The ransomware attack that hit Oakland on Wednesday, February 8, 2023, is still crippling many of the city's services a week later. The situation is serious enough that the Interim City Administrator has now declared a state of emergency.
Tweet announcing the state of emergency
The ransomware attack initially forced the City's Information Technology Department (ITD) to take all systems offline while it coordinated with law enforcement to investigate the attack.
The impact of the outage is far-reaching and ongoing. The network outage has affected many non-emergency systems, including the ability to collect payments and to process reports, permits, and licenses. As a result, some city buildings are closed, and the public is advised to email ahead of any planned visit to one of the affected departments.
Interim City Administrator G. Harold Duffey declared the state of emergency due to the ongoing impact of the network outages as a result of the ransomware attack. According to a spokesperson for the City:
“The declaration of a local emergency allows the City of Oakland to expedite the procurement of equipment and materials, activate emergency workers if needed, and issue orders on an expedited basis, while we work to safely restore systems and bring our services back online.”
Fortunately, the attack has not affected critical services such as 911 dispatch and fire and emergency resources, but the Oakland Police Department (OPD) did say that response times have been delayed and asked the public:
If you don’t have an emergency or do not need an immediate emergency response, please consider the following means to report incidents:
• OPD Online Reporting: oaklandca.gov
• Oak 311: for urgent issues, call 311.
• OakDOT: call (510) 615-5566.
So far the City has not provided an indication of when the situation will be back to normal.
At this point it's not clear which ransomware group is behind the attack on the City of Oakland. No group has claimed responsibility, and the leak sites of the major groups we checked do not mention Oakland. That is consistent with ransom negotiations still being under way: groups that run leak sites usually only publish a victim's name and data after talks have broken down.
With the investigation apparently ongoing, there is no indication yet of the initial access vector. We'll update this story if we learn more.
How to avoid ransomware
- Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable remote access such as RDP and VPNs where it isn't needed, and harden what remains (strong passwords, multi-factor authentication, no direct exposure to the internet); use endpoint security software that can detect the exploits and malware used to deliver ransomware.
- Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity, such as password guessing, lateral movement, or credential dumping, before the ransomware itself is deployed. Encryption is the last step of an intrusion, not the first, and the earlier steps are where it is cheapest to stop.
- Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple detection techniques to identify ransomware.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Write an incident response plan. The period after a ransomware attack can be chaotic. Make a plan that outlines how you'll isolate an outbreak, communicate with stakeholders, and restore your systems.
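To make the "block common forms of entry" and "detect intrusions" points above concrete, here is a small added example (written for this page, not code from Malwarebytes or from the City of Oakland's investigation) that flags RDP password guessing from Windows Security log events. Event ID 4625 ("An account failed to log on") and Logon Type 10 (RemoteInteractive, i.e. RDP) are the real Windows values; the one-line `key=value` log layout, the sample events, the source addresses, the five-failures-in-two-minutes threshold and the function names are all constructed for the example. Nothing in it is tied to the Oakland incident, whose initial access vector is not known.

```python
"""
Added example, not from the original article: flag RDP password guessing
against an exposed host using Windows Security log events.

Event ID 4625 is "An account failed to log on", 4624 is a successful logon,
and Logon Type 10 is RemoteInteractive (RDP). The log lines below are
CONSTRUCTED for this example in a simplified key=value layout; real
telemetry would come from the Security event log via an EDR or SIEM.
The threshold and time window are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: a burst of guesses from 203.0.113.7 (an RFC 5737
# documentation address) ending in a successful logon, plus ordinary typo
# noise from an internal workstation that should not raise an alert.
SAMPLE_EVENTS = """\
2023-02-08T02:14:01Z EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.7
2023-02-08T02:14:03Z EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7
2023-02-08T02:14:04Z EventID=4625 LogonType=10 User=oakland SrcIP=203.0.113.7
2023-02-08T02:14:06Z EventID=4625 LogonType=10 User=backup SrcIP=203.0.113.7
2023-02-08T02:14:07Z EventID=4625 LogonType=10 User=svc_sql SrcIP=203.0.113.7
2023-02-08T02:14:09Z EventID=4624 LogonType=10 User=svc_sql SrcIP=203.0.113.7
2023-02-08T09:00:12Z EventID=4625 LogonType=10 User=jdoe SrcIP=10.20.30.40
2023-02-08T09:30:44Z EventID=4625 LogonType=10 User=jdoe SrcIP=10.20.30.40
2023-02-08T09:30:50Z EventID=4624 LogonType=10 User=jdoe SrcIP=10.20.30.40
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_event(line):
    """Turn one constructed log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=2)):
    """
    Return {src_ip: alert} for every source that produced `threshold` or more
    RDP logon failures inside a sliding `window`. If the same source later
    logs on successfully over RDP, the alert records which account got in;
    that is the case that needs an immediate response, because the intruder
    is now on the network and the encryption stage has not happened yet.
    """
    recent_failures = defaultdict(deque)  # src_ip -> failure timestamps in window
    alerts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event.get("LogonType") != RDP_LOGON_TYPE:
            continue  # only interested in RDP here
        ip = event["SrcIP"]
        if event["EventID"] == FAILED_LOGON:
            queue = recent_failures[ip]
            queue.append(event["ts"])
            while queue and event["ts"] - queue[0] > window:
                queue.popleft()  # drop failures that fell out of the window
            if len(queue) >= threshold:
                alert = alerts.setdefault(
                    ip, {"first_seen": queue[0], "failures": 0, "success_after": None}
                )
                alert["failures"] = max(alert["failures"], len(queue))
        elif event["EventID"] == SUCCESS_LOGON and ip in alerts:
            alerts[ip]["success_after"] = event["User"]
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        if alert["success_after"]:
            outcome = f"FOLLOWED BY SUCCESSFUL LOGON as {alert['success_after']}"
        else:
            outcome = "no successful logon seen"
        print(f"{ip}: {alert['failures']} RDP failures in window, {outcome}")
```

Run against the constructed sample, the script reports only the external source and notes that the guessing ended with a successful logon as `svc_sql`; the internal workstation's two failures half an hour apart never fill the window. The same logic, fed from a SIEM rather than a string constant, is the kind of early signal the EDR/MDR bullet refers to: a brute-forced RDP account is a foothold, and catching it at this stage is far cheaper than restoring from backups a week later.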