{"id":20813,"date":"2022-12-14T16:10:28","date_gmt":"2022-12-15T00:10:28","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/12\/14\/news-14546\/"},"modified":"2022-12-14T16:10:28","modified_gmt":"2022-12-15T00:10:28","slug":"news-14546","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/12\/14\/news-14546\/","title":{"rendered":"Play ransomware attacks city of Antwerp"},"content":{"rendered":"

The city of Antwerp’s digital systems have come to a grinding halt. The Flemish government under which Antwerp resides has confirmed that this is the result of a ransomware attack.<\/p>\n

The consequences for the city’s inhabitants are drastic, as hundreds of city employees revert to working on paper instead of on their computers. This is creating complications for everything from the obvious to the not-so-obvious. <\/p>\n

For example: There are problems with payments to people that depend on city benefits (which are not expected to be resolved before the end of the year); libraries and recycling centers are closed; there is no way to obtain new IDs; and students with special needs are unable to use their laptops.<\/p>\n

The Play ransomware group is claiming credit on its dark web leak site.<\/p>\n

\"Play
The Play leak site claims the attack on the city of Antwerp<\/figcaption><\/figure>\n

Play is a relatively new ransomware group and first attracted media attention<\/a> a few months ago, when it attacked Argentina’s Judiciary of Córdoba. Play can be recognized by the .play<\/code> extension it adds to encrypted files and a very simple ReadMe.txt<\/code> ransom note which is only dropped at the root of the C:<\/code> drive, that simply contains the word ‘PLAY’ and a contact email address.<\/p>\n

According to the leak site, 557 GB of information was stolen, including personal information, passports, other IDs, and financial documents.<\/p>\n

ITdaily claims the attackers gained initial access through Digitalis<\/a>, the digital partner of the city of Antwerp. From there they were able to encrypt essential files which rendered databases and applications unreachable.<\/p>\n

The large amount of stolen data suggests that the threat actor must have had access over a longer period of time.<\/p>\n

The city has been given until December 19, 2022 to pay the ransom or the threat actor will start publishing the stolen data.<\/p>\n

Government warning<\/h2>\n

In a newsletter<\/a> to Belgian government employees, staff were cautioned to be alert and careful. This was prompted by recent attacks on the systems of the Zwijndrecht police<\/a> by Ragnar Locker, and an attack on the municipality of Diest<\/a> which has not been claimed by a specific ransomware group yet.<\/p>\n

The Belgian government’s warning is specifically about actionable items for the staff:<\/p>\n