The City of Oakland was targeted by the Play ransomware group, a threat actor known for its double extortion model, where stolen data is encrypted and threatened for public release if ransom demands are unmet. The attack likely involved exploiting vulnerabilities in external-facing services (e.g., RDP, VPNs, FortiOS, or Microsoft Exchange) or stolen credentials to gain initial access. Once inside, the attackers used tools like AdFind, Grixba, Cobalt Strike, and Mimikatz to escalate privileges, disable security software (e.g., Microsoft Defender via PowerShell scripts), and move laterally across the network. The ransomware variant deployed may have included ESXi-targeting malware, capable of shutting down virtual machines and encrypting files with unique keys per file, severely disrupting municipal operations. Given the city’s reliance on digital infrastructure for public services, emergency response, and administrative functions, the attack likely caused operational outages, financial losses from recovery efforts, and potential leaks of sensitive citizen or employee data. The Play group’s history of data exfiltration and public leak threats further amplifies reputational and legal risks for the city. Recovery efforts would involve rebuilding encrypted systems, forensic investigations, and potential ransom negotiations, with long-term impacts on trust in municipal cybersecurity.

The Oakland ransomware attack on April 2023, which seriously disrupted city operations for weeks, was carried out by the LockBit ransomware gang. At first, the Play ransomware gang claimed responsibility for the attack, but LockBit later added the city to its list of leak locations.

The City of Oakland reported a ransomware attack. The City of Oakland, out of an abundance of caution, took the affected systems offline while they worked to secure the affected infrastructure. In order to ascertain the extent and gravity of the problem, the information technology department alerted the relevant authorities and started an inquiry into the occurrence. Even while the City's primary operations—including 911, financial information, and fire and rescue resources—were unaffected, the notice it published cautions the public about potential delays from the City as a result of the attack. The City has verified that an unauthorized entity has obtained a number of files from its network and has threatened to make the information publicly available.

The City of Oakland was targeted by Ransomware Attack after that Oakland continues to experience a network outage that has left several non-emergency systems including phone lines within the City of Oakland impacted or offline. The City appreciates the community's patience while workers from several departments collaborate to reduce interruptions and put in place workarounds to typical business procedures that enable the City to keep providing services. In addition to engaging with additional cybersecurity and technology companies on recovery and remediation efforts, the City's IT Department is collaborating with a top forensics firm to conduct a thorough incident response and investigation. With numerous local, state, and federal authorities participating, this inquiry is still ongoing. In order to address the problem, the City is creating a response strategy while adhering to industry best practises. ITD has taken affected systems offline out of an abundance of caution as they seek to secure and safely restore services. The public should anticipate delays from the City in the interim.

In 2023, the City of Oakland suffered a severe ransomware attack executed by the Play ransomware group, exposing the personal data of thousands of current and former police officers and city employees. Compromised information included home addresses, medical records, and Social Security numbers, which were leaked on the dark web. The attack crippled the city’s IT systems for weeks, disrupting essential government services and delaying critical operations, including police misconduct investigations. The breach led to a class-action lawsuit with over 10,000 plaintiffs, resulting in settlements of $175 per affected officer and up to $350 for other employees who proved financial harm. The city also offered three years of free credit monitoring. An earlier 2022 audit had warned of cybersecurity vulnerabilities due to understaffing and resource shortages, but no action was taken. The incident exposed systemic neglect in Oakland’s digital defenses, raising concerns about identity theft risks—especially for police in a high-crime city—and prolonged operational disruptions across municipal services.