
PLAY Ransomware Has Claimed Responsibility for The Attack in Antwerp

The PLAY ransomware group has claimed responsibility for a ransomware attack on the city of Antwerp, Belgium, that happened last week. Diest, a city an hour’s drive to the east, has also confirmed that it was the victim of a cyberattack.

According to Christophe De Graef, the mayor of Diest:

The IT systems of all city services are down. At the moment we are trying to map everything out. The damage it has caused is still being investigated. We also don’t know who is behind it yet.

According to Het Laatste Nieuws, hackers broke into the computers and took the administration software from Digipolis, Antwerp’s digital partner. City council member Alexandra d’Archambeau tweeted that the attack had also affected the city’s email system in addition to its phone and IT systems. As a result, numerous city services, such as employment applications, library use, and new agreements with the city, are affected.


Play Takes Responsibility for the Ransomware Attack

Although local media had reported that the attack involved ransomware, it remained unclear which group had carried it out. The Play ransomware operation began listing Antwerp as one of its victims over the weekend, according to a tweet from Emsisoft security expert Brett Callow.

The Antwerp entry on the data leak website alleges that 557 GB of data, including personal data, passports, IDs, and financial papers, was taken during the incident. The data has been listed on the dark web leak site used by the Play ransomware group.


Although the threat actors have said they would start releasing data in a week if a ransom is not paid, the city’s data has not yet been exposed.

Play ransomware is a relatively recent operation that first gained media attention a few months ago when it attacked Argentina’s Córdoba Judiciary. The operation has grown consistently since then, steadily adding victims across the world.

Play drops its ransom note, ReadMe.txt, only on the C: drive. The note contains the word “PLAY” and a contact email address. The ransomware adds the “.play” extension to encrypted files.
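A triage check for the two artefacts described above, as an added example that is not from the original article or from any vendor tool: it looks for a ReadMe.txt at a volume root containing the word “PLAY” and an email address, and counts files ending in “.play” below it. The function names, the 4 KiB read limit, the email pattern, and the reading of “C: drive” as the volume root are assumptions, and the sample tree is constructed.

```python
import os
import re
import tempfile
from pathlib import Path

NOTE_NAME = "readme.txt"   # the article names the note ReadMe.txt; compared case-insensitively
ENC_SUFFIX = ".play"       # extension the article says is added to encrypted files
WORD_RE = re.compile(r"\bPLAY\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")  # assumption: loose email pattern

def note_matches(path, max_bytes=4096):
    """True if the file's first bytes contain the word PLAY and an email address."""
    try:
        with open(path, "rb") as fh:
            text = fh.read(max_bytes).decode("utf-8", errors="replace")
    except OSError:
        return False
    return bool(WORD_RE.search(text) and EMAIL_RE.search(text))

def triage(root):
    """Check a volume root for the note and count *.play files below it."""
    root = Path(root)
    note = next((p for p in root.iterdir() if p.is_file()
                 and p.name.lower() == NOTE_NAME and note_matches(p)), None)
    hits = [os.path.join(d, f)
            for d, _sub, files in os.walk(root, onerror=lambda err: None)
            for f in files if f.lower().endswith(ENC_SUFFIX)]
    verdict = {(True, True): "note+files", (True, False): "note-only",
               (False, True): "files-only", (False, False): "none"}[(note is not None, bool(hits))]
    return {"verdict": verdict, "note": str(note) if note else None,
            "encrypted_count": len(hits), "sample": sorted(hits)[:5]}

def build_constructed_sample(root):
    """Constructed test tree: a fake note, two renamed files, one benign readme."""
    root = Path(root)
    (root / "docs").mkdir()
    (root / "ReadMe.txt").write_text("PLAY\ncontact@example.invalid\n")
    (root / "docs" / "budget.xlsx.play").write_bytes(b"\x00" * 16)
    (root / "docs" / "minutes.docx.PLAY").write_bytes(b"\x00" * 16)
    (root / "docs" / "readme.txt").write_text("How to play the demo.\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(build_constructed_sample(tmp)))
```

A "note-only" or "files-only" verdict is a lead to investigate rather than a confirmation, since ordinary files can share either trait.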

Because so much data was taken, it is likely that the threat actor had access for a long time. The city was warned that if it didn’t pay the ransom by December 19, 2022, the threat actor would start publicising the stolen data. Antwerp refused to negotiate and the listing was dropped from Play’s site 2 days prior.

A newsletter issued to Belgian government employees warned them to exercise caution. The Belgian government recommended that its staff double-check that the person they are speaking with is who they say they are, be careful about phishing attacks, use up-to-date hardware and authorised software, and use admin privileges only when necessary.
