{
	"id": "0f5f103a-b3d3-4733-8d3f-7db32e2bb407",
	"created_at": "2026-04-06T01:29:21.873067Z",
	"updated_at": "2026-04-10T03:30:32.721185Z",
	"deleted_at": null,
	"sha1_hash": "3800c170620a6ecd21caa78398d38e6bb83bc184",
	"title": "California city investigating data theft after ransomware group’s claims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35170,
	"plain_text": "California city investigating data theft after ransomware group’s\r\nclaims\r\nBy Jonathan Greig\r\nPublished: 2023-08-10 · Archived: 2026-04-06 00:48:33 UTC\r\nThe California city of El Cerrito is investigating the potential theft of data after a ransomware group added the\r\ncity’s government to its list of victims on Wednesday.\r\nThe LockBit gang added 15 victims to its leak site on Wednesday including El Cerrito, which is home to more\r\nthan 25,000 residents and is about 10 minutes north of Oakland.\r\nIn a statement to Recorded Future News, assistant to the City Manager Will Provost said the city’s systems are\r\nfully operational and they are not locked out of any devices or data.\r\n“We are aware that cybercriminals have alleged to have taken data from certain City of El Cerrito systems and is\r\nthreatening to post the information to a website they maintain outside the confines of traditional internet,” Provost\r\nsaid.\r\n“We are working with third-party cybersecurity specialists and law enforcement on this issue and are actively\r\nmonitoring the unauthorized actor’s claims to investigate their validity. If we determine any sensitive information\r\nwas affected, we will notify those individuals in accordance with applicable laws.”\r\nThe LockBit ransomware gang was involved in the April ransomware attack on Oakland that caused significant\r\ndamage to the city’s operations for weeks. While the Play ransomware group initially claimed the attack, LockBit\r\nlater added the city to its leak site as well.\r\nTroves of sensitive city data about the police department, elected officials and more were leaked by both groups.\r\nThe state was forced to send in the National Guard to assist in the response.\r\nThe attack on El Cerrito would be one of several on California cities this year. Alongside the attack on Oakland,\r\nthe city of Modesto dealt with its own ransomware attack that was claimed by the Snatch ransomware group.\r\nThe city of Hayward was forced to declare a state of emergency last month after a ransomware attack encrypted\r\nalmost all of the city’s functions outside of essential services like police and healthcare.\r\nThe San Bernardino County Sheriff's Department and San Francisco’s Bay Area Rapid Transit system both dealt\r\nwith their own ransomware attacks in 2023. The state has also seen ransomware attacks on a major pro bono law\r\nfirm and, in recent days, a California-based company that controls 16 hospitals across the country.\r\nSource: https://therecord.media/california-city-el-cerrito-investigates-data-theft-lockbit\r\nhttps://therecord.media/california-city-el-cerrito-investigates-data-theft-lockbit\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/california-city-el-cerrito-investigates-data-theft-lockbit"
	],
	"report_names": [
		"california-city-el-cerrito-investigates-data-theft-lockbit"
	],
	"threat_actors": [
		{
			"id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5",
			"created_at": "2022-10-25T16:07:23.797925Z",
			"updated_at": "2026-04-10T02:00:04.752608Z",
			"deleted_at": null,
			"main_name": "LockBit Gang",
			"aliases": [
				"Bitwise Spider",
				"Operation Cronos"
			],
			"source_name": "ETDA:LockBit Gang",
			"tools": [
				"3AM",
				"ABCD Ransomware",
				"CrackMapExec",
				"EmPyre",
				"EmpireProject",
				"LockBit",
				"LockBit Black",
				"Mimikatz",
				"PowerShell Empire",
				"PsExec",
				"Syrphid"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438961,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3800c170620a6ecd21caa78398d38e6bb83bc184.pdf",
		"text": "https://archive.orkl.eu/3800c170620a6ecd21caa78398d38e6bb83bc184.txt",
		"img": "https://archive.orkl.eu/3800c170620a6ecd21caa78398d38e6bb83bc184.jpg"
	}
}