfiltration': True},
 'date_detected': '2022-06-01',
 'date_publicly_disclosed': '2025-06-06',
 'description': 'A joint advisory from the US and Australian authorities (FBI, CISA, and ASD’s ACSC) reports that the Play ransomware group has compromised approximately 900 organizations over the past three years (since June 2022). The group employs a double extortion model, stealing data and encrypting systems, then threatening to publish the data if ransom demands (paid in cryptocurrency) are not met. Initial access is gained via stolen credentials or exploits in FortiOS, Microsoft Exchange, RDP, VPNs, and a newly disclosed SimpleHelp vulnerability (CVE-2024-57727). Tools like AdFind, Grixba, Cobalt Strike, and Mimikatz are used for reconnaissance, lateral movement, and privilege escalation. The group also deploys an ESXi variant that shuts down VMs before encryption. Notable victims include the City of Oakland, Rackspace, and Royal Dirkzwager.',
 'impact': {'brand_reputation_impact': True,
            'data_compromised': True,
            'downtime': True,
            'operational_impact': True,
            'systems_affected': True},
 'initial_access_broker': {'entry_point': ['stolen credentials',
                                           'exploited vulnerabilities (FortiOS, Microsoft Exchange, SimpleHelp)',
                                           'RDP/VPN']},
 'investigation_status': 'ongoing (as of June 2025)',
 'motivation': ['financial gain', 'data theft for extortion'],
 'post_incident_analysis': {'root_causes': ['poor credential hygiene',
                                            'unpatched vulnerabilities (FortiOS, Microsoft Exchange, SimpleHelp)',
                                            'insecure RDP/VPN configurations',
                                            'lack of detection for recompiled ransomware binaries']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransom_demanded': True,
                'ransomware_strain': 'Play (including Windows and ESXi variants)'},
 'references': [{'date_accessed': '2025-06-06', 'source': 'SecurityAffairs'},
                {'date_accessed': '2025-05-01', 'source': 'Joint Advisory by FBI, CISA, and ACSC'}],
 'regulatory_compliance': {'regulatory_notifications': ['FBI', 'CISA', 'ACSC (joint advisory)']},
 'response': {'communication_strategy': ['joint advisory by FBI/CISA/ACSC',
                                         'public disclosure of IOCs and TTPs'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True},
 'stakeholder_advisories': ['FBI', 'CISA', 'ACSC'],
 'threat_actor': 'Play Ransomware Group',
 'title': 'Play Ransomware Group Targets 900 Organizations Since 2022',
 'type': ['ransomware', 'data breach', 'double extortion'],
 'vulnerability_exploited': ['FortiOS (unspecified CVEs)',
                             'Microsoft Exchange (unspecified CVEs)',
                             'CVE-2024-57727 (SimpleHelp remote code execution)',
                             'external-facing RDP/VPN misconfigurations']}