{ "id": "b7f062eb-1047-4f43-b7c9-736ae2968329", "created_at": "2026-04-06T00:11:35.438528Z", "updated_at": "2026-04-10T03:33:15.533919Z", "deleted_at": null, "sha1_hash": "d2bbdefdb1f9a24af8436e363d711adb6df81a94", "title": "LockBit ransomware gang now also claims City of Oakland breach", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1868731, "plain_text": "LockBit ransomware gang now also claims City of Oakland breach\r\nBy Sergiu Gatlan\r\nPublished: 2023-03-21 · Archived: 2026-04-05 21:52:27 UTC\r\nAnother ransomware operation, the LockBit gang, now threatens to leak what it describes as files stolen from the City of\r\nOakland's systems.\r\nHowever, the gang has yet to publish any proof that they've stolen any files from the West Coast port city's network.\r\nOn the new entry added to the LockBit dark web data leak website, they're only warning that all the data they have will be\r\npublished in 19 days, on April 10.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-now-also-claims-city-of-oakland-breach/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-now-also-claims-city-of-oakland-breach/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nLockBit has previously made claims that have proven to be false on at least one occasion.\r\nIn June 2022, the ransomware group said it hacked Mandiant's systems and stole hundreds of thousands of files, which\r\nproved to be a publicity stunt after publishing a statement saying it had no ties with the Evil Corp cybercrime gang instead\r\nof leaking any stolen data.\r\nThe City of Oakland is yet to issue a statement regarding the claims made by the LockBit ransomware gang.\r\nCity of Oakland data leak warning (BleepingComputer)\r\nThis is the second ransomware gang claiming to have stolen data from the City of Oakland after Play ransomware took\r\nresponsibility in early March for a mid-February cyberattack.\r\nThe Play gang later began leaking what it claimed to be the City of Oakland's stolen data as 10GB multi-part RAR archives\r\ncontaining confidential documents, employee information, passports, and IDs.\r\nEmployees' personal information leaked online\r\nThe City issued a statement the day after the attack was claimed by the Play ransomware gang, confirming an investigation\r\ninto what was leaked online and began sending data breach notification letters to affected individuals on March 15.\r\n\"On February 8, 2023, the City of Oakland experienced a cybersecurity incident involving malware, which encrypted some\r\nof our systems,\" the City of Oakland said in the letters sent to affected employees.\r\n\"Through the investigation, the City determined that between February 6, 2023 and February 9, 2023, an unauthorized actor\r\naccessed and/or took certain files stored on City computer servers.\"\r\nImpacted employees were told that some of their personal information was stolen from the City's compromised systems,\r\nincluding names, addresses, driver's license numbers, and Social Security numbers.\r\nThe City of Oakland also declared a local state of emergency on the same day because of the impact of the ransomware\r\nattack that forced it to take all its IT systems offline on February 8 until the network was secured.\r\nWhile this ransomware attack did not impact the City's 911 and emergency services, other systems had to be taken offline,\r\nincluding phone service and systems used to process reports, collect payments, and issue permits and licenses.\r\nCity systems will likely be online next month\r\nA page on the City's official website tracking the latest developments and efforts to restore services after the February\r\nransomware attack was last updated almost two weeks ago, on March 8.\r\nIn a press conference on Monday, Oakland Mayor Sheng Thao said the City is still working on restoring affected systems\r\nand that the FBI is also helping with the ongoing investigation into the incident.\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-now-also-claims-city-of-oakland-breach/\r\nPage 3 of 4\n\nWhen asked when all the City's systems would be online again, Thao said, \"we are optimistic we can get there in the next\r\nfew weeks, or maybe the next month.\"\r\nThe City of Oakland wouldn't be the first ransomware victim breached multiple times within days or weeks.