The PLAY ransomware group has claimed responsibility for a ransomware attack that took place last week in the Belgian city of Antwerp. Diest, a city an hour’s drive to the east, has also confirmed that it was the victim of a cyberattack.
According to Christophe De Graef, the mayor of Diest:
“The IT systems of all city services are down. At the moment we are trying to map everything out. The damage it has caused is still being investigated. We also don’t know who is behind it yet.”
According to Het Laatste Nieuws, hackers broke into the computers and took the administration software from Digipolis, Antwerp’s digital partner. City council member Alexandra d’Archambeau tweeted that the attack had also affected the city’s email system in addition to its phone and IT systems. As a result, numerous city services, such as employment applications, library use, and new agreements with the city, are affected.
Play takes responsibility for the ransomware attack
Although local media had reported the ransomware-related part of the attack, it remained unclear which group had carried it out. The Play ransomware operation began listing Antwerp as one of its victims over the weekend, according to a tweet from Emsisoft security expert Brett Callow.
The Antwerp entry on the group’s dark web data leak site alleges that 557 GB of data, including personal data, passports, IDs, and financial papers, was taken during the incident.
Although the threat actors have said they would start releasing data in a week if a ransom is not paid, the city’s data has not yet been exposed.
Play ransomware is a relatively recent operation that initially gained media attention a few months ago when it attacked Argentina’s Córdoba Judiciary. The operation has been growing consistently since then, steadily adding victims across the world.
Play adds the “.play” extension to encrypted files. Its ransom note, ReadMe.txt, is dropped only on the C: drive and contains the word “PLAY” and a contact email address.
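A triage sweep for the two on-disk indicators described above, as an added example that is not code from the original article or from any vendor. The function names, the NUL-stripping decode and the sample tree are assumptions constructed for illustration. Because the note is dropped only on the C: drive, a share full of “.play” files with no note is still a hit.

```python
import os
import re
import tempfile

ENC_EXT = ".play"          # extension the article says is appended
NOTE_NAME = "readme.txt"   # article: ReadMe.txt (compared case-insensitively)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def looks_like_play_note(text):
    """Article's description: the word PLAY plus a contact e-mail address."""
    return bool(re.search(r"\bPLAY\b", text)) and bool(EMAIL_RE.search(text))

def triage(root):
    """Walk root and return paths of .play files and of matching notes."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENC_EXT):
                encrypted.append(path)
            elif name.lower() == NOTE_NAME:
                try:
                    with open(path, "rb") as fh:
                        # Assumption: dropping NULs makes a UTF-16 note readable too.
                        raw = fh.read(4096).replace(b"\x00", b"")
                except OSError:
                    continue  # unreadable file: skip, do not abort the sweep
                if looks_like_play_note(raw.decode("utf-8", errors="replace")):
                    notes.append(path)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}

def demo():
    """Triage a constructed sample tree (not data from the incident)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        samples = {
            "ReadMe.txt": "PLAY\r\ncontact@example.invalid\r\n".encode("utf-16"),
            os.path.join("docs", "budget.xlsx.PLAY"): b"\x8f\x02",
            os.path.join("docs", "readme.txt"): b"Setup notes: admin@example.invalid",
            os.path.join("docs", "plan.docx"): b"untouched",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        found = triage(root)
        return {k: [os.path.relpath(p, root) for p in v] for k, v in found.items()}

if __name__ == "__main__":
    print(demo())
```

An ordinary readme that merely contains an e-mail address is not flagged; both the word and the address must be present.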
Because so much data was taken, it is likely that the threat actor had access for a long time. The city was warned that if it didn’t pay the ransom by December 19, 2022, the threat actor would start publicising the stolen data. Antwerp refused to negotiate, and the listing was dropped from Play’s site 2 days prior to that deadline.
A newsletter issued to Belgian government employees warned them to exercise caution. The Belgian government recommended that its staff double-check that the person they are speaking with is who they say they are, be careful about phishing attacks, use up-to-date hardware and authorised software, and use admin privileges only when necessary.