\r\nAs Sophos X-Ops incident responders revealed in an August 2022 report, an automotive supplier had its systems encrypted\r\nby three different ransomware gangs within two weeks, two of the attacks happening within just two hours.\r\nUpdate March 22, 12:30 EDT: The City of Oakland says it's investigating LockBit's claims in a statement issued on\r\nTuesday.\r\nWe are aware that another unauthorized actor claims to have access to data removed from the City of Oakland’s\r\nsystems. Our investigation with cybersecurity professionals and federal law enforcement remains ongoing. Based\r\non our investigation so far, we have no indication there was additional unauthorized access of our systems. We\r\nwill continue to provide updates as appropriate.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-now-also-claims-city-of-oakland-breach/\r\nhttps://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-now-also-claims-city-of-oakland-breach/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-now-also-claims-city-of-oakland-breach/" ], "report_names": [ "lockbit-ransomware-gang-now-also-claims-city-of-oakland-breach" ], "threat_actors": [ { "id": "50068c14-343c-4491-b568-df41dd59551c", "created_at": "2022-10-25T15:50:23.253218Z", "updated_at": "2026-04-10T02:00:05.234464Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Indrik Spider", "Evil Corp", "Manatee Tempest", "DEV-0243", "UNC2165" ], "source_name": "MITRE:Indrik Spider", "tools": [ "Mimikatz", "PsExec", "Dridex", "WastedLocker", "BitPaymer", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "0fc739cf-0b82-48bf-9f7d-398a200b59b5", "created_at": "2022-10-25T16:07:23.797925Z", "updated_at": "2026-04-10T02:00:04.752608Z", "deleted_at": null, "main_name": "LockBit Gang", "aliases": [ "Bitwise Spider", "Operation Cronos" ], "source_name": "ETDA:LockBit Gang", "tools": [ "3AM", "ABCD Ransomware", "CrackMapExec", "EmPyre", "EmpireProject", "LockBit", "LockBit Black", "Mimikatz", "PowerShell Empire", "PsExec", "Syrphid" ], "source_id": "ETDA", "reports": null }, { "id": "b296f34c-c424-41da-98bf-90312a5df8ef", "created_at": "2024-06-19T02:03:08.027585Z", "updated_at": "2026-04-10T02:00:03.621193Z", "deleted_at": null, "main_name": "GOLD DRAKE", "aliases": [ "Evil Corp", "Indrik Spider ", "Manatee Tempest " ], "source_name": "Secureworks:GOLD DRAKE", "tools": [ "BitPaymer", "Cobalt Strike", "Covenant", "Donut", "Dridex", "Hades", "Koadic", "LockBit", "Macaw Locker", "Mimikatz", "Payload.Bin", "Phoenix CryptoLocker", "PowerShell Empire", "PowerSploit", "SocGholish", "WastedLocker" ], "source_id": "Secureworks", "reports": null }, { "id": "75108fc1-7f6a-450e-b024-10284f3f62bb", "created_at": "2024-11-01T02:00:52.756877Z", "updated_at": "2026-04-10T02:00:05.273746Z", "deleted_at": null, "main_name": "Play", "aliases": null, "source_name": "MITRE:Play", "tools": [ "Nltest", "AdFind", "PsExec", "Wevtutil", "Cobalt Strike", "Playcrypt", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "9806f226-935f-48eb-b138-6616c9bb9d69", "created_at": "2022-10-25T16:07:23.73153Z", "updated_at": "2026-04-10T02:00:04.729977Z", "deleted_at": null, "main_name": "Indrik Spider", "aliases": [ "Blue Lelantos", "DEV-0243", "Evil Corp", "G0119", "Gold Drake", "Gold Winter", "Manatee Tempest", "Mustard Tempest", "UNC2165" ], "source_name": "ETDA:Indrik Spider", "tools": [ "Advanced Port Scanner", "Agentemis", "Babuk", "Babuk Locker", "Babyk", "BitPaymer", "Bugat", "Bugat v5", "Cobalt Strike", "CobaltStrike", "Cridex", "Dridex", "EmPyre", "EmpireProject", "FAKEUPDATES", "FakeUpdate", "Feodo", "FriedEx", "Hades", "IEncrypt", "LINK_MSIEXEC", "MEGAsync", "Macaw Locker", "Metasploit", "Mimikatz", "PayloadBIN", "Phoenix Locker", "PowerShell Empire", "PowerSploit", "PsExec", "QNAP-Worm", "Raspberry Robin", "RaspberryRobin", "SocGholish", "Vasa Locker", "WastedLoader", "WastedLocker", "cobeacon", "wp_encrypt" ], "source_id": "ETDA", "reports": null }, { "id": "6c4f98b3-fe14-42d6-beaa-866395455e52", "created_at": "2023-01-06T13:46:39.169554Z", "updated_at": "2026-04-10T02:00:03.23458Z", "deleted_at": null, "main_name": "Evil Corp", "aliases": [ "GOLD DRAKE" ], "source_name": "MISPGALAXY:Evil Corp", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434295, "ts_updated_at": 1775791995, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d2bbdefdb1f9a24af8436e363d711adb6df81a94.pdf", "text": "https://archive.orkl.eu/d2bbdefdb1f9a24af8436e363d711adb6df81a94.txt", "img": "https://archive.orkl.eu/d2bbdefdb1f9a24af8436e363d711adb6df81a94.jpg" } }